linux/security/safesetid
Jann Horn 4f72123da5 LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it
securely constrains UID 1 to UIDs 1, 2 and 3:

    1:2
    1:3

However, because no constraints are applied to UIDs 2 and 3, an attacker
with UID 1 can simply first switch to UID 2, then switch to any UID from
there. The secure way to write this ruleset would be:

    1:2
    1:3
    2:2
    3:3

, which uses "transition to self" as a way to inhibit the default-allow
policy without allowing anything specific.

This is somewhat unintuitive. To make sure that policy authors don't
accidentally write insecure policies because of this, let the kernel verify
that a new ruleset does not contain any entries that are constrained, but
transitively unconstrained.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
2019-07-15 08:07:51 -07:00
..
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
lsm.c LSM: SafeSetID: rewrite userspace API to atomic updates 2019-07-15 08:07:29 -07:00
lsm.h LSM: SafeSetID: add read handler 2019-07-15 08:07:40 -07:00
Makefile LSM: add SafeSetID module that gates setid calls 2019-01-25 11:22:45 -08:00
securityfs.c LSM: SafeSetID: verify transitive constrainedness 2019-07-15 08:07:51 -07:00