kernel: Commit

Commit MetaInfo

Revision: 2bd8593118d5e4d79c29cfd9ad9184a010b50227 (tree)
Time: 2019-06-13 01:05:33
Author: Robert Love <rlove@goog...>
Committer: Chih-Wei Huang

Log Message

ANDROID: net: Paranoid network.

With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate
network sockets.

Signed-off-by: Robert Love <rlove@google.com>

paranoid networking: Use in_egroup_p() to check group membership

The previous group_search() caused trouble for partners with module builds.
in_egroup_p() is also cleaner.

Signed-off-by: Nick Pelly <npelly@google.com>

Fix 2.6.29 build.

Signed-off-by: Arve Hjønnevåg <arve@android.com>

net: Fix compilation of the IPv6 module

Fix compilation of the IPv6 module -- current->euid does not exist anymore,
current_euid() is what needs to be used.

Signed-off-by: Steinar H. Gunderson <sesse@google.com>

net: bluetooth: Remove the AID_NET_BT* gid numbers

Removed bluetooth checks for AID_NET_BT and AID_NET_BT_ADMIN
which are not useful anymore.
This is in preparation for getting rid of all the AID_* gids.

Change-Id: I879d7181f07532784499ef152288d12a03ab6354
Signed-off-by: JP Abgrall <jpa@google.com>

[AmitP: Folded following android-4.9 commit changes into this patch
a2624d7b9d73 ("ANDROID: Add android_aid.h")]

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: net: paranoid: security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: Replace AID_NET_RAW checks with capable(CAP_NET_RAW).

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: Only NET_ADMIN is allowed to fully control TUN interfaces.

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: security: Add proper checks for Android specific capability checks

Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros is conditionally
included, the checks should also be conditionally executed.

Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>

ANDROID: net: paranoid: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants

CAP_NET_ADMIN and CAP_NET_RAW are implicitly granted to the "special"
Android groups net_admin and net_raw.

This is a byproduct of the init system not being able to specify
capabilities back in the day, but has now been resolved and .rc files
can explicitly specify the capabilities to be granted to a service.

Thus, we should start to remove this implicit capability grant, and the
first step is to warn when a process doesn't have explicit capability
but is a member of the implicitly granted group, when that capability
is checked.

This will allow for the PARANOID_NETWORK checks in commoncap.c to
be totally removed in a future kernel.

Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4
Signed-off-by: John Stultz <john.stultz@linaro.org>

Change Summary

Incremental Difference

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2866,6 +2866,12 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
28662866 int ret;
28672867 bool do_notify = false;
28682868
2869+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
2870+ if (cmd != TUNGETIFF && !capable(CAP_NET_ADMIN)) {
2871+ return -EPERM;
2872+ }
2873+#endif
2874+
28692875 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
28702876 (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
28712877 if (copy_from_user(&ifr, argp, ifreq_len))
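Review bot: the guard at lines 2869-2873 exempts only TUNGETIFF, so every other ioctl on an already-opened tun fd, including pure queries, is refused to callers without CAP_NET_ADMIN; if that is the intent, state it in the log, which only says "fully control". Two smaller points: capable() tests the initial user namespace, while the raw-socket checks this same patch touches in af_inet.c previously used ns_capable(net->user_ns, ...), so the two paths now disagree on which namespace counts; and the single-statement `return -EPERM;` does not need braces under kernel coding style.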
--- /dev/null
+++ b/include/linux/android_aid.h
@@ -0,0 +1,26 @@
1+/* include/linux/android_aid.h
2+ *
3+ * Copyright (C) 2008 Google, Inc.
4+ *
5+ * This software is licensed under the terms of the GNU General Public
6+ * License version 2, as published by the Free Software Foundation, and
7+ * may be copied, distributed, and modified under those terms.
8+ *
9+ * This program is distributed in the hope that it will be useful,
10+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
11+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12+ * GNU General Public License for more details.
13+ *
14+ */
15+
16+#ifndef _LINUX_ANDROID_AID_H
17+#define _LINUX_ANDROID_AID_H
18+
19+/* AIDs that the kernel treats differently */
20+#define AID_OBSOLETE_000 KGIDT_INIT(3001) /* was NET_BT_ADMIN */
21+#define AID_OBSOLETE_001 KGIDT_INIT(3002) /* was NET_BT */
22+#define AID_INET KGIDT_INIT(3003)
23+#define AID_NET_RAW KGIDT_INIT(3004)
24+#define AID_NET_ADMIN KGIDT_INIT(3005)
25+
26+#endif
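Review bot: the header uses KGIDT_INIT() at lines 20-24 but does not include <linux/uidgid.h>, so it only compiles when the includer has already pulled that header in; add the include so the header is self-contained. The two AID_OBSOLETE_* entries are referenced nowhere in the diff and the log says the AID_NET_BT* checks were removed, so either drop them or add a comment saying they are kept only to reserve the gid numbers; a comment pointing at where userspace defines gids 3003-3005 would also help readers unfamiliar with Android AIDs.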
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -92,6 +92,12 @@ source "net/netlabel/Kconfig"
9292
9393 endif # if INET
9494
95+config ANDROID_PARANOID_NETWORK
96+ bool "Only allow certain groups to create sockets"
97+ default y
98+ help
99+ none
100+
95101 config NETWORK_SECMARK
96102 bool "Security Marking"
97103 help
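Review bot: the help text at line 99 is literally "none"; a bool that is default y and changes socket creation for every process needs real help text: which gids are consulted (3003-3005 from android_aid.h), that CAP_NET_RAW holders bypass the check, and that it is Android-specific. Reconsider default y, or add a depends on, so generic builds of this tree do not silently start refusing socket() with -EACCES for users outside group 3003.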
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -108,11 +108,40 @@ void bt_sock_unregister(int proto)
108108 }
109109 EXPORT_SYMBOL(bt_sock_unregister);
110110
111+#ifdef CONFIG_PARANOID_NETWORK
112+static inline int current_has_bt_admin(void)
113+{
114+ return !current_euid();
115+}
116+
117+static inline int current_has_bt(void)
118+{
119+ return current_has_bt_admin();
120+}
121+# else
122+static inline int current_has_bt_admin(void)
123+{
124+ return 1;
125+}
126+
127+static inline int current_has_bt(void)
128+{
129+ return 1;
130+}
131+#endif
132+
111133 static int bt_sock_create(struct net *net, struct socket *sock, int proto,
112134 int kern)
113135 {
114136 int err;
115137
138+ if (proto == BTPROTO_RFCOMM || proto == BTPROTO_SCO ||
139+ proto == BTPROTO_L2CAP) {
140+ if (!current_has_bt())
141+ return -EPERM;
142+ } else if (!current_has_bt_admin())
143+ return -EPERM;
144+
116145 if (net != &init_net)
117146 return -EAFNOSUPPORT;
118147
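Review bot: the guard at line 111 tests CONFIG_PARANOID_NETWORK, but the Kconfig symbol this patch adds is ANDROID_PARANOID_NETWORK, so the restrictive branch is dead code and bt_sock_create() always takes the #else path that returns 1; the Bluetooth check is a no-op as written. Fixing the macro name will expose a second problem: `return !current_euid();` at line 114 applies ! to a kuid_t, which is a struct in current kernels and does not compile; use `uid_eq(current_euid(), GLOBAL_ROOT_UID)`. Style: `# else` at line 121 should be `#else`. The new checks at 138-143 also run before the `net != &init_net` test and ignore `kern`, so kernel-created Bluetooth sockets are subject to the uid check too.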
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -123,6 +123,20 @@
123123
124124 #include <trace/events/sock.h>
125125
126+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
127+#include <linux/android_aid.h>
128+
129+static inline int current_has_network(void)
130+{
131+ return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);
132+}
133+#else
134+static inline int current_has_network(void)
135+{
136+ return 1;
137+}
138+#endif
139+
126140 /* The inetsw table contains everything that inet_create needs to
127141 * build a new socket.
128142 */
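Review bot: current_has_network() at lines 129-132 is byte-for-byte the same helper this patch adds to net/ipv6/af_inet6.c; move one copy, including the !CONFIG stub, into include/linux/android_aid.h or a small header beside it instead of maintaining two. Note also that with the commoncap.c change in this patch, capable(CAP_NET_RAW) here succeeds for members of AID_NET_RAW as well, so the effective allow-list is AID_INET, AID_NET_RAW and genuine CAP_NET_RAW holders, and every socket() from a process that is in net_raw but not inet will hit the printk path in cap_capable().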
@@ -258,6 +272,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
258272 if (protocol < 0 || protocol >= IPPROTO_MAX)
259273 return -EINVAL;
260274
275+ if (!current_has_network())
276+ return -EACCES;
277+
261278 sock->state = SS_UNCONNECTED;
262279
263280 /* Look for the requested type/protocol pair. */
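Review bot: the check at lines 275-276 does not consult `kern`, so sockets created from kernel code via sock_create_kern() while a task outside AID_INET is current are refused as well; the raw-socket check a few lines further down already skips `kern` sockets and this one should too (the same applies to the inet6_create hunk). Minor: this path returns -EACCES while the Bluetooth path returns -EPERM; pick one so userspace sees a consistent error for "not in the network group".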
@@ -306,8 +323,7 @@ lookup_protocol:
306323 }
307324
308325 err = -EPERM;
309- if (sock->type == SOCK_RAW && !kern &&
310- !ns_capable(net->user_ns, CAP_NET_RAW))
326+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
311327 goto out_rcu_unlock;
312328
313329 sock->ops = answer->ops;
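Review bot: lines 309-310 become line 326 by swapping ns_capable(net->user_ns, CAP_NET_RAW) for capable(CAP_NET_RAW), and this hunk is not under #ifdef CONFIG_ANDROID_PARANOID_NETWORK, so even with the option off a task that holds CAP_NET_RAW only in the user namespace owning its network namespace can no longer open raw sockets. If the aim is to route the check through the Android group grant in cap_capable(), ns_capable() already reaches it via security_capable(), so the original call could stay; otherwise this is an unrelated behaviour change that deserves its own commit (same in af_inet6.c).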
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -66,6 +66,20 @@
6666 #include <linux/uaccess.h>
6767 #include <linux/mroute6.h>
6868
69+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
70+#include <linux/android_aid.h>
71+
72+static inline int current_has_network(void)
73+{
74+ return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);
75+}
76+#else
77+static inline int current_has_network(void)
78+{
79+ return 1;
80+}
81+#endif
82+
6983 #include "ip6_offload.h"
7084
7185 MODULE_AUTHOR("Cast of dozens");
@@ -122,6 +136,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
122136 if (protocol < 0 || protocol >= IPPROTO_MAX)
123137 return -EINVAL;
124138
139+ if (!current_has_network())
140+ return -EACCES;
141+
125142 /* Look for the requested type/protocol pair. */
126143 lookup_protocol:
127144 err = -ESOCKTNOSUPPORT;
@@ -168,8 +185,7 @@ lookup_protocol:
168185 }
169186
170187 err = -EPERM;
171- if (sock->type == SOCK_RAW && !kern &&
172- !ns_capable(net->user_ns, CAP_NET_RAW))
188+ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
173189 goto out_rcu_unlock;
174190
175191 sock->ops = answer->ops;
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -31,6 +31,10 @@
3131 #include <linux/binfmts.h>
3232 #include <linux/personality.h>
3333
34+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
35+#include <linux/android_aid.h>
36+#endif
37+
3438 /*
3539 * If a non-root user executes a setuid-root binary in
3640 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
@@ -54,7 +58,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
5458 }
5559
5660 /**
57- * cap_capable - Determine whether a task has a particular effective capability
61+ * __cap_capable - Determine whether a task has a particular effective capability
5862 * @cred: The credentials to use
5963 * @ns: The user namespace in which we need the capability
6064 * @cap: The capability to check for
@@ -68,7 +72,7 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
6872 * cap_has_capability() returns 0 when a task has a capability, but the
6973 * kernel's capable() and has_capability() returns 1 for this case.
7074 */
71-int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
75+int __cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
7276 int cap, int audit)
7377 {
7478 struct user_namespace *ns = targ_ns;
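Review bot: __cap_capable() at line 75 now has external linkage but no prototype in any header, which sparse will flag and which exposes a helper nothing outside this file should call; make it static. The kernel-doc block that described cap_capable() now describes __cap_capable() (line 61), leaving the new cap_capable() wrapper, the function the LSM hook actually calls, with no documentation of the Android group semantics it adds.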
@@ -106,6 +110,27 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
106110 /* We never get here */
107111 }
108112
113+int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
114+ int cap, int audit)
115+{
116+ int ret = __cap_capable(cred, targ_ns, cap, audit);
117+
118+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
119+ if (ret != 0 && cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) {
120+ printk("Process %s granted CAP_NET_RAW from Android group net_raw.\n", current->comm);
121+ printk(" Please update the .rc file to explictly set 'capabilities NET_RAW'\n");
122+ printk(" Implicit grants are deprecated and will be removed in the future.\n");
123+ return 0;
124+ }
125+ if (ret != 0 && cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) {
126+ printk("Process %s granted CAP_NET_ADMIN from Android group net_admin.\n", current->comm);
127+ printk(" Please update the .rc file to explictly set 'capabilities NET_ADMIN'\n");
128+ printk(" Implicit grants are deprecated and will be removed in the future.\n");
129+ return 0;
130+ }
131+#endif
132+ return ret;
133+}
109134 /**
110135 * cap_settime - Determine whether the current process may set the system clock
111136 * @ts: The time to set
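Review bot: the grant at lines 119-130 ignores targ_ns, so a net_raw or net_admin group member is given CAP_NET_RAW or CAP_NET_ADMIN in every user namespace, not only the initial one; add a `targ_ns == &init_user_ns` condition so the implicit grant is no wider than the capable() checks it stands in for. The printk() calls have no KERN_ level and no rate limiting, yet cap_capable() runs on every capability check, and with the af_inet change above a net_raw process emits three lines per socket() call; use pr_warn_ratelimited() instead. Also "explictly" in the user-visible strings at lines 121 and 127 should read "explicitly", and a blank line is needed between the new closing brace at line 133 and the kernel-doc comment at line 134.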