mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 06:40:54 +07:00
111767c1d8
For SafeSetID to properly gate set*gid() calls, it needs to know whether ns_capable() is being called from within a sys_set*gid() function or is being called from elsewhere in the kernel. This allows SafeSetID to deny CAP_SETGID to restricted groups when they are attempting to use the capability for code paths other than updating GIDs (e.g. setting up userns GID mappings). This is the identical approach to what is currently done for CAP_SETUID. NOTE: We also add signaling to SafeSetID from the setgroups() syscall, as we have future plans to restrict a process' ability to set supplementary groups in addition to what is added in this series for restricting setting of the primary group. Signed-off-by: Thomas Cedeno <thomascedeno@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org>
242 lines
4.9 KiB
C
242 lines
4.9 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Supplementary group IDs
|
|
*/
|
|
#include <linux/cred.h>
|
|
#include <linux/export.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/security.h>
|
|
#include <linux/sort.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/user_namespace.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
struct group_info *groups_alloc(int gidsetsize)
|
|
{
|
|
struct group_info *gi;
|
|
unsigned int len;
|
|
|
|
len = sizeof(struct group_info) + sizeof(kgid_t) * gidsetsize;
|
|
gi = kmalloc(len, GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_NORETRY);
|
|
if (!gi)
|
|
gi = __vmalloc(len, GFP_KERNEL_ACCOUNT);
|
|
if (!gi)
|
|
return NULL;
|
|
|
|
atomic_set(&gi->usage, 1);
|
|
gi->ngroups = gidsetsize;
|
|
return gi;
|
|
}
|
|
|
|
EXPORT_SYMBOL(groups_alloc);
|
|
|
|
void groups_free(struct group_info *group_info)
|
|
{
|
|
kvfree(group_info);
|
|
}
|
|
|
|
EXPORT_SYMBOL(groups_free);
|
|
|
|
/* export the group_info to a user-space array */
|
|
static int groups_to_user(gid_t __user *grouplist,
|
|
const struct group_info *group_info)
|
|
{
|
|
struct user_namespace *user_ns = current_user_ns();
|
|
int i;
|
|
unsigned int count = group_info->ngroups;
|
|
|
|
for (i = 0; i < count; i++) {
|
|
gid_t gid;
|
|
gid = from_kgid_munged(user_ns, group_info->gid[i]);
|
|
if (put_user(gid, grouplist+i))
|
|
return -EFAULT;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* fill a group_info from a user-space array - it must be allocated already */
|
|
static int groups_from_user(struct group_info *group_info,
|
|
gid_t __user *grouplist)
|
|
{
|
|
struct user_namespace *user_ns = current_user_ns();
|
|
int i;
|
|
unsigned int count = group_info->ngroups;
|
|
|
|
for (i = 0; i < count; i++) {
|
|
gid_t gid;
|
|
kgid_t kgid;
|
|
if (get_user(gid, grouplist+i))
|
|
return -EFAULT;
|
|
|
|
kgid = make_kgid(user_ns, gid);
|
|
if (!gid_valid(kgid))
|
|
return -EINVAL;
|
|
|
|
group_info->gid[i] = kgid;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int gid_cmp(const void *_a, const void *_b)
|
|
{
|
|
kgid_t a = *(kgid_t *)_a;
|
|
kgid_t b = *(kgid_t *)_b;
|
|
|
|
return gid_gt(a, b) - gid_lt(a, b);
|
|
}
|
|
|
|
void groups_sort(struct group_info *group_info)
|
|
{
|
|
sort(group_info->gid, group_info->ngroups, sizeof(*group_info->gid),
|
|
gid_cmp, NULL);
|
|
}
|
|
EXPORT_SYMBOL(groups_sort);
|
|
|
|
/* a simple bsearch */
|
|
int groups_search(const struct group_info *group_info, kgid_t grp)
|
|
{
|
|
unsigned int left, right;
|
|
|
|
if (!group_info)
|
|
return 0;
|
|
|
|
left = 0;
|
|
right = group_info->ngroups;
|
|
while (left < right) {
|
|
unsigned int mid = (left+right)/2;
|
|
if (gid_gt(grp, group_info->gid[mid]))
|
|
left = mid + 1;
|
|
else if (gid_lt(grp, group_info->gid[mid]))
|
|
right = mid;
|
|
else
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* set_groups - Change a group subscription in a set of credentials
|
|
* @new: The newly prepared set of credentials to alter
|
|
* @group_info: The group list to install
|
|
*/
|
|
void set_groups(struct cred *new, struct group_info *group_info)
|
|
{
|
|
put_group_info(new->group_info);
|
|
get_group_info(group_info);
|
|
new->group_info = group_info;
|
|
}
|
|
|
|
EXPORT_SYMBOL(set_groups);
|
|
|
|
/**
|
|
* set_current_groups - Change current's group subscription
|
|
* @group_info: The group list to impose
|
|
*
|
|
* Validate a group subscription and, if valid, impose it upon current's task
|
|
* security record.
|
|
*/
|
|
int set_current_groups(struct group_info *group_info)
|
|
{
|
|
struct cred *new;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
set_groups(new, group_info);
|
|
return commit_creds(new);
|
|
}
|
|
|
|
EXPORT_SYMBOL(set_current_groups);
|
|
|
|
SYSCALL_DEFINE2(getgroups, int, gidsetsize, gid_t __user *, grouplist)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int i;
|
|
|
|
if (gidsetsize < 0)
|
|
return -EINVAL;
|
|
|
|
/* no need to grab task_lock here; it cannot change */
|
|
i = cred->group_info->ngroups;
|
|
if (gidsetsize) {
|
|
if (i > gidsetsize) {
|
|
i = -EINVAL;
|
|
goto out;
|
|
}
|
|
if (groups_to_user(grouplist, cred->group_info)) {
|
|
i = -EFAULT;
|
|
goto out;
|
|
}
|
|
}
|
|
out:
|
|
return i;
|
|
}
|
|
|
|
bool may_setgroups(void)
|
|
{
|
|
struct user_namespace *user_ns = current_user_ns();
|
|
|
|
return ns_capable_setid(user_ns, CAP_SETGID) &&
|
|
userns_may_setgroups(user_ns);
|
|
}
|
|
|
|
/*
|
|
* SMP: Our groups are copy-on-write. We can set them safely
|
|
* without another task interfering.
|
|
*/
|
|
|
|
SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
|
|
{
|
|
struct group_info *group_info;
|
|
int retval;
|
|
|
|
if (!may_setgroups())
|
|
return -EPERM;
|
|
if ((unsigned)gidsetsize > NGROUPS_MAX)
|
|
return -EINVAL;
|
|
|
|
group_info = groups_alloc(gidsetsize);
|
|
if (!group_info)
|
|
return -ENOMEM;
|
|
retval = groups_from_user(group_info, grouplist);
|
|
if (retval) {
|
|
put_group_info(group_info);
|
|
return retval;
|
|
}
|
|
|
|
groups_sort(group_info);
|
|
retval = set_current_groups(group_info);
|
|
put_group_info(group_info);
|
|
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* Check whether we're fsgid/egid or in the supplemental group..
|
|
*/
|
|
int in_group_p(kgid_t grp)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval = 1;
|
|
|
|
if (!gid_eq(grp, cred->fsgid))
|
|
retval = groups_search(cred->group_info, grp);
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(in_group_p);
|
|
|
|
int in_egroup_p(kgid_t grp)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
int retval = 1;
|
|
|
|
if (!gid_eq(grp, cred->egid))
|
|
retval = groups_search(cred->group_info, grp);
|
|
return retval;
|
|
}
|
|
|
|
EXPORT_SYMBOL(in_egroup_p);
|