From: Casey Schaufler <casey@schaufler-ca.com>
To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Subject: Re: [PATCH V4 2/3] IMA: Use consistent creds
Date: Wed, 3 Jan 2018 07:54:38 -0800 [thread overview]
Message-ID: <cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com> (raw)
In-Reply-To: <20180103012017.7022-2-mjg59@google.com>
On 1/2/2018 5:20 PM, Matthew Garrett wrote:
> Right now most of the IMA code is using current->creds, but the LSM
> checks are using security_task_getsecid() which ends up looking at
> real_creds. Switch to using security_cred_getsecid() in order to make
> this consistent.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Eric Paris <eparis@parisplace.org>
> Cc: selinux@tycho.nsa.gov
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: linux-security-module@vger.kernel.org
> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: linux-integrity@vger.kernel.org
> ---
> security/integrity/ima/ima_policy.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ee4613fa5840..52951ac445ea 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void)
> static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> enum ima_hooks func, int mask)
> {
> - struct task_struct *tsk = current;
> const struct cred *cred = current_cred();
> int i;
>
> @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> case LSM_SUBJ_USER:
> case LSM_SUBJ_ROLE:
> case LSM_SUBJ_TYPE:
> - security_task_getsecid(tsk, &sid);
> + security_cred_getsecid(cred, &sid);
> rc = security_filter_rule_match(sid,
security_filter_rule_match() is security_audit_rule_match() in
sheep's clothing. Using the cred secid in this case, where the
task secid is used elsewhere is going to lead to tears. It's
going to make *me* cry as I work on untangling secids for
stacking/namespaces. I can't predict how else it's going to
bite us, but I'm betting on it.
> rule->lsm[i].type,
> Audit_equal,
WARNING: multiple messages have this Message-ID (diff)
From: casey@schaufler-ca.com (Casey Schaufler)
To: linux-security-module@vger.kernel.org
Subject: [PATCH V4 2/3] IMA: Use consistent creds
Date: Wed, 3 Jan 2018 07:54:38 -0800 [thread overview]
Message-ID: <cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com> (raw)
In-Reply-To: <20180103012017.7022-2-mjg59@google.com>
On 1/2/2018 5:20 PM, Matthew Garrett wrote:
> Right now most of the IMA code is using current->creds, but the LSM
> checks are using security_task_getsecid() which ends up looking at
> real_creds. Switch to using security_cred_getsecid() in order to make
> this consistent.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Eric Paris <eparis@parisplace.org>
> Cc: selinux at tycho.nsa.gov
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: linux-security-module at vger.kernel.org
> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: linux-integrity at vger.kernel.org
> ---
> security/integrity/ima/ima_policy.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ee4613fa5840..52951ac445ea 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void)
> static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> enum ima_hooks func, int mask)
> {
> - struct task_struct *tsk = current;
> const struct cred *cred = current_cred();
> int i;
>
> @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> case LSM_SUBJ_USER:
> case LSM_SUBJ_ROLE:
> case LSM_SUBJ_TYPE:
> - security_task_getsecid(tsk, &sid);
> + security_cred_getsecid(cred, &sid);
> rc = security_filter_rule_match(sid,
security_filter_rule_match() is security_audit_rule_match() in
sheep's clothing. Using the cred secid in this case, where the
task secid is used elsewhere is going to lead to tears. It's
going to make *me* cry as I work on untangling secids for
stacking/namespaces. I can't predict how else it's going to
bite us, but I'm betting on it.
> rule->lsm[i].type,
> Audit_equal,
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-01-03 15:54 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-03 1:20 [PATCH V4 1/3] security: Add a cred_getsecid hook Matthew Garrett
2018-01-03 1:20 ` Matthew Garrett
2018-01-03 1:20 ` [PATCH V4 2/3] IMA: Use consistent creds Matthew Garrett
2018-01-03 1:20 ` Matthew Garrett
2018-01-03 15:54 ` Casey Schaufler [this message]
2018-01-03 15:54 ` Casey Schaufler
2018-01-03 18:11 ` Matthew Garrett
2018-01-03 18:11 ` Matthew Garrett
2018-01-03 19:32 ` Casey Schaufler
2018-01-03 19:32 ` Casey Schaufler
2018-01-03 19:44 ` Matthew Garrett
2018-01-03 19:44 ` Matthew Garrett
2018-01-03 20:08 ` Casey Schaufler
2018-01-03 20:08 ` Casey Schaufler
2018-01-04 19:17 ` Matthew Garrett
2018-01-04 19:17 ` Matthew Garrett
2018-01-03 1:20 ` [PATCH V4 3/3] IMA: Support using new creds in appraisal policy Matthew Garrett
2018-01-03 1:20 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd89f3cf-b620-b098-a3db-c53f05d330bf@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eparis@parisplace.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.