Add a note that querying a foreign process via its PID is inherently racy. Suggested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libselinux/man/man3/getcon.3 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 index 1b4fe4b7..be60341b 100644 --- a/libselinux/man/man3/getcon.3 +++ b/libselinux/man/man3/getcon.3 @@ -149,5 +149,9 @@ The retrieval functions might return success and set .I *context to NULL if and only if SELinux is not enabled. +Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or +\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied +upon for security purposes. + .SH "SEE ALSO" .BR selinux "(8), " setexeccon "(3)" -- 2.39.1
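Review bot: The sentence added to getcon.3 calls getpidcon() and getpidprevcon() "inherently racy" without saying what the race is, so a reader cannot judge which uses are affected. Consider adding a clause that names the cause, for example that the process the PID refers to may have exited or changed its context by the time the returned context is used. As far as the hunk shows, the new text directly follows "to NULL if and only if SELinux is not enabled." with no paragraph break, so it will be rendered as part of the return-value paragraph. A .PP before it, or a separate NOTES section ahead of SEE ALSO, would keep the caveat distinct and easier to find.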