The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).
The LSM allows configuring a whitelist policy of permitted from:to uid
transitions. The policy is enforced upon calls to setuid(2) and related
syscalls.
Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy; and
- safesetid/flush_whitelist_policies
A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).
A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).
See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html

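The securityfs interface described above, as an added shell example (not code from the commit, nixpkgs or the SafeSetID LSM itself). It assumes securityfs is mounted at /sys/kernel/security and uses the file names named in the commit message (add_whitelist_policy and flush_whitelist_policies; later kernels renamed these, so check the linked documentation for the running version). The "from_uid:to_uid" line format and "any write to the flush file clears all policies" behaviour follow the linked SafeSetID documentation; writing to either file needs CAP_MAC_ADMIN, so in practice root. The helper functions (safesetid_validate, safesetid_in_config, safesetid_available, safesetid_add, safesetid_flush) and the SAFESETID_DIR override are this example's own names.

```shell
#!/bin/sh
# Added example: configure SafeSetID uid transition policies via securityfs.
# Assumption: securityfs at /sys/kernel/security, file names as in the commit
# message above (later kernels renamed them). SAFESETID_DIR can be overridden
# for dry runs against an ordinary directory.

SAFESETID_DIR="${SAFESETID_DIR:-/sys/kernel/security/safesetid}"

# Validate a "from:to" policy line: both sides must be decimal uids.
# Returns 0 when well-formed, 1 otherwise.
safesetid_validate() {
    case "$1" in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;   # empty, non-numeric, missing side, extra colon
        *:*) return 0 ;;                        # digits:digits
        *) return 1 ;;                          # no colon at all
    esac
}

# True when CONFIG_SECURITY_SAFESETID=y in the running kernel's config
# (via /proc/config.gz or the distro's /boot/config-<release>).
safesetid_in_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_SECURITY_SAFESETID=y'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep -q '^CONFIG_SECURITY_SAFESETID=y' "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# True when the securityfs interface is present and writable by us
# (requires CAP_MAC_ADMIN, i.e. root).
safesetid_available() {
    [ -w "$SAFESETID_DIR/add_whitelist_policy" ]
}

# Add one permitted from:to transition. Malformed lines are rejected here so
# that a typo never reaches the kernel; a bad policy is otherwise hard to spot
# until a process is killed for an unexpected transition.
safesetid_add() {
    safesetid_validate "$1" || { echo "safesetid: invalid policy line '$1'" >&2; return 2; }
    printf '%s\n' "$1" > "$SAFESETID_DIR/add_whitelist_policy"
}

# Drop every configured policy (per the linked docs, any write clears the list).
safesetid_flush() {
    printf '1\n' > "$SAFESETID_DIR/flush_whitelist_policies"
}

# Example use, as root: let a service running as uid 1000 drop to 1001 or
# 1002 without CAP_SETUID. Once uid 1000 has a policy, it is also denied the
# auxiliary setuid privileges mentioned above (e.g. creating user namespaces).
#   safesetid_in_config && safesetid_available || exit 1
#   safesetid_flush
#   safesetid_add 1000:1001
#   safesetid_add 1000:1002
```

Keep the flush call first when (re)applying a policy set at boot, because add_whitelist_policy only ever appends; a transition that was whitelisted by an earlier run stays permitted until the list is flushed.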
This reverts commit c68e8b05f0.
RANDSTRUCT currently fails to work with out-of-tree modules, as
evinced by
c68e8b05f0 (commitcomment-31850284)
and https://github.com/NixOS/nixpkgs/issues/53522.
Specifically, loading out-of-tree modules results in modsym version
mismatches, as in
spl: version magic '4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN
from the issue above.
A working hypothesis is that the randstruct seed is not carried over when
building out-of-tree modules but more investigation is needed here.
Closes https://github.com/NixOS/nixpkgs/issues/53522

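A diagnostic for the version magic mismatch quoted above, as an added shell example (not code from the commit, nixpkgs, spl or the kernel). It tokenises a module's vermagic and the running kernel's vermagic and reports which flags differ, so that the offending token (here the RANDSTRUCT_PLUGIN one) is named rather than buried in a modprobe error. Tokens are compared whole: upstream's vermagic.h appends a hash of the randstruct seed to that token, so two builds with different seeds show up as one missing and one extra token. The reading of the kernel side from an in-tree module under /lib/modules/$(uname -r) is this example's assumption, as are the function names; the sample strings in the usage comment are constructed for illustration, not taken from the issue.

```shell
#!/bin/sh
# Added example: explain a "version magic" mismatch by diffing vermagic tokens.
# Assumptions: kmod's modinfo is available, and at least one in-tree module
# exists under /lib/modules/$(uname -r)/kernel to read the kernel's vermagic from.

# Print the tokens present in string $2 but absent from string $1, space-separated.
vermagic_missing_from() {
    have="$1"; want="$2"
    out=""
    for tok in $want; do
        found=0
        for h in $have; do [ "$h" = "$tok" ] && found=1; done
        [ "$found" -eq 0 ] && out="$out $tok"
    done
    printf '%s\n' "${out# }"
}

# Compare the kernel's vermagic ($1) with a module's ($2).
# Prints a diagnosis; returns 0 when they match, 1 when the module would be refused.
vermagic_diff() {
    kern="$1"; mod="$2"
    if [ "$kern" = "$mod" ]; then
        echo "vermagic matches: $kern"
        return 0
    fi
    extra=$(vermagic_missing_from "$kern" "$mod")
    missing=$(vermagic_missing_from "$mod" "$kern")
    [ -n "$extra" ]   && echo "module has flags the kernel lacks: $extra"
    [ -n "$missing" ] && echo "kernel has flags the module lacks: $missing"
    return 1
}

# vermagic of a .ko file (modinfo handles compressed modules too).
ko_vermagic() {
    modinfo -F vermagic "$1"
}

# vermagic of the running kernel, read from any in-tree module.
kernel_vermagic() {
    ko=$(find "/lib/modules/$(uname -r)/kernel" -name '*.ko*' 2>/dev/null | head -n 1)
    [ -n "$ko" ] || return 1
    ko_vermagic "$ko"
}

# Usage: check an out-of-tree module before loading it.
#   vermagic_diff "$(kernel_vermagic)" "$(ko_vermagic /path/to/spl.ko)"
# Constructed illustration of the RANDSTRUCT case (seed hashes made up):
#   vermagic_diff "4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN_aaaa" \
#                 "4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN_bbbb"
#   -> module has flags the kernel lacks: RANDSTRUCT_PLUGIN_bbbb
#      kernel has flags the module lacks: RANDSTRUCT_PLUGIN_aaaa
```

Note that a matching vermagic is only the first gate: with CONFIG_MODVERSIONS the per-symbol CRCs are checked next, and those differ too when the struct layouts were randomised with a different seed, so this check tells you which build flag to fix, not that the module will load.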
This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT. Enabling
EXPERT, however, seems to introduce quite a few changes that would need to be
properly vetted.
The version guard is unnecessary, however, as this config has been supported
since 4.3.

SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting it results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.

Note
- the kernel config parser ignores "# foo is unset" comments so they
have no effect; disabling kernel modules would break *everything* and so
is ill-suited for a general-purpose kernel anyway --- the hardened nixos
profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
the build; fix by making it optional
- restored some original comments which I feel are clearer
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative or not yet proven to be
worthwhile for general-purpose kernels.