[PATCH] selinux, smack: fix subjective/objective credential use mixups

Paul Moore paul at paul-moore.com
Thu Sep 23 19:04:57 UTC 2021


On Thu, Sep 23, 2021 at 11:47 AM Paul Moore <paul at paul-moore.com> wrote:
>
> Jann Horn reported a problem with commit eb1231f73c4d ("selinux:
> clarify task subjective and objective credentials") where some LSM
> hooks were attempting to access the subjective credentials of a task
> other than the current task.  Generally speaking, it is not safe to
> access another task's subjective credentials and doing so can cause
> a number of problems.
>
> Further, while looking into the problem, I realized that Smack was
> suffering from a similar problem brought about by a similar commit
> 1fb057dcde11 ("smack: differentiate between subjective and objective
> task credentials").
>
> This patch addresses this problem by restoring the use of the task's
> objective credentials in those cases where the task is other than the
> current executing task.  Not only does this resolve the problem
> reported by Jann, it is arguably the correct thing to do in these
> cases.
>
> Cc: stable at vger.kernel.org
> Fixes: eb1231f73c4d ("selinux: clarify task subjective and objective credentials")
> Fixes: 1fb057dcde11 ("smack: differentiate between subjective and objective task credentials")
> Reported-by: Jann Horn <jannh at google.com>
> Acked-by: Eric W. Biederman <ebiederm at xmission.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  security/selinux/hooks.c   |    4 ++--
>  security/smack/smack_lsm.c |    4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)

FYI, I just merged this into selinux/stable-5.15.

-- 
paul moore
www.paul-moore.com



More information about the Linux-security-module-archive mailing list