From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthew Garrett
Date: Fri, 15 Dec 2017 14:35:56 -0800
To: Mimi Zohar
Cc: linux-integrity, Paul Moore, Stephen Smalley, Eric Paris, selinux@tycho.nsa.gov, Casey Schaufler, LSM List, Dmitry Kasatkin
Subject: Re: [PATCH V3 2/2] IMA: Support using new creds in appraisal policy
References: <20171026084055.25482-1-mjg59@google.com> <20171026084055.25482-2-mjg59@google.com> <1511902135.3473.5.camel@linux.vnet.ibm.com> <1511904917.3473.15.camel@linux.vnet.ibm.com> <1511908390.3473.30.camel@linux.vnet.ibm.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On Fri, Dec 15, 2017 at 2:24 PM, Matthew Garrett wrote:
> Hm, sorry, missed this mail.
>
> On Tue, Nov 28, 2017 at 2:33 PM, Mimi Zohar wrote:
>> On Tue, 2017-11-28 at 13:37 -0800, Matthew Garrett wrote:
>>> security_task_getsecid(current) will give the same results as
>>> security_cred_getsecid(current_creds())
>>
>> Unwinding security_task_getsecid(current) looks like it is using
>> real_cred, while current_cred() is using cred.
>
> Good question, and there's a current_real_cred() macro, so I should
> just use that instead.

Hm. Actually, I'm not sure. For most checks we were using cred, and
only using real_cred for the secid lookup. This feels somewhat
inconsistent.