Re: [RFC PATCH 0/4] Split security_task_getsecid() into subj and obj variants

On 2/19/2021 3:28 PM, Paul Moore wrote:
> As discussed briefly on the list (lore link below), we are a little
> sloppy when it comes to using task credentials, mixing both the
> subjective and object credentials.  This patch set attempts to fix
> this by replacing security_task_getsecid() with two new hooks that
> return either the subjective (_subj) or objective (_obj) credentials.
>
> https://lore.kernel.org/linux-security-module/806848326.0ifERbkFSE@x2/T/
>
> Casey and John, I made a quick pass through the Smack and AppArmor
> code in an effort to try and do the right thing, but I will admit
> that I haven't tested those changes, just the SELinux code.  I
> would really appreciate your help in reviewing those changes.  If
> you find it easier, feel free to wholesale replace my Smack/AppArmor
> patch with one of your own.

A quick test pass didn't show up anything obviously
amiss with the Smack changes. I will do some more
thorough inspection, but they look fine so far.

>
> ---
>
> Paul Moore (4):
>       lsm: separate security_task_getsecid() into subjective and objective variants
>       selinux: clarify task subjective and objective credentials
>       smack: differentiate between subjective and objective task credentials
>       apparmor: differentiate between subjective and objective task credentials
>
>
>  security/apparmor/domain.c       |  2 +-
>  security/apparmor/include/cred.h | 19 +++++--
>  security/apparmor/include/task.h |  3 +-
>  security/apparmor/lsm.c          | 23 ++++++---
>  security/apparmor/task.c         | 23 +++++++--
>  security/selinux/hooks.c         | 85 ++++++++++++++++++--------------
>  security/smack/smack.h           | 18 ++++++-
>  security/smack/smack_lsm.c       | 40 ++++++++++-----
>  8 files changed, 147 insertions(+), 66 deletions(-)
>
> --
> Signature


