linux/tools/testing/selftests/safesetid
Jann Horn 4f72123da5 LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it
securely constrains UID 1 to UIDs 1, 2 and 3:

    1:2
    1:3

However, because no constraints are applied to UIDs 2 and 3, an attacker
with UID 1 can simply first switch to UID 2, then switch to any UID from
there. The secure way to write this ruleset would be:

    1:2
    1:3
    2:2
    3:3

, which uses "transition to self" as a way to inhibit the default-allow
policy without allowing anything specific.

This is somewhat unintuitive. To make sure that policy authors don't
accidentally write insecure policies because of this, let the kernel verify
that a new ruleset does not contain any entries that are constrained, but
transitively unconstrained.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
2019-07-15 08:07:51 -07:00
..
.gitignore LSM: SafeSetID: add selftest 2019-02-12 10:58:51 -08:00
config LSM: SafeSetID: add selftest 2019-02-12 10:58:51 -08:00
Makefile LSM: SafeSetID: add selftest 2019-02-12 10:58:51 -08:00
safesetid-test.c LSM: SafeSetID: verify transitive constrainedness 2019-07-15 08:07:51 -07:00
safesetid-test.sh LSM: SafeSetID: add selftest 2019-02-12 10:58:51 -08:00