[PATCH] proc: prevent changes to overridden credentials
James Morris
jmorris at namei.org
Fri Apr 19 20:26:58 UTC 2019
On Fri, 19 Apr 2019, Paul Moore wrote:
> On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul at paul-moore.com> wrote:
> > Prevent userspace from changing the the /proc/PID/attr values if the
> > task's credentials are currently overriden. This not only makes sense
> > conceptually, it also prevents some really bizarre error cases caused
> > when trying to commit credentials to a task with overridden
> > credentials.
> >
> > Cc: <stable at vger.kernel.org>
> > Reported-by: "chengjian (D)" <cj.chengjian at huawei.com>
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> > fs/proc/base.c | 5 +++++
> > 1 file changed, 5 insertions(+)
>
> I sent this to the LSM list as I figure it should probably go via
> James' linux-security tree since it is cross-LSM and doesn't really
> contain any LSM specific code. That said, if you don't want this
> James let me know and I'll send it via the SELinux tree assuming I can
> get ACKs from John and Casey (this should only affect SELinux,
> AppArmor, and Smack).
This is fine to go via your tree.
Acked-by: James Morris <james.morris at microsoft.com>
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list