Re: [PATCH v2] define convenient securebits masks for prctl users

From: Michael Kerrisk
Date: Thu Oct 15 2009 - 01:27:54 EST

Next message: david: "removing existing working drivers via staging"
Previous message: Jeremy Fitzhardinge: "Re: [Xen-devel] [PATCH 05/12] xen/pvclock: add monotonicity check"
In reply to: Serge E. Hallyn: "[PATCH v2] define convenient securebits masks for prctl users"
Next in thread: Serge E. Hallyn: "Re: [PATCH v2] define convenient securebits masks for prctl users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Serge,

On Wed, Oct 14, 2009 at 11:15 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote:
> The securebits are used by passing them to prctl with the
> PR_{S,G}ET_SECUREBITS commands. But the defines must be
> shifted to be used in prctl, which begs to be confused and
> misused by userspace. So define some more convenient
> values for userspace to specify. This way userspace does
>
> prctl(PR_SET_SECUREBITS, SECBIT_NOROOT);
>
> instead of
>
> prctl(PR_SET_SECUREBITS, 1 << SECURE_NOROOT);
>
> Thanks to Michael for the idea.
>
> This patch also adds include/linux/securebits to the installed headers.
> Then perhaps it can be included by glibc's sys/prctl.h.
>
> Changelog:
> Oct 14: (Suggestions by Michael Kerrisk):
> 1. spell out SETUID in SECBIT_NO_SETUID*
> 2. SECBIT_X_LOCKED does not imply SECBIT_X
> 3. add definitions for keepcaps

Thanks for these changes.

> Oct 14: As suggested by Michael Kerrisk, don't
> use SB_* as that convention is already in
> use. Use SECBIT_ prefix instead.
>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> Acked-by: Andrew G. Morgan <morgan@xxxxxxxxxx>

Acked-by: Michael Kerrisk <mtk.manpages@xxxxxxxxx>

Cheers,

Michael

> Cc: Michael Kerrisk <mtk.manpages@xxxxxxxxx>
> Cc: Ulrich Drepper <drepper@xxxxxxxxxx>
> ---
> include/linux/Kbuild | 1 +
> include/linux/securebits.h | 22 ++++++++++++++++------
> 2 files changed, 17 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/Kbuild b/include/linux/Kbuild
> index 3e8bd18..94fe9f7 100644
> --- a/include/linux/Kbuild
> +++ b/include/linux/Kbuild
> @@ -328,6 +328,7 @@ unifdef-y += scc.h
> unifdef-y += sched.h
> unifdef-y += screen_info.h
> unifdef-y += sdla.h
> +unifdef-y += securebits.h
> unifdef-y += selinux_netlink.h
> unifdef-y += sem.h
> unifdef-y += serial_core.h
> diff --git a/include/linux/securebits.h b/include/linux/securebits.h
> index d2c5ed8..9ad109e 100644
> --- a/include/linux/securebits.h
> +++ b/include/linux/securebits.h
> @@ -1,6 +1,13 @@
> #ifndef _LINUX_SECUREBITS_H
> #define _LINUX_SECUREBITS_H 1
>
> +/* Each securesetting is implemented using two bits. One bit specifies
> + whether the setting is on or off. The other bit specify whether the
> + setting is locked or not. A setting which is locked cannot be
> + changed from user-level. */
> +#define issecure_mask(X) (1 << (X))
> +#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
> +
> #define SECUREBITS_DEFAULT 0x00000000
>
> /* When set UID 0 has no special privileges. When unset, we support
> @@ -12,6 +19,9 @@
> #define SECURE_NOROOT 0
> #define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
>
> +#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
> +#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
> +
> /* When set, setuid to/from uid 0 does not trigger capability-"fixup".
> When unset, to provide compatiblility with old programs relying on
> set*uid to gain/lose privilege, transitions to/from uid 0 cause
> @@ -19,6 +29,10 @@
> #define SECURE_NO_SETUID_FIXUP 2
> #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
>
> +#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
> +#define SECBIT_NO_SETUID_FIXUP_LOCKED \
> + (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
> +
> /* When set, a process can retain its capabilities even after
> transitioning to a non-root user (the set-uid fixup suppressed by
> bit 2). Bit-4 is cleared when a process calls exec(); setting both
> @@ -27,12 +41,8 @@
> #define SECURE_KEEP_CAPS 4
> #define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */
>
> -/* Each securesetting is implemented using two bits. One bit specifies
> - whether the setting is on or off. The other bit specify whether the
> - setting is locked or not. A setting which is locked cannot be
> - changed from user-level. */
> -#define issecure_mask(X) (1 << (X))
> -#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
> +#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
> +#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
>
> #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
> issecure_mask(SECURE_NO_SETUID_FIXUP) | \
> --
> 1.6.1
>
>

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface" http://blog.man7.org/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: david: "removing existing working drivers via staging"
Previous message: Jeremy Fitzhardinge: "Re: [Xen-devel] [PATCH 05/12] xen/pvclock: add monotonicity check"
In reply to: Serge E. Hallyn: "[PATCH v2] define convenient securebits masks for prctl users"
Next in thread: Serge E. Hallyn: "Re: [PATCH v2] define convenient securebits masks for prctl users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]