security: Introduce (rather basic) security restrictions for C/R

Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

security: Introduce (rather basic) security restrictions for C/R
Right now we have an ability to launch the C/R service from root and execure dump requests from unpriviledged users. Not to be bad guys, we deny dumping tasks belonging to user, that cannot be "watched" (traced, read /proc, etc.) by the dumper. In the future we will use this "engine" when launched with suid bit, and (probably) will have more sophisticated policy. Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
91389f87 · Pavel Emelyanov · cfe72ab7 · 91389f87 · 91389f87 · 91389f87
Commit 91389f87 authored Sep 28, 2013 by Pavel Emelyanov
Showing with 36 additions and 17 deletions

Makefile.crtools Makefile.crtools +1 -0

cr-dump.c cr-dump.c +2 -15

cr-service.c cr-service.c +1 -1

cr-service.h include/cr-service.h +0 -1

crtools.h include/crtools.h +3 -0

security.c security.c +29 -0

No files found.
--- a/Makefile.crtools
+++ b/Makefile.crtools
@@ -2,6 +2,7 @@ obj-y	+= parasite-syscall.o
 obj-y	+= mem.o
 obj-y	+= cr-restore.o
 obj-y	+= crtools.o
+obj-y	+= security.o
 obj-y	+= image.o
 obj-y	+= image-desc.o
 obj-y	+= net.o

--- a/cr-dump.c
+++ b/cr-dump.c
@@ -1341,19 +1341,6 @@ err_cure:
 	goto err_free;
 }

-static int check_uid(uid)
-{
-	if (cr_service_client)
-		if ((cr_service_client->uid != uid) &&
-				(cr_service_client->uid != 0)) {
-			pr_err("UID (%d) != client's UID(%d)\n",
-				uid, cr_service_client->uid);
-			return -1;
-		}
-
-	return 0;
-}
-
 static int dump_one_task(struct pstree_item *item)
 {
 	pid_t pid = item->pid.real;
@@ -1389,8 +1376,8 @@ static int dump_one_task(struct pstree_item *item)
 	if (ret)
 		goto err;

-	ret = check_uid(cr.uids[0]);
-	if (ret) {
+	if (!may_dump_uid(cr.uids[0])) {
+		ret = -1;
 		pr_err("Check uid (pid: %d) failed\n", pid);
 		goto err;
 	}

--- a/cr-service.c
+++ b/cr-service.c
@@ -88,7 +88,7 @@ static int setup_dump_from_req(int sk, CriuDumpReq *req)
 		return -1;
 	}

-	cr_service_client->uid = ids.uid;
+	restrict_uid(ids.uid);

 	if (fstat(sk, &st)) {
 		pr_perror("Can't get socket stat");

--- a/include/cr-service.h
+++ b/include/cr-service.h
@@ -11,7 +11,6 @@ int cr_service(bool deamon_mode);
 int send_criu_dump_resp(int socket_fd, bool success, bool restored);

 struct _cr_service_client {
-	int uid;
 };

 extern struct _cr_service_client *cr_service_client;

--- a/include/crtools.h
+++ b/include/crtools.h
@@ -208,4 +208,7 @@ static inline bool pid_rst_prio(unsigned pid_a, unsigned pid_b)
 	return pid_a < pid_b;
 }

+void restrict_uid(unsigned int uid);
+bool may_dump_uid(unsigned int uid);
+
 #endif /* __CR_CRTOOLS_H__ */
--- a/security.c
+++ b/security.c
+#include <unistd.h>
+#include "crtools.h"
+#include "log.h"
+
+static unsigned int dumper_uid = 0;
+
+/*
+ * Setup what user is requesting for dump (via rpc or using 
+ * suid bit on crtools). Later we would deny to dump/restore 
+ * a task, to which the original user doesn't have the direct 
+ * access to. (Or implement some trickier security policy).
+ */
+
+void restrict_uid(unsigned int uid)
+{
+	pr_info("Restrict C/R with %u uid\n", uid);
+	dumper_uid = uid;
+}
+
+bool may_dump_uid(unsigned int uid)
+{
+	if (dumper_uid == 0)
+		return true;
+	if (dumper_uid == uid)
+		return true;
+
+	pr_err("UID (%u) != dumper's UID(%u)\n", uid, dumper_uid);
+	return false;
+}