summaryrefslogtreecommitdiffstats
path: root/kernel/sys.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2020-06-14 20:39:31 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2020-06-14 20:39:31 +0200
commit4a87b197c1da6b16608d5110709e0b3308e25dcd (patch)
tree65ffaafafca247113124b1d62e4e9bdd8b2a3f4d /kernel/sys.c
parentMerge tag 'for-5.8-part2-tag' of git://git.kernel.org/pub/scm/linux/kernel/gi... (diff)
parentsecurity: Add LSM hooks to set*gid syscalls (diff)
downloadlinux-4a87b197c1da6b16608d5110709e0b3308e25dcd.tar.xz
linux-4a87b197c1da6b16608d5110709e0b3308e25dcd.zip
Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux
Pull SafeSetID update from Micah Morton: "Add additional LSM hooks for SafeSetID SafeSetID is capable of making allow/deny decisions for set*uid calls on a system, and we want to add similar functionality for set*gid calls. The work to do that is not yet complete, so probably won't make it in for v5.8, but we are looking to get this simple patch in for v5.8 since we have it ready. We are planning on the rest of the work for extending the SafeSetID LSM being merged during the v5.9 merge window" * tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux: security: Add LSM hooks to set*gid syscalls
Diffstat (limited to 'kernel/sys.c')
-rw-r--r--kernel/sys.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index fd46865b46ba..00a96746e28a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -393,6 +393,10 @@ long __sys_setregid(gid_t rgid, gid_t egid)
new->sgid = new->egid;
new->fsgid = new->egid;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_RE);
+ if (retval < 0)
+ goto error;
+
return commit_creds(new);
error:
@@ -435,6 +439,10 @@ long __sys_setgid(gid_t gid)
else
goto error;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_ID);
+ if (retval < 0)
+ goto error;
+
return commit_creds(new);
error:
@@ -756,6 +764,10 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
new->sgid = ksgid;
new->fsgid = new->egid;
+ retval = security_task_fix_setgid(new, old, LSM_SETID_RES);
+ if (retval < 0)
+ goto error;
+
return commit_creds(new);
error:
@@ -862,7 +874,8 @@ long __sys_setfsgid(gid_t gid)
ns_capable(old->user_ns, CAP_SETGID)) {
if (!gid_eq(kgid, old->fsgid)) {
new->fsgid = kgid;
- goto change_okay;
+ if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)
+ goto change_okay;
}
}