git.baikalelectronics.ru Git - kernel.git/commit

author	Paul Moore <paul@paul-moore.com>
	Thu, 23 Sep 2021 13:50:11 +0000 (09:50 -0400)
committer	Paul Moore <paul@paul-moore.com>
	Thu, 23 Sep 2021 16:30:59 +0000 (12:30 -0400)
commit	66b8122f46a1bcaf595a3b4d1e0f27de5ea590a4
tree	0bd4ae04db68606c0f991a68fa8c3cb9c683e336	tree \| snapshot
parent	b901123b83fca756ffcd85ea50a6cd9637d66d0c	commit \| diff

selinux,smack: fix subjective/objective credential use mixups

Jann Horn reported a problem with commit 621d6012c4db ("selinux:
clarify task subjective and objective credentials") where some LSM
hooks were attempting to access the subjective credentials of a task
other than the current task. Generally speaking, it is not safe to
access another task's subjective credentials and doing so can cause
a number of problems.

Further, while looking into the problem, I realized that Smack was
suffering from a similar problem brought about by a similar commit
eec788c0cba0 ("smack: differentiate between subjective and objective
task credentials").

This patch addresses this problem by restoring the use of the task's
objective credentials in those cases where the task is other than the
current executing task. Not only does this resolve the problem
reported by Jann, it is arguably the correct thing to do in these
cases.

Cc: stable@vger.kernel.org
Fixes: 621d6012c4db ("selinux: clarify task subjective and objective credentials")
Fixes: eec788c0cba0 ("smack: differentiate between subjective and objective task credentials")
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

security/selinux/hooks.c		diff \| blob \| history
security/smack/smack_lsm.c		diff \| blob \| history