]> git.baikalelectronics.ru Git - kernel.git/commit
selinux: clarify task subjective and objective credentials
authorPaul Moore <paul@paul-moore.com>
Thu, 18 Feb 2021 20:13:40 +0000 (15:13 -0500)
committerPaul Moore <paul@paul-moore.com>
Mon, 22 Mar 2021 19:24:01 +0000 (15:24 -0400)
commiteb1231f73c4d7dc26db55e08c070e6526eaf7ee5
treeade0ae5367df7c4b86ab11db169f12f14d641d91
parent4ebd7651bfc8992ba05b355a8036cb7fd0e8d7de
selinux: clarify task subjective and objective credentials

SELinux has a function, task_sid(), which returns the task's
objective credentials, but unfortunately is used in a few places
where the subjective task credentials should be used.  Most notably
in the new security_task_getsecid_subj() LSM hook.

This patch fixes this and attempts to make things more obvious by
introducing a new function, task_sid_subj(), and renaming the
existing task_sid() function to task_sid_obj().

This patch also adds an interesting function in task_sid_binder().
The task_sid_binder() function has a comment which hopefully
describes it's reason for being, but it basically boils down to the
simple fact that we can't safely access another task's subjective
credentials so in the case of binder we need to stick with the
objective credentials regardless.

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c