Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1912300pxb; Mon, 11 Oct 2021 16:13:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDZTbxkNhh3pN0nZCeTMo7Hu9PndommFkdCZqFJYRLYZmxvEq419skr14coeF2fUL9VoZO X-Received: by 2002:a17:906:2e85:: with SMTP id o5mr28178701eji.543.1633994033266; Mon, 11 Oct 2021 16:13:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633994033; cv=none; d=google.com; s=arc-20160816; b=XLCWEamRr8huR/ILZMhiBVy2d1vcdCfIyJn46e07Exejw/T7cqIce5sVOvNx8HJ7Ts 8SuOVwbFrMO9k4W27CCqTRNMcCoTAw/F2vMABdBUUO/B48ikYrCNhwUrDOvp6+48OcUy L7rAwyr/KrEkc1nRaRR4ovQII3+ub8wP6LLSgT34W9ukFGCR1LYeovntkyRL7cO6Snq5 bBpm2U43/PAHNeL19V2NhjHUCsechG/BC9UmmIGmDlF3hF6gBwrIOms4mWFJVE3+4hfI sjBc/Zph1dmiom0oCydqX/CkEwG2SPsFAZ1XaPN9hjrRU7sNb6B4wYqNakdv9sONnSMy L3LQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=h1aojVMiAC+dTJJ9CxG9nUezJ612JW4LOoadws/Wdgg=; b=wTi5P5sMIw/xivAO9GqT9jgxDn5LYEuyXb/W+/MH3zzLySUteUB9GTKCkkO1tg0nYI GBcXs++dQgaS4YMAoSIglaDudiosxL9hlAi18baR7NEj9z2/YcwZPvhBL5XSV0HuHibP 3dpLkp8NmpHU04Gu1yHUdIeWlgogJbpMK8UK7ZVpWVwG3Ap5i6CkrOpLxVvgsKfPrxAY l0axTkCVuXEZTUTWiBpqtFxH9TF441w9OUATKleZ2rudQAQRH5Rg7aTUS6MEQwwxQ2WM p/G65q+uulWpo4KCPaYpAkLCQ/0eaB54gwYBXvZYL62lggULzl5W4usHu/MBxDddtAv+ TA0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=ibryuqSl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x12si370826ejf.380.2021.10.11.16.13.21; Mon, 11 Oct 2021 16:13:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=ibryuqSl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232227AbhJKXNH (ORCPT + 99 others); Mon, 11 Oct 2021 19:13:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233420AbhJKXNG (ORCPT ); Mon, 11 Oct 2021 19:13:06 -0400 Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C35DC06161C for ; Mon, 11 Oct 2021 16:11:05 -0700 (PDT) Received: by mail-ed1-x535.google.com with SMTP id g8so73627430edt.7 for ; Mon, 11 Oct 2021 16:11:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=h1aojVMiAC+dTJJ9CxG9nUezJ612JW4LOoadws/Wdgg=; b=ibryuqSlxRvY3tcfhcqgvog5M3wbrRAapyw8XCWWSuXm8vG56eJfeVmy2Xbv4z/zZF 8pwYzCKKrrdVgveJzQeaCsghTrjV9hu5ZmSJw/V1tjPokRHPYnJWZtsathabPyNqFzvp ESHhUWgDfmPsALNVSkGr/+18KBjVZbyQUSHD3IFzJccyCVaLrt+lPkvNk0F3vbRguonh HGJpf5sRFAFTZjGWFFNnp3x/BmvQka0TlBfhM6FBuSZ3aCZmx4LDDx+WUPQ5mU42hbKq G67TAms50uVImTBEpvs00E7JyuGMsYa7gPtrZ5+ethDTWjDBKPQamhJw707s8Sm1/1vk +yQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=h1aojVMiAC+dTJJ9CxG9nUezJ612JW4LOoadws/Wdgg=; b=iyb1OxIn3UD08Ok+wB6GZ+ODSbhCf1Cm/OVAGK7fq6y0U+THb1iTYnZbfwhlaAYDQW jtc9o3oW2SnsP7PZnueydjomy83F6QEIBRCCpj6dN8fqL04jq0r/DKQkHgArdpRHZOrB NiZh6tdZNM3a96kmo7euSoN/fh6/EJwSmaKVaj2hm1jk9QYPIpge/GBBSdM13o/7V3sM St5piSvgMLK1wZWpxGNkzLSlPkDgRjKfUfpB+k1Jg8iGhCxxfANDC80uNa6irB1gQgfd kbZd45oueyReNKHl0O5Jaxb5pxcPjKnhfF/0tT3ttFm2mHkxAkSY6kZbvEimkWW+9KtU 0vKA== X-Gm-Message-State: AOAM5323V+NcnKSuYTqk5FpaNM1OmZ7k4ALBv2ldgYFWI2pJ4ktxE1u8 9+q5joVfUC4z2zrC0r/4Gm2a/kJL0NiOPNg4TbkP X-Received: by 2002:a17:907:784b:: with SMTP id lb11mr29565002ejc.307.1633993863523; Mon, 11 Oct 2021 16:11:03 -0700 (PDT) MIME-Version: 1.0 References: <20211007004629.1113572-1-tkjos@google.com> <20211007004629.1113572-3-tkjos@google.com> <8c07f9b7-58b8-18b5-84f8-9b6c78acb08b@schaufler-ca.com> In-Reply-To: <8c07f9b7-58b8-18b5-84f8-9b6c78acb08b@schaufler-ca.com> From: Paul Moore Date: Mon, 11 Oct 2021 19:10:52 -0400 Message-ID: Subject: Re: [PATCH v4 2/3] binder: use cred instead of task for getsecid To: Casey Schaufler Cc: Todd Kjos , gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, James Morris , Serge Hallyn , Stephen Smalley , Eric Paris , keescook@chromium.org, jannh@google.com, Jeffrey Vander Stoep , zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, joel@joelfernandes.org, kernel-team@android.com, kernel test robot , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 11, 2021 at 5:59 PM Casey Schaufler wrote: > On 10/11/2021 2:33 PM, Paul Moore wrote: > > On Wed, Oct 6, 2021 at 8:46 PM Todd Kjos wrote: > >> Use the 'struct cred' saved at binder_open() to lookup > >> the security ID via security_cred_getsecid(). This > >> ensures that the security context that opened binder > >> is the one used to generate the secctx. > >> > >> Fixes: ec74136ded79 ("binder: create node flag to request sender's > >> security context") > >> Signed-off-by: Todd Kjos > >> Suggested-by: Stephen Smalley > >> Reported-by: kernel test robot > >> Cc: stable@vger.kernel.org # 5.4+ > >> --- > >> v3: added this patch to series > >> v4: fix build-break for !CONFIG_SECURITY > >> > >> drivers/android/binder.c | 11 +---------- > >> include/linux/security.h | 4 ++++ > >> 2 files changed, 5 insertions(+), 10 deletions(-) > >> > >> diff --git a/drivers/android/binder.c b/drivers/android/binder.c > >> index ca599ebdea4a..989afd0804ca 100644 > >> --- a/drivers/android/binder.c > >> +++ b/drivers/android/binder.c > >> @@ -2722,16 +2722,7 @@ static void binder_transaction(struct binder_proc *proc, > >> u32 secid; > >> size_t added_size; > >> > >> - /* > >> - * Arguably this should be the task's subjective LSM secid but > >> - * we can't reliably access the subjective creds of a task > >> - * other than our own so we must use the objective creds, which > >> - * are safe to access. The downside is that if a task is > >> - * temporarily overriding it's creds it will not be reflected > >> - * here; however, it isn't clear that binder would handle that > >> - * case well anyway. > >> - */ > >> - security_task_getsecid_obj(proc->tsk, &secid); > >> + security_cred_getsecid(proc->cred, &secid); > >> ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); > >> if (ret) { > >> return_error = BR_FAILED_REPLY; > >> diff --git a/include/linux/security.h b/include/linux/security.h > >> index 6344d3362df7..f02cc0211b10 100644 > >> --- a/include/linux/security.h > >> +++ b/include/linux/security.h > >> @@ -1041,6 +1041,10 @@ static inline void security_transfer_creds(struct cred *new, > >> { > >> } > >> > >> +static inline void security_cred_getsecid(const struct cred *c, u32 *secid) > >> +{ > >> +} > > > > Since security_cred_getsecid() doesn't return an error code we should > > probably set the secid to 0 in this case, for example: > > > > static inline void security_cred_getsecid(...) > > { > > *secid = 0; > > } > > If CONFIG_SECURITY is unset there shouldn't be any case where > the secid value is ever used for anything. Are you suggesting that > it be set out of an abundance of caution? It follows a pattern with the other LSM hooks when !CONFIG_SECURITY, and I'd much rather us keep things consistent. -- paul moore www.paul-moore.com