[PATCH] selinux, smack: fix subjective/objective credential use mixups

Paul Moore paul at paul-moore.com
Thu Sep 23 16:30:36 UTC 2021


On Thu, Sep 23, 2021 at 12:20 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> On 9/23/2021 8:47 AM, Paul Moore wrote:
> > Jann Horn reported a problem with commit eb1231f73c4d ("selinux:
> > clarify task subjective and objective credentials") where some LSM
> > hooks were attempting to access the subjective credentials of a task
> > other than the current task.  Generally speaking, it is not safe to
> > access another task's subjective credentials and doing so can cause
> > a number of problems.
> >
> > Further, while looking into the problem, I realized that Smack was
> > suffering from a similar problem brought about by a similar commit
> > 1fb057dcde11 ("smack: differentiate between subjective and objective
> > task credentials").
> >
> > This patch addresses this problem by restoring the use of the task's
> > objective credentials in those cases where the task is other than the
> > current executing task.  Not only does this resolve the problem
> > reported by Jann, it is arguably the correct thing to do in these
> > cases.
> >
> > Cc: stable at vger.kernel.org
> > Fixes: eb1231f73c4d ("selinux: clarify task subjective and objective credentials")
> > Fixes: 1fb057dcde11 ("smack: differentiate between subjective and objective task credentials")
> > Reported-by: Jann Horn <jannh at google.com>
> > Acked-by: Eric W. Biederman <ebiederm at xmission.com>
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
>
> Acked-by: Casey Schaufler <casey at schaufler-ca.com>

Thanks Casey.

-- 
paul moore
www.paul-moore.com
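
The rule stated in the quoted commit message (objective credentials whenever the task is not the currently executing one), as an added example that is not part of the original message, the patch, or kernel code. It is a userspace model: the `cred` and `real_cred` field names mirror the kernel's `task_struct`, while `hook_task_sid`, the `model_*` helpers and the label values are hypothetical and constructed for illustration.

```c
/* Userspace model only: simplified stand-ins for the kernel's cred and task_struct. */
struct cred { unsigned int sid; };      /* sid: constructed security label */

struct task {
    const struct cred *real_cred;       /* objective: how other tasks see this one */
    const struct cred *cred;            /* subjective: what this task acts with */
};

static const struct cred base = { .sid = 100 }, temp = { .sid = 999 };

/* Model of override_creds(): only the subjective pointer changes. */
static const struct cred *model_override_creds(struct task *self,
                                               const struct cred *new_cred)
{
    const struct cred *old = self->cred;
    self->cred = new_cred;
    return old;
}

/* Model of revert_creds(): restore the saved subjective pointer. */
static void model_revert_creds(struct task *self, const struct cred *old)
{
    self->cred = old;
}

/* Hypothetical hook helper: subjective creds only when the target is the
 * caller itself, objective creds for any other task. */
static unsigned int hook_task_sid(const struct task *cur, const struct task *target)
{
    if (target == cur)
        return target->cred->sid;
    return target->real_cred->sid;
}

/* The target temporarily overrides its creds while a hook inspects it,
 * either from the target itself (by_self != 0) or from another task. */
static unsigned int sid_seen_during_override(int by_self)
{
    struct task target = { &base, &base }, observer = { &base, &base };
    const struct cred *saved = model_override_creds(&target, &temp);
    unsigned int seen = hook_task_sid(by_self ? &target : &observer, &target);
    model_revert_creds(&target, saved);
    return seen;
}
```

In the model, the observer sees the stable label 100 throughout the override, while the overriding task itself sees 999.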


