From: Casey Schaufler <casey@schaufler-ca.com> To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org Cc: Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, Eric Paris <eparis@parisplace.org>, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Mimi Zohar <zohar@linux.vnet.ibm.com>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Subject: Re: [PATCH V4 2/3] IMA: Use consistent creds Date: Wed, 3 Jan 2018 07:54:38 -0800 [thread overview] Message-ID: <cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com> (raw) In-Reply-To: <20180103012017.7022-2-mjg59@google.com> On 1/2/2018 5:20 PM, Matthew Garrett wrote: > Right now most of the IMA code is using current->creds, but the LSM > checks are using security_task_getsecid() which ends up looking at > real_creds. Switch to using security_cred_getsecid() in order to make > this consistent. > > Signed-off-by: Matthew Garrett <mjg59@google.com> > Cc: Paul Moore <paul@paul-moore.com> > Cc: Stephen Smalley <sds@tycho.nsa.gov> > Cc: Eric Paris <eparis@parisplace.org> > Cc: selinux@tycho.nsa.gov > Cc: Casey Schaufler <casey@schaufler-ca.com> > Cc: linux-security-module@vger.kernel.org > Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> > Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> > Cc: linux-integrity@vger.kernel.org > --- > security/integrity/ima/ima_policy.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index ee4613fa5840..52951ac445ea 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) > static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > enum ima_hooks func, int mask) > { > - struct task_struct *tsk = current; > const struct cred *cred = current_cred(); > int i; > > @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > case LSM_SUBJ_USER: > case LSM_SUBJ_ROLE: > case LSM_SUBJ_TYPE: > - security_task_getsecid(tsk, &sid); > + security_cred_getsecid(cred, &sid); > rc = security_filter_rule_match(sid, security_filter_rule_match() is security_audit_rule_match() in sheep's clothing. Using the cred secid in this case, where the task secid is used elsewhere is going to lead to tears. It's going to make *me* cry as I work on untangling secids for stacking/namespaces. I can't predict how else it's going to bite us, but I'm betting on it. > rule->lsm[i].type, > Audit_equal,
WARNING: multiple messages have this Message-ID (diff)
From: casey@schaufler-ca.com (Casey Schaufler) To: linux-security-module@vger.kernel.org Subject: [PATCH V4 2/3] IMA: Use consistent creds Date: Wed, 3 Jan 2018 07:54:38 -0800 [thread overview] Message-ID: <cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com> (raw) In-Reply-To: <20180103012017.7022-2-mjg59@google.com> On 1/2/2018 5:20 PM, Matthew Garrett wrote: > Right now most of the IMA code is using current->creds, but the LSM > checks are using security_task_getsecid() which ends up looking at > real_creds. Switch to using security_cred_getsecid() in order to make > this consistent. > > Signed-off-by: Matthew Garrett <mjg59@google.com> > Cc: Paul Moore <paul@paul-moore.com> > Cc: Stephen Smalley <sds@tycho.nsa.gov> > Cc: Eric Paris <eparis@parisplace.org> > Cc: selinux at tycho.nsa.gov > Cc: Casey Schaufler <casey@schaufler-ca.com> > Cc: linux-security-module at vger.kernel.org > Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> > Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> > Cc: linux-integrity at vger.kernel.org > --- > security/integrity/ima/ima_policy.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index ee4613fa5840..52951ac445ea 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) > static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > enum ima_hooks func, int mask) > { > - struct task_struct *tsk = current; > const struct cred *cred = current_cred(); > int i; > > @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > case LSM_SUBJ_USER: > case LSM_SUBJ_ROLE: > case LSM_SUBJ_TYPE: > - security_task_getsecid(tsk, &sid); > + security_cred_getsecid(cred, &sid); > rc = security_filter_rule_match(sid, security_filter_rule_match() is security_audit_rule_match() in sheep's clothing. Using the cred secid in this case, where the task secid is used elsewhere is going to lead to tears. It's going to make *me* cry as I work on untangling secids for stacking/namespaces. I can't predict how else it's going to bite us, but I'm betting on it. > rule->lsm[i].type, > Audit_equal, -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-01-03 15:54 UTC|newest] Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-01-03 1:20 [PATCH V4 1/3] security: Add a cred_getsecid hook Matthew Garrett 2018-01-03 1:20 ` Matthew Garrett 2018-01-03 1:20 ` [PATCH V4 2/3] IMA: Use consistent creds Matthew Garrett 2018-01-03 1:20 ` Matthew Garrett 2018-01-03 15:54 ` Casey Schaufler [this message] 2018-01-03 15:54 ` Casey Schaufler 2018-01-03 18:11 ` Matthew Garrett 2018-01-03 18:11 ` Matthew Garrett 2018-01-03 19:32 ` Casey Schaufler 2018-01-03 19:32 ` Casey Schaufler 2018-01-03 19:44 ` Matthew Garrett 2018-01-03 19:44 ` Matthew Garrett 2018-01-03 20:08 ` Casey Schaufler 2018-01-03 20:08 ` Casey Schaufler 2018-01-04 19:17 ` Matthew Garrett 2018-01-04 19:17 ` Matthew Garrett 2018-01-03 1:20 ` [PATCH V4 3/3] IMA: Support using new creds in appraisal policy Matthew Garrett 2018-01-03 1:20 ` Matthew Garrett
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com \ --to=casey@schaufler-ca.com \ --cc=dmitry.kasatkin@gmail.com \ --cc=eparis@parisplace.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mjg59@google.com \ --cc=paul@paul-moore.com \ --cc=sds@tycho.nsa.gov \ --cc=selinux@tycho.nsa.gov \ --cc=zohar@linux.vnet.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.