Blame view

kernel/linux-imx6_3.14.28/Documentation/security/credentials.txt 20.4 KB
6b13f685e   김민수   BSP 최초 추가
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
  			     ====================
  			     CREDENTIALS IN LINUX
  			     ====================
  
  By: David Howells <dhowells@redhat.com>
  
  Contents:
  
   (*) Overview.
  
   (*) Types of credentials.
  
   (*) File markings.
  
   (*) Task credentials.
  
       - Immutable credentials.
       - Accessing task credentials.
       - Accessing another task's credentials.
       - Altering credentials.
       - Managing credentials.
  
   (*) Open file credentials.
  
   (*) Overriding the VFS's use of credentials.
  
  
  ========
  OVERVIEW
  ========
  
  There are several parts to the security check performed by Linux when one
  object acts upon another:
  
   (1) Objects.
  
       Objects are things in the system that may be acted upon directly by
       userspace programs.  Linux has a variety of actionable objects, including:
  
  	- Tasks
  	- Files/inodes
  	- Sockets
  	- Message queues
  	- Shared memory segments
  	- Semaphores
  	- Keys
  
       As a part of the description of all these objects there is a set of
       credentials.  What's in the set depends on the type of object.
  
   (2) Object ownership.
  
       Amongst the credentials of most objects, there will be a subset that
       indicates the ownership of that object.  This is used for resource
       accounting and limitation (disk quotas and task rlimits for example).
  
       In a standard UNIX filesystem, for instance, this will be defined by the
       UID marked on the inode.
  
   (3) The objective context.
  
       Also amongst the credentials of those objects, there will be a subset that
       indicates the 'objective context' of that object.  This may or may not be
       the same set as in (2) - in standard UNIX files, for instance, this is the
       defined by the UID and the GID marked on the inode.
  
       The objective context is used as part of the security calculation that is
       carried out when an object is acted upon.
  
   (4) Subjects.
  
       A subject is an object that is acting upon another object.
  
       Most of the objects in the system are inactive: they don't act on other
       objects within the system.  Processes/tasks are the obvious exception:
       they do stuff; they access and manipulate things.
  
       Objects other than tasks may under some circumstances also be subjects.
       For instance an open file may send SIGIO to a task using the UID and EUID
       given to it by a task that called fcntl(F_SETOWN) upon it.  In this case,
       the file struct will have a subjective context too.
  
   (5) The subjective context.
  
       A subject has an additional interpretation of its credentials.  A subset
       of its credentials forms the 'subjective context'.  The subjective context
       is used as part of the security calculation that is carried out when a
       subject acts.
  
       A Linux task, for example, has the FSUID, FSGID and the supplementary
       group list for when it is acting upon a file - which are quite separate
       from the real UID and GID that normally form the objective context of the
       task.
  
   (6) Actions.
  
       Linux has a number of actions available that a subject may perform upon an
       object.  The set of actions available depends on the nature of the subject
       and the object.
  
       Actions include reading, writing, creating and deleting files; forking or
       signalling and tracing tasks.
  
   (7) Rules, access control lists and security calculations.
  
       When a subject acts upon an object, a security calculation is made.  This
       involves taking the subjective context, the objective context and the
       action, and searching one or more sets of rules to see whether the subject
       is granted or denied permission to act in the desired manner on the
       object, given those contexts.
  
       There are two main sources of rules:
  
       (a) Discretionary access control (DAC):
  
  	 Sometimes the object will include sets of rules as part of its
  	 description.  This is an 'Access Control List' or 'ACL'.  A Linux
  	 file may supply more than one ACL.
  
  	 A traditional UNIX file, for example, includes a permissions mask that
  	 is an abbreviated ACL with three fixed classes of subject ('user',
  	 'group' and 'other'), each of which may be granted certain privileges
  	 ('read', 'write' and 'execute' - whatever those map to for the object
  	 in question).  UNIX file permissions do not allow the arbitrary
  	 specification of subjects, however, and so are of limited use.
  
  	 A Linux file might also sport a POSIX ACL.  This is a list of rules
  	 that grants various permissions to arbitrary subjects.
  
       (b) Mandatory access control (MAC):
  
  	 The system as a whole may have one or more sets of rules that get
  	 applied to all subjects and objects, regardless of their source.
  	 SELinux and Smack are examples of this.
  
  	 In the case of SELinux and Smack, each object is given a label as part
  	 of its credentials.  When an action is requested, they take the
  	 subject label, the object label and the action and look for a rule
  	 that says that this action is either granted or denied.
  
  
  ====================
  TYPES OF CREDENTIALS
  ====================
  
  The Linux kernel supports the following types of credentials:
  
   (1) Traditional UNIX credentials.
  
  	Real User ID
  	Real Group ID
  
       The UID and GID are carried by most, if not all, Linux objects, even if in
       some cases it has to be invented (FAT or CIFS files for example, which are
       derived from Windows).  These (mostly) define the objective context of
       that object, with tasks being slightly different in some cases.
  
  	Effective, Saved and FS User ID
  	Effective, Saved and FS Group ID
  	Supplementary groups
  
       These are additional credentials used by tasks only.  Usually, an
       EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID
       will be used as the objective.  For tasks, it should be noted that this is
       not always true.
  
   (2) Capabilities.
  
  	Set of permitted capabilities
  	Set of inheritable capabilities
  	Set of effective capabilities
  	Capability bounding set
  
       These are only carried by tasks.  They indicate superior capabilities
       granted piecemeal to a task that an ordinary task wouldn't otherwise have.
       These are manipulated implicitly by changes to the traditional UNIX
       credentials, but can also be manipulated directly by the capset() system
       call.
  
       The permitted capabilities are those caps that the process might grant
       itself to its effective or permitted sets through capset().  This
       inheritable set might also be so constrained.
  
       The effective capabilities are the ones that a task is actually allowed to
       make use of itself.
  
       The inheritable capabilities are the ones that may get passed across
       execve().
  
       The bounding set limits the capabilities that may be inherited across
       execve(), especially when a binary is executed that will execute as UID 0.
  
   (3) Secure management flags (securebits).
  
       These are only carried by tasks.  These govern the way the above
       credentials are manipulated and inherited over certain operations such as
       execve().  They aren't used directly as objective or subjective
       credentials.
  
   (4) Keys and keyrings.
  
       These are only carried by tasks.  They carry and cache security tokens
       that don't fit into the other standard UNIX credentials.  They are for
       making such things as network filesystem keys available to the file
       accesses performed by processes, without the necessity of ordinary
       programs having to know about security details involved.
  
       Keyrings are a special type of key.  They carry sets of other keys and can
       be searched for the desired key.  Each process may subscribe to a number
       of keyrings:
  
  	Per-thread keying
  	Per-process keyring
  	Per-session keyring
  
       When a process accesses a key, if not already present, it will normally be
       cached on one of these keyrings for future accesses to find.
  
       For more information on using keys, see Documentation/security/keys.txt.
  
   (5) LSM
  
       The Linux Security Module allows extra controls to be placed over the
       operations that a task may do.  Currently Linux supports several LSM
       options.
  
       Some work by labelling the objects in a system and then applying sets of
       rules (policies) that say what operations a task with one label may do to
       an object with another label.
  
   (6) AF_KEY
  
       This is a socket-based approach to credential management for networking
       stacks [RFC 2367].  It isn't discussed by this document as it doesn't
       interact directly with task and file credentials; rather it keeps system
       level credentials.
  
  
  When a file is opened, part of the opening task's subjective context is
  recorded in the file struct created.  This allows operations using that file
  struct to use those credentials instead of the subjective context of the task
  that issued the operation.  An example of this would be a file opened on a
  network filesystem where the credentials of the opened file should be presented
  to the server, regardless of who is actually doing a read or a write upon it.
  
  
  =============
  FILE MARKINGS
  =============
  
  Files on disk or obtained over the network may have annotations that form the
  objective security context of that file.  Depending on the type of filesystem,
  this may include one or more of the following:
  
   (*) UNIX UID, GID, mode;
  
   (*) Windows user ID;
  
   (*) Access control list;
  
   (*) LSM security label;
  
   (*) UNIX exec privilege escalation bits (SUID/SGID);
  
   (*) File capabilities exec privilege escalation bits.
  
  These are compared to the task's subjective security context, and certain
  operations allowed or disallowed as a result.  In the case of execve(), the
  privilege escalation bits come into play, and may allow the resulting process
  extra privileges, based on the annotations on the executable file.
  
  
  ================
  TASK CREDENTIALS
  ================
  
  In Linux, all of a task's credentials are held in (uid, gid) or through
  (groups, keys, LSM security) a refcounted structure of type 'struct cred'.
  Each task points to its credentials by a pointer called 'cred' in its
  task_struct.
  
  Once a set of credentials has been prepared and committed, it may not be
  changed, barring the following exceptions:
  
   (1) its reference count may be changed;
  
   (2) the reference count on the group_info struct it points to may be changed;
  
   (3) the reference count on the security data it points to may be changed;
  
   (4) the reference count on any keyrings it points to may be changed;
  
   (5) any keyrings it points to may be revoked, expired or have their security
       attributes changed; and
  
   (6) the contents of any keyrings to which it points may be changed (the whole
       point of keyrings being a shared set of credentials, modifiable by anyone
       with appropriate access).
  
  To alter anything in the cred struct, the copy-and-replace principle must be
  adhered to.  First take a copy, then alter the copy and then use RCU to change
  the task pointer to make it point to the new copy.  There are wrappers to aid
  with this (see below).
  
  A task may only alter its _own_ credentials; it is no longer permitted for a
  task to alter another's credentials.  This means the capset() system call is no
  longer permitted to take any PID other than the one of the current process.
  Also keyctl_instantiate() and keyctl_negate() functions no longer permit
  attachment to process-specific keyrings in the requesting process as the
  instantiating process may need to create them.
  
  
  IMMUTABLE CREDENTIALS
  ---------------------
  
  Once a set of credentials has been made public (by calling commit_creds() for
  example), it must be considered immutable, barring two exceptions:
  
   (1) The reference count may be altered.
  
   (2) Whilst the keyring subscriptions of a set of credentials may not be
       changed, the keyrings subscribed to may have their contents altered.
  
  To catch accidental credential alteration at compile time, struct task_struct
  has _const_ pointers to its credential sets, as does struct file.  Furthermore,
  certain functions such as get_cred() and put_cred() operate on const pointers,
  thus rendering casts unnecessary, but require to temporarily ditch the const
  qualification to be able to alter the reference count.
  
  
  ACCESSING TASK CREDENTIALS
  --------------------------
  
  A task being able to alter only its own credentials permits the current process
  to read or replace its own credentials without the need for any form of locking
  - which simplifies things greatly.  It can just call:
  
  	const struct cred *current_cred()
  
  to get a pointer to its credentials structure, and it doesn't have to release
  it afterwards.
  
  There are convenience wrappers for retrieving specific aspects of a task's
  credentials (the value is simply returned in each case):
  
  	uid_t current_uid(void)		Current's real UID
  	gid_t current_gid(void)		Current's real GID
  	uid_t current_euid(void)	Current's effective UID
  	gid_t current_egid(void)	Current's effective GID
  	uid_t current_fsuid(void)	Current's file access UID
  	gid_t current_fsgid(void)	Current's file access GID
  	kernel_cap_t current_cap(void)	Current's effective capabilities
  	void *current_security(void)	Current's LSM security pointer
  	struct user_struct *current_user(void)  Current's user account
  
  There are also convenience wrappers for retrieving specific associated pairs of
  a task's credentials:
  
  	void current_uid_gid(uid_t *, gid_t *);
  	void current_euid_egid(uid_t *, gid_t *);
  	void current_fsuid_fsgid(uid_t *, gid_t *);
  
  which return these pairs of values through their arguments after retrieving
  them from the current task's credentials.
  
  
  In addition, there is a function for obtaining a reference on the current
  process's current set of credentials:
  
  	const struct cred *get_current_cred(void);
  
  and functions for getting references to one of the credentials that don't
  actually live in struct cred:
  
  	struct user_struct *get_current_user(void);
  	struct group_info *get_current_groups(void);
  
  which get references to the current process's user accounting structure and
  supplementary groups list respectively.
  
  Once a reference has been obtained, it must be released with put_cred(),
  free_uid() or put_group_info() as appropriate.
  
  
  ACCESSING ANOTHER TASK'S CREDENTIALS
  ------------------------------------
  
  Whilst a task may access its own credentials without the need for locking, the
  same is not true of a task wanting to access another task's credentials.  It
  must use the RCU read lock and rcu_dereference().
  
  The rcu_dereference() is wrapped by:
  
  	const struct cred *__task_cred(struct task_struct *task);
  
  This should be used inside the RCU read lock, as in the following example:
  
  	void foo(struct task_struct *t, struct foo_data *f)
  	{
  		const struct cred *tcred;
  		...
  		rcu_read_lock();
  		tcred = __task_cred(t);
  		f->uid = tcred->uid;
  		f->gid = tcred->gid;
  		f->groups = get_group_info(tcred->groups);
  		rcu_read_unlock();
  		...
  	}
  
  Should it be necessary to hold another task's credentials for a long period of
  time, and possibly to sleep whilst doing so, then the caller should get a
  reference on them using:
  
  	const struct cred *get_task_cred(struct task_struct *task);
  
  This does all the RCU magic inside of it.  The caller must call put_cred() on
  the credentials so obtained when they're finished with.
  
   [*] Note: The result of __task_cred() should not be passed directly to
       get_cred() as this may race with commit_cred().
  
  There are a couple of convenience functions to access bits of another task's
  credentials, hiding the RCU magic from the caller:
  
  	uid_t task_uid(task)		Task's real UID
  	uid_t task_euid(task)		Task's effective UID
  
  If the caller is holding the RCU read lock at the time anyway, then:
  
  	__task_cred(task)->uid
  	__task_cred(task)->euid
  
  should be used instead.  Similarly, if multiple aspects of a task's credentials
  need to be accessed, RCU read lock should be used, __task_cred() called, the
  result stored in a temporary pointer and then the credential aspects called
  from that before dropping the lock.  This prevents the potentially expensive
  RCU magic from being invoked multiple times.
  
  Should some other single aspect of another task's credentials need to be
  accessed, then this can be used:
  
  	task_cred_xxx(task, member)
  
  where 'member' is a non-pointer member of the cred struct.  For instance:
  
  	uid_t task_cred_xxx(task, suid);
  
  will retrieve 'struct cred::suid' from the task, doing the appropriate RCU
  magic.  This may not be used for pointer members as what they point to may
  disappear the moment the RCU read lock is dropped.
  
  
  ALTERING CREDENTIALS
  --------------------
  
  As previously mentioned, a task may only alter its own credentials, and may not
  alter those of another task.  This means that it doesn't need to use any
  locking to alter its own credentials.
  
  To alter the current process's credentials, a function should first prepare a
  new set of credentials by calling:
  
  	struct cred *prepare_creds(void);
  
  this locks current->cred_replace_mutex and then allocates and constructs a
  duplicate of the current process's credentials, returning with the mutex still
  held if successful.  It returns NULL if not successful (out of memory).
  
  The mutex prevents ptrace() from altering the ptrace state of a process whilst
  security checks on credentials construction and changing is taking place as
  the ptrace state may alter the outcome, particularly in the case of execve().
  
  The new credentials set should be altered appropriately, and any security
  checks and hooks done.  Both the current and the proposed sets of credentials
  are available for this purpose as current_cred() will return the current set
  still at this point.
  
  
  When the credential set is ready, it should be committed to the current process
  by calling:
  
  	int commit_creds(struct cred *new);
  
  This will alter various aspects of the credentials and the process, giving the
  LSM a chance to do likewise, then it will use rcu_assign_pointer() to actually
  commit the new credentials to current->cred, it will release
  current->cred_replace_mutex to allow ptrace() to take place, and it will notify
  the scheduler and others of the changes.
  
  This function is guaranteed to return 0, so that it can be tail-called at the
  end of such functions as sys_setresuid().
  
  Note that this function consumes the caller's reference to the new credentials.
  The caller should _not_ call put_cred() on the new credentials afterwards.
  
  Furthermore, once this function has been called on a new set of credentials,
  those credentials may _not_ be changed further.
  
  
  Should the security checks fail or some other error occur after prepare_creds()
  has been called, then the following function should be invoked:
  
  	void abort_creds(struct cred *new);
  
  This releases the lock on current->cred_replace_mutex that prepare_creds() got
  and then releases the new credentials.
  
  
  A typical credentials alteration function would look something like this:
  
  	int alter_suid(uid_t suid)
  	{
  		struct cred *new;
  		int ret;
  
  		new = prepare_creds();
  		if (!new)
  			return -ENOMEM;
  
  		new->suid = suid;
  		ret = security_alter_suid(new);
  		if (ret < 0) {
  			abort_creds(new);
  			return ret;
  		}
  
  		return commit_creds(new);
  	}
  
  
  MANAGING CREDENTIALS
  --------------------
  
  There are some functions to help manage credentials:
  
   (*) void put_cred(const struct cred *cred);
  
       This releases a reference to the given set of credentials.  If the
       reference count reaches zero, the credentials will be scheduled for
       destruction by the RCU system.
  
   (*) const struct cred *get_cred(const struct cred *cred);
  
       This gets a reference on a live set of credentials, returning a pointer to
       that set of credentials.
  
   (*) struct cred *get_new_cred(struct cred *cred);
  
       This gets a reference on a set of credentials that is under construction
       and is thus still mutable, returning a pointer to that set of credentials.
  
  
  =====================
  OPEN FILE CREDENTIALS
  =====================
  
  When a new file is opened, a reference is obtained on the opening task's
  credentials and this is attached to the file struct as 'f_cred' in place of
  'f_uid' and 'f_gid'.  Code that used to access file->f_uid and file->f_gid
  should now access file->f_cred->fsuid and file->f_cred->fsgid.
  
  It is safe to access f_cred without the use of RCU or locking because the
  pointer will not change over the lifetime of the file struct, and nor will the
  contents of the cred struct pointed to, barring the exceptions listed above
  (see the Task Credentials section).
  
  
  =======================================
  OVERRIDING THE VFS'S USE OF CREDENTIALS
  =======================================
  
  Under some circumstances it is desirable to override the credentials used by
  the VFS, and that can be done by calling into such as vfs_mkdir() with a
  different set of credentials.  This is done in the following places:
  
   (*) sys_faccessat().
  
   (*) do_coredump().
  
   (*) nfs4recover.c.