selinux: clarify task subjective and objective credentials (eb1231f7) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit eb1231f7 authored Feb 18, 2021 by

Paul Moore

selinux: clarify task subjective and objective credentials



SELinux has a function, task_sid(), which returns the task's
objective credentials, but unfortunately is used in a few places
where the subjective task credentials should be used.  Most notably
in the new security_task_getsecid_subj() LSM hook.

This patch fixes this and attempts to make things more obvious by
introducing a new function, task_sid_subj(), and renaming the
existing task_sid() function to task_sid_obj().

This patch also adds an interesting function in task_sid_binder().
The task_sid_binder() function has a comment which hopefully
describes it's reason for being, but it basically boils down to the
simple fact that we can't safely access another task's subjective
credentials so in the case of binder we need to stick with the
objective credentials regardless.

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 4ebd7651

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit bef2b32a
· Sep 27, 2021

mentioned in commit bef2b32a

mentioned in commit bef2b32a149030babba8ad5d2b6c121638fb911d

Toggle commit list

Please register or to comment