From: Alice Ryhl <aliceryhl@google.com>
To: Jann Horn <jannh@google.com>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@google.com>,
"Carlos Llamas" <cmllamas@google.com>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [PATCH] rust: task: clarify comments on task UID accessors
Date: Fri, 13 Feb 2026 08:20:34 +0000
Message-ID: <aY7e0g-6-x1XPSjC@google.com>
In-Reply-To: <20260212-rust-uid-v1-1-deff4214c766@google.com>

On Thu, Feb 12, 2026 at 07:00:49PM +0100, Jann Horn wrote:
> Linux has separate subjective and objective task credentials, see the
> comment above `struct cred`. Clarify which accessor functions operate on
> which set of credentials.
>
> Also document that Task::euid() is a very weird operation. You can see how
> weird it is by grepping for task_euid() - binder is its only user.
> Task::euid() obtains the objective effective UID - it looks at the
> credentials of the task for purposes of acting on it as an object, but then
> accesses the effective UID (which the credentials.7 man page describes as
> "[...] used by the kernel to determine the permissions that the process
> will have when accessing shared resources [...]").
>
> For context:
> Arguably, binder's use of task_euid() is a theoretical security problem,
> which only has no impact on Android because Android has no setuid binaries
> executable by apps.
> commit 29bc22ac5e5b ("binder: use euid from cred instead of using task")
> fixed that by removing that only user of task_euid(), but the fix got
> reverted in commit c21a80ca0684 ("binder: fix test regression due to
> sender_euid change") because some Android test started failing.
>
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
> rust/kernel/task.rs | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs
> index 49fad6de0674..33e6d44b9a15 100644
> --- a/rust/kernel/task.rs
> +++ b/rust/kernel/task.rs
> @@ -223,14 +223,17 @@ pub fn pid(&self) -> Pid {
> unsafe { *ptr::addr_of!((*self.as_ptr()).pid) }
> }
>
> - /// Returns the UID of the given task.
> + /// Returns the objective real UID of the given task.
> #[inline]
> pub fn uid(&self) -> Kuid {
> // SAFETY: It's always safe to call `task_uid` on a valid task.
> Kuid::from_raw(unsafe { bindings::task_uid(self.as_ptr()) })
> }
>
> - /// Returns the effective UID of the given task.
> + /// Returns the objective effective UID of the given task.
> + ///
> + /// You should probably not be using this; the effective UID is normally
> + /// only relevant in subjective credentials.
> #[inline]
> pub fn euid(&self) -> Kuid {
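
Review bot: In the new doc comment on `euid()`, "You should probably not be using this" warns callers off without saying what they should use instead or where the subjective/objective distinction is defined. The commit message carries that context (the comment above `struct cred`, and that binder is the only user of task_euid()), but none of it reaches someone reading the rendered docs. Suggest pointing the comment at `struct cred` and naming the accessor that callers wanting subjective credentials should reach for; the same pointer would help on `uid()`, where "objective real UID" is introduced without explanation.
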
Should this be renamed if it's a weird operation?

Alice