On 1/2/2018 5:20 PM, Matthew Garrett wrote: > Right now most of the IMA code is using current->creds, but the LSM > checks are using security_task_getsecid() which ends up looking at > real_creds. Switch to using security_cred_getsecid() in order to make > this consistent. > > Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> > Cc: Paul Moore <paul@xxxxxxxxxxxxxx> > Cc: Stephen Smalley <sds@xxxxxxxxxxxxx> > Cc: Eric Paris <eparis@xxxxxxxxxxxxxx> > Cc: selinux@xxxxxxxxxxxxx > Cc: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > Cc: linux-security-module@xxxxxxxxxxxxxxx > Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> > Cc: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> > Cc: linux-integrity@xxxxxxxxxxxxxxx > --- > security/integrity/ima/ima_policy.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index ee4613fa5840..52951ac445ea 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) > static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > enum ima_hooks func, int mask) > { > - struct task_struct *tsk = current; > const struct cred *cred = current_cred(); > int i; > > @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > case LSM_SUBJ_USER: > case LSM_SUBJ_ROLE: > case LSM_SUBJ_TYPE: > - security_task_getsecid(tsk, &sid); > + security_cred_getsecid(cred, &sid); > rc = security_filter_rule_match(sid, security_filter_rule_match() is security_audit_rule_match() in sheep's clothing. Using the cred secid in this case, where the task secid is used elsewhere is going to lead to tears. It's going to make *me* cry as I work on untangling secids for stacking/namespaces. I can't predict how else it's going to bite us, but I'm betting on it. > rule->lsm[i].type, > Audit_equal,