Re: [PATCH] lsm: security_task_getsecid_subj() -> security_current_getsecid_subj()

From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <paul@paul-moore.com>,
	selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	James Morris <jmorris@namei.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] lsm: security_task_getsecid_subj() -> security_current_getsecid_subj()
Date: Mon, 22 Nov 2021 16:40:39 -0800	[thread overview]
Message-ID: <ec1fa864-6611-41c8-b405-41e3d713d590@schaufler-ca.com> (raw)
In-Reply-To: <CAHC9VhREpJ3bkcU+cOz_Cg7KaF=QokngvXyhCpus--=d8HSP_g@mail.gmail.com>

On 11/22/2021 3:12 PM, Paul Moore wrote:
> On Fri, Nov 19, 2021 at 5:52 PM Paul Moore <paul@paul-moore.com> wrote:
>> On Wed, Sep 29, 2021 at 3:17 PM Paul Moore <paul@paul-moore.com> wrote:
>>> The security_task_getsecid_subj() LSM hook invites misuse by allowing
>>> callers to specify a task even though the hook is only safe when the
>>> current task is referenced.  Fix this by removing the task_struct
>>> argument to the hook, requiring LSM implementations to use the
>>> current task.  While we are changing the hook declaration we also
>>> rename the function to security_current_getsecid_subj() in an effort
>>> to reinforce that the hook captures the subjective credentials of the
>>> current task and not an arbitrary task on the system.
>>>
>>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>>> ---
>>>   include/linux/lsm_hook_defs.h         |    3 +--
>>>   include/linux/lsm_hooks.h             |    8 +++-----
>>>   include/linux/security.h              |    4 ++--
>>>   kernel/audit.c                        |    4 ++--
>>>   kernel/auditfilter.c                  |    3 +--
>>>   kernel/auditsc.c                      |   10 +++++++++-
>>>   net/netlabel/netlabel_unlabeled.c     |    2 +-
>>>   net/netlabel/netlabel_user.h          |    2 +-
>>>   security/apparmor/lsm.c               |   13 ++++++++++---
>>>   security/integrity/ima/ima_appraise.c |    2 +-
>>>   security/integrity/ima/ima_main.c     |   14 +++++++-------
>>>   security/security.c                   |    6 +++---
>>>   security/selinux/hooks.c              |   19 +++----------------
>>>   security/smack/smack.h                |   16 ----------------
>>>   security/smack/smack_lsm.c            |    9 ++++-----
>>>   15 files changed, 48 insertions(+), 67 deletions(-)
>> I never saw any comments, positive or negative, on this patch so I'll
>> plan on merging it early next week.  If you've got objections, now is
>> the time to speak up.
> I just merged this patch, with the AppArmor tweak suggested by Serge,
> into selinux/next.  Thanks everyone.

Has the security tree been abandoned as a path for general LSM
changes? Except for the initial Landlock pull and a couple touch-ups
to capabilities nothing has gone in via security this year. This
change should have gone in through security, not selinux. I'm glad
that this change is going in, don't get me wrong on that. I am
somewhat concerned about the LSM infrastructure work I'm doing,
and how it's going to get upstream. The diffstats from that look
a lot like the one here. I seriously doubt that taking the full
set of changes for stacking through the Smack tree is going to fly. ;)