On Fri, Apr 19, 2019 at 4:27 PM James Morris <jmorris@xxxxxxxxx> wrote:
> On Fri, 19 Apr 2019, Paul Moore wrote:
> > On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > Prevent userspace from changing the /proc/PID/attr values if the
> > > task's credentials are currently overridden. This not only makes sense
> > > conceptually, it also prevents some really bizarre error cases caused
> > > when trying to commit credentials to a task with overridden
> > > credentials.
> > >
> > > Cc: <stable@xxxxxxxxxxxxxxx>
> > > Reported-by: "chengjian (D)" <cj.chengjian@xxxxxxxxxx>
> > > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > > ---
> > > fs/proc/base.c | 5 +++++
> > > 1 file changed, 5 insertions(+)
> >
> > I sent this to the LSM list as I figure it should probably go via
> > James' linux-security tree since it is cross-LSM and doesn't really
> > contain any LSM specific code. That said, if you don't want this
> > James let me know and I'll send it via the SELinux tree assuming I can
> > get ACKs from John and Casey (this should only affect SELinux,
> > AppArmor, and Smack).
>
> This is fine to go via your tree.

Okay. I just merged this into selinux/next. I was sitting on this
patch to see how the other thread developed, but that doesn't really
seem to be reaching any conclusion and I really want this to get at
least one week in -next before the merge window opens.

Thanks everyone.

--
paul moore
www.paul-moore.com