Re: [RFC PATCH] selinux: use SECINITSID_KERNEL as the subj/obj in the lockdown hook

On 9/24/21 11:12 AM, Stephen Smalley wrote:
On Fri, Sep 24, 2021 at 10:22 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
On Thu, Sep 23, 2021 at 5:18 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
The original SELinux lockdown implementation in 59438b46471a
("security,lockdown,selinux: implement SELinux lockdown") used the
current task's credentials as both the subject and object in the
SELinux lockdown hook, selinux_lockdown().  Unfortunately that
proved to be incorrect in a number of cases as the core kernel was
calling the LSM lockdown hook in places where the credentials from
the "current" task_struct were not the correct credentials to use
in the SELinux access check.

Attempts were made to resolve this by adding a credential pointer
to the LSM lockdown hook as well as suggesting that the single hook
be split into two: one for user tasks, one for kernel tasks; however
neither approach was deemed acceptable by Linus.

In order to resolve the problem of an incorrect SELinux domain being
used in the lockdown check, this patch makes the decision to perform
all of the lockdown access control checks against the
SECINITSID_KERNEL domain.  This is far from ideal, but it is what
we have available to us at this point in time.

Can we get Linux distro and Android folks to speak as to whether they
consider the check in this reduced form to still be useful or whether
we should just remove it altogether?

FWIW, I think the check should be removed.

--
Chris PeBenito


