Re: PROBLEM: A Capability LSM Module serious bug

From: Liang Bin (liangbin01@private)
Date: Mon Dec 08 2003 - 18:12:17 PST

Next message: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"

Previous message: Liang Bin: "Re: PROBLEM: A Capability LSM Module serious bug"
Maybe in reply to: liangbin01@private: "PROBLEM: A Capability LSM Module serious bug"
Next in thread: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Reply: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In the case of nfs, you are right! 
Function xprt_bindresvport ( linux/net/sunrpc/xprt.c) is an another example, it bypass capable and check cap_effective directly.
In order to fix this bug thoroughly, we may need replace all check code about cap_*fields with capable(cap) in kernel source tree.

Thanks

LiangBin
ISCAS

Chris Wright writes:

> * liangbin01at_private (liangbin01at_private) wrote:
>> When POSIX Capability LSM module isn't compiled into kernel, after inserting 
>> Capability module into kernel, all existed normal users processes will have 
>> total Capability privileges of superuser (root). 
> 
> Thanks for the complete bugreport and patch.  Below is a (quick hack at a)
> fix for dummy.c that will at least keep track of the task->cap_* fields.
> This enables the use of nfs locking when dummy.c is only security
> interface loaded, since that manually manipulates cap_effective with
> cap_raise().  Before this priv escalation was lost between the cap_raise()
> and the subsequent capable() call.  As a side effect, this will leave the
> cap_* fields properly initialized when/if the capability module is loaded.
> 
> thoughts?
> 
> thanks,
> -chris
> -- 
> Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

> 
> ===== security/dummy.c 1.47 vs edited =====
> --- 1.47/security/dummy.c Wed Oct  8 16:01:50 2003
> +++ edited/security/dummy.c Mon Dec  8 14:34:02 2003
> @@ -96,12 +96,18 @@
>  
>  static int dummy_capable (struct task_struct *tsk, int cap)
>  {
> +#if 0
>   if (cap_is_fs_cap (cap) ? tsk->fsuid == 0 : tsk->euid == 0)
>    /* capability granted */
>    return 0;
>  
>   /* capability denied */
>   return -EPERM;
> +#endif
> + if (cap_raised (tsk->cap_effective, cap))
> +  return 0;
> + else
> +  return -EPERM;
>  }
>  
>  static int dummy_sysctl (ctl_table * table, int op)
> @@ -201,6 +207,7 @@
>  
>  static void dummy_bprm_compute_creds (struct linux_binprm *bprm)
>  {
> + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
>   return;
>  }
>  
> @@ -548,6 +555,7 @@
>  
>  static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
>  {
> + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
>   return 0;
>  }
>

Next message: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Previous message: Liang Bin: "Re: PROBLEM: A Capability LSM Module serious bug"
Maybe in reply to: liangbin01@private: "PROBLEM: A Capability LSM Module serious bug"
Next in thread: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Reply: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 18:13:55 PST