[PATCH v2 1/8] exec: Teach prepare_exec_creds how exec treats uids & gids

Linus Torvalds torvalds at linux-foundation.org
Tue May 19 18:28:14 UTC 2020

On Tue, May 19, 2020 at 11:03 AM Kees Cook <keescook at chromium.org> wrote:
> One question, though: why add this, since the repeat calling of the caps
> LSM hook will do this?

I assume it's for the "preserve_creds" case where we don't even end up
setting creds at all.

Yeah, at some point we'll hit a bprm handler that doesn't set
'preserve_creds', and it all does get set in the end, but that's not
statically all that obvious.

I think it makes sense to initialize as much as possible from the
generic code, and rely as little as possible on what the binfmt
handlers end up actually doing.


More information about the Linux-security-module-archive mailing list