Weekly Edition
Return to the Kernel page
| ||||||||||||||||||||||
Introduce credentials [ver #5]
Hi Al, Christoph, Stephen, Casey, Andrew, James,
(Hopefully) one last check before I send these to Andrew Morton.
I've ported these to linux-next. There are a few minor changes from this.
I've changed override_creds() to get a ref on the credentials it was passed,
rather than consuming the caller's credentials.
I've added a documentation patch; the documentation isn't complete yet, but
going upstream and being added to later doesn't break anything.
I've added a number of patches to the beginning:
(1) A patch to fix capable()'s ability to corrupt the task_struct::flags of
another process.
(2) Andrew Morgan's patches to fix file capabilities.
I've added three new patches to the end:
(1) A patch to split 'real' credentials from 'effective' credentials. This
makes overriding of the credentials possible without requiring the
patches to thread the cred pointer down through the VFS.
I want to do this at some point, but that set of patches currently stands
at ~150 patches and is ~5.5MB in size and is not yet complete. There's
also some disagreement about what actually needs which cred pointer. So
this patch is intended to be a temporary measure. Almost everything is
hidden inside the wrappers previously introduced.
(2) A patch to add a new SELinux class for the kernel to check whether kernel
services can be used by userspace programs, and what file creation labels
they are allowed to use.
(3) A patch to add a way to create and use kernel service credentials, using
the SELinux class introduced in (2) for SELinux's hooks.
Patches (2) and (3) have been ported from my previous FS-Cache patch
submissions.
I will post the FS-Cache patches separately.
A tarball of these patches can be retrieved from:
http://people.redhat.com/~dhowells/cow-creds-5.tar.bz2
I've been testing these patches with the LTP syscalls and SELinux test scripts.
---
There are three parts to this project:
(1) Implement COW credentials.
(2) Pass the cred pointer through the vfs_xxx() functions and suchlike to all
the places that need them.
(3) Document it.
I'm intending to use this code to implement FS-Cache/CacheFiles, but it can
also be used for NFSD.
The associated patches implement (1) and (3). Some things to note:
(a) All of {,e,s,fs}{u,g}id and supplementary groups, capabilities, secure
bits, keyrings, and the task security pointer have migrated into struct
cred.
(b) Changing a tasks credentials involves creating a new struct cred (call
prepare_creds()) and then using RCU to change things over (call
commit_creds()).
(c) task_struct::cred is a const struct cred *, as are all pointers that
aren't used specifically for creating new credentials. This catches
places that are changing creds when they shouldn't be at compile time.
To get a new ref on a const cred, use get_cred() which casts away the
const and calls atomic_inc().
(d) It is no longer possible for a task to instantiate another task's
keyrings. The keyrings code tries to make sure that the required keyrings
are present in request_key(), and redirects any attempt to nominate a
process-specific keyring when instantiating a key to whatever keyring was
suggested by sys_request_key() (or it uses the default).
(e) sys_capset() is neutered: it can only affect the caller. This means
current doesn't have to lock to access its own credentials.
(f) execve() is cleaner. The changes are all worked out in a new set of
credentials, then the whole lot is installed in install_exec_creds() (a
replacement for compute_creds()) in three stages:
(i) The LSM is called - security_bprm_committing_creds() - so that the LSM
can do stuff that must be done before the new creds take effect.
SELinux uses this to call flush_authorized_files() and to flush
rlimits.
(ii) commit_creds() is called to make the actual change.
(iii) The LSM is called again - security_bprm_committed_creds() - so that
the LSM can do stuff that must be done under the new creds. SELinux
uses this to flush signal handlers.
(g) Most of the bprm LSM hooks have been replaced with simplified code
arranged differently.
(h) In struct file, f_uid and f_gid have been replaced by f_cred, which is a
pointer to the opener's credentials at the time of opening.
(i) Credentials are shared where possible. More work should go into this as
it plays it safe when sharing keyrings over non-CLONE_THREAD clones.
(j) The reparent_to_init LSM hook for kernel threads is gone. Kernel threads
now made to share init_cred instead at the start of their life (they may
change this later).
Most of the work is in patch 15 [Subject: CRED: Inaugurate COW credentials].
The description attached to this describes each of the logical changes in more
detail. The preceding patches are preparation.
I'm working on (2) and (3) at the moment.
These patches compile for make allyesconfig, and I've built and run a kernel on
my x86_64 test box with these patches applied.
The patches are:
(*) 01-fix-PF_SUPERPRIV.diff
Fix a potential corruption bug in capable() with setting PF_SUPERPRIV on
other tasks without locks.
(*) 02-filecap-security-fix.patch
(*) 03-filecap-blunt-CAP_SETPCAP-on-strace.patch
(*) 04-filecap-say-ptrace-not-strace.diff
(*) 05-filecap-refactor-support.patch
(*) 06-filecap-no-longer-experimental.diff
Andrew Morgan's file capabilities fixing patches.
(*) 07-keys-disperse-key_ui_h.diff
Disperse the bits of <linux/key_ui.h> and delete the file. The keyfs
filesystem didn't happen, so this isn't necessary.
(*) 08-keys-alter-key-instantiation.diff
Alter the key instantiation code so as to remove the ability to directly
access another process's credentials. The contents of the keyrings
themselves may still change, however. I could implement a COW shadow of
the subscribed keyrings, but I really don't think it's worth it.
(*) 09-cred-neuter-sys_capset.diff
Remove the ability of sys_capset() to affect other processes.
(*) 10-cred-current-fsugid.diff
(*) 11-cred-current-ugid-eugid.diff
Wrap accesses to most current->*[ug]id and some task->*[ug]id to use
accessor macros to cut down the later patches and to hide RCU locking
where it may be necessary later.
(*) 12-cred-separate-creds.diff
Separate the credentials into cred struct, though that's still embedded in
task_struct at this point.
(*) 13-cred-detach-creds.diff
Detach the struct cred from task_struct, though its lifetime still follows
that of task_struct.
(*) 14-cred-current-wrappers.diff
(*) 15-cred-task-rcu-wrappers.diff
(*) 16-cred-selinux-wrappers.diff
Wrap accesses to current's creds. Wrap accesses to other tasks' creds to
hide the RCU where possible. Add in RCU directly where it is has to be.
(*) 17-cred-pertg-keyrings.diff
Separate the process and session keyrings from signal_struct, and make
them dangle shareably from struct cred instead.
(*) 18-cred-is_single_threaded.diff
Rename is_single_threaded() to is_wq_single_threaded().
(*) 19-cred-selinux-xxx_has_perm.diff
Make {file,inode}_has_perm() take a cred pointer.
(*) 20-cred-dentry_open.diff
Pass a cred pointer through dentry_open().
(*) 21-cred-cow-creds.diff
Do the actual work of COW credentials.
(*) 22-cred-improve-execve.diff
Make execve() take advantage of COW credentials.
(*) 23-cred-prettify-commoncap.diff
Add comments in to commoncap.c and do some other stylistic cleanups.
(*) 24-cred-file-creds.diff
Share the process's credentials with any files it opens.
(*) 25-cred-document.diff
Documentation of Linux credentials and the methods by which they may be
manipulated.
(*) 26-cred-objsubj-split.diff
Differentiate objective/real subjective creds vs effective creds, and
allow just the latter to be overridden.
(*) 27-cred-kernel_service-class.diff
Introduce an SELinux class for kernel service ops.
(*) 28-cred-kernel-service.diff
Provide cred ops for kernel service credential management.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||||||||||||||||||||