commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. diff --git a/fs/exec.c b/fs/exec.c index 1dff97d..5af5d91 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -225,8 +225,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, #ifdef CONFIG_GRKERNSEC_PROC_MEMMAP // only allow 512KB for argv+env on suid/sgid binaries // to prevent easy ASLR exhaustion - if (((bprm->cred->euid != current_euid()) || - (bprm->cred->egid != current_egid())) && + if (((!uid_eq(bprm->cred->euid, current_euid())) || + (!gid_eq(bprm->cred->egid, current_egid()))) && (size > (512 * 1024))) { put_page(page); return NULL; @@ -1640,7 +1640,7 @@ static int do_execve_common(const char *filename, /* limit suid stack to 8MB * we saved the old limits above and will restore them if this exec fails */ - if (((bprm->cred->euid != current_euid()) || (bprm->cred->egid != current_egid())) && + if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) && (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024))) current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024; #endif diff --git a/fs/proc/base.c b/fs/proc/base.c index 3d6a99f..65e5187 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -594,7 +594,7 @@ static bool has_pid_permissions(struct pid_namespace *pid, const struct cred *tmpcred = current_cred(); const struct cred *cred = __task_cred(task); - if (!tmpcred->uid || (tmpcred->uid == cred->uid) + if (uid_eq(tmpcred->uid, make_kuid(current_user_ns(), 0)) || uid_eq(tmpcred->uid, cred->uid) #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP || in_group_p(grsec_proc_gid) #endif diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c index cb9b67d..21b52ff 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -111,10 +111,10 @@ static struct net *get_proc_task_net(struct inode *dir) #endif #ifdef CONFIG_GRKERNSEC_PROC_USER - if (cred->fsuid) + if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID)) return net; #elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP) - if (cred->fsuid && !in_group_p(grsec_proc_gid)) + if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid)) return net; #endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c index 69e1320..6b7b8f7 100644 --- a/grsecurity/gracl.c +++ b/grsecurity/gracl.c @@ -2039,7 +2039,7 @@ gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u3 const struct cred *cred = current_cred(); security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype, - cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry, + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename, 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip); @@ -2047,16 +2047,29 @@ gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u3 } static void -gr_log_learn_id_change(const char type, const unsigned int real, - const unsigned int effective, const unsigned int fs) +gr_log_learn_uid_change(const kuid_t real, const kuid_t effective, const kuid_t fs) { struct task_struct *task = current; const struct cred *cred = current_cred(); security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype, - cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry, + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename, - type, real, effective, fs, &task->signal->saved_ip); + 'u', GR_GLOBAL_UID(real), GR_GLOBAL_UID(effective), GR_GLOBAL_UID(fs), &task->signal->saved_ip); + + return; +} + +static void +gr_log_learn_gid_change(const kgid_t real, const kgid_t effective, const kgid_t fs) +{ + struct task_struct *task = current; + const struct cred *cred = current_cred(); + + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype, + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry, + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename, + 'g', GR_GLOBAL_GID(real), GR_GLOBAL_GID(effective), GR_GLOBAL_GID(fs), &task->signal->saved_ip); return; } @@ -2329,23 +2342,28 @@ gr_set_proc_res(struct task_struct *task) extern int __gr_process_user_ban(struct user_struct *user); int -gr_check_user_change(int real, int effective, int fs) +gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs) { unsigned int i; __u16 num; uid_t *uidlist; - int curuid; + uid_t curuid; int realok = 0; int effectiveok = 0; int fsok = 0; + uid_t globalreal, globaleffective, globalfs; #if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE) struct user_struct *user; - if (real == -1) + if (!uid_valid(real)) goto skipit; - user = find_user(real); + /* find user based on global namespace */ + + globalreal = GR_GLOBAL_UID(real); + + user = find_user(make_kuid(&init_user_ns, globalreal)); if (user == NULL) goto skipit; @@ -2365,7 +2383,7 @@ skipit: return 0; if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) - gr_log_learn_id_change('u', real, effective, fs); + gr_log_learn_uid_change(real, effective, fs); num = current->acl->user_trans_num; uidlist = current->acl->user_transitions; @@ -2373,31 +2391,43 @@ skipit: if (uidlist == NULL) return 0; - if (real == -1) + if (!uid_valid(real)) { realok = 1; - if (effective == -1) + globalreal = (uid_t)-1; + } else { + globalreal = GR_GLOBAL_UID(real); + } + if (!uid_valid(effective)) { effectiveok = 1; - if (fs == -1) + globaleffective = (uid_t)-1; + } else { + globaleffective = GR_GLOBAL_UID(effective); + } + if (!uid_valid(fs)) { fsok = 1; + globalfs = (uid_t)-1; + } else { + globalfs = GR_GLOBAL_UID(fs); + } if (current->acl->user_trans_type & GR_ID_ALLOW) { for (i = 0; i < num; i++) { - curuid = (int)uidlist[i]; - if (real == curuid) + curuid = uidlist[i]; + if (globalreal == curuid) realok = 1; - if (effective == curuid) + if (globaleffective == curuid) effectiveok = 1; - if (fs == curuid) + if (globalfs == curuid) fsok = 1; } } else if (current->acl->user_trans_type & GR_ID_DENY) { for (i = 0; i < num; i++) { - curuid = (int)uidlist[i]; - if (real == curuid) + curuid = uidlist[i]; + if (globalreal == curuid) break; - if (effective == curuid) + if (globaleffective == curuid) break; - if (fs == curuid) + if (globalfs == curuid) break; } /* not in deny list */ @@ -2411,27 +2441,28 @@ skipit: if (realok && effectiveok && fsok) return 0; else { - gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real); + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal); return 1; } } int -gr_check_group_change(int real, int effective, int fs) +gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs) { unsigned int i; __u16 num; gid_t *gidlist; - int curgid; + gid_t curgid; int realok = 0; int effectiveok = 0; int fsok = 0; + gid_t globalreal, globaleffective, globalfs; if (unlikely(!(gr_status & GR_READY))) return 0; if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) - gr_log_learn_id_change('g', real, effective, fs); + gr_log_learn_gid_change(real, effective, fs); num = current->acl->group_trans_num; gidlist = current->acl->group_transitions; @@ -2439,31 +2470,43 @@ gr_check_group_change(int real, int effective, int fs) if (gidlist == NULL) return 0; - if (real == -1) + if (!gid_valid(real)) { realok = 1; - if (effective == -1) + globalreal = (gid_t)-1; + } else { + globalreal = GR_GLOBAL_GID(real); + } + if (!gid_valid(effective)) { effectiveok = 1; - if (fs == -1) + globaleffective = (gid_t)-1; + } else { + globaleffective = GR_GLOBAL_GID(effective); + } + if (!gid_valid(fs)) { fsok = 1; + globalfs = (gid_t)-1; + } else { + globalfs = GR_GLOBAL_GID(fs); + } if (current->acl->group_trans_type & GR_ID_ALLOW) { for (i = 0; i < num; i++) { - curgid = (int)gidlist[i]; - if (real == curgid) + curgid = gidlist[i]; + if (globalreal == curgid) realok = 1; - if (effective == curgid) + if (globaleffective == curgid) effectiveok = 1; - if (fs == curgid) + if (globalfs == curgid) fsok = 1; } } else if (current->acl->group_trans_type & GR_ID_DENY) { for (i = 0; i < num; i++) { - curgid = (int)gidlist[i]; - if (real == curgid) + curgid = gidlist[i]; + if (globalreal == curgid) break; - if (effective == curgid) + if (globaleffective == curgid) break; - if (fs == curgid) + if (globalfs == curgid) break; } /* not in deny list */ @@ -2477,7 +2520,7 @@ gr_check_group_change(int real, int effective, int fs) if (realok && effectiveok && fsok) return 0; else { - gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real); + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal); return 1; } } @@ -2485,16 +2528,21 @@ gr_check_group_change(int real, int effective, int fs) extern int gr_acl_is_capable(const int cap); void -gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid) +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid) { struct acl_role_label *role = task->role; struct acl_subject_label *subj = NULL; struct acl_object_label *obj; struct file *filp; + uid_t uid; + gid_t gid; if (unlikely(!(gr_status & GR_READY))) return; + uid = GR_GLOBAL_UID(kuid); + gid = GR_GLOBAL_GID(kgid); + filp = task->exec_file; /* kernel process, we'll give them the kernel role */ @@ -3448,7 +3496,7 @@ gr_set_acls(const int type) if (task->exec_file) { cred = __task_cred(task); - task->role = lookup_acl_role_label(task, cred->uid, cred->gid); + task->role = lookup_acl_role_label(task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid)); ret = gr_apply_subject_to_task(task); if (ret) { read_unlock(&grsec_exec_file_lock); @@ -3531,7 +3579,7 @@ skip_reslog: rcu_read_lock(); cred = __task_cred(task); security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, - task->role->roletype, cred->uid, cred->gid, acl->filename, + task->role->roletype, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), acl->filename, acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max, "", (unsigned long) res, &task->signal->saved_ip); rcu_read_unlock(); diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c index 6d21049..bdd51ea 100644 --- a/grsecurity/gracl_cap.c +++ b/grsecurity/gracl_cap.c @@ -49,8 +49,8 @@ int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cr if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && cap_raised(cred->cap_effective, cap)) { security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, - task->role->roletype, cred->uid, - cred->gid, task->exec_file ? + task->role->roletype, GR_GLOBAL_UID(cred->uid), + GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : curracl->filename, curracl->filename, 0UL, diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c index 58800a7..4699807 100644 --- a/grsecurity/gracl_ip.c +++ b/grsecurity/gracl_ip.c @@ -114,8 +114,8 @@ gr_search_socket(const int domain, const int type, const int protocol) if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) { __u32 fakeip = 0; security_learn(GR_IP_LEARN_MSG, current->role->rolename, - current->role->roletype, cred->uid, - cred->gid, current->exec_file ? + current->role->roletype, GR_GLOBAL_UID(cred->uid), + GR_GLOBAL_GID(cred->gid), current->exec_file ? gr_to_filename(current->exec_file->f_path.dentry, current->exec_file->f_path.mnt) : curr->filename, curr->filename, @@ -142,8 +142,8 @@ inet_check: if (type == SOCK_RAW || type == SOCK_PACKET) { __u32 fakeip = 0; security_learn(GR_IP_LEARN_MSG, current->role->rolename, - current->role->roletype, cred->uid, - cred->gid, current->exec_file ? + current->role->roletype, GR_GLOBAL_UID(cred->uid), + GR_GLOBAL_GID(cred->gid), current->exec_file ? gr_to_filename(current->exec_file->f_path.dentry, current->exec_file->f_path.mnt) : curr->filename, curr->filename, @@ -152,8 +152,8 @@ inet_check: } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) { __u32 fakeip = 0; security_learn(GR_IP_LEARN_MSG, current->role->rolename, - current->role->roletype, cred->uid, - cred->gid, current->exec_file ? + current->role->roletype, GR_GLOBAL_UID(cred->uid), + GR_GLOBAL_GID(cred->gid), current->exec_file ? gr_to_filename(current->exec_file->f_path.dentry, current->exec_file->f_path.mnt) : curr->filename, curr->filename, @@ -249,8 +249,8 @@ gr_search_connectbind(const int full_mode, struct sock *sk, if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) { security_learn(GR_IP_LEARN_MSG, current->role->rolename, - current->role->roletype, cred->uid, - cred->gid, current->exec_file ? + current->role->roletype, GR_GLOBAL_UID(cred->uid), + GR_GLOBAL_GID(cred->gid), current->exec_file ? gr_to_filename(current->exec_file->f_path.dentry, current->exec_file->f_path.mnt) : curr->filename, curr->filename, diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c index 25197e9..10398db 100644 --- a/grsecurity/gracl_segv.c +++ b/grsecurity/gracl_segv.c @@ -99,9 +99,10 @@ gr_insertsort(void) } static __inline__ void -gr_insert_uid(const uid_t uid, const unsigned long expires) +gr_insert_uid(const kuid_t kuid, const unsigned long expires) { int loc; + uid_t uid = GR_GLOBAL_UID(kuid); if (uid_used == GR_UIDTABLE_MAX) return; @@ -136,14 +137,17 @@ gr_remove_uid(const unsigned short loc) } int -gr_check_crash_uid(const uid_t uid) +gr_check_crash_uid(const kuid_t kuid) { int loc; int ret = 0; + uid_t uid; if (unlikely(!gr_acl_is_enabled())) return 0; + uid = GR_GLOBAL_UID(kuid); + spin_lock(&gr_uid_lock); loc = gr_find_uid(uid); @@ -166,8 +170,8 @@ proc_is_setxid(const struct cred *cred) if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) || !uid_eq(cred->uid, cred->fsuid)) return 1; - if (!uid_eq(cred->gid, cred->egid) || !uid_eq(cred->gid, cred->sgid) || - !uid_eq(cred->gid, cred->fsgid)) + if (!gid_eq(cred->gid, cred->egid) || !gid_eq(cred->gid, cred->sgid) || + !gid_eq(cred->gid, cred->fsgid)) return 1; return 0; diff --git a/grsecurity/gracl_shm.c b/grsecurity/gracl_shm.c index 9d83a69..120978a 100644 --- a/grsecurity/gracl_shm.c +++ b/grsecurity/gracl_shm.c @@ -9,7 +9,7 @@ int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, - const time_t shm_createtime, const uid_t cuid, const int shmid) + const time_t shm_createtime, const kuid_t cuid, const int shmid) { struct task_struct *task; @@ -30,7 +30,7 @@ gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, (task->acl != current->acl))) { read_unlock(&tasklist_lock); rcu_read_unlock(); - gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid); + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, GR_GLOBAL_UID(cuid), shm_cprid, shmid); return 0; } read_unlock(&tasklist_lock); diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c index e6796b3..207d409 100644 --- a/grsecurity/grsec_disabled.c +++ b/grsecurity/grsec_disabled.c @@ -137,7 +137,7 @@ gr_check_crash_exec(const struct file *filp) } int -gr_check_crash_uid(const uid_t uid) +gr_check_crash_uid(const kuid_t uid) { return 0; } @@ -314,7 +314,7 @@ gr_acl_handle_filldir(const struct file *file, const char *name, int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, - const time_t shm_createtime, const uid_t cuid, const int shmid) + const time_t shm_createtime, const kuid_t cuid, const int shmid) { return 1; } @@ -371,7 +371,7 @@ gr_acl_handle_mprotect(const struct file *file, const unsigned long prot) } void -gr_set_role_label(const uid_t uid, const gid_t gid) +gr_set_role_label(const kuid_t uid, const kgid_t gid) { return; } @@ -401,13 +401,13 @@ gr_set_kernel_label(struct task_struct *task) } int -gr_check_user_change(int real, int effective, int fs) +gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs) { return 0; } int -gr_check_group_change(int real, int effective, int fs) +gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs) { return 0; } diff --git a/grsecurity/grsec_fifo.c b/grsecurity/grsec_fifo.c index d3ee748..06cc6ea 100644 --- a/grsecurity/grsec_fifo.c +++ b/grsecurity/grsec_fifo.c @@ -13,10 +13,10 @@ gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt, if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) && !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) && - (dentry->d_inode->i_uid != dir->d_inode->i_uid) && - (cred->fsuid != dentry->d_inode->i_uid)) { + !uid_eq(dentry->d_inode->i_uid, dir->d_inode->i_uid) && + !uid_eq(cred->fsuid, dentry->d_inode->i_uid)) { if (!inode_permission(dentry->d_inode, acc_mode)) - gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid); + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, GR_GLOBAL_UID(dentry->d_inode->i_uid), GR_GLOBAL_GID(dentry->d_inode->i_gid)); return -EACCES; } #endif diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c index 05a6015..a862e9f 100644 --- a/grsecurity/grsec_init.c +++ b/grsecurity/grsec_init.c @@ -10,7 +10,7 @@ int grsec_enable_ptrace_readexec; int grsec_enable_setxid; int grsec_enable_symlinkown; -int grsec_symlinkown_gid; +kgid_t grsec_symlinkown_gid; int grsec_enable_brute; int grsec_enable_link; int grsec_enable_dmesg; @@ -23,7 +23,7 @@ int grsec_enable_audit_ptrace; int grsec_enable_time; int grsec_enable_audit_textrel; int grsec_enable_group; -int grsec_audit_gid; +kgid_t grsec_audit_gid; int grsec_enable_chdir; int grsec_enable_mount; int grsec_enable_rofs; @@ -42,7 +42,7 @@ int grsec_enable_chroot_caps; int grsec_enable_chroot_sysctl; int grsec_enable_chroot_unix; int grsec_enable_tpe; -int grsec_tpe_gid; +kgid_t grsec_tpe_gid; int grsec_enable_blackhole; #ifdef CONFIG_IPV6_MODULE EXPORT_SYMBOL(grsec_enable_blackhole); @@ -51,11 +51,11 @@ int grsec_lastack_retries; int grsec_enable_tpe_all; int grsec_enable_tpe_invert; int grsec_enable_socket_all; -int grsec_socket_all_gid; +kgid_t grsec_socket_all_gid; int grsec_enable_socket_client; -int grsec_socket_client_gid; +kgid_t grsec_socket_client_gid; int grsec_enable_socket_server; -int grsec_socket_server_gid; +kgid_t grsec_socket_server_gid; int grsec_resource_logging; int grsec_disable_privio; int grsec_enable_log_rwxmaps; @@ -161,7 +161,7 @@ grsecurity_init(void) #endif #ifdef CONFIG_GRKERNSEC_AUDIT_GROUP grsec_enable_group = 1; - grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID; + grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID); #endif #ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC grsec_enable_ptrace_readexec = 1; @@ -256,26 +256,26 @@ grsecurity_init(void) #endif #ifdef CONFIG_GRKERNSEC_SYMLINKOWN grsec_enable_symlinkown = 1; - grsec_symlinkown_gid = CONFIG_GRKERNSEC_SYMLINKOWN_GID; + grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID); #endif #ifdef CONFIG_GRKERNSEC_TPE grsec_enable_tpe = 1; - grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID; + grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID); #ifdef CONFIG_GRKERNSEC_TPE_ALL grsec_enable_tpe_all = 1; #endif #endif #ifdef CONFIG_GRKERNSEC_SOCKET_ALL grsec_enable_socket_all = 1; - grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID; + grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID); #endif #ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT grsec_enable_socket_client = 1; - grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID; + grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID); #endif #ifdef CONFIG_GRKERNSEC_SOCKET_SERVER grsec_enable_socket_server = 1; - grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID; + grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID); #endif #endif diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c index 7bd6c2b..7c06085 100644 --- a/grsecurity/grsec_log.c +++ b/grsecurity/grsec_log.c @@ -13,9 +13,6 @@ #define ENABLE_PREEMPT() #endif -#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x)) -#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x)) - #define BEGIN_LOCKS(x) \ DISABLE_PREEMPT(); \ rcu_read_lock(); \ diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c index 07e0dc0..ac20d7f 100644 --- a/grsecurity/grsec_tpe.c +++ b/grsecurity/grsec_tpe.c @@ -16,7 +16,7 @@ gr_tpe_allow(const struct file *file) char *msg2 = NULL; // never restrict root - if (!cred->uid) + if (uid_eq(cred->uid, GLOBAL_ROOT_UID)) return 1; if (grsec_enable_tpe) { @@ -37,7 +37,7 @@ gr_tpe_allow(const struct file *file) if (!msg) goto next_check; - if (inode->i_uid) + if (!uid_eq(inode->i_uid, GLOBAL_ROOT_UID)) msg2 = "file in non-root-owned directory"; else if (inode->i_mode & S_IWOTH) msg2 = "file in world-writable directory"; @@ -56,7 +56,7 @@ next_check: if (!grsec_enable_tpe || !grsec_enable_tpe_all) return 1; - if (inode->i_uid && (inode->i_uid != cred->uid)) + if (!uid_eq(inode->i_uid, GLOBAL_ROOT_UID) && !uid_eq(inode->i_uid, cred->uid)) msg = "directory not owned by user"; else if (inode->i_mode & S_IWOTH) msg = "file in world-writable directory"; diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h index baa6e96..9bb6662 100644 --- a/include/linux/grinternal.h +++ b/include/linux/grinternal.h @@ -60,18 +60,18 @@ extern int grsec_enable_chroot_caps; extern int grsec_enable_chroot_sysctl; extern int grsec_enable_chroot_unix; extern int grsec_enable_symlinkown; -extern int grsec_symlinkown_gid; +extern kgid_t grsec_symlinkown_gid; extern int grsec_enable_tpe; -extern int grsec_tpe_gid; +extern kgid_t grsec_tpe_gid; extern int grsec_enable_tpe_all; extern int grsec_enable_tpe_invert; extern int grsec_enable_socket_all; -extern int grsec_socket_all_gid; +extern kgid_t grsec_socket_all_gid; extern int grsec_enable_socket_client; -extern int grsec_socket_client_gid; +extern kgid_t grsec_socket_client_gid; extern int grsec_enable_socket_server; -extern int grsec_socket_server_gid; -extern int grsec_audit_gid; +extern kgid_t grsec_socket_server_gid; +extern kgid_t grsec_audit_gid; extern int grsec_enable_group; extern int grsec_enable_audit_textrel; extern int grsec_enable_log_rwxmaps; diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h index c5e5913..1ae241a 100644 --- a/include/linux/grsecurity.h +++ b/include/linux/grsecurity.h @@ -42,8 +42,8 @@ char gr_roletype_to_char(void); int gr_acl_enable_at_secure(void); -int gr_check_user_change(int real, int effective, int fs); -int gr_check_group_change(int real, int effective, int fs); +int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs); +int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs); void gr_del_task_from_ip_table(struct task_struct *p); @@ -115,7 +115,7 @@ int gr_task_is_capable_nolog(const struct task_struct *task, const int cap); void gr_copy_label(struct task_struct *tsk); void gr_handle_crash(struct task_struct *task, const int sig); int gr_handle_signal(const struct task_struct *p, const int sig); -int gr_check_crash_uid(const uid_t uid); +int gr_check_crash_uid(const kuid_t uid); int gr_check_protected_task(const struct task_struct *task); int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type); int gr_acl_handle_mmap(const struct file *file, @@ -142,8 +142,8 @@ __u32 gr_acl_handle_execve(const struct dentry *dentry, int gr_check_crash_exec(const struct file *filp); int gr_acl_is_enabled(void); void gr_set_kernel_label(struct task_struct *task); -void gr_set_role_label(struct task_struct *task, const uid_t uid, - const gid_t gid); +void gr_set_role_label(struct task_struct *task, const kuid_t uid, + const kgid_t gid); int gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt, const int unsafe_flags); @@ -243,7 +243,7 @@ extern int grsec_enable_dmesg; extern int grsec_disable_privio; #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP -extern int grsec_proc_gid; +extern kgid_t grsec_proc_gid; #endif #ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h index 8e522cbc..1b67af5 100644 --- a/include/linux/uidgid.h +++ b/include/linux/uidgid.h @@ -197,4 +197,7 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid) #endif /* CONFIG_USER_NS */ +#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x)) +#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x)) + #endif /* _LINUX_UIDGID_H */ diff --git a/init/Kconfig b/init/Kconfig index b13cb62..1eeca9b 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1080,8 +1080,6 @@ config UIDGID_CONVERTED depends on OCFS2_FS = n depends on XFS_FS = n - depends on GRKERNSEC = n - config UIDGID_STRICT_TYPE_CHECKS bool "Require conversions between uid/gids and their internal representation" depends on UIDGID_CONVERTED diff --git a/ipc/shm.c b/ipc/shm.c index 38dfd0c..55cff14 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -71,7 +71,7 @@ static int sysvipc_shm_proc_show(struct seq_file *s, void *it); #ifdef CONFIG_GRKERNSEC extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid, - const time_t shm_createtime, const uid_t cuid, + const time_t shm_createtime, const kuid_t cuid, const int shmid); extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid, const time_t shm_createtime); diff --git a/kernel/cred.c b/kernel/cred.c index eefe488..3874e41 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -501,7 +501,7 @@ void gr_delayed_cred_worker(void) current->delayed_cred = NULL; - if (current_uid() && new != NULL) { + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) && new != NULL) { // from doing get_cred on it when queueing this put_cred(new); return; @@ -562,7 +562,8 @@ int commit_creds(struct cred *new) init_cred */ if (grsec_enable_setxid && !current_is_single_threaded() && - !current_uid() && new->uid) { + uid_eq(current_uid(), GLOBAL_ROOT_UID) && + !uid_eq(new->uid, GLOBAL_ROOT_UID)) { schedule_it = 1; } ret = __commit_creds(new); diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c index 45c017a..706ccca 100644 --- a/kernel/kallsyms.c +++ b/kernel/kallsyms.c @@ -557,7 +557,7 @@ static int s_show(struct seq_file *m, void *p) struct kallsym_iter *iter = m->private; #ifdef CONFIG_GRKERNSEC_HIDESYM - if (current_uid()) + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) return 0; #endif diff --git a/kernel/kmod.c b/kernel/kmod.c index 3fe3781..b893e79 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -139,7 +139,7 @@ static int ____request_module(bool wait, char *module_param, const char *fmt, va return ret; #ifdef CONFIG_GRKERNSEC_MODHARDEN - if (!current_uid()) { + if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) { /* hack to workaround consolekit/udisks stupidity */ read_lock(&tasklist_lock); if (!strcmp(current->comm, "mount") && @@ -204,12 +204,12 @@ int __request_module(bool wait, const char *fmt, ...) int ret; #ifdef CONFIG_GRKERNSEC_MODHARDEN - if (current_uid()) { + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) { char module_param[MODULE_NAME_LEN]; memset(module_param, 0, sizeof(module_param)); - snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid()); + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid())); va_start(args, fmt); ret = ____request_module(wait, module_param, fmt, args); diff --git a/kernel/sys.c b/kernel/sys.c index b0cd50d..4e42ef5 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -601,7 +601,7 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid) goto error; } - if (gr_check_group_change(new->gid, new->egid, -1)) + if (gr_check_group_change(new->gid, new->egid, INVALID_GID)) goto error; if (rgid != (gid_t) -1 || @@ -740,7 +740,7 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid) goto error; } - if (gr_check_user_change(new->uid, new->euid, -1)) + if (gr_check_user_change(new->uid, new->euid, INVALID_UID)) goto error; if (!uid_eq(new->uid, old->uid)) { @@ -868,7 +868,7 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) goto error; } - if (gr_check_user_change(kruid, keuid, -1)) + if (gr_check_user_change(kruid, keuid, INVALID_UID)) goto error; if (ruid != (uid_t) -1) { @@ -953,7 +953,7 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid) goto error; } - if (gr_check_group_change(krgid, kegid, -1)) + if (gr_check_group_change(krgid, kegid, INVALID_GID)) goto error; if (rgid != (gid_t) -1) @@ -1009,7 +1009,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid) if (!uid_valid(kuid)) return old_fsuid; - if (gr_check_user_change(-1, -1, kuid)) + if (gr_check_user_change(INVALID_UID, INVALID_UID, kuid)) goto error; new = prepare_creds(); @@ -1059,7 +1059,7 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid) if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) || gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) || nsown_capable(CAP_SETGID)) { - if (gr_check_group_change(-1, -1, kgid)) + if (gr_check_group_change(INVALID_GID, INVALID_GID, kgid)) goto error; if (!gid_eq(kgid, old->fsgid)) {