On Fri, 19 Feb 2021, Paul Moore wrote:
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index c119736ca56ac..39d501261108d 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2700,7 +2700,7 @@ static void binder_transaction(struct binder_proc *proc,
>
On Thu, 18 Feb 2021, Paul Moore wrote:
> Hi all,
>
> When looking into a problem I noticed that audit was recording the
> wrong subject label for a process.
Is this a public bug? It would be good to know what the extent of this
issue may be and whether it warrants a CVE.
--
James Morris
--
On 2/19/2021 3:28 PM, Paul Moore wrote:
> As discussed briefly on the list (lore link below), we are a little
> sloppy when it comes to using task credentials, mixing both the
> subjective and object credentials. This patch set attempts to fix
> this by replacing security_task_getsecid() with two
With the split of the security_task_getsecid() into subjective and
objective variants it's time to update Smack to ensure it is using
the correct task creds.
Signed-off-by: Paul Moore
---
security/smack/smack.h | 18 +-
security/smack/smack_lsm.c | 40
With the split of the security_task_getsecid() into subjective and
objective variants it's time to update AppArmor to ensure it is
using the correct task creds.
Signed-off-by: Paul Moore
---
security/apparmor/domain.c |2 +-
security/apparmor/include/cred.h | 19 ---
SELinux has a function, task_sid(), which returns the task's
objective credentials, but unfortunately is used in a few places
where the subjective task credentials should be used. Most notably
in the new security_task_getsecid_subj() LSM hook.
This patch fixes this and attempts to make things mor
As discussed briefly on the list (lore link below), we are a little
sloppy when it comes to using task credentials, mixing both the
subjective and object credentials. This patch set attempts to fix
this by replacing security_task_getsecid() with two new hooks that
return either the subjective (_su
Of the three LSMs that implement the security_task_getsecid() LSM
hook, all three LSMs provide the task's objective security
credentials. This turns out to be unfortunate as most of the hook's
callers seem to expect the task's subjective credentials, although
a small handful of callers do correctl
On 2021-02-19 01:26, Richard Guy Briggs wrote:
> On 2021-02-18 23:42, Florian Westphal wrote:
> > Richard Guy Briggs wrote:
> > > > If they appear in a batch they will be ignored, if the batch consists of
> > > > such non-modifying ops only then nf_tables_commit() returns early
> > > > because the
On Thu, Feb 18, 2021 at 4:40 PM Casey Schaufler wrote:
> On 2/18/2021 11:34 AM, Paul Moore wrote:
...
> > How do we want to fix this? The obvious fix is to change the SELinux,
> > AppArmor, and Smack security_task_getsecid() implementations to return
> > the subjective security ID (->cred), and