On Thu, Sep 23, 2021 at 11:47 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> Jann Horn reported a problem with commit eb1231f73c4d ("selinux:
> clarify task subjective and objective credentials") where some LSM
> hooks were attempting to access the subjective credentials of a task
> other than the current task. Generally speaking, it is not safe to
> access another task's subjective credentials and doing so can cause
> a number of problems.
>
> Further, while looking into the problem, I realized that Smack was
> suffering from a similar problem brought about by a similar commit
> 1fb057dcde11 ("smack: differentiate between subjective and objective
> task credentials").
>
> This patch addresses this problem by restoring the use of the task's
> objective credentials in those cases where the task is other than the
> current executing task. Not only does this resolve the problem
> reported by Jann, it is arguably the correct thing to do in these
> cases.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: eb1231f73c4d ("selinux: clarify task subjective and objective credentials")
> Fixes: 1fb057dcde11 ("smack: differentiate between subjective and objective task credentials")
> Reported-by: Jann Horn <jannh@xxxxxxxxxx>
> Acked-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 4 ++--
> security/smack/smack_lsm.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)

FYI, I just merged this into selinux/stable-5.15.

--
paul moore
www.paul-moore.com