On 5/29/2019 4:00 AM, David Howells wrote: > Jann Horn <jannh@xxxxxxxxxx> wrote: > >>> +void post_mount_notification(struct mount *changed, >>> + struct mount_notification *notify) >>> +{ >>> + const struct cred *cred = current_cred(); >> This current_cred() looks bogus to me. Can't mount topology changes >> come from all sorts of places? For example, umount_mnt() from >> umount_tree() from dissolve_on_fput() from __fput(), which could >> happen pretty much anywhere depending on where the last reference gets >> dropped? > IIRC, that's what Casey argued is the right thing to do from a security PoV. > Casey? You need to identify the credential of the subject that triggered the event. If it isn't current_cred(), the cred needs to be passed in to post_mount_notification(), or derived by some other means. > Maybe I should pass in NULL creds in the case that an event is being generated > because an object is being destroyed due to the last usage[*] being removed. You should pass the cred of the process that removed the last usage. If the last usage was removed by something like the power being turned off on a disk drive a system cred should be used. Someone or something caused the event. It can be important who it was. > [*] Usage, not ref - Superblocks are a bit weird in their accounting. > > David
Attachment:
signature.asc
Description: OpenPGP digital signature