On Tue, Oct 17, 2017 at 12:07 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2017-10-16 at 13:37 -0700, Matthew Garrett wrote:
>> case LSM_SUBJ_TYPE:
>> - security_task_getsecid(tsk, &sid);
>> + security_cred_getsecid(cred, &sid);
>> rc = security_filter_rule_match(sid,
>> rule->lsm[i].type,
>> Audit_equal,
>
> By replacing the call from security_task_getsec() to
> security_cred_getsecid(), I assume you're expecting different results.
> Will this change break existing IMA policies?

No, for BPRM_CHECK they'll use the same creds that were previously
checked. CREDS_CHECK will behave differently to BPRM_CHECK.
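
Review bot: The LSM_SUBJ_TYPE case in the quoted hunk now takes the secid from cred instead of tsk, but nothing at that site documents which credentials subject-type rules are matched against. Since the reply states that BPRM_CHECK keeps using the creds that were checked before while CREDS_CHECK behaves differently, a short comment above the security_cred_getsecid(cred, &sid) call, or a line in the policy documentation, saying that the match is against the cred passed in by the hook would let policy authors see the difference without reading this thread.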