From: Paul Moore <paul@paul-moore.com>
To: Todd Kjos <tkjos@google.com>
Cc: gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com,
maco@android.com, christian@brauner.io,
James Morris <jmorris@namei.org>, Serge Hallyn <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
keescook@chromium.org, jannh@google.com,
Jeffrey Vander Stoep <jeffv@google.com>,
zohar@linux.ibm.com, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org, devel@driverdev.osuosl.org,
linux-kernel@vger.kernel.org, joel@joelfernandes.org,
kernel-team@android.com, kernel test robot <lkp@intel.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v4 2/3] binder: use cred instead of task for getsecid
Date: Mon, 11 Oct 2021 17:33:21 -0400 [thread overview]
Message-ID: <CAHC9VhSDnwapGk6Pvn5iuKv0zCtZSbfnGAkZwKcxVYLVRH6CLg@mail.gmail.com> (raw)
In-Reply-To: <20211007004629.1113572-3-tkjos@google.com>
On Wed, Oct 6, 2021 at 8:46 PM Todd Kjos <tkjos@google.com> wrote:
>
> Use the 'struct cred' saved at binder_open() to lookup
> the security ID via security_cred_getsecid(). This
> ensures that the security context that opened binder
> is the one used to generate the secctx.
>
> Fixes: ec74136ded79 ("binder: create node flag to request sender's
> security context")
> Signed-off-by: Todd Kjos <tkjos@google.com>
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Reported-by: kernel test robot <lkp@intel.com>
> Cc: stable@vger.kernel.org # 5.4+
> ---
> v3: added this patch to series
> v4: fix build-break for !CONFIG_SECURITY
>
> drivers/android/binder.c | 11 +----------
> include/linux/security.h | 4 ++++
> 2 files changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index ca599ebdea4a..989afd0804ca 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2722,16 +2722,7 @@ static void binder_transaction(struct binder_proc *proc,
> u32 secid;
> size_t added_size;
>
> - /*
> - * Arguably this should be the task's subjective LSM secid but
> - * we can't reliably access the subjective creds of a task
> - * other than our own so we must use the objective creds, which
> - * are safe to access. The downside is that if a task is
> - * temporarily overriding it's creds it will not be reflected
> - * here; however, it isn't clear that binder would handle that
> - * case well anyway.
> - */
> - security_task_getsecid_obj(proc->tsk, &secid);
> + security_cred_getsecid(proc->cred, &secid);
> ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
> if (ret) {
> return_error = BR_FAILED_REPLY;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 6344d3362df7..f02cc0211b10 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1041,6 +1041,10 @@ static inline void security_transfer_creds(struct cred *new,
> {
> }
>
> +static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
> +{
> +}
Since security_cred_getsecid() doesn't return an error code we should
probably set the secid to 0 in this case, for example:
static inline void security_cred_getsecid(...)
{
*secid = 0;
}
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2021-10-11 21:33 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 0:46 [PATCH v4 0/3] binder: use cred instead of task for security context Todd Kjos
2021-10-07 0:46 ` [PATCH v4 1/3] binder: use cred instead of task for selinux checks Todd Kjos
2021-10-07 0:46 ` [PATCH v4 2/3] binder: use cred instead of task for getsecid Todd Kjos
2021-10-11 21:33 ` Paul Moore [this message]
2021-10-11 21:59 ` Casey Schaufler
2021-10-11 23:10 ` Paul Moore
2021-10-12 9:41 ` Dan Carpenter
2021-10-12 14:13 ` Paul Moore
2021-10-07 0:46 ` [PATCH v4 3/3] binder: use euid from cred instead of using task Todd Kjos
2021-10-08 21:12 ` Paul Moore
2021-10-08 21:24 ` Todd Kjos
2021-10-11 21:39 ` Paul Moore
2021-10-11 23:39 ` Todd Kjos
2021-10-12 12:24 ` Stephen Smalley
2021-10-12 16:52 ` Todd Kjos
2021-10-08 21:25 ` Casey Schaufler
2021-10-11 21:34 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSDnwapGk6Pvn5iuKv0zCtZSbfnGAkZwKcxVYLVRH6CLg@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=arve@android.com \
--cc=christian@brauner.io \
--cc=devel@driverdev.osuosl.org \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=joel@joelfernandes.org \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lkp@intel.com \
--cc=maco@android.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tkjos@android.com \
--cc=tkjos@google.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.