Issue 845640 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature

Blocked on:
issue 899772

Blocking:
issue 884511


Come up with alternative to giving CAP_SET{UID/GID} and CAP_KILL for process management in CrOS

Project Member Reported by mortonm@chromium.org, May 22 2018

Issue description

Allow non-root processes in CrOS to setuid()/setgid() to specifically whitelisted UIDs/GIDs, as well as kill spawned processes that have switched to these whitelisted UIDs/GIDs, without needing to give CAP_SET{UID/GID} and CAP_KILL to non-root processes.

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.fxpk50cps4zs
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jul 26

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d

commit bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d
Author: Micah Morton <mortonm@chromium.org>
Date: Thu Jul 26 02:45:28 2018

CHROMIUM: add new syscall whitelist to alt-syscall

This CL adds a new syscall table which can be applied to programs in
CrOS that run in a minijail. Existing syscall tables in this file only
enumerate a subset of syscalls available in Linux, whereas this CL adds
a general-purpose whitelist for CrOS that enumerates every syscall in
Linux for the given architectures. While this generic table can be used
to hook any arbitrary syscall in the kernel, for now we only have plans
to use it to hook the setuid() syscall, as part of some bookkeeping we
have to do for the feature detailed in this doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the
x86-32 architecture, I didn't bother with that here since 32-bit x86
boards are EOL in CrOS and we don't have any need for using this
generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some
gross manual awk commands operating on the source headers in these
files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.14/arch/x86/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.14/arch/arm/kernel/calls.S
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.14/include/uapi/asm-generic/unistd.h

BUG= chromium:845640 , chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and
change its behavior.
Change-Id: Ia4df89bfe68231eafe8d5fc8baa73dff3c9509d1
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1138403
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>

[add] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/alt-syscall.c
[add] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/alt-syscall.h
[add] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/bd519cc3d4f34427d0cf8ea09138889eaa1f5b8d/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 2 by bugdroid1@chromium.org, Aug 7

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/522f48ee6f6f06be1615ca7adbbb97036cb3ace3

commit 522f48ee6f6f06be1615ca7adbbb97036cb3ace3
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 05:11:29 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403.
The only meaningful change is to add the bpf() syscall to the
process_tree whitelist, since it exists in 3.18 but not 3.14.

This CL adds a new syscall table which can be applied to programs in
CrOS that run in a minijail. Existing syscall tables in this file only
enumerate a subset of syscalls available in Linux, whereas this CL adds
a general-purpose whitelist for CrOS that enumerates every syscall in
Linux for the given architectures. While this generic table can be used
to hook any arbitrary syscall in the kernel, for now we only have plans
to use it to hook the setuid() syscall, as part of some bookkeeping we
have to do for the feature detailed in this doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the
x86-32 architecture, I didn't bother with that here since 32-bit x86
boards are EOL in CrOS and we don't have any need for using this
generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some
gross manual awk commands operating on the source headers in these
files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/arch/x86/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/arch/arm/kernel/calls.S
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/include/uapi/asm-generic/unistd.h

BUG= chromium:845640 , chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and
change its behavior.
Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I8b0c24f086ed7f187412eabeff341a132c5d111c
Reviewed-on: https://chromium-review.googlesource.com/1161180
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/alt-syscall.c
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/alt-syscall.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 3 by bugdroid1@chromium.org, Aug 7

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32

commit 146ac9e4cb9f2fbdb210385f8786c7d94bb02e32
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 05:11:32 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403.
The only meaningful change is to add the following syscalls to the
process_tree whitelist, since they exist in 4.4 but not 3.14 or 3.18:
- execveat
- userfaultfd
- mlock2

This CL adds a new syscall table which can be applied to programs in
CrOS that run in a minijail. Existing syscall tables in this file only
enumerate a subset of syscalls available in Linux, whereas this CL adds
a general-purpose whitelist for CrOS that enumerates every syscall in
Linux for the given architectures. While this generic table can be used
to hook any arbitrary syscall in the kernel, for now we only have plans
to use it to hook the setuid() syscall, as part of some bookkeeping we
have to do for the feature detailed in this doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the
x86-32 architecture, I didn't bother with that here since 32-bit x86
boards are EOL in CrOS and we don't have any need for using this
generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some
gross manual awk commands operating on the source headers in these
files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/arch/x86/entry/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/arch/arm/kernel/calls.S
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/include/uapi/asm-generic/unistd.h

BUG= chromium:845640 , chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and
change its behavior.
Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I2f73677979d44cede216c51d9f0eb26e20517c05
Reviewed-on: https://chromium-review.googlesource.com/1163802
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/alt-syscall.c
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/alt-syscall.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 4 by bugdroid1@chromium.org, Aug 7

Labels: merge-merged-chromeos-4.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7539e681b9341cd8c2881935cdacb15aa242730b

commit 7539e681b9341cd8c2881935cdacb15aa242730b
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 08:51:13 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403.
The only meaningful change is to add the following syscalls to the
process_tree whitelist, since they exist in 4.14 but not 3.14/3.18/4.4:
- copy_file_range
- preadv2
- pwritev2
- pkey_mprotect
- pkey_alloc
- pkey_free
- statx

This CL adds a new syscall table which can be applied to programs in
CrOS that run in a minijail. Existing syscall tables in this file only
enumerate a subset of syscalls available in Linux, whereas this CL adds
a general-purpose whitelist for CrOS that enumerates every syscall in
Linux for the given architectures. While this generic table can be used
to hook any arbitrary syscall in the kernel, for now we only have plans
to use it to hook the setuid() syscall, as part of some bookkeeping we
have to do for the feature detailed in this doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the
x86-32 architecture, I didn't bother with that here since 32-bit x86
boards are EOL in CrOS and we don't have any need for using this
generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some
gross manual awk commands operating on the source headers in these
files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/arch/x86/entry/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/arch/arm/tools/syscall.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/include/uapi/asm-generic/unistd.h

BUG= chromium:845640 , chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and
change its behavior.
Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I6906cdc41db05abe2cb4adf4361f7b3b44881991
Reviewed-on: https://chromium-review.googlesource.com/1162120

[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/alt-syscall.c
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/alt-syscall.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/process_tree_whitelists.h

Blocking: 884511
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2f5554ca43b2b9be30c2b5d8e283011085b3fb78

commit 2f5554ca43b2b9be30c2b5d8e283011085b3fb78
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Oct 16 09:57:32 2018

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that allocated buffer is one byte
longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281062
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/2f5554ca43b2b9be30c2b5d8e283011085b3fb78/include/linux/string.h
[modify] https://crrev.com/2f5554ca43b2b9be30c2b5d8e283011085b3fb78/mm/util.c

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c96fb206ab18a506d32d3878e196a2c2126dd7fc

commit c96fb206ab18a506d32d3878e196a2c2126dd7fc
Author: David Howells <dhowells@redhat.com>
Date: Tue Oct 16 09:57:30 2018

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string
from an unterminated character array where the length is known in advance.

This is better than kstrndup() in situations where we already know the
string length as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281182
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/c96fb206ab18a506d32d3878e196a2c2126dd7fc/include/linux/string.h
[modify] https://crrev.com/c96fb206ab18a506d32d3878e196a2c2126dd7fc/mm/util.c

Project Member

Comment 8 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/55bc07e9c0b60a3714583eb3885ec60420ce8f93

commit 55bc07e9c0b60a3714583eb3885ec60420ce8f93
Author: David Howells <dhowells@redhat.com>
Date: Tue Oct 23 20:01:51 2018

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string
from an unterminated character array where the length is known in advance.

This is better than kstrndup() in situations where we already know the
string length as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294703
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/55bc07e9c0b60a3714583eb3885ec60420ce8f93/include/linux/string.h
[modify] https://crrev.com/55bc07e9c0b60a3714583eb3885ec60420ce8f93/mm/util.c

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ab35955486d6a066a4099fe8ed0680c828256e64

commit ab35955486d6a066a4099fe8ed0680c828256e64
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Oct 23 20:01:40 2018

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that allocated buffer is one byte
longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294704
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/ab35955486d6a066a4099fe8ed0680c828256e64/include/linux/string.h
[modify] https://crrev.com/ab35955486d6a066a4099fe8ed0680c828256e64/mm/util.c

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/85380cafd9dc34b56ce2befda87966f1cca91c24

commit 85380cafd9dc34b56ce2befda87966f1cca91c24
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 20:03:16 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1055871
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/process_management.h
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/securityfs.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/include/linux/security.h
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/lsm.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/security.c
[delete] https://crrev.com/06b28c62ae5bd234c90006006219629c7441ce1e/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 11 by bugdroid1@chromium.org, Oct 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/57aeee2a884911a0a86042e8e16f02920195c541

commit 57aeee2a884911a0a86042e8e16f02920195c541
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 20:03:12 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1296818
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/process_management.h
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/lsm.c
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/securityfs.c
[delete] https://crrev.com/523d4ec896297f400d1b5a52d587fa051aeff346/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 12 by bugdroid1@chromium.org, Oct 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e6bf4bd4648b24b779daa97652391737f31a5856

commit e6bf4bd4648b24b779daa97652391737f31a5856
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 23:45:09 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294557

[add] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/process_management.h
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/securityfs.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/include/linux/security.h
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/lsm.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/security.c
[delete] https://crrev.com/c6b9ee35d8af53e7db34d1bc5058642146700cf3/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 13 by bugdroid1@chromium.org, Oct 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cf99fd93c49c22e76e7f371a69d96fbb47c153d1

commit cf99fd93c49c22e76e7f371a69d96fbb47c153d1
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 23:45:13 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1297081
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/process_management.h
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/lsm.c
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/securityfs.c
[delete] https://crrev.com/30a7a6ab5cfc5640a9ef78b0d6f2e0ae5640dd4b/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 14 by bugdroid1@chromium.org, Oct 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/da95100ae643afbf599ad8c14ae588814fd58372

commit da95100ae643afbf599ad8c14ae588814fd58372
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Oct 26 07:41:08 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use
of symbols and functions not available on all architectures. Restrict
to x86_64 and arm64 since those are the only tested and supported
architectures, and there are presumably no plans to ever upstream this
code.

BUG= chromium:845640 , chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298701
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/da95100ae643afbf599ad8c14ae588814fd58372/security/chromiumos/Kconfig

Project Member

Comment 15 by bugdroid1@chromium.org, Oct 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6c8468f6145aa331c4d50b349863ed464f10485d

commit 6c8468f6145aa331c4d50b349863ed464f10485d
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Oct 26 07:41:10 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use
of symbols and functions not available on all architectures. Restrict
to x86_64 and arm64 since those are the only tested and supported
architectures, and there are presumably no plans to ever upstream this
code.

BUG= chromium:845640 , chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298703
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/6c8468f6145aa331c4d50b349863ed464f10485d/security/chromiumos/Kconfig

Blockedon: 899772
Project Member

Comment 17 by bugdroid1@chromium.org, Oct 31

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/d9e1f06de1d573e5adf7649b7395b568a846e0cf

commit d9e1f06de1d573e5adf7649b7395b568a846e0cf
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:22 2018

init: Add process management whitelist configuration

Support configuring the whitelist for process management through
installation of a file in
/usr/share/cros/startup/process_management_policies/ that specifies
which users should be allowed to use other UIDs on the system for the
purposes of process management.

CQ-DEPEND=CL:1055871,CL:1064698,CL:1068077,CL:1296792,CL:1296793
BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes with manual addition of policy file
in /usr/share/cros/startup/process_management_policies/. also tested as
part of larger shill sandbox debug CL

Change-Id: I56dd5c7aa49a1d92e4f79796730378f3069217b5
Reviewed-on: https://chromium-review.googlesource.com/1062656
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d9e1f06de1d573e5adf7649b7395b568a846e0cf/init/chromeos_startup
[add] https://crrev.com/d9e1f06de1d573e5adf7649b7395b568a846e0cf/init/config_process_mgmt_utils.sh
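Comment 10 describes the kernel side of this feature (a per-user policy that restricts which UIDs a process, already holding CAP_SETUID, may switch to) and comment 17 the configuration side (a policy file installed under /usr/share/cros/startup/process_management_policies/). The userspace C program below is an added example, not code from the Chromium OS kernel, platform2 or init repositories: it models the policy as a default-deny whitelist of (from_uid, to_uid) pairs, parses it from text, and answers the question the LSM hook has to answer at setuid() time. The `from:to` line format, the sample UIDs, and the names `pm_policy_parse` / `pm_policy_allows` are constructed for illustration; the real CrOS policy file format is not shown on this page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* One whitelist entry: a process running as `from` may switch to `to`. */
struct pm_rule {
    uid_t from;
    uid_t to;
};

#define PM_MAX_RULES 64

struct pm_policy {
    struct pm_rule rules[PM_MAX_RULES];
    size_t count;
};

/* Constructed sample policy (hypothetical UIDs, not a real CrOS file):
 * uid 1000 may become 1001 or 1002; uid 2000 may become 1001. */
static const char EXAMPLE_POLICY[] =
    "# constructed example policy for this snippet\n"
    "1000:1001\n"
    "1000:1002\n"
    "2000:1001\n";

/*
 * Parse "from_uid:to_uid" lines into `p`. Blank lines and lines beginning
 * with '#' are ignored. Returns the number of rules loaded, or -1 on any
 * malformed line: a policy that cannot be parsed must fail closed rather
 * than be partially applied.
 */
int pm_policy_parse(struct pm_policy *p, const char *text)
{
    const char *line = text;

    p->count = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[64];
        char *sep, *end_from, *end_to;
        unsigned long from, to;

        /* Copy the line so it can be handled as a NUL-terminated string. */
        if (len >= sizeof buf)
            return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : line + len;

        if (buf[0] == '\0' || buf[0] == '#')
            continue;

        sep = strchr(buf, ':');
        if (!sep)
            return -1;
        *sep = '\0';

        errno = 0;
        from = strtoul(buf, &end_from, 10);
        to = strtoul(sep + 1, &end_to, 10);
        /* Reject empty fields, trailing garbage and out-of-range values. */
        if (errno || end_from == buf || *end_from || end_to == sep + 1 || *end_to)
            return -1;
        if (p->count == PM_MAX_RULES)
            return -1;

        p->rules[p->count].from = (uid_t)from;
        p->rules[p->count].to = (uid_t)to;
        p->count++;
    }
    return (int)p->count;
}

/*
 * Default-deny check: the switch is permitted only if an explicit rule
 * matches. Switching to the caller's own UID is treated as allowed here
 * (a design choice of this example, since setuid() to the current UID
 * changes nothing); everything else, including uid 0, needs a rule.
 */
int pm_policy_allows(const struct pm_policy *p, uid_t from, uid_t to)
{
    if (from == to)
        return 1;
    for (size_t i = 0; i < p->count; i++)
        if (p->rules[i].from == from && p->rules[i].to == to)
            return 1;
    return 0;
}

int main(void)
{
    struct pm_policy p;

    if (pm_policy_parse(&p, EXAMPLE_POLICY) < 0) {
        fprintf(stderr, "malformed policy\n");
        return 1;
    }
    printf("1000 -> 1001: %s\n", pm_policy_allows(&p, 1000, 1001) ? "allowed" : "denied");
    printf("1000 -> 0:    %s\n", pm_policy_allows(&p, 1000, 0) ? "allowed" : "denied");
    return 0;
}
```

The point of the default-deny shape is that the whitelist narrows what CAP_SETUID would otherwise permit: a process that holds the capability but is not listed for a given target UID (in particular uid 0) is refused, which is the property the security_ProcessManagementPolicy autotest in comment 19 checks for.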

Project Member

Comment 18 by bugdroid1@chromium.org, Oct 31

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/8c99f9ec0b1992f60799073ed9cf7e1bd19837c8

commit 8c99f9ec0b1992f60799073ed9cf7e1bd19837c8
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:22 2018

Add process management policy test in ebuild

CQ-DEPEND=CL:1055871,CL:1064698,CL:1062656,CL:1296792,CL:1296793
BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Iaa16292d0d4d714f166798936fbcec44c875b2c4
Reviewed-on: https://chromium-review.googlesource.com/1068077
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8c99f9ec0b1992f60799073ed9cf7e1bd19837c8/chromeos-base/autotest-tests-security/autotest-tests-security-9999.ebuild

Project Member

Comment 19 by bugdroid1@chromium.org, Oct 31

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/58114e79d3a16f6aa9c08795792b287338a518d7

commit 58114e79d3a16f6aa9c08795792b287338a518d7
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:23 2018

Add autotest for process management security policies

CL:1055871 extends the chromiumos LSM to support configuring per-UID
policies in CrOS that restrict which other UIDs can be switched to by
processes spawned under the restricted UID. This autotest ensures that
restricted users can only setuid() to UIDs approved by the security
policy installed on the system.

CQ-DEPEND=CL:1062656,CL:1068077,CL:1055871,CL:1296792,CL:1296793
BUG= chromium:845640 
TEST=autotest passes with LSM functionality enabled and configured on
DUT

Change-Id: I9a9d5e8c1c1f507d46b905bb268a2184646547c0
Reviewed-on: https://chromium-review.googlesource.com/1064698
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[add] https://crrev.com/58114e79d3a16f6aa9c08795792b287338a518d7/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
[add] https://crrev.com/58114e79d3a16f6aa9c08795792b287338a518d7/client/site_tests/security_ProcessManagementPolicy/control

Status: Fixed (was: Started)
Project Member

Comment 21 by bugdroid1@chromium.org, Nov 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c44bdea4ffc64e130c339fad76ce46ce3153a5e2

commit c44bdea4ffc64e130c339fad76ce46ce3153a5e2
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 09:21:24 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the
chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe
against removal by different threads.

BUG= chromium:845640 
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then
flushed policies running security_ProcessManagementPolicy autotest
before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318352
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/c44bdea4ffc64e130c339fad76ce46ce3153a5e2/security/chromiumos/lsm.c

Project Member

Comment 22 by bugdroid1@chromium.org, Nov 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/02810e26f2d986339a37b311dc65ba6d0be9decb

commit 02810e26f2d986339a37b311dc65ba6d0be9decb
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:42 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the
chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe
against removal by different threads.

BUG= chromium:845640 
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then
flushed policies running security_ProcessManagementPolicy autotest
before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318351
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/02810e26f2d986339a37b311dc65ba6d0be9decb/security/chromiumos/lsm.c

Project Member

Comment 23 by bugdroid1@chromium.org, Nov 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0268b7fd915d8d6eb26cfffeb98bf8a5088ee823

commit 0268b7fd915d8d6eb26cfffeb98bf8a5088ee823
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:58 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the
chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe
against removal by different threads.

BUG= chromium:845640 
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then
flushed policies running security_ProcessManagementPolicy autotest
before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1315674
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/0268b7fd915d8d6eb26cfffeb98bf8a5088ee823/security/chromiumos/lsm.c

Project Member

Comment 24 by bugdroid1@chromium.org, Nov 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7712c1d5eee6abbb35730c5385513e4a272a493e

commit 7712c1d5eee6abbb35730c5385513e4a272a493e
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:32 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the
chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe
against removal by different threads.

BUG= chromium:845640 
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then
flushed policies running security_ProcessManagementPolicy autotest
before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>

Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318350
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/7712c1d5eee6abbb35730c5385513e4a272a493e/security/chromiumos/lsm.c

Project Member

Comment 25 by bugdroid1@chromium.org, Nov 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/3fef550c0c2d6f307d2224f0dbd3c108fe0af96d

commit 3fef550c0c2d6f307d2224f0dbd3c108fe0af96d
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Nov 09 19:05:08 2018

security_ProcessManagementPolicy: make n/a for 3.8

Make this test n/a for kernel 3.8, since we didn't port the kernel
changes that support these policies back to 3.8.

Also removed unused import and added docstring to get repo upload to
stop complaining.

BUG= chromium:845640 
TEST=ran test on 3.8 board with change

Change-Id: I7a61327bb59a4bee1bc2a9724bfb6cce504dfa08
Reviewed-on: https://chromium-review.googlesource.com/1312278
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: David Haddock <dhaddock@chromium.org>

[modify] https://crrev.com/3fef550c0c2d6f307d2224f0dbd3c108fe0af96d/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py

Project Member

Comment 26 by bugdroid1@chromium.org, Nov 13

Labels: merge-merged-chromeos-4.19
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/65cd67231ce06e5f562f68e9367839fcb81d4edc

commit 65cd67231ce06e5f562f68e9367839fcb81d4edc
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Nov 13 11:32:59 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1321178
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/process_management.h
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/lsm.c
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/securityfs.c
[delete] https://crrev.com/e1843fb3a0454bca10f21241e592a4ded05358f8/security/chromiumos/process_tree_whitelists.h

Project Member

Comment 27 by bugdroid1@chromium.org, Nov 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d7929e9fcc97e2e2610117f2a136ca393ef22684

commit d7929e9fcc97e2e2610117f2a136ca393ef22684
Author: Guenter Roeck <groeck@chromium.org>
Date: Thu Nov 15 10:16:40 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use
of symbols and functions not available on all architectures. Restrict
to x86_64 and arm64 since those are the only tested and supported
architectures, and there are presumably no plans to ever upstream this
code.

BUG= chromium:845640 , chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298702
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/d7929e9fcc97e2e2610117f2a136ca393ef22684/security/chromiumos/Kconfig

Project Member

Comment 28 by bugdroid1@chromium.org, Nov 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/736c9030faca760e03b4f532895f2700a2a3cff0

commit 736c9030faca760e03b4f532895f2700a2a3cff0
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Nov 16 13:02:12 2018

security_ProcessManagementPolicy: add shill whitelist

Add the whitelist policy for shill to this test since it recently landed
in CL:1222569.

Also removed a couple unused python import statements and added a
docstring to get repo upload to stop complaining.

BUG= chromium:845640 
TEST=ran the autotest with changes

Change-Id: I42963d63c833a41fa308ea3a047ab5da69806a07
Reviewed-on: https://chromium-review.googlesource.com/1323751
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[modify] https://crrev.com/736c9030faca760e03b4f532895f2700a2a3cff0/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py

Project Member

Comment 29 by bugdroid1@chromium.org, Nov 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/0744ef2ec4d69f67cccb09976076000dfc4f1fdb

commit 0744ef2ec4d69f67cccb09976076000dfc4f1fdb
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Nov 20 03:13:59 2018

security_ProcessManagementPolicy: make n/a for 3.10

Make this test n/a for kernel 3.10 (it's already n/a for 3.8), since we
didn't port the kernel changes that support these policies back to 3.10.

BUG= chromium:845640 
TEST=observed the n/a error being hit when checking whether 'version'
equals '3.14.0' on lulu board

Change-Id: I16e0f1d97f29a3467bcc87f535c6afb3ee6bfd26
Reviewed-on: https://chromium-review.googlesource.com/1333933
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: David Haddock <dhaddock@chromium.org>

[modify] https://crrev.com/0744ef2ec4d69f67cccb09976076000dfc4f1fdb/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py

Project Member

Comment 30 by bugdroid1@chromium.org, Dec 3

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/027bce94f0e7a27a1c2d86622949582f6ae874ee

commit 027bce94f0e7a27a1c2d86622949582f6ae874ee
Author: Micah Morton <mortonm@chromium.org>
Date: Mon Dec 03 20:43:28 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening
policies applied is rejected by the kernel from doing some operation
that requires CAP_SETUID. We already do this for rejected UID
transitions and other functions in this file.

BUG= chromium:845640 
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1356080
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/027bce94f0e7a27a1c2d86622949582f6ae874ee/security/chromiumos/lsm.c

Project Member

Comment 31 by bugdroid1@chromium.org, Dec 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cfd582ba5a72bdd75ba5105fcf2f489a51292690

commit cfd582ba5a72bdd75ba5105fcf2f489a51292690
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:07 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening
policies applied is rejected by the kernel from doing some operation
that requires CAP_SETUID. We already do this for rejected UID
transitions and other functions in this file.

BUG= chromium:845640 
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355861

[modify] https://crrev.com/cfd582ba5a72bdd75ba5105fcf2f489a51292690/security/chromiumos/lsm.c

Project Member

Comment 32 by bugdroid1@chromium.org, Dec 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dfa8cdee57cf5b67645134cd8b168d5742bc9ebe

commit dfa8cdee57cf5b67645134cd8b168d5742bc9ebe
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:09 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening
policies applied is rejected by the kernel from doing some operation
that requires CAP_SETUID. We already do this for rejected UID
transitions and other functions in this file.

BUG= chromium:845640 
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355862

[modify] https://crrev.com/dfa8cdee57cf5b67645134cd8b168d5742bc9ebe/security/chromiumos/lsm.c

Project Member

Comment 33 by bugdroid1@chromium.org, Dec 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f40e421a29c3872979b72802daacb197fdaa4a41

commit f40e421a29c3872979b72802daacb197fdaa4a41
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:03 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening
policies applied is rejected by the kernel from doing some operation
that requires CAP_SETUID. We already do this for rejected UID
transitions and other functions in this file.

BUG= chromium:845640 
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355864

[modify] https://crrev.com/f40e421a29c3872979b72802daacb197fdaa4a41/security/chromiumos/lsm.c

Project Member

Comment 34 by bugdroid1@chromium.org, Dec 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5b9a1b6d1307474baf87104de4fafbc4ac6d54b2

commit 5b9a1b6d1307474baf87104de4fafbc4ac6d54b2
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:11 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening
policies applied is rejected by the kernel from doing some operation
that requires CAP_SETUID. We already do this for rejected UID
transitions and other functions in this file.

BUG= chromium:845640 
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355863

[modify] https://crrev.com/5b9a1b6d1307474baf87104de4fafbc4ac6d54b2/security/chromiumos/lsm.c

Project Member

Comment 35 by bugdroid1@chromium.org, Jan 6

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/10c986351de92b1dfbfab88c62636212ad4cd8b5

commit 10c986351de92b1dfbfab88c62636212ad4cd8b5
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Jan 06 04:08:29 2019

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that allocated buffer is one byte
longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281062
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 2f5554ca43b2b9be30c2b5d8e283011085b3fb78)
Reviewed-on: https://chromium-review.googlesource.com/1387639
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/10c986351de92b1dfbfab88c62636212ad4cd8b5/include/linux/string.h
[modify] https://crrev.com/10c986351de92b1dfbfab88c62636212ad4cd8b5/mm/util.c

Project Member

Comment 36 by bugdroid1@chromium.org, Jan 6

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bfb38512faa96f0755b76cebf8cf2cd11590f08

commit 5bfb38512faa96f0755b76cebf8cf2cd11590f08
Author: David Howells <dhowells@redhat.com>
Date: Sun Jan 06 04:08:30 2019

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string
from an unterminated character array where the length is known in advance.

This is better than kstrndup() in situations where we already know the
string length as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG= chromium:845640 
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281182
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit c96fb206ab18a506d32d3878e196a2c2126dd7fc)
Reviewed-on: https://chromium-review.googlesource.com/1387641
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/5bfb38512faa96f0755b76cebf8cf2cd11590f08/include/linux/string.h
[modify] https://crrev.com/5bfb38512faa96f0755b76cebf8cf2cd11590f08/mm/util.c

Project Member

Comment 37 by bugdroid1@chromium.org, Jan 6

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/221174956a10796906b6611f21b5a68c917daf5f

commit 221174956a10796906b6611f21b5a68c917daf5f
Author: Micah Morton <mortonm@chromium.org>
Date: Sun Jan 06 04:08:33 2019

security_ProcessManagementPolicy: lock down vpn users

Make sure vpn users "openvpn" and "ipsec" can't setuid to root even when
they have CAP_SETUID.

A.K.A. make sure CL:1356101 does what it intended.

BUG= chromium:845640 
TEST=ran autotest

Change-Id: I4534b38ee529bcc8b9fcd9cc03bb2a1ea8950499
Reviewed-on: https://chromium-review.googlesource.com/1396530
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/221174956a10796906b6611f21b5a68c917daf5f/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py

Project Member

Comment 38 by bugdroid1@chromium.org, Jan 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/95d349ce11307453794fc45196c2c42bf8ac55b4

commit 95d349ce11307453794fc45196c2c42bf8ac55b4
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Jan 08 13:03:15 2019

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict
which UIDs can be switched to by processes running under that user
(process must first have CAP_SETUID).

doc:
https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the
setgid() and kill() syscalls, which will use the same whitelist to allow
exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

CQ-DEPEND=CL:1387641,CL:1387639,CL:1393623
BUG= chromium:845640 , chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill
sandbox debug CL

Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1055871
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Reviewed-on: https://chromium-review.googlesource.com/1387643

[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/security.c
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/lsm.c
[add] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/process_management.h
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/securityfs.c
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/include/linux/security.h
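
A user-space model of what the commits above describe, added here as an example and not the chromiumos LSM's own code: a per-UID setuid() whitelist that arrives as an unterminated write payload (hence the kmemdup_nul()-style copy from the UPSTREAM commits), is parsed strictly, and logs a WARN on denial as the Dec 3 commit does. The policy text format, the function names, the table sizes and the choice to leave UIDs without an entry unrestricted are assumptions of this illustration.

```c
/* Added example, not the chromiumos LSM's code: a user-space model of the per-UID
 * setuid() policy described above. The policy text format ("<uid>:<t1>,<t2>" lines),
 * the function names and the table sizes are assumptions made for this illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
struct policy_entry { uid_t uid; uid_t targets[8]; size_t ntargets; };
struct policy { struct policy_entry entries[16]; size_t nentries; };

/* User-space analogue of kmemdup_nul(): copy len unterminated bytes, append '\0'. */
static char *dup_nul(const char *src, size_t len)
{
    char *p = malloc(len + 1);
    if (p) { memcpy(p, src, len); p[len] = '\0'; }
    return p;
}

/* Strict decimal UID parse: rejects empty input, trailing junk and overflow. */
static int parse_uid(const char *s, uid_t *out)
{
    char *end; errno = 0;
    *out = (uid_t)strtoul(s, &end, 10);
    return errno == 0 && end != s && *end == '\0';
}

/* Parse an unterminated write(2) payload of known length; -1 if any line is malformed. */
static int policy_parse(struct policy *pol, const char *buf, size_t len)
{
    char *text = dup_nul(buf, len), *line = text, *nl, *tok, *sep = NULL;
    int rc = -1;
    if (!text) return -1;
    pol->nentries = 0;
    while (*line) {
        struct policy_entry *e = &pol->entries[pol->nentries];
        if ((nl = strchr(line, '\n'))) *nl = '\0';
        if (!(tok = strchr(line, ':')) || pol->nentries == 16) goto out;
        *tok++ = '\0';
        if (!parse_uid(line, &e->uid)) goto out;
        for (e->ntargets = 0; tok; tok = sep ? sep + 1 : NULL) {
            if ((sep = strchr(tok, ','))) *sep = '\0';
            if (e->ntargets == 8 || !parse_uid(tok, &e->targets[e->ntargets++])) goto out;
        }
        pol->nentries++;
        line = nl ? nl + 1 : line + strlen(line);
    }
    rc = (int)pol->nentries;
out:
    free(text);
    return rc;
}

/* For a process already holding CAP_SETUID: a UID with an entry may only switch to
 * listed targets (denial logged like the WARN commit); no entry means unrestricted here. */
static int policy_allows_setuid(const struct policy *pol, uid_t from, uid_t to)
{
    for (size_t i = 0; i < pol->nentries; i++) {
        const struct policy_entry *e = &pol->entries[i];
        if (e->uid != from) continue;
        for (size_t j = 0; j < e->ntargets; j++)
            if (e->targets[j] == to) return 1;
        fprintf(stderr, "WARN: uid %u denied setuid() to %u\n", (unsigned)from, (unsigned)to);
        return 0;
    }
    return 1;
}

/* Parse policy_text, then evaluate one transition: 1 allowed, 0 denied, -1 malformed. */
static int check_transition(const char *policy_text, size_t len, uid_t from, uid_t to)
{
    struct policy pol;
    return policy_parse(&pol, policy_text, len) < 0 ? -1 : policy_allows_setuid(&pol, from, to);
}
```

The whole write is rejected on any malformed line, so a partially applied policy never takes effect; a real LSM must additionally serialize concurrent writers and flushes, which the FIXUP commits above address and this single-threaded model does not.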
