linux-doc.vger.kernel.org archive mirror
* [PATCH] Documentation: Clarify f_cred vs current_cred() use
@ 2020-07-03 17:44 Kees Cook
  2020-07-05 20:05 ` Jonathan Corbet
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2020-07-03 17:44 UTC
  To: Jonathan Corbet; +Cc: Linus Torvalds, Dominik Czarnota, linux-kernel, linux-doc

When making access control choices from a file-based context, f_cred
must be used instead of current_cred() to avoid confused deputy attacks
where an open file may get passed to a more privileged process. Add a
short paragraph to explicitly state the rationale.

Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
I forgot to include this patch in my kallsyms_show_value() f_cred series:
https://lore.kernel.org/lkml/20200702232638.2946421-1-keescook@chromium.org/
I can either take this in that series, or it can go via docs?
---
 Documentation/security/credentials.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Documentation/security/credentials.rst b/Documentation/security/credentials.rst
index 282e79feee6a..b7482f8ccf85 100644
--- a/Documentation/security/credentials.rst
+++ b/Documentation/security/credentials.rst
@@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the
 contents of the cred struct pointed to, barring the exceptions listed above
 (see the Task Credentials section).
 
+To avoid "confused deputy" privilege escalation attacks, access control checks
+during subsequent operations on an opened file should use these credentials
+instead of "current"'s credentials, as the file may have been passed to a more
+privileged process.
 
 Overriding the VFS's Use of Credentials
 =======================================
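Review bot: In the added paragraph, "should use these credentials" is softer than the commit message's "f_cred must be used instead of current_cred()", and the new text names neither identifier, so a reader searching credentials.rst for f_cred or current_cred() will not land on the rule. Consider stating it as a requirement and naming both, for example "must use the file's f_cred rather than current_cred()". The double-quoted "current" would also read better as an RST literal.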
-- 
2.25.1


-- 
Kees Cook
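
The confused deputy case the commit message describes, as an added user-space C model that is not part of the patch or of the kernel source. The simplified struct cred and struct file, the cur pointer standing in for current_cred(), and the cap_syslog flag are assumptions made for illustration.

```c
/* User-space model only: names echo the kernel's, but this is not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct cred { unsigned int euid; bool cap_syslog; };   /* simplified credential set */
struct file { const struct cred *f_cred; };            /* opener's creds, pinned at open */

static const struct cred *cur;   /* stands in for current_cred() */

static struct file model_open(void)
{
	struct file f = { .f_cred = cur };   /* captured once, never changes */
	return f;
}

/* Flawed policy: trusts whichever task happens to call read(). */
static bool check_current(const struct file *f)
{
	(void)f;
	return cur->cap_syslog;
}

/* Policy the documentation asks for: trust only the task that opened the file. */
static bool check_f_cred(const struct file *f)
{
	return f->f_cred->cap_syslog;
}

/* Open as `opener`, hand the descriptor over, then read as `reader`. */
static bool read_allowed(const struct cred *opener, const struct cred *reader,
			 bool (*check)(const struct file *))
{
	cur = opener;
	struct file f = model_open();
	cur = reader;                        /* fd inherited by or passed to another task */
	return check(&f);
}

static const struct cred user = { .euid = 1000, .cap_syslog = false };
static const struct cred root = { .euid = 0,    .cap_syslog = true  };

int main(void)
{
	printf("user opens, root reads, current check: %d\n", read_allowed(&user, &root, check_current));
	printf("user opens, root reads, f_cred check:  %d\n", read_allowed(&user, &root, check_f_cred));
	printf("root opens, root reads, f_cred check:  %d\n", read_allowed(&root, &root, check_f_cred));
	return 0;
}
```

With the current-based check the unprivileged opener gains the reader's privilege simply by handing the descriptor over; with the f_cred-based check the decision is fixed at open time.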


* Re: [PATCH] Documentation: Clarify f_cred vs current_cred() use
  2020-07-03 17:44 [PATCH] Documentation: Clarify f_cred vs current_cred() use Kees Cook
@ 2020-07-05 20:05 ` Jonathan Corbet
  0 siblings, 0 replies; 2+ messages in thread
From: Jonathan Corbet @ 2020-07-05 20:05 UTC
  To: Kees Cook; +Cc: Linus Torvalds, Dominik Czarnota, linux-kernel, linux-doc

On Fri, 3 Jul 2020 10:44:22 -0700
Kees Cook <keescook@chromium.org> wrote:

> When making access control choices from a file-based context, f_cred
> must be used instead of current_cred() to avoid confused deputy attacks
> where an open file may get passed to a more privileged process. Add a
> short paragraph to explicitly state the rationale.
> 
> Cc: Jonathan Corbet <corbet@lwn.net>
> Cc: linux-doc@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> I forgot to include this patch in my kallsyms_show_value() f_cred series:
> https://lore.kernel.org/lkml/20200702232638.2946421-1-keescook@chromium.org/
> I can either take this in that series, or it can go via docs?
> ---
>  Documentation/security/credentials.rst | 4 ++++
>  1 file changed, 4 insertions(+)

I've applied it, thanks.

jon
