kernel BUG at kernel/cred.c:434!
Paul Moore
paul at paul-moore.com
Wed Apr 17 15:40:49 UTC 2019
On Wed, Apr 17, 2019 at 10:57 AM Oleg Nesterov <oleg at redhat.com> wrote:
> On 04/17, Paul Moore wrote:
> >
> > I'm tempted to simply return an error in selinux_setprocattr() if
> > the task's credentials are not the same as its real_cred;
>
> What about other modules? I have no idea what smack_setprocattr() is,
> but it too does prepare_creds/commit creds.
>
> it seems that the simplest workaround should simply add the additional
> cred == real_cred into proc_pid_attr_write().
Yes, that is simple, but I worry about what other LSMs might want to
do. While I believe failing if the effective creds are not the same
as the real_creds is okay for SELinux (possibly Smack too), I worry
about what other LSMs may want to do. After all,
proc_pid_attr_write() doesn't change the the creds itself, that is
something the specific LSMs do.
--
paul moore
www.paul-moore.com
More information about the Linux-security-module-archive
mailing list