From: Kees Cook <keescook@chromium.org>
To: Micah Morton <mortonm@chromium.org>
Cc: linux-security-module@vger.kernel.org, jmorris@namei.org,
serge@hallyn.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling
Date: Mon, 13 Jun 2022 16:46:29 -0700 [thread overview]
Message-ID: <202206131643.4FB2340C43@keescook> (raw)
In-Reply-To: <CAJ-EccOhrYG6n6As72R7YzSk+Zzy=oFFJ62hG9476njprpJuvw@mail.gmail.com>
On Mon, Jun 13, 2022 at 02:00:03PM -0700, Micah Morton wrote:
> On Mon, Jun 13, 2022 at 1:28 PM Micah Morton <mortonm@chromium.org> wrote:
> [...]
> > +static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)
> > +{
> > + int i;
> > +
> > + /* Do nothing if there are no setgid restrictions for our old RGID. */
> > + if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
> > + return 0;
> > +
> > + get_group_info(new->group_info);
> > + for (i = 0; i < new->group_info->ngroups; i++) {
> > + if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
>
> Oops, should be:
>
> !id_permitted_for_cred(old, (kid_t){.gid = new->group_info->gid[i]}, GID)
>
> Guess I won't send a whole new patch just for that one line
This begs the question: are there self-tests for this LSM somewhere?
It'd be really nice to add them to tool/testing/selftests ...
--
Kees Cook
next prev parent reply other threads:[~2022-06-13 23:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-13 20:28 [PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling Micah Morton
2022-06-13 21:00 ` Micah Morton
2022-06-13 23:46 ` Kees Cook [this message]
2022-06-14 17:36 ` Micah Morton
2022-06-16 17:19 ` Micah Morton
2022-06-14 4:35 ` kernel test robot
2022-06-14 7:50 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202206131643.4FB2340C43@keescook \
--to=keescook@chromium.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mortonm@chromium.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox