[PATCH RFC 13/15] LSM: restrict security_cred_getsecid() to a single LSM
Paul Moore
paul at paul-moore.com
Tue Oct 14 23:13:01 UTC 2025
On Jun 21, 2025 Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> The LSM hook security_cred_getsecid() provides a single secid
> that is only used by the binder driver. Provide the first value
> available, and abandon any other hooks.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> security/security.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/security/security.c b/security/security.c
> index dd167a872248..409b1cb10d35 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2740,8 +2740,13 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
> */
> void security_cred_getsecid(const struct cred *c, u32 *secid)
> {
> + struct lsm_static_call *scall;
> +
> *secid = 0;
> - call_void_hook(cred_getsecid, c, secid);
> + lsm_for_each_hook(scall, cred_getsecid) {
> + scall->hl->hook.cred_getsecid(c, secid);
> + break;
> + }
> }
> EXPORT_SYMBOL(security_cred_getsecid);
Another case of "would this be painful to do at registration time?"
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list