Hi Greg. I'll post backports for these this week.
On Mon, Nov 8, 2021 at 11:23 PM <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
>
> The patch below does not apply to the 4.4-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.
>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From 29bc22ac5e5bc63275e850f0c8fc549e3d0e306b Mon Sep 17 00:00:00 2001
> From: Todd Kjos <tkjos@xxxxxxxxxx>
> Date: Tue, 12 Oct 2021 09:56:12 -0700
> Subject: [PATCH] binder: use euid from cred instead of using task
>
> Save the 'struct cred' associated with a binder process
> at initial open to avoid potential race conditions
> when converting to an euid.
>
> Set a transaction's sender_euid from the 'struct cred'
> saved at binder_open() instead of looking up the euid
> from the binder proc's 'struct task'. This ensures
> the euid is associated with the security context that
> of the task that opened binder.
>
> Cc: stable@xxxxxxxxxxxxxxx # 4.4+
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Signed-off-by: Todd Kjos <tkjos@xxxxxxxxxx>
> Suggested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> Suggested-by: Jann Horn <jannh@xxxxxxxxxx>
> Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index d9030cb6b1e4..231cff9b3b75 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2702,7 +2702,7 @@ static void binder_transaction(struct binder_proc *proc,
> t->from = thread;
> else
> t->from = NULL;
> - t->sender_euid = task_euid(proc->tsk);
> + t->sender_euid = proc->cred->euid;
> t->to_proc = target_proc;
> t->to_thread = target_thread;
> t->code = tr->code;
> @@ -4343,6 +4343,7 @@ static void binder_free_proc(struct binder_proc *proc)
> }
> binder_alloc_deferred_release(&proc->alloc);
> put_task_struct(proc->tsk);
> + put_cred(proc->cred);
> binder_stats_deleted(BINDER_STAT_PROC);
> kfree(proc);
> }
> @@ -5021,6 +5022,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
> spin_lock_init(&proc->outer_lock);
> get_task_struct(current->group_leader);
> proc->tsk = current->group_leader;
> + proc->cred = get_cred(filp->f_cred);
> INIT_LIST_HEAD(&proc->todo);
> init_waitqueue_head(&proc->freeze_wait);
> proc->default_priority = task_nice(current);
> diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h
> index 810c0b84d3f8..e7d4920b3368 100644
> --- a/drivers/android/binder_internal.h
> +++ b/drivers/android/binder_internal.h
> @@ -364,6 +364,9 @@ struct binder_ref {
> * (invariant after initialized)
> * @tsk task_struct for group_leader of process
> * (invariant after initialized)
> + * @cred struct cred associated with the `struct file`
> + * in binder_open()
> + * (invariant after initialized)
> * @deferred_work_node: element for binder_deferred_list
> * (protected by binder_deferred_lock)
> * @deferred_work: bitmap of deferred work to perform
> @@ -424,6 +427,7 @@ struct binder_proc {
> struct list_head waiting_threads;
> int pid;
> struct task_struct *tsk;
> + const struct cred *cred;
> struct hlist_node deferred_work_node;
> int deferred_work;
> int outstanding_txns;
>
