[PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM

Casey Schaufler casey at schaufler-ca.com
Fri Dec 15 22:16:35 UTC 2023


The LSM hook security_cred_getsecid() provides a single secid
that is only used by the binder driver. Provide the first value
available, and abandon any other hooks.

Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
 security/security.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/security.c b/security/security.c
index f1bff6b5b076..504dfc6d05fa 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3157,13 +3157,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
  * @c: credentials
  * @secid: secid value
  *
- * Retrieve the security identifier of the cred structure @c.  In case of
- * failure, @secid will be set to zero.
+ * Retrieve the first available security identifier of the
+ * cred structure @c.  In case of failure, @secid will be set to zero.
+ * Currently only used by binder.
  */
 void security_cred_getsecid(const struct cred *c, u32 *secid)
 {
+	struct security_hook_list *hp;
+
+	hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) {
+		hp->hook.cred_getsecid(c, secid);
+		return;
+	}
+
 	*secid = 0;
-	call_void_hook(cred_getsecid, c, secid);
 }
 EXPORT_SYMBOL(security_cred_getsecid);
 
-- 
2.41.0




More information about the Linux-security-module-archive mailing list