security/safesetid/securityfs.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * SafeSetID Linux Security Module
   4  *
   5  * Author: Micah Morton <mortonm@chromium.org>
   6  *
   7  * Copyright (C) 2018 The Chromium OS Authors.
   8  *
   9  * This program is free software; you can redistribute it and/or modify
  10  * it under the terms of the GNU General Public License version 2, as
  11  * published by the Free Software Foundation.
  12  *
  13  */
  14
  15 #define pr_fmt(fmt) "SafeSetID: " fmt
  16
  17 #include <linux/security.h>
  18 #include <linux/cred.h>
  19
  20 #include "lsm.h"
  21
  22 static DEFINE_MUTEX(uid_policy_update_lock);
  23 static DEFINE_MUTEX(gid_policy_update_lock);
  24
  25 /*
  26  * In the case the input buffer contains one or more invalid IDs, the kid_t
  27  * variables pointed to by @parent and @child will get updated but this
  28  * function will return an error.
  29  * Contents of @buf may be modified.
  30  */
  31 static int parse_policy_line(struct file *file, char *buf,
  32         struct setid_rule *rule)
  33 {
  34         char *child_str;
  35         int ret;
  36         u32 parsed_parent, parsed_child;
  37
  38         /* Format of |buf| string should be <UID>:<UID> or <GID>:<GID> */
  39         child_str = strchr(buf, ':');
  40         if (child_str == NULL)
  41                 return -EINVAL;
  42         *child_str = '\0';
  43         child_str++;
  44
  45         ret = kstrtou32(buf, 0, &parsed_parent);
  46         if (ret)
  47                 return ret;
  48
  49         ret = kstrtou32(child_str, 0, &parsed_child);
  50         if (ret)
  51                 return ret;
  52
  53         if (rule->type == UID){
  54                 rule->src_id.uid = make_kuid(file->f_cred->user_ns, parsed_parent);
  55                 rule->dst_id.uid = make_kuid(file->f_cred->user_ns, parsed_child);
  56                 if (!uid_valid(rule->src_id.uid) || !uid_valid(rule->dst_id.uid))
  57                         return -EINVAL;
  58         } else if (rule->type == GID){
  59                 rule->src_id.gid = make_kgid(file->f_cred->user_ns, parsed_parent);
  60                 rule->dst_id.gid = make_kgid(file->f_cred->user_ns, parsed_child);
  61                 if (!gid_valid(rule->src_id.gid) || !gid_valid(rule->dst_id.gid))
  62                         return -EINVAL;
  63         } else {
  64                 /* Error, rule->type is an invalid type */
  65                 return -EINVAL;
  66         }
  67         return 0;
  68 }
  69
  70 static void __release_ruleset(struct rcu_head *rcu)
  71 {
  72         struct setid_ruleset *pol =
  73                 container_of(rcu, struct setid_ruleset, rcu);
  74         int bucket;
  75         struct setid_rule *rule;
  76         struct hlist_node *tmp;
  77
  78         hash_for_each_safe(pol->rules, bucket, tmp, rule, next)
  79                 kfree(rule);
  80         kfree(pol->policy_str);
  81         kfree(pol);
  82 }
  83
  84 static void release_ruleset(struct setid_ruleset *pol){
  85         call_rcu(&pol->rcu, __release_ruleset);
  86 }
  87
  88 static void insert_rule(struct setid_ruleset *pol, struct setid_rule *rule)
  89 {
  90         if (pol->type == UID)
  91                 hash_add(pol->rules, &rule->next, __kuid_val(rule->src_id.uid));
  92         else if (pol->type == GID)
  93                 hash_add(pol->rules, &rule->next, __kgid_val(rule->src_id.gid));
  94         else /* Error, pol->type is neither UID or GID */
  95                 return;
  96 }
  97
  98 static int verify_ruleset(struct setid_ruleset *pol)
  99 {
 100         int bucket;
 101         struct setid_rule *rule, *nrule;
 102         int res = 0;
 103
 104         hash_for_each(pol->rules, bucket, rule, next) {
 105                 if (_setid_policy_lookup(pol, rule->dst_id, INVALID_ID) == SIDPOL_DEFAULT) {
 106                         if (pol->type == UID) {
 107                                 pr_warn("insecure policy detected: uid %d is constrained but transitively unconstrained through uid %d\n",
 108                                         __kuid_val(rule->src_id.uid),
 109                                         __kuid_val(rule->dst_id.uid));
 110                         } else if (pol->type == GID) {
 111                                 pr_warn("insecure policy detected: gid %d is constrained but transitively unconstrained through gid %d\n",
 112                                         __kgid_val(rule->src_id.gid),
 113                                         __kgid_val(rule->dst_id.gid));
 114                         } else { /* pol->type is an invalid type */
 115                                 res = -EINVAL;
 116                                 return res;
 117                         }
 118                         res = -EINVAL;
 119
 120                         /* fix it up */
 121                         nrule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL);
 122                         if (!nrule)
 123                                 return -ENOMEM;
 124                         if (pol->type == UID){
 125                                 nrule->src_id.uid = rule->dst_id.uid;
 126                                 nrule->dst_id.uid = rule->dst_id.uid;
 127                                 nrule->type = UID;
 128                         } else { /* pol->type must be GID if we've made it to here */
 129                                 nrule->src_id.gid = rule->dst_id.gid;
 130                                 nrule->dst_id.gid = rule->dst_id.gid;
 131                                 nrule->type = GID;
 132                         }
 133                         insert_rule(pol, nrule);
 134                 }
 135         }
 136         return res;
 137 }
 138
 139 static ssize_t handle_policy_update(struct file *file,
 140                                     const char __user *ubuf, size_t len, enum setid_type policy_type)
 141 {
 142         struct setid_ruleset *pol;
 143         char *buf, *p, *end;
 144         int err;
 145
 146         pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
 147         if (!pol)
 148                 return -ENOMEM;
 149         pol->policy_str = NULL;
 150         pol->type = policy_type;
 151         hash_init(pol->rules);
 152
 153         p = buf = memdup_user_nul(ubuf, len);
 154         if (IS_ERR(buf)) {
 155                 err = PTR_ERR(buf);
 156                 goto out_free_pol;
 157         }
 158         pol->policy_str = kstrdup(buf, GFP_KERNEL);
 159         if (pol->policy_str == NULL) {
 160                 err = -ENOMEM;
 161                 goto out_free_buf;
 162         }
 163
 164         /* policy lines, including the last one, end with \n */
 165         while (*p != '\0') {
 166                 struct setid_rule *rule;
 167
 168                 end = strchr(p, '\n');
 169                 if (end == NULL) {
 170                         err = -EINVAL;
 171                         goto out_free_buf;
 172                 }
 173                 *end = '\0';
 174
 175                 rule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL);
 176                 if (!rule) {
 177                         err = -ENOMEM;
 178                         goto out_free_buf;
 179                 }
 180
 181                 rule->type = policy_type;
 182                 err = parse_policy_line(file, p, rule);
 183                 if (err)
 184                         goto out_free_rule;
 185
 186                 if (_setid_policy_lookup(pol, rule->src_id, rule->dst_id) == SIDPOL_ALLOWED) {
 187                         pr_warn("bad policy: duplicate entry\n");
 188                         err = -EEXIST;
 189                         goto out_free_rule;
 190                 }
 191
 192                 insert_rule(pol, rule);
 193                 p = end + 1;
 194                 continue;
 195
 196 out_free_rule:
 197                 kfree(rule);
 198                 goto out_free_buf;
 199         }
 200
 201         err = verify_ruleset(pol);
 202         /* bogus policy falls through after fixing it up */
 203         if (err && err != -EINVAL)
 204                 goto out_free_buf;
 205
 206         /*
 207          * Everything looks good, apply the policy and release the old one.
 208          * What we really want here is an xchg() wrapper for RCU, but since that
 209          * doesn't currently exist, just use a spinlock for now.
 210          */
 211         if (policy_type == UID) {
 212                 mutex_lock(&uid_policy_update_lock);
 213                 pol = rcu_replace_pointer(safesetid_setuid_rules, pol,
 214                                           lockdep_is_held(&uid_policy_update_lock));
 215                 mutex_unlock(&uid_policy_update_lock);
 216         } else if (policy_type == GID) {
 217                 mutex_lock(&gid_policy_update_lock);
 218                 pol = rcu_replace_pointer(safesetid_setgid_rules, pol,
 219                                           lockdep_is_held(&gid_policy_update_lock));
 220                 mutex_unlock(&gid_policy_update_lock);
 221         } else {
 222                 /* Error, policy type is neither UID or GID */
 223                 pr_warn("error: bad policy type");
 224         }
 225         err = len;
 226
 227 out_free_buf:
 228         kfree(buf);
 229 out_free_pol:
 230         if (pol)
 231                 release_ruleset(pol);
 232         return err;
 233 }
 234
 235 static ssize_t safesetid_uid_file_write(struct file *file,
 236                                     const char __user *buf,
 237                                     size_t len,
 238                                     loff_t *ppos)
 239 {
 240         if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN))
 241                 return -EPERM;
 242
 243         if (*ppos != 0)
 244                 return -EINVAL;
 245
 246         return handle_policy_update(file, buf, len, UID);
 247 }
 248
 249 static ssize_t safesetid_gid_file_write(struct file *file,
 250                                     const char __user *buf,
 251                                     size_t len,
 252                                     loff_t *ppos)
 253 {
 254         if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN))
 255                 return -EPERM;
 256
 257         if (*ppos != 0)
 258                 return -EINVAL;
 259
 260         return handle_policy_update(file, buf, len, GID);
 261 }
 262
 263 static ssize_t safesetid_file_read(struct file *file, char __user *buf,
 264                                    size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset)
 265 {
 266         ssize_t res = 0;
 267         struct setid_ruleset *pol;
 268         const char *kbuf;
 269
 270         mutex_lock(policy_update_lock);
 271         pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock));
 272         if (pol) {
 273                 kbuf = pol->policy_str;
 274                 res = simple_read_from_buffer(buf, len, ppos,
 275                                               kbuf, strlen(kbuf));
 276         }
 277         mutex_unlock(policy_update_lock);
 278
 279         return res;
 280 }
 281
 282 static ssize_t safesetid_uid_file_read(struct file *file, char __user *buf,
 283                                    size_t len, loff_t *ppos)
 284 {
 285         return safesetid_file_read(file, buf, len, ppos,
 286                                    &uid_policy_update_lock, safesetid_setuid_rules);
 287 }
 288
 289 static ssize_t safesetid_gid_file_read(struct file *file, char __user *buf,
 290                                    size_t len, loff_t *ppos)
 291 {
 292         return safesetid_file_read(file, buf, len, ppos,
 293                                    &gid_policy_update_lock, safesetid_setgid_rules);
 294 }
 295
 296
 297
 298 static const struct file_operations safesetid_uid_file_fops = {
 299         .read = safesetid_uid_file_read,
 300         .write = safesetid_uid_file_write,
 301 };
 302
 303 static const struct file_operations safesetid_gid_file_fops = {
 304         .read = safesetid_gid_file_read,
 305         .write = safesetid_gid_file_write,
 306 };
 307
 308 static int __init safesetid_init_securityfs(void)
 309 {
 310         int ret;
 311         struct dentry *policy_dir;
 312         struct dentry *uid_policy_file;
 313         struct dentry *gid_policy_file;
 314
 315         if (!safesetid_initialized)
 316                 return 0;
 317
 318         policy_dir = securityfs_create_dir("safesetid", NULL);
 319         if (IS_ERR(policy_dir)) {
 320                 ret = PTR_ERR(policy_dir);
 321                 goto error;
 322         }
 323
 324         uid_policy_file = securityfs_create_file("uid_allowlist_policy", 0600,
 325                         policy_dir, NULL, &safesetid_uid_file_fops);
 326         if (IS_ERR(uid_policy_file)) {
 327                 ret = PTR_ERR(uid_policy_file);
 328                 goto error;
 329         }
 330
 331         gid_policy_file = securityfs_create_file("gid_allowlist_policy", 0600,
 332                         policy_dir, NULL, &safesetid_gid_file_fops);
 333         if (IS_ERR(gid_policy_file)) {
 334                 ret = PTR_ERR(gid_policy_file);
 335                 goto error;
 336         }
 337
 338
 339         return 0;
 340
 341 error:
 342         securityfs_remove(policy_dir);
 343         return ret;
 344 }
 345 fs_initcall(safesetid_init_securityfs);