On Thu, Sep 23, 2021 at 12:20 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> On 9/23/2021 8:47 AM, Paul Moore wrote:
> > Jann Horn reported a problem with commit eb1231f73c4d ("selinux:
> > clarify task subjective and objective credentials") where some LSM
> > hooks were attempting to access the subjective credentials of a task
> > other than the current task. Generally speaking, it is not safe to
> > access another task's subjective credentials and doing so can cause
> > a number of problems.
> >
> > Further, while looking into the problem, I realized that Smack was
> > suffering from a similar problem brought about by a similar commit
> > 1fb057dcde11 ("smack: differentiate between subjective and objective
> > task credentials").
> >
> > This patch addresses this problem by restoring the use of the task's
> > objective credentials in those cases where the task is other than the
> > current executing task. Not only does this resolve the problem
> > reported by Jann, it is arguably the correct thing to do in these
> > cases.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: eb1231f73c4d ("selinux: clarify task subjective and objective credentials")
> > Fixes: 1fb057dcde11 ("smack: differentiate between subjective and objective task credentials")
> > Reported-by: Jann Horn <jannh@xxxxxxxxxx>
> > Acked-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>

Thanks Casey.

-- 
paul moore
www.paul-moore.com