On Wed, Feb 01, 2023 at 02:15:16PM +0100, Christian Göttsche wrote: > Add a note that querying a foreign process via its PID is inherently > racy. > > Suggested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Acked-by: Jason Zaman <jason@xxxxxxxxxxxxx> And applied, thanks! > --- > libselinux/man/man3/getcon.3 | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 > index 1b4fe4b7..be60341b 100644 > --- a/libselinux/man/man3/getcon.3 > +++ b/libselinux/man/man3/getcon.3 > @@ -149,5 +149,9 @@ The retrieval functions might return success and set > .I *context > to NULL if and only if SELinux is not enabled. > > +Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or > +\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied > +upon for security purposes. > + > .SH "SEE ALSO" > .BR selinux "(8), " setexeccon "(3)" > -- > 2.39.1 >
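Review bot: the paragraph added before `.SH "SEE ALSO"` calls `getpidcon()` and `getpidprevcon()` "inherently racy" without saying what the race is, so a reader cannot tell which uses are affected. Consider adding one clause naming the cause: the target process can exit and its PID be reused by a different process between the time the caller obtains the PID and the time the context is read, so the returned context may belong to another process. It would also help to say what to use instead where a choice exists, for example `getpeercon()` when the other process is the peer of a connected socket. A smaller wording point: "via its PID, e.g. \fBgetpidcon\fR()" reads as if the functions were examples of PIDs; "e.g. with \fBgetpidcon\fR()" is clearer.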