author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-06-14 20:39:31 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-06-14 20:39:31 +0200 |
commit | 4a87b197c1da6b16608d5110709e0b3308e25dcd (patch) | |
tree | 65ffaafafca247113124b1d62e4e9bdd8b2a3f4d /kernel/sys.c | |
parent | Merge tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/gi... (diff) | |
parent | security: Add LSM hooks to set*gid syscalls (diff) | |
Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux
Pull SafeSetID update from Micah Morton:
"Add additional LSM hooks for SafeSetID
SafeSetID is capable of making allow/deny decisions for set*uid calls
on a system, and we want to add similar functionality for set*gid
calls.
The work to do that is not yet complete, so probably won't make it in
for v5.8, but we are looking to get this simple patch in for v5.8
since we have it ready.
We are planning on the rest of the work for extending the SafeSetID
LSM being merged during the v5.9 merge window"
* tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux:
security: Add LSM hooks to set*gid syscalls
Diffstat (limited to 'kernel/sys.c')
-rw-r--r-- | kernel/sys.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index fd46865b46ba..00a96746e28a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -393,6 +393,10 @@ long __sys_setregid(gid_t rgid, gid_t egid)
 new->sgid = new->egid;
 new->fsgid = new->egid;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_RE);
+ if (retval < 0)
+ goto error;
+
 return commit_creds(new);
 error:
@@ -435,6 +439,10 @@ long __sys_setgid(gid_t gid)
 else
 goto error;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_ID);
+ if (retval < 0)
+ goto error;
+
 return commit_creds(new);
 error:
@@ -756,6 +764,10 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 new->sgid = ksgid;
 new->fsgid = new->egid;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_RES);
+ if (retval < 0)
+ goto error;
+
 return commit_creds(new);
 error:
@@ -862,7 +874,8 @@ long __sys_setfsgid(gid_t gid)
 ns_capable(old->user_ns, CAP_SETGID)) {
 if (!gid_eq(kgid, old->fsgid)) {
 new->fsgid = kgid;
- goto change_okay;
+ if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)
+ goto change_okay;
 }
 } |
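Review bot: The new `security_task_fix_setgid()` call in the `__sys_setregid` hunk, and the identical calls in the `__sys_setgid` and `__sys_setresgid` hunks, has no comment stating the hook's contract, which is what a policy author needs to know. As far as the visible context shows, the hook runs only after `new` has been fully populated and just before `commit_creds(new)`, so an LSM can further restrict a gid change that the ordinary checks already allowed but cannot grant one. A short comment above each call would make that explicit, for example `/* LSM may veto the gid change; nothing is committed until commit_creds() */`. The body of the `error:` label lies outside all three hunks, so that it discards `new` is an assumption.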
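Review bot: In the `__sys_setfsgid` hunk the hook result is tested with `== 0`, while the other three call sites in this patch test `retval < 0`, so a positive return value from an LSM would be treated as allow in `setgid`/`setregid`/`setresgid` but as deny here. Either convention is defensible, but the difference should be documented at the call or made uniform. The call also omits the spaces after commas that the other three sites use; `if (security_task_fix_setgid(new, old, LSM_SETID_FS) == 0)` would match them. The code after the closing braces is outside the hunk, but a denial presumably falls through to the unchanged-fsgid path with no error code returned to the caller. A comment such as `/* LSM veto is silent here: fsgid is left unchanged */` would help anyone auditing why a `setfsgid()` call had no effect.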