Revision | 2bd8593118d5e4d79c29cfd9ad9184a010b50227 (tree) |
---|---|
Time | 2019-06-13 01:05:33 |
Author | Robert Love <rlove@goog...> |
Commiter | Chih-Wei Huang |
ANDROID: net: Paranoid network.
With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate
network sockets.
Signed-off-by: Robert Love <rlove@google.com>
paranoid networking: Use in_egroup_p() to check group membership
The previous group_search() caused trouble for partners with module builds.
in_egroup_p() is also cleaner.
Signed-off-by: Nick Pelly <npelly@google.com>
Fix 2.6.29 build.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
net: Fix compilation of the IPv6 module
Fix compilation of the IPv6 module -- current->euid does not exist anymore,
current_euid() is what needs to be used.
Signed-off-by: Steinar H. Gunderson <sesse@google.com>
net: bluetooth: Remove the AID_NET_BT* gid numbers
Removed bluetooth checks for AID_NET_BT and AID_NET_BT_ADMIN
which are not useful anymore.
This is in preparation for getting rid of all the AID_* gids.
Change-Id: I879d7181f07532784499ef152288d12a03ab6354
Signed-off-by: JP Abgrall <jpa@google.com>
[AmitP: Folded following android-4.9 commit changes into this patch
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
ANDROID: net: paranoid: security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
ANDROID: net: paranoid: Replace AID_NET_RAW checks with capable(CAP_NET_RAW).
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
ANDROID: net: paranoid: Only NET_ADMIN is allowed to fully control TUN interfaces.
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
ANDROID: net: paranoid: security: Add proper checks for Android specific capability checks
Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros are conditionally
included, the checks should also be conditionally executed.
Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
ANDROID: net: paranoid: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants
CAP_NET_ADMIN and CAP_NET_RAW are implicity granted to the "special"
Android groups net_admin and net_raw.
This is a byproduct of the init system not being able to specify
capabilities back in the day, but has now been resolved and .rc files
can explictly specify the capabilities to be granted to a service.
Thus, we should start to remove this implicit capability grant, and the
first step is to warn when a process doesn't have the explicit capability
but is a member of the implicitly granted group, when that capability
is checked.
This will allow for the PARANOID_NETWORK checks in commoncap.c to
be totally removed in a future kernel.
Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4
Signed-off-by: John Stultz <john.stultz@linaro.org>
@@ -2866,6 +2866,12 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, | ||
2866 | 2866 | int ret; |
2867 | 2867 | bool do_notify = false; |
2868 | 2868 | |
2869 | +#ifdef CONFIG_ANDROID_PARANOID_NETWORK | |
2870 | + if (cmd != TUNGETIFF && !capable(CAP_NET_ADMIN)) { | |
2871 | + return -EPERM; | |
2872 | + } | |
2873 | +#endif | |
2874 | + | |
2869 | 2875 | if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || |
2870 | 2876 | (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) { |
2871 | 2877 | if (copy_from_user(&ifr, argp, ifreq_len)) |
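Review bot: The guard added at line 2870 uses `capable(CAP_NET_ADMIN)`, i.e. the capability in the initial user namespace, so with this option a task holding CAP_NET_ADMIN only in the user namespace that owns its netns is refused every tun ioctl except TUNGETIFF; if that is the intended Android policy it deserves a comment such as `/* Android: only init-ns CAP_NET_ADMIN may configure TUN; TUNGETIFF stays readable. */`, otherwise `ns_capable(net->user_ns, CAP_NET_ADMIN)` would match the namespace-aware checks used elsewhere. Exempting only TUNGETIFF also turns every other query-style command (any TUNGET* ioctl this tree supports, if they are reachable here) into -EPERM for an unprivileged holder of a tun fd handed over by a privileged service, which may be more than "fully control" in the commit message intends. Kernel style also drops the braces around the single-statement body at lines 2870–2872. __tun_chr_ioctl starts and ends outside this hunk.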
@@ -0,0 +1,26 @@ | ||
1 | +/* include/linux/android_aid.h | |
2 | + * | |
3 | + * Copyright (C) 2008 Google, Inc. | |
4 | + * | |
5 | + * This software is licensed under the terms of the GNU General Public | |
6 | + * License version 2, as published by the Free Software Foundation, and | |
7 | + * may be copied, distributed, and modified under those terms. | |
8 | + * | |
9 | + * This program is distributed in the hope that it will be useful, | |
10 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
12 | + * GNU General Public License for more details. | |
13 | + * | |
14 | + */ | |
15 | + | |
16 | +#ifndef _LINUX_ANDROID_AID_H | |
17 | +#define _LINUX_ANDROID_AID_H | |
18 | + | |
19 | +/* AIDs that the kernel treats differently */ | |
20 | +#define AID_OBSOLETE_000 KGIDT_INIT(3001) /* was NET_BT_ADMIN */ | |
21 | +#define AID_OBSOLETE_001 KGIDT_INIT(3002) /* was NET_BT */ | |
22 | +#define AID_INET KGIDT_INIT(3003) | |
23 | +#define AID_NET_RAW KGIDT_INIT(3004) | |
24 | +#define AID_NET_ADMIN KGIDT_INIT(3005) | |
25 | + | |
26 | +#endif |
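Review bot: The header uses `KGIDT_INIT()` at lines 20–24 but includes nothing, so it only compiles after the includer has already pulled in `<linux/uidgid.h>`; add `#include <linux/uidgid.h>` under the include guard so the file stands on its own. The gid values 3001–3005 are bare magic numbers that a kernel maintainer cannot verify from this tree, so a comment above the list naming the Android userspace AID table they must stay in sync with would help, e.g. `/* Values mirror Android's userspace AID_* table; keep in sync when it changes. */`. The two `AID_OBSOLETE_*` entries are not referenced by any hunk on this page and could presumably be dropped rather than renamed.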
@@ -92,6 +92,12 @@ source "net/netlabel/Kconfig" | ||
92 | 92 | |
93 | 93 | endif # if INET |
94 | 94 | |
95 | +config ANDROID_PARANOID_NETWORK | |
96 | + bool "Only allow certain groups to create sockets" | |
97 | + default y | |
98 | + help | |
99 | + none | |
100 | + | |
95 | 101 | config NETWORK_SECMARK |
96 | 102 | bool "Security Marking" |
97 | 103 | help |
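Review bot: The `help` text at line 99 is the literal word "none", which leaves a `default y` option that refuses AF_INET/AF_INET6 socket creation to anyone outside gid 3003 or without CAP_NET_RAW undocumented exactly where a kernel builder reads it. I would write roughly: `Restrict creation of AF_INET/AF_INET6 sockets to members of the Android "inet" group (gid 3003) and holders of CAP_NET_RAW, and implicitly grant CAP_NET_RAW/CAP_NET_ADMIN to the net_raw/net_admin groups. Enable only for an Android userspace; on any other system this locks unprivileged users out of networking.` Given that effect, `default y` with no `depends on` is a foot-gun for non-Android configurations; `default n`, or a dependency on an Android-specific symbol if this tree has one, seems safer.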
@@ -108,11 +108,40 @@ void bt_sock_unregister(int proto) | ||
108 | 108 | } |
109 | 109 | EXPORT_SYMBOL(bt_sock_unregister); |
110 | 110 | |
111 | +#ifdef CONFIG_PARANOID_NETWORK | |
112 | +static inline int current_has_bt_admin(void) | |
113 | +{ | |
114 | + return !current_euid(); | |
115 | +} | |
116 | + | |
117 | +static inline int current_has_bt(void) | |
118 | +{ | |
119 | + return current_has_bt_admin(); | |
120 | +} | |
121 | +# else | |
122 | +static inline int current_has_bt_admin(void) | |
123 | +{ | |
124 | + return 1; | |
125 | +} | |
126 | + | |
127 | +static inline int current_has_bt(void) | |
128 | +{ | |
129 | + return 1; | |
130 | +} | |
131 | +#endif | |
132 | + | |
111 | 133 | static int bt_sock_create(struct net *net, struct socket *sock, int proto, |
112 | 134 | int kern) |
113 | 135 | { |
114 | 136 | int err; |
115 | 137 | |
138 | + if (proto == BTPROTO_RFCOMM || proto == BTPROTO_SCO || | |
139 | + proto == BTPROTO_L2CAP) { | |
140 | + if (!current_has_bt()) | |
141 | + return -EPERM; | |
142 | + } else if (!current_has_bt_admin()) | |
143 | + return -EPERM; | |
144 | + | |
116 | 145 | if (net != &init_net) |
117 | 146 | return -EAFNOSUPPORT; |
118 | 147 |
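Review bot: The conditional at line 111 tests `CONFIG_PARANOID_NETWORK`, while the Kconfig symbol this commit adds and every other hunk tests is `CONFIG_ANDROID_PARANOID_NETWORK`, so the real `current_has_bt_admin()`/`current_has_bt()` are never compiled and the stubs returning 1 make the new checks in bt_sock_create a no-op. Correcting it to `#ifdef CONFIG_ANDROID_PARANOID_NETWORK` will likely expose a second problem: `return !current_euid();` negates a `kuid_t`, which is a struct in kernels of this generation, so it should read `return uid_eq(current_euid(), GLOBAL_ROOT_UID);`. A one-line comment on the helpers saying that, after the Bluetooth AIDs were removed, "admin" simply means root euid would make the policy explicit. bt_sock_create's body continues past the hunk.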
@@ -123,6 +123,20 @@ | ||
123 | 123 | |
124 | 124 | #include <trace/events/sock.h> |
125 | 125 | |
126 | +#ifdef CONFIG_ANDROID_PARANOID_NETWORK | |
127 | +#include <linux/android_aid.h> | |
128 | + | |
129 | +static inline int current_has_network(void) | |
130 | +{ | |
131 | + return in_egroup_p(AID_INET) || capable(CAP_NET_RAW); | |
132 | +} | |
133 | +#else | |
134 | +static inline int current_has_network(void) | |
135 | +{ | |
136 | + return 1; | |
137 | +} | |
138 | +#endif | |
139 | + | |
126 | 140 | /* The inetsw table contains everything that inet_create needs to |
127 | 141 | * build a new socket. |
128 | 142 | */ |
@@ -258,6 +272,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, | ||
258 | 272 | if (protocol < 0 || protocol >= IPPROTO_MAX) |
259 | 273 | return -EINVAL; |
260 | 274 | |
275 | + if (!current_has_network()) | |
276 | + return -EACCES; | |
277 | + | |
261 | 278 | sock->state = SS_UNCONNECTED; |
262 | 279 | |
263 | 280 | /* Look for the requested type/protocol pair. */ |
@@ -306,8 +323,7 @@ lookup_protocol: | ||
306 | 323 | } |
307 | 324 | |
308 | 325 | err = -EPERM; |
309 | - if (sock->type == SOCK_RAW && !kern && | |
310 | - !ns_capable(net->user_ns, CAP_NET_RAW)) | |
326 | + if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) | |
311 | 327 | goto out_rcu_unlock; |
312 | 328 | |
313 | 329 | sock->ops = answer->ops; |
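Review bot: The replacement of `ns_capable(net->user_ns, CAP_NET_RAW)` with `capable(CAP_NET_RAW)` at line 326 is not inside `#ifdef CONFIG_ANDROID_PARANOID_NETWORK`, so even kernels built without the option lose user-namespace raw-socket support: a task with CAP_NET_RAW only in the user namespace that owns `net` is now refused. Both `capable()` and `ns_capable()` end in cap_capable(), where this commit adds the net_raw group grant, so the init-namespace form does not appear necessary for the Android case either; I would keep the original two lines, or at minimum put the change under the same `#ifdef`. Separately, the new `current_has_network()` check at line 275 ignores `kern`, unlike the raw-socket check a few lines below, so an in-kernel socket created while running in the context of an unprivileged task outside the inet group is refused too; `if (!kern && !current_has_network())` would follow the existing convention. inet_create's body continues past the hunk.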
@@ -66,6 +66,20 @@ | ||
66 | 66 | #include <linux/uaccess.h> |
67 | 67 | #include <linux/mroute6.h> |
68 | 68 | |
69 | +#ifdef CONFIG_ANDROID_PARANOID_NETWORK | |
70 | +#include <linux/android_aid.h> | |
71 | + | |
72 | +static inline int current_has_network(void) | |
73 | +{ | |
74 | + return in_egroup_p(AID_INET) || capable(CAP_NET_RAW); | |
75 | +} | |
76 | +#else | |
77 | +static inline int current_has_network(void) | |
78 | +{ | |
79 | + return 1; | |
80 | +} | |
81 | +#endif | |
82 | + | |
69 | 83 | #include "ip6_offload.h" |
70 | 84 | |
71 | 85 | MODULE_AUTHOR("Cast of dozens"); |
@@ -122,6 +136,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, | ||
122 | 136 | if (protocol < 0 || protocol >= IPPROTO_MAX) |
123 | 137 | return -EINVAL; |
124 | 138 | |
139 | + if (!current_has_network()) | |
140 | + return -EACCES; | |
141 | + | |
125 | 142 | /* Look for the requested type/protocol pair. */ |
126 | 143 | lookup_protocol: |
127 | 144 | err = -ESOCKTNOSUPPORT; |
@@ -168,8 +185,7 @@ lookup_protocol: | ||
168 | 185 | } |
169 | 186 | |
170 | 187 | err = -EPERM; |
171 | - if (sock->type == SOCK_RAW && !kern && | |
172 | - !ns_capable(net->user_ns, CAP_NET_RAW)) | |
188 | + if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) | |
173 | 189 | goto out_rcu_unlock; |
174 | 190 | |
175 | 191 | sock->ops = answer->ops; |
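Review bot: `current_has_network()` at lines 69–81 is a byte-for-byte copy of the helper this same commit adds to the IPv4 socket family; defining it once in `<linux/android_aid.h>`, which both sides already include under the same `#ifdef`, keeps the two policies from drifting, and the `#else` stub can live there as well. The call at line 139 also runs regardless of `kern`, while the raw-socket check at line 188 honours `!kern`; `if (!kern && !current_has_network())` keeps kernel-internal socket creation out of the group check. Line 188 additionally swaps `ns_capable(net->user_ns, CAP_NET_RAW)` for `capable(CAP_NET_RAW)` outside any `#ifdef`, removing user-namespace raw-socket support from non-Android builds as well, which looks unintended. inet6_create's body continues past the hunk.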
@@ -31,6 +31,10 @@ | ||
31 | 31 | #include <linux/binfmts.h> |
32 | 32 | #include <linux/personality.h> |
33 | 33 | |
34 | +#ifdef CONFIG_ANDROID_PARANOID_NETWORK | |
35 | +#include <linux/android_aid.h> | |
36 | +#endif | |
37 | + | |
34 | 38 | /* |
35 | 39 | * If a non-root user executes a setuid-root binary in |
36 | 40 | * !secure(SECURE_NOROOT) mode, then we raise capabilities. |
@@ -54,7 +58,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) | ||
54 | 58 | } |
55 | 59 | |
56 | 60 | /** |
57 | - * cap_capable - Determine whether a task has a particular effective capability | |
61 | + * __cap_capable - Determine whether a task has a particular effective capability | |
58 | 62 | * @cred: The credentials to use |
59 | 63 | * @ns: The user namespace in which we need the capability |
60 | 64 | * @cap: The capability to check for |
@@ -68,7 +72,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) | ||
68 | 72 | * cap_has_capability() returns 0 when a task has a capability, but the |
69 | 73 | * kernel's capable() and has_capability() returns 1 for this case. |
70 | 74 | */ |
71 | -int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | |
75 | +int __cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | |
72 | 76 | int cap, int audit) |
73 | 77 | { |
74 | 78 | struct user_namespace *ns = targ_ns; |
@@ -106,6 +110,27 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | ||
106 | 110 | /* We never get here */ |
107 | 111 | } |
108 | 112 | |
113 | +int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, | |
114 | + int cap, int audit) | |
115 | +{ | |
116 | + int ret = __cap_capable(cred, targ_ns, cap, audit); | |
117 | + | |
118 | +#ifdef CONFIG_ANDROID_PARANOID_NETWORK | |
119 | + if (ret != 0 && cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) { | |
120 | + printk("Process %s granted CAP_NET_RAW from Android group net_raw.\n", current->comm); | |
121 | + printk(" Please update the .rc file to explictly set 'capabilities NET_RAW'\n"); | |
122 | + printk(" Implicit grants are deprecated and will be removed in the future.\n"); | |
123 | + return 0; | |
124 | + } | |
125 | + if (ret != 0 && cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) { | |
126 | + printk("Process %s granted CAP_NET_ADMIN from Android group net_admin.\n", current->comm); | |
127 | + printk(" Please update the .rc file to explictly set 'capabilities NET_ADMIN'\n"); | |
128 | + printk(" Implicit grants are deprecated and will be removed in the future.\n"); | |
129 | + return 0; | |
130 | + } | |
131 | +#endif | |
132 | + return ret; | |
133 | +} | |
109 | 134 | /** |
110 | 135 | * cap_settime - Determine whether the current process may set the system clock |
111 | 136 | * @ts: The time to set |
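Review bot: The new wrapper at lines 113–133 is asked about `cred`, which is not necessarily the caller's own credentials (has_capability()-style callers pass another task's cred), yet the group test uses `in_egroup_p()`, which consults `current_cred()`; a task in net_raw could thus vouch for a different task's CAP_NET_RAW, and the log line names `current->comm` rather than the task being judged. The membership test should be made against `cred`, roughly `gid_eq(cred->egid, gid) || groups_search(cred->group_info, gid)` (groups_search() is exported from kernel/groups.c; verify its signature in this tree). The three bare `printk()` calls carry no log level and fire on every capability check, so any process in either group can flood the log; a single `pr_warn_ratelimited()` per grant is the usual form. `__cap_capable()` at line 75 is no longer static but has no header declaration, so it should be marked `static`. cap_capable is fully inside the hunk; the other hunks in this section only touch the include and the kernel-doc header.
```c
/* Group test against the cred being judged, not current_cred(). */
static inline bool cred_in_egroup(const struct cred *cred, kgid_t gid)
{
	return gid_eq(cred->egid, gid) || groups_search(cred->group_info, gid);
}

int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
		int cap, int audit)
{
	int ret = __cap_capable(cred, targ_ns, cap, audit);

#ifdef CONFIG_ANDROID_PARANOID_NETWORK
	if (ret != 0 && cap == CAP_NET_RAW && cred_in_egroup(cred, AID_NET_RAW)) {
		pr_warn_ratelimited("Process %s granted CAP_NET_RAW from Android group net_raw; set 'capabilities NET_RAW' in its .rc file, implicit grants are deprecated\n",
				    current->comm);
		return 0;
	}
	if (ret != 0 && cap == CAP_NET_ADMIN && cred_in_egroup(cred, AID_NET_ADMIN)) {
		pr_warn_ratelimited("Process %s granted CAP_NET_ADMIN from Android group net_admin; set 'capabilities NET_ADMIN' in its .rc file, implicit grants are deprecated\n",
				    current->comm);
		return 0;
	}
#endif
	return ret;
}
```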