diff options
| author |   Paul Moore <paul@paul-moore.com> | 2021-02-18 15:13:40 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2021-03-22 15:24:01 -0400 |
| commit | eb1231f73c4d7dc26db55e08c070e6526eaf7ee5 (patch) | |
| tree | ade0ae5367df7c4b86ab11db169f12f14d641d91 /security/smack | |
| parent | lsm: separate security_task_getsecid() into subjective and objective variants (diff) | |
| download | linux-dev-eb1231f73c4d7dc26db55e08c070e6526eaf7ee5.tar.xz linux-dev-eb1231f73c4d7dc26db55e08c070e6526eaf7ee5.zip | |
selinux: clarify task subjective and objective credentials
SELinux has a function, task_sid(), which returns the task's
objective credentials, but unfortunately is used in a few places
where the subjective task credentials should be used. Most notably
in the new security_task_getsecid_subj() LSM hook.
This patch fixes this and attempts to make things more obvious by
introducing a new function, task_sid_subj(), and renaming the
existing task_sid() function to task_sid_obj().
This patch also adds an interesting function in task_sid_binder().
The task_sid_binder() function has a comment which hopefully
describes it's reason for being, but it basically boils down to the
simple fact that we can't safely access another task's subjective
credentials so in the case of binder we need to stick with the
objective credentials regardless.
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/smack')
0 files changed, 0 insertions, 0 deletions