Hi!

> While working on backporting the fix for CVE-2021-39686 in the
>Android-"version" of the 4.4.y kernel I noticed the missing
>cred_getsecid hook introduced in e.g. 4.19.y by
>3ec30113264a7bcd389f51d1738e42da0f41bb5a (
>https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?h=linux-4.19.y&id=3ec30113264a7bcd389f51d1738e42da0f41bb5a
>)
...
> Anyway: Are there any plans to synchronize the hooks in 4.4 with those in more recent kernels?
>

Let me see. 4.19 has that commit; it was merged during merge
window. 4.9 does not have that commit.

If CVE-2021-39686 is important to you, right way forward would be to
backport neccessary changes to 4.9, first. We would rather not have
changes in 4.4-st that are not present in 4.9.X.

I don't think we have any plans to work in this area.

commit 3ec30113264a7bcd389f51d1738e42da0f41bb5a
Author: Matthew Garrett <mjg59@google.com>
Date:   Mon Jan 8 13:36:19 2018 -0800

    security: Add a cred_getsecid hook
    
    For IMA purposes, we want to be able to obtain the prepared secid in the
    bprm structure before the credentials are committed. Add a cred_getsecid
    hook that makes this possible.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany