Re: PROBLEM: A Capability LSM Module serious bug

From: Liang Bin (liangbin01@private)
Date: Mon Dec 08 2003 - 18:12:17 PST


    In the case of nfs, you are right! 
    Function xprt_bindresvport (linux/net/sunrpc/xprt.c) is another example; it bypasses capable and checks cap_effective directly.
    In order to fix this bug thoroughly, we may need to replace all check code about cap_* fields with capable(cap) in the kernel source tree.
    
    Thanks
    
    LiangBin
    ISCAS
    
    Chris Wright writes:
    
    > * liangbin01at_private (liangbin01at_private) wrote:
    >> When POSIX Capability LSM module isn't compiled into kernel, after inserting 
    >> Capability module into kernel, all existed normal users processes will have 
    >> total Capability privileges of superuser (root). 
    > 
    > Thanks for the complete bug report and patch.  Below is a (quick hack at a)
    > fix for dummy.c that will at least keep track of the task->cap_* fields.
    > This enables the use of nfs locking when dummy.c is the only security
    > interface loaded, since that manually manipulates cap_effective with
    > cap_raise().  Before this, priv escalation was lost between the cap_raise()
    > and the subsequent capable() call.  As a side effect, this will leave the
    > cap_* fields properly initialized when/if the capability module is loaded.
    > 
    > thoughts?
    > 
    > thanks,
    > -chris
    > -- 
    > Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    
    > 
    > ===== security/dummy.c 1.47 vs edited =====
    > --- 1.47/security/dummy.c Wed Oct  8 16:01:50 2003
    > +++ edited/security/dummy.c Mon Dec  8 14:34:02 2003
    > @@ -96,12 +96,18 @@
    >  
    >  static int dummy_capable (struct task_struct *tsk, int cap)
    >  {
    > +#if 0
    >   if (cap_is_fs_cap (cap) ? tsk->fsuid == 0 : tsk->euid == 0)
    >    /* capability granted */
    >    return 0;
    >  
    >   /* capability denied */
    >   return -EPERM;
    > +#endif
    > + if (cap_raised (tsk->cap_effective, cap))
    > +  return 0;
    > + else
    > +  return -EPERM;
    >  }
    >  
    >  static int dummy_sysctl (ctl_table * table, int op)
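    Review bot: the `#if 0 ... #endif` block keeps the old uid-based test as dead code; if the intent is to replace it, delete it outright, and the new body then collapses to `return cap_raised (tsk->cap_effective, cap) ? 0 : -EPERM;`. More importantly, the old test distinguished fs capabilities (fsuid) from all others (euid), while the new one answers from tsk->cap_effective alone, so for any task whose cap_* fields were never refreshed through one of the new hooks the result silently changes; confirm that every path that changes euid or fsuid also refreshes the cap_* fields, and that the capget used to fill them preserves the fsuid/euid split the removed lines had.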
    > @@ -201,6 +207,7 @@
    >  
    >  static void dummy_bprm_compute_creds (struct linux_binprm *bprm)
    >  {
    > + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
    >   return;
    >  }
    >  
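    Review bot: the inserted call passes `current` while the hook receives `bprm`; that is only correct if current's uid fields have already been updated from bprm by the time this hook runs, so state that ordering in a comment. The line also runs well past 80 columns and is repeated verbatim in dummy_task_post_setuid below; a small static helper such as `dummy_refresh_caps(current)` would keep both call sites short. The trailing `return;` in a void function is now redundant.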
    > @@ -548,6 +555,7 @@
    >  
    >  static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
    >  {
    > + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
    >   return 0;
    >  }
    >  
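    Review bot: `id0`, `id1`, `id2` and `flags` are all ignored, so the cap_* fields are recomputed on every variant of the setuid hook regardless of which ids changed; that is the safe choice, but it deserves a one-line comment so a later reader does not try to gate the refresh on `flags`. As in the previous hunk, the call exceeds 80 columns and duplicates the one in dummy_bprm_compute_creds. Note that, as the reply above points out for xprt_bindresvport, code that reads cap_effective directly never goes through dummy_capable at all, so keeping these fields current on every uid change is what makes those paths behave.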
    
    
    
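The following is an added user-space model, not code from the thread or the LSM tree, of the mismatch Chris describes: the old dummy_capable() answers from uids and cannot see a cap_raise(), and the unpatched dummy leaves cap_effective stale across setuid(). kernel_cap_t and the cap_* macros follow the 2.6-era include/linux/capability.h; the simplified capget, the folded fs-cap test and CAP_NET_BIND_SERVICE as the capability nfs locking raises are assumptions.

```c
/* Added example (not from the thread): user-space model of the two
 * dummy_capable() variants above.  kernel_cap_t and the cap_* macros follow the
 * 2.6-era include/linux/capability.h; capget and the fs-cap split are assumptions. */
#include <errno.h>

typedef unsigned int kernel_cap_t;         /* a __u32 bitmask at the time */
#define CAP_TO_MASK(x)    (1u << (x))
#define cap_raise(c, f)   ((c) |= CAP_TO_MASK(f))
#define cap_raised(c, f)  ((c) & CAP_TO_MASK(f))
#define CAP_NET_BIND_SERVICE 10            /* assumed: the cap nfs locking raises */

struct task { unsigned euid, fsuid; kernel_cap_t cap_effective; };

/* Old dummy_capable(): uids only; cap_effective is never read. */
static int old_dummy_capable(const struct task *tsk, int cap)
{
	(void)cap;
	return tsk->euid == 0 ? 0 : -EPERM;
}

/* Patched dummy_capable(): cap_effective only. */
static int new_dummy_capable(const struct task *tsk, int cap)
{
	return cap_raised(tsk->cap_effective, cap) ? 0 : -EPERM;
}

/* nfs locking pattern: cap_raise() then capable().  The old check cannot see
 * the raise (returns -EPERM); the patched one honours it (returns 0). */
int raise_then_capable(int patched)
{
	struct task t = { 1000, 1000, 0 };
	cap_raise(t.cap_effective, CAP_NET_BIND_SERVICE);
	return patched ? new_dummy_capable(&t, CAP_NET_BIND_SERVICE)
	               : old_dummy_capable(&t, CAP_NET_BIND_SERVICE);
}

/* The reported bug: a task that inherited full caps drops to uid 1000.  The
 * unpatched dummy leaves cap_effective at ~0u, stale for any capability module
 * loaded later; the patched post_setuid hook recomputes it via capget, modelled
 * here as "root gets every bit, anyone else none" (an assumption). */
kernel_cap_t caps_after_setuid(int patched)
{
	struct task t = { 0, 0, ~0u };
	t.euid = t.fsuid = 1000;
	if (patched)
		t.cap_effective = t.euid == 0 ? ~0u : 0u;
	return t.cap_effective;
}
```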



    This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 18:13:55 PST