Branch data Line data Source code
1 : : #include <unistd.h>
2 : : #include "crtools.h"
3 : : #include "proc_parse.h"
4 : : #include "log.h"
5 : :
6 : : #include "protobuf/creds.pb-c.h"
7 : :
8 : : /*
9 : : * UID and GID of user requesting for C/R
10 : : */
11 : : static unsigned int cr_uid, cr_gid;
12 : :
13 : : /*
14 : : * Setup what user is requesting for dump (via rpc or using
15 : : * suid bit on crtools). Later we would deny to dump/restore
16 : : * a task, to which the original user doesn't have the direct
17 : : * access to. (Or implement some trickier security policy).
18 : : */
19 : :
20 : 3702 : void restrict_uid(unsigned int uid, unsigned int gid)
21 : : {
22 : 3702 : pr_info("Restrict C/R with %u:%u uid\n", uid, gid);
23 : 3702 : cr_uid = uid;
24 : 3702 : cr_gid = gid;
25 : 3702 : }
26 : :
27 : 2532 : static bool check_ids(unsigned int crid, unsigned int rid, unsigned int eid, unsigned int sid)
28 : : {
29 [ - + ]: 2532 : if (crid == 0)
30 : : return true;
31 [ # # ][ # # ]: 0 : if (crid == rid && crid == eid && crid == sid)
32 : : return true;
33 : :
34 : 0 : pr_err("UID/GID mismatch %u != (%u,%u,%u)\n", crid, rid, eid, sid);
35 : 0 : return false;
36 : : }
37 : :
38 : 1266 : static bool check_caps(u32 *inh, u32 *eff, u32 *prm)
39 : : {
40 : : int i;
41 : :
42 : : /*
43 : : * Impose the most strict requirements for now.
44 : : * "Real" root user can use any caps, other users may
45 : : * use none. Later we will implement more sophisticated
46 : : * security model.
47 : : */
48 : :
49 [ + - ][ - + ]: 1266 : if (cr_uid == 0 && cr_gid == 0)
50 : : return true;
51 : :
52 [ # # ]: 0 : for (i = 0; i < CR_CAP_SIZE; i++) {
53 [ # # ][ # # ]: 0 : if (inh[i] != 0 || eff[i] != 0 || prm[i] != 0) {
[ # # ]
54 : 0 : pr_err("CAPs not allowed for non-root user\n");
55 : 0 : return false;
56 : : }
57 : : }
58 : :
59 : : return true;
60 : : }
61 : :
62 : 919 : bool may_dump(struct proc_status_creds *creds)
63 : : {
64 [ + - ]: 1838 : return check_ids(cr_uid, creds->uids[0], creds->uids[1], creds->uids[2]) &&
65 [ + - ][ - + ]: 1838 : check_ids(cr_gid, creds->gids[0], creds->gids[1], creds->gids[2]) &&
66 : 919 : check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
67 : : }
68 : :
69 : 347 : bool may_restore(CredsEntry *creds)
70 : : {
71 [ + - ]: 694 : return check_ids(cr_uid, creds->uid, creds->euid, creds->suid) &&
72 [ + - ][ - + ]: 694 : check_ids(cr_gid, creds->gid, creds->egid, creds->sgid) &&
73 : 347 : check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
74 : : }
|
