| From foo@baz Sat Nov 13 12:18:28 PM CET 2021 |
| From: Todd Kjos <tkjos@google.com> |
| Date: Wed, 10 Nov 2021 15:00:25 -0800 |
| Subject: binder: use cred instead of task for getsecid |
| To: stable@vger.kernel.org, gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, keescook@chromium.org, jannh@google.com, jeffv@google.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org |
| Cc: joel@joelfernandes.org, kernel-team@android.com, Todd Kjos <tkjos@google.com>, kernel test robot <lkp@intel.com>, Casey Schaufler <casey@schaufler-ca.com> |
| Message-ID: <20211110230025.3272776-3-tkjos@google.com> |
| |
| From: Todd Kjos <tkjos@google.com> |
| |
| commit 4d5b5539742d2554591751b4248b0204d20dcc9d upstream. |
| |
| Use the 'struct cred' saved at binder_open() to lookup |
| the security ID via security_cred_getsecid(). This |
| ensures that the security context that opened binder |
| is the one used to generate the secctx. |
| |
| Cc: stable@vger.kernel.org # 5.4+ |
| Fixes: ec74136ded79 ("binder: create node flag to request sender's security context") |
| Signed-off-by: Todd Kjos <tkjos@google.com> |
| Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> |
| Reported-by: kernel test robot <lkp@intel.com> |
| Acked-by: Casey Schaufler <casey@schaufler-ca.com> |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/android/binder.c | 2 +- |
| include/linux/security.h | 5 +++++ |
| 2 files changed, 6 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/android/binder.c |
| +++ b/drivers/android/binder.c |
| @@ -3106,7 +3106,7 @@ static void binder_transaction(struct bi |
| u32 secid; |
| size_t added_size; |
| |
| - security_task_getsecid(proc->tsk, &secid); |
| + security_cred_getsecid(proc->cred, &secid); |
| ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); |
| if (ret) { |
| return_error = BR_FAILED_REPLY; |
| --- a/include/linux/security.h |
| +++ b/include/linux/security.h |
| @@ -985,6 +985,11 @@ static inline void security_transfer_cre |
| { |
| } |
| |
| +static inline void security_cred_getsecid(const struct cred *c, u32 *secid) |
| +{ |
| + *secid = 0; |
| +} |
| + |
| static inline int security_kernel_act_as(struct cred *cred, u32 secid) |
| { |
| return 0; |
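Review bot: this stub lands in the `!CONFIG_SECURITY` branch of `security.h` (alongside the empty `security_transfer_creds()` and the `return 0` `security_kernel_act_as()` stubs), and the Reported-by: kernel test robot tag indicates the first hunk failed to build on such configs without it. Two things to check on the stable branch, neither visible in this hunk: that the real `security_cred_getsecid()` declaration under `CONFIG_SECURITY` is already present in 5.4's `security.h`, and that `*secid = 0` matches the convention the other `getsecid` stubs in that branch use, so that a kernel built without an LSM produces an unlabeled secctx rather than leaving `secid` uninitialized before the `security_secid_to_secctx()` call.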