|
| 1 | +# SafeSetID Policy Manager |
| 2 | + |
| 3 | +This repository contains the `safesetid` script — a policy manager for the SafeSetID Linux Security Module (LSM). |
| 4 | + |
| 5 | +The script writes base policies to the SafeSetID sysfs interface, detects newly created users/UIDs, and can restrict them. It features a robust self-healing model (wrapper, hardened backups, `tmpfs` runtime store) to ensure the integrity of the system. |
| 6 | + |
| 7 | +Important: This is a Bash script and requires kernel support for SafeSetID exposed at `/sys/kernel/security/safesetid`. If this directory is missing, no kernel policies will be modified. |
| 8 | + |
| 9 | +## Why Use SafeSetID? A Comparison with `NoNewPrivileges` |
| 10 | + |
| 11 | +Before using this tool, it's helpful to understand what SafeSetID provides compared to other security mechanisms like systemd's `NoNewPrivileges=yes`. |
| 12 | + |
| 13 | +In short: |
| 14 | +- `NoNewPrivileges=yes` is a hammer. It's a one-way switch that prevents a process and all of its children from gaining new privileges (e.g., from setuid binaries). It's powerful but coarse. |
| 15 | +- SafeSetID is a scalpel. It's a rule-based LSM that lets you define exactly which UID/GID identity transitions are allowed. It doesn’t block all privilege transitions, only those not explicitly on the allow-list. |
| 16 | + |
| 17 | +### Feature Comparison |
| 18 | + |
| 19 | +| Feature | `NoNewPrivileges=yes` (systemd) | SafeSetID (Kernel LSM) | |
| 20 | +| :--- | :--- | :--- | |
| 21 | +| **Goal** | Prevent any future privilege gains in a process tree. | Control identity transitions by explicitly allow-listing UID/GID changes. | |
| 22 | +| **Granularity** | Coarse (global on/off per process tree). | Fine-grained (per-transition rules). | |
| 23 | +| **Flexibility** | Low—can break legitimate workflows. | High—allows specific transitions while blocking unexpected ones. | |
| 24 | +| **Use Case** | Long-running daemons that never need privilege changes. | Tools or workflows that require specific, controlled transitions. | |
| 25 | +| **Operational Complexity** | Easy to enable, but blunt for complex apps. | Requires policy management (which this script automates). | |
| 26 | +| **Recovery / Self-Healing** | None. | **Supported by this project** (wrapper, backups, tmpfs, monitors). | |
| 27 | + |
| 28 | +This `safesetid` script acts as a policy manager, making the powerful SafeSetID kernel feature practical and automated. |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +## Current Status and Behavior |
| 33 | + |
| 34 | +- Oneshoot and path-triggered units: |
| 35 | + - `safesetid.service` is `Type=oneshot`. It may appear `inactive` after successful execution (`Result=success`). |
| 36 | + - `safesetid-monitor.service` and `safesetid-file-monitor.service` are triggered by their respective `.path` units and are typically `static/inactive` until a file change occurs. |
| 37 | +- Self-healing: |
| 38 | + - Hardened backups are kept in `/var/lib/safesetid` (optionally immutable). |
| 39 | + - A runtime trust anchor (`tmpfs` at `/var/tmp/safesetid`) holds authoritative copies; monitors and verify repair deviations. |
| 40 | +- Internal commands (protected): |
| 41 | + - Internal maintenance commands (prefixed with `_` and `check_function`) cannot be run directly from a terminal and are executed only via the wrapper or systemd. |
| 42 | +- DoS mitigation: |
| 43 | + - High-frequency events are tracked; a mitigator may be scheduled to reduce load and perform conservative repairs. |
| 44 | +- Locks: |
| 45 | + - Global locking avoids concurrent modifications; if `flock` is unavailable, the script falls back to best-effort temporary locks. |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +## Installation & Administration |
| 50 | + |
| 51 | +### Install or Update |
| 52 | +The installer is idempotent and sets up all components, backups, hashes, and systemd units. |
| 53 | +```bash |
| 54 | +sudo ./safesetid install_script |
| 55 | +``` |
| 56 | +During installation a 32-bit uninstall token (hex, 8 chars) is generated and stored at `/var/lib/safesetid/.uninstall_token`. The installer logs the token once — store it securely. |
| 57 | + |
| 58 | +### Configure Base Policies |
| 59 | +Edit and apply UID/GID policies. Must be invoked via `sudo`/`doas` (not from a direct root shell). |
| 60 | +```bash |
| 61 | +sudo safesetid configure_uid |
| 62 | +sudo safesetid configure_gid |
| 63 | +``` |
| 64 | + |
| 65 | +### Manual Verification |
| 66 | +Run integrity checks and self-healing. Typically triggered automatically by `.path` units. |
| 67 | +```bash |
| 68 | +sudo safesetid verify |
| 69 | +``` |
| 70 | + |
| 71 | +### Uninstall (Protected) |
| 72 | +Uninstall requires: |
| 73 | +1. Invocation via `sudo`/`doas` from a regular user. |
| 74 | +2. The uninstall token as the second argument (generated at install, stored in `/var/lib/safesetid/.uninstall_token`). |
| 75 | +3. Interactive confirmation. |
| 76 | +```bash |
| 77 | +sudo safesetid uninstall_script <UNINSTALL_TOKEN> |
| 78 | +``` |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +## Systemd Units |
| 83 | + |
| 84 | +- `var-tmp-safesetid.mount`: mounts the runtime `tmpfs`. |
| 85 | +- `safesetid.service`: oneshot boot-time application of policies. |
| 86 | +- `safesetid-wrapper-restore.path` + `.service`: restores the wrapper if changed/deleted. |
| 87 | +- `safesetid-monitor.path` + `.service`: watches `/etc/passwd` and runs a UID check. |
| 88 | +- `safesetid-file-monitor.path` + `.service`: watches critical script/config files and triggers verification. |
| 89 | + |
| 90 | +Note: Path-triggered services are expected to be `inactive/static` and only run on file events. Oneshoot `safesetid.service` is `inactive` after successful completion. |
| 91 | + |
| 92 | +--- |
| 93 | + |
| 94 | +## Smoke Test |
| 95 | + |
| 96 | +A non-destructive smoke test is provided under `Test/smoke_test`. It: |
| 97 | +- Runs syntax and ShellCheck. |
| 98 | +- Invokes `verify` and validates datastore integrity and wrapper backups. |
| 99 | +- Tests lock behavior by running verify and check_function concurrently (check_function is blocked from terminal, as designed). |
| 100 | +- Checks all systemd units, treating oneshot/static/path-triggered units correctly. |
| 101 | +- Optionally triggers `.path` units via `touch /etc/passwd` and `touch /etc/group` and prints recent journal entries. |
| 102 | + |
| 103 | +Run: |
| 104 | +```bash |
| 105 | +sudo ./Test/smoke_test |
| 106 | +``` |
| 107 | + |
| 108 | +--- |
| 109 | + |
| 110 | +## Troubleshooting |
| 111 | + |
| 112 | +- View unit status and logs: |
| 113 | +```bash |
| 114 | +sudo systemctl status safesetid-*.path safesetid-*.service var-tmp-safesetid.mount |
| 115 | +sudo journalctl -u safesetid.service -n 50 --no-pager |
| 116 | +sudo journalctl -u safesetid-file-monitor.service -n 50 --no-pager |
| 117 | +``` |
| 118 | +- If `/sys/kernel/security/safesetid` is missing, kernel support is not available; the script will skip kernel policy writes. |
| 119 | + |
| 120 | +--- |
| 121 | + |
| 122 | +## Security Notes |
| 123 | + |
| 124 | +- This is not a high-security product; it’s a practical policy manager with bonus self-protection. |
| 125 | +- Self-healing and immutable backups raise the bar against accidental changes and simple tampering. A local root attacker can still disable protections. |
| 126 | +- For stronger guarantees, consider Secure Boot, IMA/EVM, and remote/WORM logging. |
| 127 | + |
| 128 | +--- |
| 129 | + |
| 130 | +## License |
| 131 | + |
| 132 | +MIT License |
0 commit comments