[PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM
Casey Schaufler
casey at schaufler-ca.com
Fri Dec 15 22:16:35 UTC 2023
The LSM hook security_cred_getsecid() provides a single secid
that is only used by the binder driver. Provide the first value
available, and abandon any other hooks.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
security/security.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/security/security.c b/security/security.c
index f1bff6b5b076..504dfc6d05fa 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3157,13 +3157,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
* @c: credentials
* @secid: secid value
*
- * Retrieve the security identifier of the cred structure @c. In case of
- * failure, @secid will be set to zero.
+ * Retrieve the first available security identifier of the
+ * cred structure @c. In case of failure, @secid will be set to zero.
+ * Currently only used by binder.
*/
void security_cred_getsecid(const struct cred *c, u32 *secid)
{
+ struct security_hook_list *hp;
+
+ hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) {
+ hp->hook.cred_getsecid(c, secid);
+ return;
+ }
+
*secid = 0;
- call_void_hook(cred_getsecid, c, secid);
}
EXPORT_SYMBOL(security_cred_getsecid);
--
2.41.0
More information about the Linux-security-module-archive
mailing list