[PATCH v5 1/2] LSM: SafeSetID: gate setgid transitions

Casey Schaufler casey at schaufler-ca.com
Fri Mar 29 19:44:30 UTC 2019


On 3/29/2019 11:06 AM, James Morris wrote:
> On Tue, 5 Mar 2019, mortonm at chromium.org wrote:
>
>> From: Micah Morton <mortonm at chromium.org>
>>
>> This patch generalizes the 'task_fix_setuid' LSM hook to enable hooking
>> setgid transitions as well as setuid transitions. The hook is renamed to
>> 'task_fix_setid'. The patch introduces calls to this hook from the
>> setgid functions in kernel/sys.c. This will allow the SafeSetID LSM to
>> govern setgid transitions in addition to setuid transitions. This patch
>> also makes sure the setgid functions in kernel/sys.c call
>> security_capable_setid rather than the ordinary security_capable
>> function, so that the security_capable hook in the SafeSetID LSM knows
>> it is being invoked from a setid function.
>>
>> Signed-off-by: Micah Morton <mortonm at chromium.org>
> Wondering if there are any further comments or reviews for this before it
> is merged?

My comments have been addressed.



