[PATCH 2/5] exec: Directly call security_bprm_set_creds from __do_execve_file

Eric W. Biederman ebiederm at xmission.com
Sat May 9 20:12:22 UTC 2020

Linus Torvalds <torvalds at linux-foundation.org> writes:

> On Sat, May 9, 2020 at 12:44 PM Eric W. Biederman <ebiederm at xmission.com> wrote:
>> Now that security_bprm_set_creds is no longer responsible for calling
>> cap_bprm_set_creds, security_bprm_set_creds only does something for
>> the primary file that is being executed (not any interpreters it may
>> have).  Therefore call security_bprm_set_creds from __do_execve_file,
>> instead of from prepare_binprm so that it is only called once, and
>> remove the now unnecessary called_set_creds field of struct binprm.
> Ahh, good, this patch removes the 'called_set_creds' logic from the
> security subsystems.
> So it does half of what I asked for: please also just rename that
> "security_bprm_set_creds()" to be "security_primary_bprm_set_creds()"
> so that the change of semantics also shows up that way.
> And so that there is no confusion about the fact that
> "cap_bprm_set_creds()" has absolutely nothing to do with
> "security_bprm_set_creds()" any more.

I agree something needs to be renamed, to remove confusion.

I am off for a nap now, and tomorrow is Mother's day so I probably won't
be back to this seriously until Monday.  But please disect these patches
and I will address any problems.


More information about the Linux-security-module-archive mailing list