* [PATCH v5 0/2] Delete task_euid()
@ 2026-07-03 6:57 Alice Ryhl
2026-07-03 6:57 ` [PATCH v5 1/2] rust: task: clarify comments on task UID accessors Alice Ryhl
2026-07-03 6:57 ` [PATCH v5 2/2] cred: delete task_euid() Alice Ryhl
0 siblings, 2 replies; 6+ messages in thread
From: Alice Ryhl @ 2026-07-03 6:57 UTC (permalink / raw)
To: Paul Moore, Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman,
Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu
Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich,
Jann Horn, linux-security-module, linux-doc, linux-kernel,
rust-for-linux, Alice Ryhl
The task_euid() method is a very weird method, and Binder was the only
user. As of commit 65b672152289 ("binder: use current_euid() for
transaction sender identity") Binder doesn't use task_euid() anymore,
so we can delete this method.
My suggestion would be to merge this through the LSM tree.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
Changes in v5:
- Rebase on v7.2-rc1.
- Reword patch 1 commit message to take into account that usage has now
been removed from Binder.
- Pick up Gary's Reviewed-by.
- Link to v4: https://lore.kernel.org/r/20260529-remove-task-euid-v4-0-07cbdf3af980@google.com
Changes in v4:
- Reword 'euid' -> 'effective UID' in 'Kuid::current_euid()' docs.
- Link to v3: https://lore.kernel.org/r/20260507-remove-task-euid-v3-0-27f22f335c2c@google.com
Changes in v3:
- Include 'task' clarification commit in series.
- Rebase and resend.
- Link to v2: https://lore.kernel.org/r/20260227-remove-task-euid-v2-1-9a9c80a82eb6@google.com
Changes in v2:
- Update translation as per Alex Shi.
- Pick up Reviewed-by Gary.
- Update commit title to use cred: prefix.
- Link to v1: https://lore.kernel.org/r/20260219-remove-task-euid-v1-1-904060826e07@google.com
---
Alice Ryhl (1):
cred: delete task_euid()
Jann Horn (1):
rust: task: clarify comments on task UID accessors
Documentation/security/credentials.rst | 6 ++----
Documentation/translations/zh_CN/security/credentials.rst | 4 +---
include/linux/cred.h | 1 -
rust/helpers/task.c | 5 -----
rust/kernel/task.rs | 11 ++---------
5 files changed, 5 insertions(+), 22 deletions(-)
---
base-commit: dc59e4fea9d83f03bad6bddf3fa2e52491777482
change-id: 20260219-remove-task-euid-19e4b00beebe
Best regards,
--
Alice Ryhl <aliceryhl@google.com>
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH v5 1/2] rust: task: clarify comments on task UID accessors 2026-07-03 6:57 [PATCH v5 0/2] Delete task_euid() Alice Ryhl @ 2026-07-03 6:57 ` Alice Ryhl 2026-07-07 19:10 ` Paul Moore 2026-07-03 6:57 ` [PATCH v5 2/2] cred: delete task_euid() Alice Ryhl 1 sibling, 1 reply; 6+ messages in thread From: Alice Ryhl @ 2026-07-03 6:57 UTC (permalink / raw) To: Paul Moore, Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman, Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, Jann Horn, linux-security-module, linux-doc, linux-kernel, rust-for-linux, Alice Ryhl From: Jann Horn <jannh@google.com> Linux has separate subjective and objective task credentials, see the comment above `struct cred`. Clarify which accessor functions operate on which set of credentials. Also document that Task::euid() is a very weird operation. You can see how weird it is by grepping for task_euid() in the history - binder was its only user. Task::euid() obtains the objective effective UID - it looks at the credentials of the task for purposes of acting on it as an object, but then accesses the effective UID (which the credentials.7 man page describes as "[...] used by the kernel to determine the permissions that the process will have when accessing shared resources [...]"). For context: Arguably, binder's use of task_euid() is a theoretical security problem, which only has no impact on Android because Android has no setuid binaries executable by apps. commit 29bc22ac5e5b ("binder: use euid from cred instead of using task") originally fixed that by removing that only user of task_euid(), but the fix got reverted in commit c21a80ca0684 ("binder: fix test regression due to sender_euid change") because some Android test started failing. It was since fixed again by commit 65b672152289 ("binder: use current_euid() for transaction sender identity"), which uses current_euid() instead. Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Gary Guo <gary@garyguo.net> Signed-off-by: Alice Ryhl <aliceryhl@google.com> --- Originally sent as: https://lore.kernel.org/r/20260212-rust-uid-v1-1-deff4214c766@google.com --- rust/kernel/task.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs index 38273f4eedb5..eabd65bfde12 100644 --- a/rust/kernel/task.rs +++ b/rust/kernel/task.rs @@ -210,14 +210,17 @@ pub fn pid(&self) -> Pid { unsafe { *ptr::addr_of!((*self.as_ptr()).pid) } } - /// Returns the UID of the given task. + /// Returns the objective real UID of the given task. #[inline] pub fn uid(&self) -> Kuid { // SAFETY: It's always safe to call `task_uid` on a valid task. Kuid::from_raw(unsafe { bindings::task_uid(self.as_ptr()) }) } - /// Returns the effective UID of the given task. + /// Returns the objective effective UID of the given task. + /// + /// You should probably not be using this; the effective UID is normally + /// only relevant in subjective credentials. #[inline] pub fn euid(&self) -> Kuid { // SAFETY: It's always safe to call `task_euid` on a valid task. @@ -371,7 +374,7 @@ fn eq(&self, other: &Self) -> bool { impl Eq for Task {} impl Kuid { - /// Get the current euid. + /// Get the current subjective effective UID. #[inline] pub fn current_euid() -> Kuid { // SAFETY: Just an FFI call. -- 2.55.0.rc0.799.gd6f94ed593-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5 1/2] rust: task: clarify comments on task UID accessors 2026-07-03 6:57 ` [PATCH v5 1/2] rust: task: clarify comments on task UID accessors Alice Ryhl @ 2026-07-07 19:10 ` Paul Moore 2026-07-07 21:40 ` Alice Ryhl 0 siblings, 1 reply; 6+ messages in thread From: Paul Moore @ 2026-07-07 19:10 UTC (permalink / raw) To: Alice Ryhl, Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman, Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, Jann Horn, linux-security-module, linux-doc, linux-kernel, rust-for-linux, Alice Ryhl On Jul 3, 2026 Alice Ryhl <aliceryhl@google.com> wrote: > > Linux has separate subjective and objective task credentials, see the > comment above `struct cred`. Clarify which accessor functions operate on > which set of credentials. > > Also document that Task::euid() is a very weird operation. You can see how > weird it is by grepping for task_euid() in the history - binder was its > only user. Task::euid() obtains the objective effective UID - it looks > at the credentials of the task for purposes of acting on it as an > object, but then accesses the effective UID (which the credentials.7 man > page describes as "[...] used by the kernel to determine the permissions > that the process will have when accessing shared resources [...]"). > > For context: > Arguably, binder's use of task_euid() is a theoretical security problem, > which only has no impact on Android because Android has no setuid binaries > executable by apps. > commit 29bc22ac5e5b ("binder: use euid from cred instead of using task") > originally fixed that by removing that only user of task_euid(), but the > fix got reverted in commit c21a80ca0684 ("binder: fix test regression > due to sender_euid change") because some Android test started failing. > It was since fixed again by commit 65b672152289 ("binder: use > current_euid() for transaction sender identity"), which uses > current_euid() instead. > > Signed-off-by: Jann Horn <jannh@google.com> > Reviewed-by: Gary Guo <gary@garyguo.net> > Signed-off-by: Alice Ryhl <aliceryhl@google.com> > --- > Originally sent as: > https://lore.kernel.org/r/20260212-rust-uid-v1-1-deff4214c766@google.com > --- > rust/kernel/task.rs | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) Merged into lsm/dev, thanks! -- paul-moore.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v5 1/2] rust: task: clarify comments on task UID accessors 2026-07-07 19:10 ` Paul Moore @ 2026-07-07 21:40 ` Alice Ryhl 0 siblings, 0 replies; 6+ messages in thread From: Alice Ryhl @ 2026-07-07 21:40 UTC (permalink / raw) To: Paul Moore Cc: Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman, Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu, Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, Jann Horn, linux-security-module, linux-doc, linux-kernel, rust-for-linux On Tue, Jul 7, 2026 at 9:10 PM Paul Moore <paul@paul-moore.com> wrote: > > On Jul 3, 2026 Alice Ryhl <aliceryhl@google.com> wrote: > > > > Linux has separate subjective and objective task credentials, see the > > comment above `struct cred`. Clarify which accessor functions operate on > > which set of credentials. > > > > Also document that Task::euid() is a very weird operation. You can see how > > weird it is by grepping for task_euid() in the history - binder was its > > only user. Task::euid() obtains the objective effective UID - it looks > > at the credentials of the task for purposes of acting on it as an > > object, but then accesses the effective UID (which the credentials.7 man > > page describes as "[...] used by the kernel to determine the permissions > > that the process will have when accessing shared resources [...]"). > > > > For context: > > Arguably, binder's use of task_euid() is a theoretical security problem, > > which only has no impact on Android because Android has no setuid binaries > > executable by apps. > > commit 29bc22ac5e5b ("binder: use euid from cred instead of using task") > > originally fixed that by removing that only user of task_euid(), but the > > fix got reverted in commit c21a80ca0684 ("binder: fix test regression > > due to sender_euid change") because some Android test started failing. > > It was since fixed again by commit 65b672152289 ("binder: use > > current_euid() for transaction sender identity"), which uses > > current_euid() instead. > > > > Signed-off-by: Jann Horn <jannh@google.com> > > Reviewed-by: Gary Guo <gary@garyguo.net> > > Signed-off-by: Alice Ryhl <aliceryhl@google.com> > > --- > > Originally sent as: > > https://lore.kernel.org/r/20260212-rust-uid-v1-1-deff4214c766@google.com > > --- > > rust/kernel/task.rs | 9 ++++++--- > > 1 file changed, 6 insertions(+), 3 deletions(-) > > Merged into lsm/dev, thanks! Thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v5 2/2] cred: delete task_euid() 2026-07-03 6:57 [PATCH v5 0/2] Delete task_euid() Alice Ryhl 2026-07-03 6:57 ` [PATCH v5 1/2] rust: task: clarify comments on task UID accessors Alice Ryhl @ 2026-07-03 6:57 ` Alice Ryhl 2026-07-07 19:10 ` Paul Moore 1 sibling, 1 reply; 6+ messages in thread From: Alice Ryhl @ 2026-07-03 6:57 UTC (permalink / raw) To: Paul Moore, Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman, Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, Jann Horn, linux-security-module, linux-doc, linux-kernel, rust-for-linux, Alice Ryhl task_euid() is a very weird operation. You can see how weird it is by grepping for task_euid() - binder is its only user. task_euid() obtains the objective effective UID - it looks at the credentials of the task for purposes of acting on it as an object, but then accesses the effective UID (which the credentials.7 man page describes as "[...] used by the kernel to determine the permissions that the process will have when accessing shared resources [...]"). Since usage in Binder has now been removed, get rid of the resulting dead code. Changes to the zh_CN translation was carried out with the help of Gemini and Google Translate, and since adjusted as per Alex Shi's feedback. Suggested-by: Jann Horn <jannh@google.com> Reviewed-by: Gary Guo <gary@garyguo.net> Signed-off-by: Alice Ryhl <aliceryhl@google.com> --- Documentation/security/credentials.rst | 6 ++---- Documentation/translations/zh_CN/security/credentials.rst | 4 +--- include/linux/cred.h | 1 - rust/helpers/task.c | 5 ----- rust/kernel/task.rs | 10 ---------- 5 files changed, 3 insertions(+), 23 deletions(-) diff --git a/Documentation/security/credentials.rst b/Documentation/security/credentials.rst index 4996838491b1..a39a2a2f67aa 100644 --- a/Documentation/security/credentials.rst +++ b/Documentation/security/credentials.rst @@ -393,16 +393,14 @@ the credentials so obtained when they're finished with. The result of ``__task_cred()`` should not be passed directly to ``get_cred()`` as this may race with ``commit_cred()``. -There are a couple of convenience functions to access bits of another task's -credentials, hiding the RCU magic from the caller:: +There is a convenience function to access bits of another task's credentials, +hiding the RCU magic from the caller:: uid_t task_uid(task) Task's real UID - uid_t task_euid(task) Task's effective UID If the caller is holding the RCU read lock at the time anyway, then:: __task_cred(task)->uid - __task_cred(task)->euid should be used instead. Similarly, if multiple aspects of a task's credentials need to be accessed, RCU read lock should be used, ``__task_cred()`` called, diff --git a/Documentation/translations/zh_CN/security/credentials.rst b/Documentation/translations/zh_CN/security/credentials.rst index 88fcd9152ffe..20c8696f8198 100644 --- a/Documentation/translations/zh_CN/security/credentials.rst +++ b/Documentation/translations/zh_CN/security/credentials.rst @@ -337,15 +337,13 @@ const指针上操作,因此不需要进行类型转换,但需要临时放弃 ``__task_cred()`` 的结果不应直接传递给 ``get_cred()`` , 因为这可能与 ``commit_cred()`` 发生竞争条件。 -还有一些方便的函数可以访问另一个任务凭据的特定部分,将RCU操作对调用方隐藏起来:: +有一个方便的函数可用于访问另一个任务凭据的特定部分,从而对调用方隐藏RCU机制:: uid_t task_uid(task) Task's real UID - uid_t task_euid(task) Task's effective UID 如果调用方在此时已经持有RCU读锁,则应使用:: __task_cred(task)->uid - __task_cred(task)->euid 类似地,如果需要访问任务凭据的多个方面,应使用RCU读锁,调用 ``__task_cred()`` 函数,将结果存储在临时指针中,然后从临时指针中调用凭据的各个方面,最后释放锁。 diff --git a/include/linux/cred.h b/include/linux/cred.h index c6676265a985..6ef1750c93e2 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -371,7 +371,6 @@ DEFINE_FREE(put_cred, struct cred *, if (!IS_ERR_OR_NULL(_T)) put_cred(_T)) }) #define task_uid(task) (task_cred_xxx((task), uid)) -#define task_euid(task) (task_cred_xxx((task), euid)) #define task_ucounts(task) (task_cred_xxx((task), ucounts)) #define current_cred_xxx(xxx) \ diff --git a/rust/helpers/task.c b/rust/helpers/task.c index c0e1a06ede78..b46b1433a67e 100644 --- a/rust/helpers/task.c +++ b/rust/helpers/task.c @@ -28,11 +28,6 @@ __rust_helper kuid_t rust_helper_task_uid(struct task_struct *task) return task_uid(task); } -__rust_helper kuid_t rust_helper_task_euid(struct task_struct *task) -{ - return task_euid(task); -} - #ifndef CONFIG_USER_NS __rust_helper uid_t rust_helper_from_kuid(struct user_namespace *to, kuid_t uid) { diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs index eabd65bfde12..c2b3457b700c 100644 --- a/rust/kernel/task.rs +++ b/rust/kernel/task.rs @@ -217,16 +217,6 @@ pub fn uid(&self) -> Kuid { Kuid::from_raw(unsafe { bindings::task_uid(self.as_ptr()) }) } - /// Returns the objective effective UID of the given task. - /// - /// You should probably not be using this; the effective UID is normally - /// only relevant in subjective credentials. - #[inline] - pub fn euid(&self) -> Kuid { - // SAFETY: It's always safe to call `task_euid` on a valid task. - Kuid::from_raw(unsafe { bindings::task_euid(self.as_ptr()) }) - } - /// Determines whether the given task has pending signals. #[inline] pub fn signal_pending(&self) -> bool { -- 2.55.0.rc0.799.gd6f94ed593-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5 2/2] cred: delete task_euid() 2026-07-03 6:57 ` [PATCH v5 2/2] cred: delete task_euid() Alice Ryhl @ 2026-07-07 19:10 ` Paul Moore 0 siblings, 0 replies; 6+ messages in thread From: Paul Moore @ 2026-07-07 19:10 UTC (permalink / raw) To: Alice Ryhl, Serge Hallyn, Jonathan Corbet, Greg Kroah-Hartman, Shuah Khan, Alex Shi, Yanteng Si, Dongliang Mu Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Trevor Gross, Danilo Krummrich, Jann Horn, linux-security-module, linux-doc, linux-kernel, rust-for-linux, Alice Ryhl On Jul 3, 2026 Alice Ryhl <aliceryhl@google.com> wrote: > > task_euid() is a very weird operation. You can see how weird it is by > grepping for task_euid() - binder is its only user. task_euid() obtains > the objective effective UID - it looks at the credentials of the task > for purposes of acting on it as an object, but then accesses the > effective UID (which the credentials.7 man page describes as "[...] used > by the kernel to determine the permissions that the process will have > when accessing shared resources [...]"). > > Since usage in Binder has now been removed, get rid of the resulting > dead code. > > Changes to the zh_CN translation was carried out with the help of > Gemini and Google Translate, and since adjusted as per Alex Shi's > feedback. > > Suggested-by: Jann Horn <jannh@google.com> > Reviewed-by: Gary Guo <gary@garyguo.net> > Signed-off-by: Alice Ryhl <aliceryhl@google.com> > --- > Documentation/security/credentials.rst | 6 ++---- > Documentation/translations/zh_CN/security/credentials.rst | 4 +--- > include/linux/cred.h | 1 - > rust/helpers/task.c | 5 ----- > rust/kernel/task.rs | 10 ---------- > 5 files changed, 3 insertions(+), 23 deletions(-) Merged into lsm/dev, thanks! -- paul-moore.com ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-07-07 21:40 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-07-03 6:57 [PATCH v5 0/2] Delete task_euid() Alice Ryhl 2026-07-03 6:57 ` [PATCH v5 1/2] rust: task: clarify comments on task UID accessors Alice Ryhl 2026-07-07 19:10 ` Paul Moore 2026-07-07 21:40 ` Alice Ryhl 2026-07-03 6:57 ` [PATCH v5 2/2] cred: delete task_euid() Alice Ryhl 2026-07-07 19:10 ` Paul Moore
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox