[PATCH 2/5] exec: Directly call security_bprm_set_creds from __do_execve_file
Eric W. Biederman
ebiederm at xmission.com
Sat May 9 20:12:22 UTC 2020
Linus Torvalds <torvalds at linux-foundation.org> writes:
> On Sat, May 9, 2020 at 12:44 PM Eric W. Biederman <ebiederm at xmission.com> wrote:
>> Now that security_bprm_set_creds is no longer responsible for calling
>> cap_bprm_set_creds, security_bprm_set_creds only does something for
>> the primary file that is being executed (not any interpreters it may
>> have). Therefore call security_bprm_set_creds from __do_execve_file,
>> instead of from prepare_binprm so that it is only called once, and
>> remove the now unnecessary called_set_creds field of struct binprm.
> Ahh, good, this patch removes the 'called_set_creds' logic from the
> security subsystems.
> So it does half of what I asked for: please also just rename that
> "security_bprm_set_creds()" to be "security_primary_bprm_set_creds()"
> so that the change of semantics also shows up that way.
> And so that there is no confusion about the fact that
> "cap_bprm_set_creds()" has absolutely nothing to do with
> "security_bprm_set_creds()" any more.
I agree something needs to be renamed, to remove confusion.
I am off for a nap now, and tomorrow is Mother's day so I probably won't
be back to this seriously until Monday. But please disect these patches
and I will address any problems.
More information about the Linux-security-module-archive