hardened-config: enable the SafeSetID LSM

The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
This commit is contained in:
Joachim Fasting 2019-05-07 11:08:36 +02:00
parent 7085da0cef
commit 87bc514620
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294

View File

@ -91,6 +91,9 @@ optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
PAGE_POISONING_NO_SANITY = yes;
PAGE_POISONING_ZERO = yes;
# Enable the SafeSetId LSM
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
# Reboot devices immediately if kernel experiences an Oops.
PANIC_ON_OOPS = yes;
PANIC_TIMEOUT = freeform "-1";