From: Micah Morton <mortonm@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-security-module@vger.kernel.org, jmorris@namei.org,
serge@hallyn.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling
Date: Thu, 16 Jun 2022 10:19:41 -0700 [thread overview]
Message-ID: <CAJ-EccMGXZ_-eQsqwFEbxXs-ZBah5q4okBVL9cf8Qx+0nuLs7Q@mail.gmail.com> (raw)
In-Reply-To: <CAJ-EccN92u8y46j+h1Vg8tzFfRDynMM=1zRF6zGjx_4qKJ=AbQ@mail.gmail.com>
On Tue, Jun 14, 2022 at 10:36 AM Micah Morton <mortonm@chromium.org> wrote:
>
> On Mon, Jun 13, 2022 at 4:46 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Mon, Jun 13, 2022 at 02:00:03PM -0700, Micah Morton wrote:
> > > On Mon, Jun 13, 2022 at 1:28 PM Micah Morton <mortonm@chromium.org> wrote:
> > > [...]
> > > > +static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)
> > > > +{
> > > > + int i;
> > > > +
> > > > + /* Do nothing if there are no setgid restrictions for our old RGID. */
> > > > + if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
> > > > + return 0;
> > > > +
> > > > + get_group_info(new->group_info);
> > > > + for (i = 0; i < new->group_info->ngroups; i++) {
> > > > + if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
> > >
> > > Oops, should be:
> > >
> > > !id_permitted_for_cred(old, (kid_t){.gid = new->group_info->gid[i]}, GID)
> > >
> > > Guess I won't send a whole new patch just for that one line
> >
> > This begs the question: are there self-tests for this LSM somewhere?
> > It'd be really nice to add them to tool/testing/selftests ...
>
> There actually is tools/testing/selftests/safesetid/ but I haven't
> updated it since v1 of SafeSetID that only accommodated UIDs. I've
> been relying on integration testing we have out of tree on the Chrome
> OS side but I suppose its reasonable to bring the selftest up to date
> as well :)
>
> Also both patches are a couple lines off from the ones I was finished
> developing/testing with.. some kind of screw up happened when I copied
> from my dev machine to another where I could get git-send-email
> working properly. I'll just resend these 2 patches along with the
> update to the selftest.
Just sent the updated patches and selftest patch.
>
> Thanks
>
> >
> > --
> > Kees Cook
next prev parent reply other threads:[~2022-06-16 17:19 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-13 20:28 [PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling Micah Morton
2022-06-13 21:00 ` Micah Morton
2022-06-13 23:46 ` Kees Cook
2022-06-14 17:36 ` Micah Morton
2022-06-16 17:19 ` Micah Morton [this message]
2022-06-14 4:35 ` kernel test robot
2022-06-14 7:50 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJ-EccMGXZ_-eQsqwFEbxXs-ZBah5q4okBVL9cf8Qx+0nuLs7Q@mail.gmail.com \
--to=mortonm@chromium.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).