* [PATCH] lsm: hold cred_guard_mutex for lsm_set_self_attr()
@ 2026-05-13 18:05 Stephen Smalley
From: Stephen Smalley @ 2026-05-13 18:05 UTC (permalink / raw)
  To: selinux
  Cc: paul, omosnace, casey, serge, john.johansen,
	linux-security-module, Stephen Smalley

Just as proc_pid_attr_write() already does before calling the LSM
hook. This only matters for SELinux and AppArmor which check
whether the process is being ptraced and if so, whether to
allow the transition.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/lsm_syscalls.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
index 5648b1f0ce9c..08a017669c02 100644
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -57,7 +57,14 @@ u64 lsm_name_to_attr(const char *name)
 SYSCALL_DEFINE4(lsm_set_self_attr, unsigned int, attr, struct lsm_ctx __user *,
 		ctx, u32, size, u32, flags)
 {
-	return security_setselfattr(attr, ctx, size, flags);
+	int rc;
+
+	rc = mutex_lock_interruptible(&current->signal->cred_guard_mutex);
+	if (rc < 0)
+		return rc;
+	rc = security_setselfattr(attr, ctx, size, flags);
+	mutex_unlock(&current->signal->cred_guard_mutex);
+	return rc;
 }
 
 /**
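Review bot: the `if (rc < 0)` test after mutex_lock_interruptible() in this hunk could be the conventional `if (rc)`, since that call returns only 0 or -EINTR, and the lock/unlock pair would benefit from a one-line comment stating why it is there (mirroring proc_pid_attr_write() so that the ptrace state SELinux and AppArmor inspect cannot change under the LSM hook, as the commit message explains), which spares the next reader a trip to fs/proc/base.c. Taking a sleepable mutex around security_setselfattr() is fine, as the hook has to read the `__user` ctx and may fault, and locking current's own signal->cred_guard_mutex matches the fact that this syscall can only change the caller's attributes.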
-- 
2.54.0



* Re: [PATCH] lsm: hold cred_guard_mutex for lsm_set_self_attr()
  2026-05-13 18:05 [PATCH] lsm: hold cred_guard_mutex for lsm_set_self_attr() Stephen Smalley
@ 2026-05-14 20:47 ` Paul Moore
From: Paul Moore @ 2026-05-14 20:47 UTC (permalink / raw)
  To: Stephen Smalley, selinux
  Cc: omosnace, casey, serge, john.johansen, linux-security-module,
	Stephen Smalley

On May 13, 2026 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> 
> Just as proc_pid_attr_write() already does before calling the LSM
> hook. This only matters for SELinux and AppArmor which check
> whether the process is being ptraced and if so, whether to
> allow the transition.
> 
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  security/lsm_syscalls.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

Thanks Stephen.  I'm going to merge this into lsm/stable-7.1 now, but
hold on to it until next week before sending it to Linus.  While I
can't see why John would have any objections to this, the extra time
should give him a chance to respond.

--
paul-moore.com

