On 4/17/2019 7:57 AM, Oleg Nesterov wrote:
On 04/17, Paul Moore wrote:
I'm tempted to simply return an error in selinux_setprocattr() if
the task's credentials are not the same as its real_cred;
What about other modules? I have no idea what smack_setprocattr() is,
but it too does prepare_creds/commit creds.
For what it's worth, my test for Smack does not reproduce
the problem.
it seems that the simplest workaround should simply add the additional
cred == real_cred into proc_pid_attr_write().
Oleg.
