releases/5.4.160/binder-use-cred-instead-of-task-for-getsecid.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sat Nov 13 12:18:28 PM CET 2021
 From: Todd Kjos <tkjos@google.com>
 Date: Wed, 10 Nov 2021 15:00:25 -0800
 Subject: binder: use cred instead of task for getsecid
 To: stable@vger.kernel.org, gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, keescook@chromium.org, jannh@google.com, jeffv@google.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org
 Cc: joel@joelfernandes.org, kernel-team@android.com, Todd Kjos <tkjos@google.com>, kernel test robot <lkp@intel.com>, Casey Schaufler <casey@schaufler-ca.com>
 Message-ID: <20211110230025.3272776-3-tkjos@google.com>

 From: Todd Kjos <tkjos@google.com>

 commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.

 Use the 'struct cred' saved at binder_open() to lookup
 the security ID via security_cred_getsecid(). This
 ensures that the security context that opened binder
 is the one used to generate the secctx.

 Cc: stable@vger.kernel.org # 5.4+
 Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
 Signed-off-by: Todd Kjos <tkjos@google.com>
 Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
 Reported-by: kernel test robot <lkp@intel.com>
 Acked-by: Casey Schaufler <casey@schaufler-ca.com>
 Signed-off-by: Paul Moore <paul@paul-moore.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/android/binder.c |    2 +-
  include/linux/security.h |    5 +++++
  2 files changed, 6 insertions(+), 1 deletion(-)

 --- a/drivers/android/binder.c
 +++ b/drivers/android/binder.c
 @@ -3106,7 +3106,7 @@ static void binder_transaction(struct bi
  		u32 secid;
  		size_t added_size;

 -		security_task_getsecid(proc->tsk, &secid);
 +		security_cred_getsecid(proc->cred, &secid);
  		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
  		if (ret) {
  			return_error = BR_FAILED_REPLY;
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -985,6 +985,11 @@ static inline void security_transfer_cre
  {
  }

 +static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
 +{
 +	*secid = 0;
 +}
 +
  static inline int security_kernel_act_as(struct cred *cred, u32 secid)
  {
  	return 0;
	From foo@baz Sat Nov 13 12:18:28 PM CET 2021
	From: Todd Kjos <tkjos@google.com>
	Date: Wed, 10 Nov 2021 15:00:25 -0800
	Subject: binder: use cred instead of task for getsecid
	To: stable@vger.kernel.org, gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, keescook@chromium.org, jannh@google.com, jeffv@google.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org
	Cc: joel@joelfernandes.org, kernel-team@android.com, Todd Kjos <tkjos@google.com>, kernel test robot <lkp@intel.com>, Casey Schaufler <casey@schaufler-ca.com>
	Message-ID: <20211110230025.3272776-3-tkjos@google.com>

	From: Todd Kjos <tkjos@google.com>

	commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream.

	Use the 'struct cred' saved at binder_open() to lookup
	the security ID via security_cred_getsecid(). This
	ensures that the security context that opened binder
	is the one used to generate the secctx.

	Cc: stable@vger.kernel.org # 5.4+
	Fixes: ec74136ded79 ("binder: create node flag to request sender's security context")
	Signed-off-by: Todd Kjos <tkjos@google.com>
	Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
	Reported-by: kernel test robot <lkp@intel.com>
	Acked-by: Casey Schaufler <casey@schaufler-ca.com>
	Signed-off-by: Paul Moore <paul@paul-moore.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/android/binder.c \| 2 +-
	include/linux/security.h \| 5 +++++
	2 files changed, 6 insertions(+), 1 deletion(-)

	--- a/drivers/android/binder.c
	+++ b/drivers/android/binder.c
	@@ -3106,7 +3106,7 @@ static void binder_transaction(struct bi
	u32 secid;
	size_t added_size;

	- security_task_getsecid(proc->tsk, &secid);
	+ security_cred_getsecid(proc->cred, &secid);
	ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
	if (ret) {
	return_error = BR_FAILED_REPLY;
	--- a/include/linux/security.h
	+++ b/include/linux/security.h
	@@ -985,6 +985,11 @@ static inline void security_transfer_cre
	{
	}

	+static inline void security_cred_getsecid(const struct cred c, u32 secid)
	+{
	+ *secid = 0;
	+}
	+
	static inline int security_kernel_act_as(struct cred *cred, u32 secid)
	{
	return 0;