This series fixes the possible use of an incorrect security context
when checking selinux permissions, getting a security ID, or lookup
up the euid.
The previous behavior was to save the group_leader 'struct task_struct'
in binder_open() and using that to obtain security IDs or euids.
This has been shown to be unreliable, so this series instead saves the
'struct cred' of the task that called binder_open(). This cred is used
for these lookups instead of the task.
v1 and v2 of this series were a single patch "binder: use euid from"
cred instead of using task". During review, Stephen Smalley identified
two more related issues so the corresponding patches were added to
the series.
Todd Kjos (3):
binder: use cred instead of task for selinux checks
binder: use cred instead of task for getsecid
binder: use euid from cred instead of using task
Set a transaction's sender_euid from the the 'struct cred'
saved at binder_open() instead of looking up the euid
from the binder proc's 'struct task'. This ensures
the euid is associated with the security context that
of the task that opened binder.
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Todd Kjos <[email protected]>
Stephen Smalley <[email protected]>
Cc: [email protected] # 4.4+
---
v3: added this patch to series
drivers/android/binder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 989afd0804ca..26382e982c5e 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2711,7 +2711,7 @@ static void binder_transaction(struct binder_proc *proc,
t->from = thread;
else
t->from = NULL;
- t->sender_euid = task_euid(proc->tsk);
+ t->sender_euid = proc->cred->euid;
t->to_proc = target_proc;
t->to_thread = target_thread;
t->code = tr->code;
--
2.33.0.800.g4c38ced690-goog
On Wed, Oct 6, 2021 at 12:46 PM Todd Kjos <[email protected]> wrote:
>
> Set a transaction's sender_euid from the the 'struct cred'
> saved at binder_open() instead of looking up the euid
> from the binder proc's 'struct task'. This ensures
> the euid is associated with the security context that
> of the task that opened binder.
>
> Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> Signed-off-by: Todd Kjos <[email protected]>
> Stephen Smalley <[email protected]>
This should have been "Suggested-by: Stephen Smalley
<[email protected]>"
> Cc: [email protected] # 4.4+
> ---
> v3: added this patch to series
>
> drivers/android/binder.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 989afd0804ca..26382e982c5e 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2711,7 +2711,7 @@ static void binder_transaction(struct binder_proc *proc,
> t->from = thread;
> else
> t->from = NULL;
> - t->sender_euid = task_euid(proc->tsk);
> + t->sender_euid = proc->cred->euid;
> t->to_proc = target_proc;
> t->to_thread = target_thread;
> t->code = tr->code;
> --
> 2.33.0.800.g4c38ced690-goog
>
On Wed, Oct 6, 2021 at 12:55 PM Todd Kjos <[email protected]> wrote:
>
> On Wed, Oct 6, 2021 at 12:46 PM Todd Kjos <[email protected]> wrote:
> >
> > Set a transaction's sender_euid from the the 'struct cred'
Sigh...and I forgot to run checkpatch before submitting which would
have caught this "the the"
> > saved at binder_open() instead of looking up the euid
> > from the binder proc's 'struct task'. This ensures
> > the euid is associated with the security context that
> > of the task that opened binder.
> >
> > Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
> > Signed-off-by: Todd Kjos <[email protected]>
> > Stephen Smalley <[email protected]>
>
> This should have been "Suggested-by: Stephen Smalley
> <[email protected]>"
>
> > Cc: [email protected] # 4.4+
> > ---
> > v3: added this patch to series
> >
> > drivers/android/binder.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > index 989afd0804ca..26382e982c5e 100644
> > --- a/drivers/android/binder.c
> > +++ b/drivers/android/binder.c
> > @@ -2711,7 +2711,7 @@ static void binder_transaction(struct binder_proc *proc,
> > t->from = thread;
> > else
> > t->from = NULL;
> > - t->sender_euid = task_euid(proc->tsk);
> > + t->sender_euid = proc->cred->euid;
> > t->to_proc = target_proc;
> > t->to_thread = target_thread;
> > t->code = tr->code;
> > --
> > 2.33.0.800.g4c38ced690-goog
> >