On Fri, Jul 7, 2017 at 1:09 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jul 7, 2017 at 1:04 PM, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> It looks like Kees went through the security modules [..]
>
> I take that back. It looks like Kees looked at smack, but not at
> SELinux, for example.

Well, I looked at them all but misthought about SELinux.

> selinux_bprm_secureexec() seems to just look at current_security(),
> not at the new stuff in bprm at all.

I was looking for cred. Yeah, I'll see what should happen here...

> Which would seem to be exactly the wrong thing to do, and is insane
> (why pass in bprm at all?) but comes from the fact that we used to
> call bprm_secureexec() in an insane place.
>
> So I think this patch series is sadly broken - I think it does the
> right thing, but the security modules definitely look like they need
> to be updated for that right thing.

Yeah, I'll rev this once SELinux is more clear...

-Kees

--
Kees Cook
Pixel Security