summaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorJann Horn <jannh@google.com>2019-04-11 13:12:43 -0700
committerMicah Morton <mortonm@chromium.org>2019-07-15 08:07:51 -0700
commit4f72123da579655855301b591535a1415224f123 (patch)
tree6b9ca3a8a23eb20b41591819ee7fef3b04f207b4 /tools
parentfbd9acb2dc2aa55902c48a83f157082849209fba (diff)
LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it securely constrains UID 1 to UIDs 1, 2 and 3: 1:2 1:3 However, because no constraints are applied to UIDs 2 and 3, an attacker with UID 1 can simply first switch to UID 2, then switch to any UID from there. The secure way to write this ruleset would be: 1:2 1:3 2:2 3:3 , which uses "transition to self" as a way to inhibit the default-allow policy without allowing anything specific. This is somewhat unintuitive. To make sure that policy authors don't accidentally write insecure policies because of this, let the kernel verify that a new ruleset does not contain any entries that are constrained, but transitively unconstrained. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org>
Diffstat (limited to 'tools')
-rw-r--r--tools/testing/selftests/safesetid/safesetid-test.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/tools/testing/selftests/safesetid/safesetid-test.c b/tools/testing/selftests/safesetid/safesetid-test.c
index 4f03813d1911..8f40c6ecdad1 100644
--- a/tools/testing/selftests/safesetid/safesetid-test.c
+++ b/tools/testing/selftests/safesetid/safesetid-test.c
@@ -144,7 +144,9 @@ static void write_policies(void)
{
static char *policy_str =
"1:2\n"
- "1:3\n";
+ "1:3\n"
+ "2:2\n"
+ "3:3\n";
ssize_t written;
int fd;