criu/security.c

#include <unistd.h>
#include "crtools.h"
#include "proc_parse.h"
#include "log.h"

static unsigned int cr_uid; /* UID which user can C/R */

/*
 * Setup what user is requesting for dump (via rpc or using 
 * suid bit on crtools). Later we would deny to dump/restore 
 * a task, to which the original user doesn't have the direct 
 * access to. (Or implement some trickier security policy).
 */

void restrict_uid(unsigned int uid)
{
	pr_info("Restrict C/R with %u uid\n", uid);
	cr_uid = uid;
}

static bool check_uid(unsigned int uid)
{
	if (cr_uid == 0)
		return true;
	if (cr_uid == uid)
		return true;

	return false;
}

bool may_dump(struct proc_status_creds *creds)
{
	unsigned int uid = creds->uids[0];

	if (check_uid(uid))
		return true;

	pr_err("UID (%u) != dumper's UID(%u)\n", uid, cr_uid);
	return false;
}

bool may_restore(CredsEntry *creds)
{
	unsigned int uid = creds->uid;

	if (check_uid(uid))
		return true;

	pr_err("UID (%u) != restorer's UID(%u)\n", uid, cr_uid);
	return false;
}
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`#include <unistd.h>`
			`#include "crtools.h"`
security: Push full creds info into may_xxx checks It's not enough to check only uids on dump and restore -- we need to check e-ids and s-ids now (and caps in the future). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 15:48:44 +04:00			`#include "proc_parse.h"`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`#include "log.h"`

v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`static unsigned int cr_uid; /* UID which user can C/R */`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00
			`/*`
			`* Setup what user is requesting for dump (via rpc or using`
			`* suid bit on crtools). Later we would deny to dump/restore`
			`* a task, to which the original user doesn't have the direct`
			`* access to. (Or implement some trickier security policy).`
			`*/`

			`void restrict_uid(unsigned int uid)`
			`{`
			`pr_info("Restrict C/R with %u uid\n", uid);`
v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`cr_uid = uid;`
			`}`

			`static bool check_uid(unsigned int uid)`
			`{`
			`if (cr_uid == 0)`
			`return true;`
			`if (cr_uid == uid)`
			`return true;`

			`return false;`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`}`

security: Push full creds info into may_xxx checks It's not enough to check only uids on dump and restore -- we need to check e-ids and s-ids now (and caps in the future). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 15:48:44 +04:00			`bool may_dump(struct proc_status_creds *creds)`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`{`
security: Push full creds info into may_xxx checks It's not enough to check only uids on dump and restore -- we need to check e-ids and s-ids now (and caps in the future). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 15:48:44 +04:00			`unsigned int uid = creds->uids[0];`

v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`if (check_uid(uid))`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`return true;`
v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00
			`pr_err("UID (%u) != dumper's UID(%u)\n", uid, cr_uid);`
			`return false;`
			`}`

security: Push full creds info into may_xxx checks It's not enough to check only uids on dump and restore -- we need to check e-ids and s-ids now (and caps in the future). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 15:48:44 +04:00			`bool may_restore(CredsEntry *creds)`
v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`{`
security: Push full creds info into may_xxx checks It's not enough to check only uids on dump and restore -- we need to check e-ids and s-ids now (and caps in the future). Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 15:48:44 +04:00			`unsigned int uid = creds->uid;`

v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`if (check_uid(uid))`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`return true;`

v2 security: set suid flag on crtools and check real uid on dump/restore v2: remove redundant functions and variables. Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-10-02 17:11:17 +04:00			`pr_err("UID (%u) != restorer's UID(%u)\n", uid, cr_uid);`
security: Introduce (rather basic) security restrictions for C/R Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com> 2013-09-28 06:16:17 +04:00			`return false;`
			`}`