Commit 633b45454503489209b0d9a45f9e3cd1b852c614

Authored by Eric Paris
Committed by Al Viro
1 parent 0a300be6d5

audit: only allow tasks to set their loginuid if it is -1

At the moment we allow tasks to set their loginuid if they have
CAP_AUDIT_CONTROL.  In reality we want tasks to set the loginuid when they
log in and for it to be impossible to ever reset.  We had to make it mutable even
after it was once set (with the CAP) because on update an admin might have
to restart sshd.  Now sshd would get his loginuid and the next user who
logged in using ssh would not be able to set his loginuid.

Systemd has changed how userspace works and allowed us to make the kernel
work the way it should.  With systemd users (even admins) are not supposed
to restart services directly.  The system will restart the service for
them.  Thus since systemd is going to loginuid==-1, sshd would get -1, and
sshd would be allowed to set a new loginuid without special permissions.

If an admin in this system were to manually start an sshd he is inserting
himself into the system chain of trust and thus, logically, it's his
loginuid that should be used!  Since we have old systems I make this a
Kconfig option.

Signed-off-by: Eric Paris <eparis@redhat.com>

Showing 3 changed files with 24 additions and 4 deletions

... ... @@ -1197,9 +1197,6 @@
1197 1197 ssize_t length;
1198 1198 uid_t loginuid;
1199 1199  
1200   - if (!capable(CAP_AUDIT_CONTROL))
1201   - return -EPERM;
1202   -
1203 1200 rcu_read_lock();
1204 1201 if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) {
1205 1202 rcu_read_unlock();
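Review bot: with the `capable(CAP_AUDIT_CONTROL)` check removed from this proc write path, the only gate left in the hunk is `if (current != pid_task(proc_pid(inode), PIDTYPE_PID))`, which restricts the write to a task's own loginuid file; the permission decision now lives entirely in audit_set_loginuid(), so the unconditional removal here is only safe because that callee still applies `capable(CAP_AUDIT_CONTROL)` in the non-immutable configuration. A one-line comment at this call site saying the permission check is deliberately delegated to audit_set_loginuid() would stop a future reader from re-adding it here and double-checking.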
... ... @@ -372,6 +372,20 @@
372 372 depends on AUDITSYSCALL
373 373 select FSNOTIFY
374 374  
  375 +config AUDIT_LOGINUID_IMMUTABLE
  376 + bool "Make audit loginuid immutable"
  377 + depends on AUDIT
  378 + help
  379 + The config option toggles if a task setting it's loginuid requires
  380 + CAP_SYS_AUDITCONTROL or if that task should require no special permissions
  381 + but should instead only allow setting its loginuid if it was never
  382 + previously set. On systems which use systemd or a similar central
  383 + process to restart login services this should be set to true. On older
  384 + systems in which an admin would typically have to directly stop and
  385 + start processes this should be set to false. Setting this to true allows
  386 + one to drop potentially dangerous capabilites from the login tasks,
  387 + but may not be backwards compatible with older init systems.
  388 +
375 389 source "kernel/irq/Kconfig"
376 390  
377 391 menu "RCU Subsystem"
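Review bot: the help text names a capability that does not exist: `CAP_SYS_AUDITCONTROL` should be `CAP_AUDIT_CONTROL`, which is what the code actually checks (`if (!capable(CAP_AUDIT_CONTROL))`). Two spelling fixes in the same block: `a task setting it's loginuid` should read `its loginuid`, and `capabilites` should be `capabilities`. Since the option is a `bool` with no `default` line it defaults to n, i.e. the old CAP_AUDIT_CONTROL behaviour is kept unless an integrator opts in; stating that explicitly (a `default n` line or a sentence in the help) would make the backwards-compatibility claim concrete for people building older userspace.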
... ... @@ -2173,9 +2173,18 @@
2173 2173 int audit_set_loginuid(uid_t loginuid)
2174 2174 {
2175 2175 struct task_struct *task = current;
2176   - unsigned int sessionid = atomic_inc_return(&session_id);
2177 2176 struct audit_context *context = task->audit_context;
  2177 + unsigned int sessionid;
2178 2178  
  2179 +#ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
  2180 + if (task->loginuid != -1)
  2181 + return -EPERM;
  2182 +#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
  2183 + if (!capable(CAP_AUDIT_CONTROL))
  2184 + return -EPERM;
  2185 +#endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
  2186 +
  2187 + sessionid = atomic_inc_return(&session_id);
2179 2188 if (context && context->in_syscall) {
2180 2189 struct audit_buffer *ab;
2181 2190
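Review bot: `if (task->loginuid != -1)` compares an unsigned `uid_t` against a signed literal; it works through the implicit conversion of -1 to `(uid_t)-1`, but writing `(uid_t)-1` (or a named "unset" sentinel) makes the never-set test explicit and avoids a sign-comparison warning under stricter flags. Moving `sessionid = atomic_inc_return(&session_id);` below the permission checks is a genuine improvement: previously a rejected write still consumed a session id. Minor style point: `#else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */` reads as if the else branch were the immutable case; `#else /* !CONFIG_AUDIT_LOGINUID_IMMUTABLE */` would follow the usual convention.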