Come up with alternative to giving CAP_SET{UID/GID} and CAP_KILL for process management in CrOS
Issue description
Allow non-root processes in CrOS to setuid()/setgid() to specifically whitelisted UIDs/GIDs, as well as kill spawned processes that have switched to these whitelisted UIDs/GIDs, without needing to give CAP_SET{UID/GID} and CAP_KILL to non-root processes.
doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.fxpk50cps4zs

Aug 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/522f48ee6f6f06be1615ca7adbbb97036cb3ace3

commit 522f48ee6f6f06be1615ca7adbbb97036cb3ace3
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 05:11:29 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403. The only meaningful change is to add the bpf() syscall to the process_tree whitelist, since it exists in 3.18 but not 3.14.

This CL adds a new syscall table which can be applied to programs in CrOS that run in a minijail. Existing syscall tables in this file only enumerate a subset of syscalls available in Linux, whereas this CL adds a general-purpose whitelist for CrOS that enumerates every syscall in Linux for the given architectures. While this generic table can be used to hook any arbitrary syscall in the kernel, for now we only have plans to use it to hook the setuid() syscall, as part of some bookkeeping we have to do for the feature detailed in this doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the x86-32 architecture, I didn't bother with that here since 32-bit x86 boards are EOL in CrOS and we don't have any need for using this generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some gross manual awk commands operating on the source headers in these files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/arch/x86/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/arch/arm/kernel/calls.S
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v3.18/include/uapi/asm-generic/unistd.h

BUG=chromium:845640, chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and change its behavior.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I8b0c24f086ed7f187412eabeff341a132c5d111c
Reviewed-on: https://chromium-review.googlesource.com/1161180
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/alt-syscall.c
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/alt-syscall.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/522f48ee6f6f06be1615ca7adbbb97036cb3ace3/security/chromiumos/process_tree_whitelists.h

Aug 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32

commit 146ac9e4cb9f2fbdb210385f8786c7d94bb02e32
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 05:11:32 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403. The only meaningful change is to add the following syscalls to the process_tree whitelist, since they exist in 4.4 but not 3.14 or 3.18:
- execveat
- userfaultfd
- mlock2

This CL adds a new syscall table which can be applied to programs in CrOS that run in a minijail. Existing syscall tables in this file only enumerate a subset of syscalls available in Linux, whereas this CL adds a general-purpose whitelist for CrOS that enumerates every syscall in Linux for the given architectures. While this generic table can be used to hook any arbitrary syscall in the kernel, for now we only have plans to use it to hook the setuid() syscall, as part of some bookkeeping we have to do for the feature detailed in this doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the x86-32 architecture, I didn't bother with that here since 32-bit x86 boards are EOL in CrOS and we don't have any need for using this generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some gross manual awk commands operating on the source headers in these files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/arch/x86/entry/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/arch/arm/kernel/calls.S
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.4/include/uapi/asm-generic/unistd.h

BUG=chromium:845640, chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and change its behavior.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I2f73677979d44cede216c51d9f0eb26e20517c05
Reviewed-on: https://chromium-review.googlesource.com/1163802
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/alt-syscall.c
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/alt-syscall.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/146ac9e4cb9f2fbdb210385f8786c7d94bb02e32/security/chromiumos/process_tree_whitelists.h

Aug 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7539e681b9341cd8c2881935cdacb15aa242730b

commit 7539e681b9341cd8c2881935cdacb15aa242730b
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Aug 07 08:51:13 2018

CHROMIUM: add new syscall whitelist to alt-syscall

NOTE: this change was originally reviewed for the 3.14 branch in https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1138403. The only meaningful change is to add the following syscalls to the process_tree whitelist, since they exist in 4.14 but not 3.14/3.18/4.4:
- copy_file_range
- preadv2
- pwritev2
- pkey_mprotect
- pkey_alloc
- pkey_free
- statx

This CL adds a new syscall table which can be applied to programs in CrOS that run in a minijail. Existing syscall tables in this file only enumerate a subset of syscalls available in Linux, whereas this CL adds a general-purpose whitelist for CrOS that enumerates every syscall in Linux for the given architectures. While this generic table can be used to hook any arbitrary syscall in the kernel, for now we only have plans to use it to hook the setuid() syscall, as part of some bookkeeping we have to do for the feature detailed in this doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#heading=h.xgjl2srtytjt

Although other syscall tables in this file enumerate syscalls for the x86-32 architecture, I didn't bother with that here since 32-bit x86 boards are EOL in CrOS and we don't have any need for using this generic syscall table in any kind of 32-bit compatibility mode.

P.S. coming up with the syscalls for each architecture involved some gross manual awk commands operating on the source headers in these files (suggestions welcome if anyone knows a better way of doing this):
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/arch/x86/entry/syscalls/syscall_64.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/arch/arm/tools/syscall.tbl
https://cs.corp.google.com/chromeos_public/src/third_party/kernel/v4.14/include/uapi/asm-generic/unistd.h

BUG=chromium:845640, chromium:649417
TEST=used in conjunction with minijail to hook the setuid() syscall and change its behavior.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I6906cdc41db05abe2cb4adf4361f7b3b44881991
Reviewed-on: https://chromium-review.googlesource.com/1162120

[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/read_write_test_whitelists.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/android_whitelists.h
[modify] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/alt-syscall.c
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/alt-syscall.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/third_party_whitelists.h
[add] https://crrev.com/7539e681b9341cd8c2881935cdacb15aa242730b/security/chromiumos/process_tree_whitelists.h

Sep 17

Oct 16

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2f5554ca43b2b9be30c2b5d8e283011085b3fb78

commit 2f5554ca43b2b9be30c2b5d8e283011085b3fb78
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Oct 16 09:57:32 2018

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that allocated buffer is one byte longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281062
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/2f5554ca43b2b9be30c2b5d8e283011085b3fb78/include/linux/string.h
[modify] https://crrev.com/2f5554ca43b2b9be30c2b5d8e283011085b3fb78/mm/util.c

Oct 16

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c96fb206ab18a506d32d3878e196a2c2126dd7fc

commit c96fb206ab18a506d32d3878e196a2c2126dd7fc
Author: David Howells <dhowells@redhat.com>
Date: Tue Oct 16 09:57:30 2018

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string from an unterminated character array where the length is known in advance. This is better than kstrndup() in situations where we already know the string length as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281182
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/c96fb206ab18a506d32d3878e196a2c2126dd7fc/include/linux/string.h
[modify] https://crrev.com/c96fb206ab18a506d32d3878e196a2c2126dd7fc/mm/util.c

Oct 23

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/55bc07e9c0b60a3714583eb3885ec60420ce8f93

commit 55bc07e9c0b60a3714583eb3885ec60420ce8f93
Author: David Howells <dhowells@redhat.com>
Date: Tue Oct 23 20:01:51 2018

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string from an unterminated character array where the length is known in advance. This is better than kstrndup() in situations where we already know the string length as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294703
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/55bc07e9c0b60a3714583eb3885ec60420ce8f93/include/linux/string.h
[modify] https://crrev.com/55bc07e9c0b60a3714583eb3885ec60420ce8f93/mm/util.c

Oct 23

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ab35955486d6a066a4099fe8ed0680c828256e64

commit ab35955486d6a066a4099fe8ed0680c828256e64
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Oct 23 20:01:40 2018

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that allocated buffer is one byte longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294704
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/ab35955486d6a066a4099fe8ed0680c828256e64/include/linux/string.h
[modify] https://crrev.com/ab35955486d6a066a4099fe8ed0680c828256e64/mm/util.c

Oct 24

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/85380cafd9dc34b56ce2befda87966f1cca91c24

commit 85380cafd9dc34b56ce2befda87966f1cca91c24
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 20:03:16 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1055871
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/process_management.h
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/securityfs.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/include/linux/security.h
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/lsm.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/85380cafd9dc34b56ce2befda87966f1cca91c24/security/security.c
[delete] https://crrev.com/06b28c62ae5bd234c90006006219629c7441ce1e/security/chromiumos/process_tree_whitelists.h

Oct 24

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/57aeee2a884911a0a86042e8e16f02920195c541

commit 57aeee2a884911a0a86042e8e16f02920195c541
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 20:03:12 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1296818
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/process_management.h
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/lsm.c
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/57aeee2a884911a0a86042e8e16f02920195c541/security/chromiumos/securityfs.c
[delete] https://crrev.com/523d4ec896297f400d1b5a52d587fa051aeff346/security/chromiumos/process_tree_whitelists.h

Oct 24

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e6bf4bd4648b24b779daa97652391737f31a5856

commit e6bf4bd4648b24b779daa97652391737f31a5856
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 23:45:09 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1294557

[add] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/process_management.h
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/securityfs.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/include/linux/security.h
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/lsm.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/e6bf4bd4648b24b779daa97652391737f31a5856/security/security.c
[delete] https://crrev.com/c6b9ee35d8af53e7db34d1bc5058642146700cf3/security/chromiumos/process_tree_whitelists.h

Oct 24

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cf99fd93c49c22e76e7f371a69d96fbb47c153d1

commit cf99fd93c49c22e76e7f371a69d96fbb47c153d1
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 24 23:45:13 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1297081
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/process_management.h
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/lsm.c
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/cf99fd93c49c22e76e7f371a69d96fbb47c153d1/security/chromiumos/securityfs.c
[delete] https://crrev.com/30a7a6ab5cfc5640a9ef78b0d6f2e0ae5640dd4b/security/chromiumos/process_tree_whitelists.h

Oct 26

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/da95100ae643afbf599ad8c14ae588814fd58372

commit da95100ae643afbf599ad8c14ae588814fd58372
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Oct 26 07:41:08 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use of symbols and functions not available on all architectures. Restrict to x86_64 and arm64 since those are the only tested and supported architectures, and there are presumably no plans to ever upstream this code.

BUG=chromium:845640, chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298701
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/da95100ae643afbf599ad8c14ae588814fd58372/security/chromiumos/Kconfig

Oct 26

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6c8468f6145aa331c4d50b349863ed464f10485d

commit 6c8468f6145aa331c4d50b349863ed464f10485d
Author: Guenter Roeck <groeck@chromium.org>
Date: Fri Oct 26 07:41:10 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use of symbols and functions not available on all architectures. Restrict to x86_64 and arm64 since those are the only tested and supported architectures, and there are presumably no plans to ever upstream this code.

BUG=chromium:845640, chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298703
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/6c8468f6145aa331c4d50b349863ed464f10485d/security/chromiumos/Kconfig

Oct 29

Oct 31

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/d9e1f06de1d573e5adf7649b7395b568a846e0cf

commit d9e1f06de1d573e5adf7649b7395b568a846e0cf
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:22 2018

init: Add process management whitelist configuration

Support configuring the whitelist for process management through installation of a file in /usr/share/cros/startup/process_management_policies/ that specifies which users should be allowed to use other UIDs on the system for the purposes of process management.

CQ-DEPEND=CL:1055871,CL:1064698,CL:1068077,CL:1296792,CL:1296793
BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes with manual addition of policy file in /usr/share/cros/startup/process_management_policies/. also tested as part of larger shill sandbox debug CL

Change-Id: I56dd5c7aa49a1d92e4f79796730378f3069217b5
Reviewed-on: https://chromium-review.googlesource.com/1062656
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/d9e1f06de1d573e5adf7649b7395b568a846e0cf/init/chromeos_startup
[add] https://crrev.com/d9e1f06de1d573e5adf7649b7395b568a846e0cf/init/config_process_mgmt_utils.sh

Oct 31

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/8c99f9ec0b1992f60799073ed9cf7e1bd19837c8

commit 8c99f9ec0b1992f60799073ed9cf7e1bd19837c8
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:22 2018

Add process management policy test in ebuild

CQ-DEPEND=CL:1055871,CL:1064698,CL:1062656,CL:1296792,CL:1296793
BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Iaa16292d0d4d714f166798936fbcec44c875b2c4
Reviewed-on: https://chromium-review.googlesource.com/1068077
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8c99f9ec0b1992f60799073ed9cf7e1bd19837c8/chromeos-base/autotest-tests-security/autotest-tests-security-9999.ebuild

Oct 31

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/autotest/+/58114e79d3a16f6aa9c08795792b287338a518d7

commit 58114e79d3a16f6aa9c08795792b287338a518d7
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Oct 31 19:42:23 2018

Add autotest for process management security policies

CL:1055871 extends the chromiumos LSM to support configuring per-UID policies in CrOS that restrict which other UIDs can be switched to by processes spawned under the restricted UID. This autotest ensures that restricted users can only setuid() to UIDs approved by the security policy installed on the system.

CQ-DEPEND=CL:1062656,CL:1068077,CL:1055871,CL:1296792,CL:1296793
BUG=chromium:845640
TEST=autotest passes with LSM functionality enabled and configured on DUT

Change-Id: I9a9d5e8c1c1f507d46b905bb268a2184646547c0
Reviewed-on: https://chromium-review.googlesource.com/1064698
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[add] https://crrev.com/58114e79d3a16f6aa9c08795792b287338a518d7/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
[add] https://crrev.com/58114e79d3a16f6aa9c08795792b287338a518d7/client/site_tests/security_ProcessManagementPolicy/control

Nov 2

Nov 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c44bdea4ffc64e130c339fad76ce46ce3153a5e2

commit c44bdea4ffc64e130c339fad76ce46ce3153a5e2
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 09:21:24 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe against removal by different threads.

BUG=chromium:845640
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then flushed policies running security_ProcessManagementPolicy autotest before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318352
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/c44bdea4ffc64e130c339fad76ce46ce3153a5e2/security/chromiumos/lsm.c

Nov 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/02810e26f2d986339a37b311dc65ba6d0be9decb

commit 02810e26f2d986339a37b311dc65ba6d0be9decb
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:42 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe against removal by different threads.

BUG=chromium:845640
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then flushed policies running security_ProcessManagementPolicy autotest before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318351
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/02810e26f2d986339a37b311dc65ba6d0be9decb/security/chromiumos/lsm.c

Nov 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0268b7fd915d8d6eb26cfffeb98bf8a5088ee823

commit 0268b7fd915d8d6eb26cfffeb98bf8a5088ee823
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:58 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe against removal by different threads.

BUG=chromium:845640
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then flushed policies running security_ProcessManagementPolicy autotest before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1315674
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/0268b7fd915d8d6eb26cfffeb98bf8a5088ee823/security/chromiumos/lsm.c

Nov 7

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7712c1d5eee6abbb35730c5385513e4a272a493e

commit 7712c1d5eee6abbb35730c5385513e4a272a493e
Author: Micah Morton <mortonm@chromium.org>
Date: Wed Nov 07 14:34:32 2018

FIXUP: CHROMIUM: protect hash table from concurrent writers

Guard the hash table in the process management policy portion of the chromiumos LSM from concurrent flushes. hash_for_each_safe is not safe against removal by different threads.

BUG=chromium:845640
TEST=edited /sbin/chromeos_startup to remove securityfs umount, then flushed policies running security_ProcessManagementPolicy autotest before and after

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I3f5a08b40f30199a11799f6cded117458f7b6f12
Reviewed-on: https://chromium-review.googlesource.com/1318350
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/7712c1d5eee6abbb35730c5385513e4a272a493e/security/chromiumos/lsm.c
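Added example, written for this page and not code from the chromiumos kernel, platform2 or any CL above: a userspace C model that ties together the three mechanisms these commits describe. It keeps a per-UID whitelist of (parent, child) UID pairs and answers the question a restricted setuid() hook asks (may this UID switch to that one?), it NUL-terminates a policy buffer of known length in the style of the cherry-picked memdup_user_nul()/kmemdup_nul() helpers before parsing it, and it takes a lock around the flush walk, which is the point of the "protect hash table from concurrent writers" fixups: save-the-next-pointer iteration only protects against the walking thread's own removals. The `parent:child` line format, the UIDs, every function name and the same-UID no-op rule are constructed assumptions; the real policy-file format installed under /usr/share/cros/startup/process_management_policies/ is not shown on this page, and a pthread mutex stands in for the kernel's lock.

```c
/* Added example (not chromiumos LSM or platform2 code): userspace model of the
 * per-UID whitelist; "parent:child" format, UIDs and names are assumptions. */
#include <limits.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PM_BUCKETS 16
/* One entry: caller UID "parent" is allowed to setuid() to "child". */
struct pm_entry { unsigned int parent, child; struct pm_entry *next; };
static struct pm_entry *pm_table[PM_BUCKETS];
/* Serialises writers and the flush walk; freeing entries while another thread
 * walks the same chain is the race the "concurrent writers" fixups close. */
static pthread_mutex_t pm_lock = PTHREAD_MUTEX_INITIALIZER;

static unsigned int pm_bucket(unsigned int parent) { return parent % PM_BUCKETS; }

/* Userspace analog of memdup_user_nul()/kmemdup_nul(): copy len bytes that may
 * lack a terminator and append '\0' so string functions are safe on the copy. */
char *memdup_nul(const char *src, size_t len) {
    char *dst = malloc(len + 1);
    if (!dst) return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

int pm_add(unsigned int parent, unsigned int child) {
    struct pm_entry *e = malloc(sizeof *e);
    if (!e) return -1;
    e->parent = parent; e->child = child;
    pthread_mutex_lock(&pm_lock);
    e->next = pm_table[pm_bucket(parent)];
    pm_table[pm_bucket(parent)] = e;
    pthread_mutex_unlock(&pm_lock);
    return 0;
}

/* Drop every entry. Saving e->next before free() only guards against this
 * thread's own removal, so the whole walk has to run under pm_lock. */
void pm_flush(void) {
    pthread_mutex_lock(&pm_lock);
    for (int i = 0; i < PM_BUCKETS; i++) {
        for (struct pm_entry *e = pm_table[i], *next; e; e = next) {
            next = e->next;
            free(e);
        }
        pm_table[i] = NULL;
    }
    pthread_mutex_unlock(&pm_lock);
}

/* The decision a setuid() hook makes for a restricted caller: allowed only if
 * (from, to) is whitelisted. Staying at the same UID is a no-op (assumption). */
bool pm_setuid_allowed(unsigned int from, unsigned int to) {
    if (from == to) return true;
    bool ok = false;
    pthread_mutex_lock(&pm_lock);
    for (struct pm_entry *e = pm_table[pm_bucket(from)]; e && !ok; e = e->next)
        ok = (e->parent == from && e->child == to);
    pthread_mutex_unlock(&pm_lock);
    return ok;
}

/* Parse an unterminated buffer of blank-separated "parent:child" pairs. Returns
 * entries added, or -1 with the table emptied (fail closed) on a malformed pair. */
int pm_load(const char *buf, size_t len) {
    char *text = memdup_nul(buf, len);
    if (!text) return -1;
    const char *p = text;
    char *end;
    int added = 0;
    while (*p) {
        while (*p == ' ' || *p == '\n') p++;
        if (!*p) break;
        if (*p < '0' || *p > '9') goto bad;          /* strtoul would accept "-5" */
        unsigned long parent = strtoul(p, &end, 10);
        if (*end != ':' || parent > UINT_MAX) goto bad;
        p = end + 1;
        if (*p < '0' || *p > '9') goto bad;
        unsigned long child = strtoul(p, &end, 10);
        if ((*end && *end != ' ' && *end != '\n') || child > UINT_MAX) goto bad;
        if (pm_add((unsigned int)parent, (unsigned int)child) != 0) goto bad;
        added++;
        p = end;
    }
    free(text);
    return added;
bad:
    free(text);
    pm_flush();
    return -1;
}

int main(void) {
    /* Constructed policy: UID 1000 may switch to 20128 or 20129; only the first
     * 21 bytes are policy, the tail stands in for unterminated trailing memory. */
    const char raw[] = "1000:20128 1000:20129 <not part of the policy>";
    printf("loaded %d entries\n", pm_load(raw, 21));
    printf("1000 -> 20128: %s\n", pm_setuid_allowed(1000, 20128) ? "allowed" : "denied");
    printf("1000 -> 0: %s\n", pm_setuid_allowed(1000, 0) ? "allowed" : "denied");
    pm_flush();
    return 0;
}
```

Build with `cc -pthread` and run. A malformed pair empties the whole table instead of keeping the pairs parsed before the error, so a truncated or corrupted policy file grants nothing rather than a partial set; the lookup is keyed on the calling UID, so a UID with no entries (20128 above) cannot switch anywhere, including back to its parent.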
,
Nov 9
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/autotest/+/3fef550c0c2d6f307d2224f0dbd3c108fe0af96d

commit 3fef550c0c2d6f307d2224f0dbd3c108fe0af96d
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Nov 09 19:05:08 2018

security_ProcessManagementPolicy: make n/a for 3.8

Make this test n/a for kernel 3.8, since we didn't port the kernel changes that support these policies back to 3.8. Also removed an unused import and added a docstring to get repo upload to stop complaining.

BUG=chromium:845640
TEST=ran test on 3.8 board with change

Change-Id: I7a61327bb59a4bee1bc2a9724bfb6cce504dfa08
Reviewed-on: https://chromium-review.googlesource.com/1312278
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: David Haddock <dhaddock@chromium.org>

[modify] https://crrev.com/3fef550c0c2d6f307d2224f0dbd3c108fe0af96d/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
Nov 13
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/65cd67231ce06e5f562f68e9367839fcb81d4edc

commit 65cd67231ce06e5f562f68e9367839fcb81d4edc
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Nov 13 11:32:59 2018

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use the same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1321178
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[add] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/process_management.h
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/lsm.c
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/alt-syscall.c
[modify] https://crrev.com/65cd67231ce06e5f562f68e9367839fcb81d4edc/security/chromiumos/securityfs.c
[delete] https://crrev.com/e1843fb3a0454bca10f21241e592a4ded05358f8/security/chromiumos/process_tree_whitelists.h
Nov 15
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d7929e9fcc97e2e2610117f2a136ca393ef22684

commit d7929e9fcc97e2e2610117f2a136ca393ef22684
Author: Guenter Roeck <groeck@chromium.org>
Date: Thu Nov 15 10:16:40 2018

FIXUP: CHROMIUM: Add process mgmt security policies to chromiumos LSM

chromiumos LSM no longer builds with most architectures due to its use of symbols and functions not available on all architectures. Restrict to x86_64 and arm64 since those are the only tested and supported architectures, and there are presumably no plans to ever upstream this code.

BUG=chromium:845640, chromium:649417
TEST=Build non-standard architectures

Change-Id: I3bcf9ba4c6d5f75f85e3b26b7c02c561411c3fb0
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1298702
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/d7929e9fcc97e2e2610117f2a136ca393ef22684/security/chromiumos/Kconfig
Nov 16
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/autotest/+/736c9030faca760e03b4f532895f2700a2a3cff0

commit 736c9030faca760e03b4f532895f2700a2a3cff0
Author: Micah Morton <mortonm@chromium.org>
Date: Fri Nov 16 13:02:12 2018

security_ProcessManagementPolicy: add shill whitelist

Add the whitelist policy for shill to this test since it recently landed in CL:1222569. Also removed a couple of unused python import statements and added a docstring to get repo upload to stop complaining.

BUG=chromium:845640
TEST=ran the autotest with changes

Change-Id: I42963d63c833a41fa308ea3a047ab5da69806a07
Reviewed-on: https://chromium-review.googlesource.com/1323751
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>

[modify] https://crrev.com/736c9030faca760e03b4f532895f2700a2a3cff0/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
Nov 20
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/autotest/+/0744ef2ec4d69f67cccb09976076000dfc4f1fdb

commit 0744ef2ec4d69f67cccb09976076000dfc4f1fdb
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Nov 20 03:13:59 2018

security_ProcessManagementPolicy: make n/a for 3.10

Make this test n/a for kernel 3.10 (it's already n/a for 3.8), since we didn't port the kernel changes that support these policies back to 3.10.

BUG=chromium:845640
TEST=observed the n/a error being hit when checking whether 'version' equals '3.14.0' on lulu board

Change-Id: I16e0f1d97f29a3467bcc87f535c6afb3ee6bfd26
Reviewed-on: https://chromium-review.googlesource.com/1333933
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: David Haddock <dhaddock@chromium.org>

[modify] https://crrev.com/0744ef2ec4d69f67cccb09976076000dfc4f1fdb/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
Dec 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/027bce94f0e7a27a1c2d86622949582f6ae874ee

commit 027bce94f0e7a27a1c2d86622949582f6ae874ee
Author: Micah Morton <mortonm@chromium.org>
Date: Mon Dec 03 20:43:28 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening policies applied is rejected by the kernel from doing some operation that requires CAP_SETUID. We already do this for rejected UID transitions and other functions in this file.

BUG=chromium:845640
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1356080
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/027bce94f0e7a27a1c2d86622949582f6ae874ee/security/chromiumos/lsm.c
Dec 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cfd582ba5a72bdd75ba5105fcf2f489a51292690

commit cfd582ba5a72bdd75ba5105fcf2f489a51292690
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:07 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening policies applied is rejected by the kernel from doing some operation that requires CAP_SETUID. We already do this for rejected UID transitions and other functions in this file.

BUG=chromium:845640
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355861

[modify] https://crrev.com/cfd582ba5a72bdd75ba5105fcf2f489a51292690/security/chromiumos/lsm.c
Dec 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dfa8cdee57cf5b67645134cd8b168d5742bc9ebe

commit dfa8cdee57cf5b67645134cd8b168d5742bc9ebe
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:09 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening policies applied is rejected by the kernel from doing some operation that requires CAP_SETUID. We already do this for rejected UID transitions and other functions in this file.

BUG=chromium:845640
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355862

[modify] https://crrev.com/dfa8cdee57cf5b67645134cd8b168d5742bc9ebe/security/chromiumos/lsm.c
Dec 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f40e421a29c3872979b72802daacb197fdaa4a41

commit f40e421a29c3872979b72802daacb197fdaa4a41
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:03 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening policies applied is rejected by the kernel from doing some operation that requires CAP_SETUID. We already do this for rejected UID transitions and other functions in this file.

BUG=chromium:845640
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355864

[modify] https://crrev.com/f40e421a29c3872979b72802daacb197fdaa4a41/security/chromiumos/lsm.c
Dec 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5b9a1b6d1307474baf87104de4fafbc4ac6d54b2

commit 5b9a1b6d1307474baf87104de4fafbc4ac6d54b2
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Dec 04 04:32:11 2018

CHROMIUM: add WARN print statement to chromiumos LSM

We should add a warn statement any time a process with setuid hardening policies applied is rejected by the kernel from doing some operation that requires CAP_SETUID. We already do this for rejected UID transitions and other functions in this file.

BUG=chromium:845640
TEST=try to write to /proc/<pid>/ns/user and see it fail and log

Signed-off-by: Micah Morton <mortonm@chromium.org>
Change-Id: I4fa7205939c8af172e0a4bd56ffd699275f75020
Reviewed-on: https://chromium-review.googlesource.com/1355863

[modify] https://crrev.com/5b9a1b6d1307474baf87104de4fafbc4ac6d54b2/security/chromiumos/lsm.c
Jan 6
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/10c986351de92b1dfbfab88c62636212ad4cd8b5

commit 10c986351de92b1dfbfab88c62636212ad4cd8b5
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Jan 06 04:08:29 2019

UPSTREAM: new helper: memdup_user_nul()

Similar to memdup_user(), except that the allocated buffer is one byte longer and '\0' is stored after the copied data.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit e9d408e107db9a554b36c3a79f67b37dd3e16da0)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: Ib94adb757d6167f3cb4f834599be2b894f703e1f
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281062
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 2f5554ca43b2b9be30c2b5d8e283011085b3fb78)
Reviewed-on: https://chromium-review.googlesource.com/1387639
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/10c986351de92b1dfbfab88c62636212ad4cd8b5/include/linux/string.h
[modify] https://crrev.com/10c986351de92b1dfbfab88c62636212ad4cd8b5/mm/util.c
Jan 6
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bfb38512faa96f0755b76cebf8cf2cd11590f08

commit 5bfb38512faa96f0755b76cebf8cf2cd11590f08
Author: David Howells <dhowells@redhat.com>
Date: Sun Jan 06 04:08:30 2019

UPSTREAM: Provide a function to create a NUL-terminated string from unterminated data

Provide a function, kmemdup_nul(), that will create a NUL-terminated string from an unterminated character array where the length is known in advance. This is better than kstrndup() in situations where we already know the string length, as the strnlen() in kstrndup() is superfluous.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit f35157417215ec138c920320c746fdb3e04ef1d5)

BUG=chromium:845640
TEST=tested with CL:1055871

Change-Id: I0167728305181386b4aa3c13b3a1b7aab2129df0
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281182
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit c96fb206ab18a506d32d3878e196a2c2126dd7fc)
Reviewed-on: https://chromium-review.googlesource.com/1387641
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/5bfb38512faa96f0755b76cebf8cf2cd11590f08/include/linux/string.h
[modify] https://crrev.com/5bfb38512faa96f0755b76cebf8cf2cd11590f08/mm/util.c
Jan 6
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/autotest/+/221174956a10796906b6611f21b5a68c917daf5f

commit 221174956a10796906b6611f21b5a68c917daf5f
Author: Micah Morton <mortonm@chromium.org>
Date: Sun Jan 06 04:08:33 2019

security_ProcessManagementPolicy: lock down vpn users

Make sure vpn users "openvpn" and "ipsec" can't setuid to root even when they have CAP_SETUID. A.K.A. make sure CL:1356101 does what it intended.

BUG=chromium:845640
TEST=ran autotest

Change-Id: I4534b38ee529bcc8b9fcd9cc03bb2a1ea8950499
Reviewed-on: https://chromium-review.googlesource.com/1396530
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/221174956a10796906b6611f21b5a68c917daf5f/client/site_tests/security_ProcessManagementPolicy/security_ProcessManagementPolicy.py
Jan 8
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/95d349ce11307453794fc45196c2c42bf8ac55b4

commit 95d349ce11307453794fc45196c2c42bf8ac55b4
Author: Micah Morton <mortonm@chromium.org>
Date: Tue Jan 08 13:03:15 2019

CHROMIUM: Add process mgmt security policies to chromiumos LSM

Enable support for configuring per-user policies in CrOS that restrict which UIDs can be switched to by processes running under that user (process must first have CAP_SETUID).

doc: https://docs.google.com/document/d/1yYpayuOsZ_v-Ey8AZJoUAOVaxpKhojLad7PidCndjRM/edit?pli=1#

Following this CL, we will add support for similar exceptions for the setgid() and kill() syscalls, which will use the same whitelist to allow exceptions to be made for these syscalls in similar process management situations.

NOTE: corresponding CLs in the same topic are listed below.
init - CL:1062656
autotest - CL:1064698
overlays - CL:1068077
shill - CL:1222569, CL:1222788

CQ-DEPEND=CL:1387641,CL:1387639,CL:1393623
BUG=chromium:845640, chromium:649417
TEST=autotest in CL:1064698 passes. also tested as part of larger shill sandbox debug CL

Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1055871
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Change-Id: Ie0d6b1534606b0016310a369f0ec34cffb553b14
Reviewed-on: https://chromium-review.googlesource.com/1387643

[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/security.c
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/lsm.c
[add] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/process_management.h
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/security/chromiumos/securityfs.c
[modify] https://crrev.com/95d349ce11307453794fc45196c2c42bf8ac55b4/include/linux/security.h
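As an added illustration of the policy these commits describe (an example written here, not the chromiumos LSM's own code nor the security_ProcessManagementPolicy autotest): a user-space Python model of the per-user setuid check, with a lock guarding lookups against a concurrent flush as in the "concurrent writers" fixup and a warning on every rejected transition as in the WARN commits. The UID numbers and the policy table are constructed placeholders, and locked-down VPN users are modelled as policy entries with no permitted targets.

```python
import logging
import threading

# Placeholder UIDs for the model; not the real CrOS UID assignments.
UID_ROOT = 0
UID_SHILL = 1001
UID_OPENVPN = 1002
UID_IPSEC = 1003
UID_DHCP = 1004


class ProcessManagementPolicy:
    """Hypothetical user-space model of the chromiumos LSM setuid policy."""

    def __init__(self):
        # One lock serialises lookups and flushes, the concern behind the
        # "protect hash table from concurrent writers" fixup.
        self._lock = threading.Lock()
        self._policy = {}  # current uid -> set of UIDs it may switch to

    def add_policy(self, parent_uid, allowed_child_uids):
        with self._lock:
            self._policy.setdefault(parent_uid, set()).update(allowed_child_uids)

    def flush(self):
        with self._lock:
            self._policy.clear()

    def setuid_allowed(self, current_uid, target_uid, has_cap_setuid):
        """Return True if setuid(target_uid) would be permitted.

        Ordinary kernel rule first: without CAP_SETUID a process cannot switch
        to another UID. The LSM rule then applies on top: a user with a policy
        may only switch to whitelisted UIDs; anything else is rejected and logged.
        """
        if not has_cap_setuid:
            return current_uid == target_uid
        with self._lock:
            allowed = self._policy.get(current_uid)
        if allowed is None:
            return True  # no hardening policy: plain CAP_SETUID semantics
        if target_uid in allowed:
            return True
        logging.warning("setuid hardening: uid %d may not switch to uid %d",
                        current_uid, target_uid)
        return False


def build_example_policy():
    """Constructed policy table (an assumption, not the shipped CrOS policy)."""
    policy = ProcessManagementPolicy()
    policy.add_policy(UID_SHILL, {UID_OPENVPN, UID_IPSEC, UID_DHCP})
    # Locked-down VPN users: no permitted targets, so no setuid to root
    # even while holding CAP_SETUID.
    policy.add_policy(UID_OPENVPN, set())
    policy.add_policy(UID_IPSEC, set())
    return policy
```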
Comment 1 by bugdroid1@chromium.org, Jul 26