LSM: Signal to SafeSetID when setting group IDs

author Thomas Cedeno <thomascedeno@google.com>

Thu, 16 Jul 2020 19:13:57 +0000 (19:13 +0000)

committer Micah Morton <mortonm@chromium.org>

Tue, 13 Oct 2020 16:17:34 +0000 (09:17 -0700)
author Thomas Cedeno <thomascedeno@google.com>
Thu, 16 Jul 2020 19:13:57 +0000 (19:13 +0000)
committer Micah Morton <mortonm@chromium.org>
Tue, 13 Oct 2020 16:17:34 +0000 (09:17 -0700)
diff --git a/kernel/capability.c b/kernel/capability.c

index 7c59b096c98aee0a1867ee7c450c9efc99d4e345..de7eac903a2a5f6e6af42158b753f711dff9093c 100644 (file)
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -418,7 +418,7 @@ EXPORT_SYMBOL(ns_capable_noaudit);
  /**
   * ns_capable_setid - Determine if the current task has a superior capability
   * in effect, while signalling that this check is being done from within a
- * setid syscall.
+ * setid or setgroups syscall.
   * @ns:  The usernamespace we want the capability in
   * @cap: The capability to be tested for
   *
diff --git a/kernel/groups.c b/kernel/groups.c

index 6ee6691f6839f64554aceeb1bbeca0785feda08d..fe7e6385530e679596009b2e125cb808397d870f 100644 (file)
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -178,7 +178,7 @@ bool may_setgroups(void)
  {
         struct user_namespace *user_ns = current_user_ns();
  
-       return ns_capable(user_ns, CAP_SETGID) &&
+       return ns_capable_setid(user_ns, CAP_SETGID) &&
                 userns_may_setgroups(user_ns);
  }
  
diff --git a/kernel/sys.c b/kernel/sys.c

index ab6c409b1159b1538437198d5a7745766f45e906..ad80f9767f27a66611a1363b027d93e13841729b 100644 (file)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -373,7 +373,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
         if (rgid != (gid_t) -1) {
                 if (gid_eq(old->gid, krgid) ||
                     gid_eq(old->egid, krgid) ||
-                   ns_capable(old->user_ns, CAP_SETGID))
+                   ns_capable_setid(old->user_ns, CAP_SETGID))
                         new->gid = krgid;
                 else
                         goto error;
@@ -382,7 +382,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
                 if (gid_eq(old->gid, kegid) ||
                     gid_eq(old->egid, kegid) ||
                     gid_eq(old->sgid, kegid) ||
-                   ns_capable(old->user_ns, CAP_SETGID))
+                   ns_capable_setid(old->user_ns, CAP_SETGID))
                         new->egid = kegid;
                 else
                         goto error;
@@ -432,7 +432,7 @@ long __sys_setgid(gid_t gid)
         old = current_cred();
  
         retval = -EPERM;
-       if (ns_capable(old->user_ns, CAP_SETGID))
+       if (ns_capable_setid(old->user_ns, CAP_SETGID))
                 new->gid = new->egid = new->sgid = new->fsgid = kgid;
         else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
                 new->egid = new->fsgid = kgid;
@@ -744,7 +744,7 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
         old = current_cred();
  
         retval = -EPERM;
-       if (!ns_capable(old->user_ns, CAP_SETGID)) {
+       if (!ns_capable_setid(old->user_ns, CAP_SETGID)) {
                 if (rgid != (gid_t) -1        && !gid_eq(krgid, old->gid) &&
                     !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid))
                         goto error;
@@ -871,7 +871,7 @@ long __sys_setfsgid(gid_t gid)
  
         if (gid_eq(kgid, old->gid)  || gid_eq(kgid, old->egid)  ||
             gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
-           ns_capable(old->user_ns, CAP_SETGID)) {
+           ns_capable_setid(old->user_ns, CAP_SETGID)) {
                 if (!gid_eq(kgid, old->fsgid)) {
                         new->fsgid = kgid;
                         if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)
author	Thomas Cedeno <thomascedeno@google.com>
	Thu, 16 Jul 2020 19:13:57 +0000 (19:13 +0000)
committer	Micah Morton <mortonm@chromium.org>
	Tue, 13 Oct 2020 16:17:34 +0000 (09:17 -0700)
kernel/capability.c		patch \| blob \| blame \| history
kernel/groups.c		patch \| blob \| blame \| history
kernel/sys.c		patch \| blob \| blame \| history