Commit 7b769e45 authored by Lukas Braun's avatar Lukas Braun Committed by Simon Ruderich

slsm: implement confine flag

A confined process will never change its label and will thus
never gain new permissions.
Unlike the inherit flag, the confined process does not inherit
the permissions of the execing (unconfined) process.
parent fbb55fdb
#ifndef __PASST_CONTEXT_H
#define __PASST_CONTEXT_H
#include <linux/cred.h>
#include <linux/kref.h>
struct passt_task {
char *label;
int inherit;
};
#endif /* __PASST_CONTEXT_H */
......@@ -14,6 +14,11 @@
static char *init = "<<init>>";
struct passt_task {
char *label;
unsigned confined:1;
};
/**
* passt_dup_task - duplicates all resources related to @old_pt
......@@ -101,7 +106,10 @@ static int passt_bprm_set_creds(struct linux_binprm *bprm) {
perms = slsm_query_perms(name, pt->label);
if (perms.mode & SLSM_MODE_X) {
if (!pt->inherit && !(perms.flags & SLSM_FLAG_INHERIT)) {
if (pt->confined || (perms.flags & SLSM_FLAG_INHERIT)) {
pt->confined = 1;
printk(KERN_INFO "slsm: %s inherited %s\n", name, pt->label);
} else {
// TODO: cache labels
char *old_label = pt->label;
char *new_label = kstrdup(name, GFP_KERNEL);
......@@ -111,9 +119,11 @@ static int passt_bprm_set_creds(struct linux_binprm *bprm) {
pt->label = new_label;
kfree(old_label);
}
} else {
printk(KERN_INFO "slsm: %s inherited %s\n", name, pt->label);
pt->inherit = 1;
if (perms.flags & SLSM_FLAG_CONFINE) {
pt->confined = 1;
printk(KERN_INFO "slsm: %s confining to %s\n", name, pt->label);
}
}
goto cleanup;
} else
......
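Review bot: `confined` is a one-way bit on `struct passt_task`, so its guarantee holds only if every copy of the task state carries it, and `passt_dup_task()` is not part of the visible hunks. If that function copies fields one by one it must copy `confined` too; otherwise a child of a confined process would presumably start unconfined and could change its label on the next exec. A comment on the field such as `unsigned confined:1; /* sticky: once set the label never changes; must be copied by passt_dup_task() */` would record the invariant, and a test that execs from a child of a confined process would pin it. Separately, the first branch in `passt_bprm_set_creds` logs `inherited` both for an INHERIT rule and for an already-confined task, so the log cannot tell the two cases apart. The function body starts and ends outside the hunks shown.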
......@@ -164,6 +164,20 @@ test_expect_success 'disallow delete of file' "
test_cmp expected /tmp/slsm/test-me
"
test_expect_success 'confine process' "
test_when_finished cleanup && setup &&
echo data >/tmp/slsm/private &&
echo '#!/bin/sh' >/tmp/slsm/script &&
echo 'exec cat /tmp/slsm/private' >>/tmp/slsm/script &&
chmod +x /tmp/slsm/script &&
\
rules a=/tmp/slsm/script p=/tmp/slsm/private m=0 '' \
p=/tmp/slsm/script m=5 f=2 &&
test_must_fail /tmp/slsm/script &&
echo data >expected &&
test_cmp expected /tmp/slsm/private
"
test_expect_success 'last matching rule for a node is used' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
......
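Review bot: `test_must_fail /tmp/slsm/script` in the 'confine process' test passes on any non-zero exit, so it also succeeds if the script could not be executed at all, and it does not show that the exec'd `cat` was the step that was denied. Capturing the output, e.g. `test_must_fail /tmp/slsm/script >actual && test ! -s actual`, would at least show that no data was read. A control case with the same rules minus `f=2`, in which the script presumably succeeds, would tie the failure to the confine flag. The closing `test_cmp expected /tmp/slsm/private` only checks that the file is unchanged, which a read-only `cat` would not affect either way.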
......@@ -147,7 +147,7 @@ unsigned slsm_perms_mode_grant(struct slsm_perms perms, struct slsm_perms perms_
unsigned slsm_perms_would_elevate(struct slsm_perms perms, struct slsm_perms perms_would_get) {
unsigned flags, flags_would_get;
unsigned restrictions = SLSM_FLAG_INHERIT;
unsigned restrictions = SLSM_FLAG_INHERIT | SLSM_FLAG_CONFINE;
if (!slsm_perms_mode_grant(perms, perms_would_get))
return 1;
......
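Review bot: The `restrictions` mask in `slsm_perms_would_elevate` is a hand-maintained copy of the flag list, kept in sync only by the NOTE comment next to the `SLSM_FLAG_*` defines in the header. Defining the mask beside the flags, e.g. `#define SLSM_FLAG_RESTRICTIONS (SLSM_FLAG_INHERIT | SLSM_FLAG_CONFINE)`, and using it here would keep a future restricting flag from being left out of the elevation check. How the mask is applied lies outside the hunk, so whether an omitted flag would fail open or closed cannot be told from here.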
......@@ -35,6 +35,8 @@ struct tree_node {
#define SLSM_FLAG_INHERIT (1 << 0)
#define SLSM_FLAG_CONFINE (1 << 1)
/* NOTE: when adding new flags adapt slsm_perms_would_elevate() */
struct slsm_perms {
unsigned mode;
......
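Review bot: The two flag defines carry no description of their semantics, and the test added in this commit passes the confine flag as the bare number `f=2`. A short comment per flag would help readers of both files, e.g. `/* exec'd program keeps the caller's label and never changes it */` on `SLSM_FLAG_INHERIT` and `/* program gets its own label and never changes it afterwards */` on `SLSM_FLAG_CONFINE`, following the commit description.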