From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH 5.14 099/100] selinux,smack: fix subjective/objective credential use mixups
Date: Fri, 24 Sep 2021 14:44:48 +0200 [thread overview]
Message-ID: <20210924124344.807935067@linuxfoundation.org> (raw)
In-Reply-To: <20210924124341.214446495@linuxfoundation.org>
From: Paul Moore <paul@paul-moore.com>
commit a3727a8bac0a9e77c70820655fd8715523ba3db7 upstream.
Jann Horn reported a problem with commit eb1231f73c4d ("selinux:
clarify task subjective and objective credentials") where some LSM
hooks were attempting to access the subjective credentials of a task
other than the current task. Generally speaking, it is not safe to
access another task's subjective credentials and doing so can cause
a number of problems.
Further, while looking into the problem, I realized that Smack was
suffering from a similar problem brought about by a similar commit
1fb057dcde11 ("smack: differentiate between subjective and objective
task credentials").
This patch addresses this problem by restoring the use of the task's
objective credentials in those cases where the task is other than the
current executing task. Not only does this resolve the problem
reported by Jann, it is arguably the correct thing to do in these
cases.
Cc: stable@vger.kernel.org
Fixes: eb1231f73c4d ("selinux: clarify task subjective and objective credentials")
Fixes: 1fb057dcde11 ("smack: differentiate between subjective and objective task credentials")
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 4 ++--
security/smack/smack_lsm.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2155,7 +2155,7 @@ static int selinux_ptrace_access_check(s
static int selinux_ptrace_traceme(struct task_struct *parent)
{
return avc_has_perm(&selinux_state,
- task_sid_subj(parent), task_sid_obj(current),
+ task_sid_obj(parent), task_sid_obj(current),
SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
}
@@ -6218,7 +6218,7 @@ static int selinux_msg_queue_msgrcv(stru
struct ipc_security_struct *isec;
struct msg_security_struct *msec;
struct common_audit_data ad;
- u32 sid = task_sid_subj(target);
+ u32 sid = task_sid_obj(target);
int rc;
isec = selinux_ipc(msq);
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2016,7 +2016,7 @@ static int smk_curacc_on_task(struct tas
const char *caller)
{
struct smk_audit_info ad;
- struct smack_known *skp = smk_of_task_struct_subj(p);
+ struct smack_known *skp = smk_of_task_struct_obj(p);
int rc;
smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
@@ -3480,7 +3480,7 @@ static void smack_d_instantiate(struct d
*/
static int smack_getprocattr(struct task_struct *p, char *name, char **value)
{
- struct smack_known *skp = smk_of_task_struct_subj(p);
+ struct smack_known *skp = smk_of_task_struct_obj(p);
char *cp;
int slen;
next prev parent reply other threads:[~2021-09-24 13:06 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-24 12:43 [PATCH 5.14 000/100] 5.14.8-rc1 review Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 001/100] PCI: pci-bridge-emul: Add PCIe Root Capabilities Register Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 002/100] PCI: aardvark: Fix reporting CRS value Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 003/100] console: consume APC, DM, DCS Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 004/100] staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 005/100] um: fix stub location calculation Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 006/100] coredump: fix memleak in dump_vma_snapshot() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 007/100] um: virtio_uml: fix memory leak on init failures Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 008/100] RDMA/hns: Enable stash feature of HIP09 Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 009/100] RDMA/mlx5: Fix xlt_chunk_align calculation Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 010/100] dmaengine: acpi: Avoid comparison GSI with Linux vIRQ Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 011/100] perf test: Fix bpf test sample mismatch reporting Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 012/100] perf symbol: Look for ImageBase in PE file to compute .text offset Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 013/100] perf tools: Allow build-id with trailing zeros Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 014/100] staging: rtl8723bs: fix wpa_set_auth_algs() function Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 015/100] n64cart: fix return value check in n64cart_probe() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 016/100] thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 017/100] 9p/trans_virtio: Remove sysfs file on probe failure Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 018/100] pwm: ab8500: Fix register offset calculation to not depend on probe order Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 019/100] prctl: allow to setup brk for et_dyn executables Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 020/100] nilfs2: use refcount_dec_and_lock() to fix potential UAF Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 021/100] profiling: fix shift-out-of-bounds bugs Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 022/100] PM: sleep: core: Avoid setting power.must_resume to false Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 023/100] thermal/drivers/qcom/spmi-adc-tm5: Dont abort probing if a sensor is not used Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 024/100] ceph: cancel delayed work instead of flushing on mdsc teardown Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 025/100] pwm: lpc32xx: Dont modify HW state in .probe() after the PWM chip was registered Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 026/100] pwm: mxs: " Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 027/100] dmanegine: idxd: cleanup all device related bits after disabling device Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 028/100] dmaengine: idxd: have command status always set Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 029/100] dmaengine: idxd: fix wq slot allocation index check Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 030/100] dmaengine: idxd: fix abort status check Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 031/100] dmaengine: idxd: clear block on fault flag when clear wq Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 032/100] platform/chrome: sensorhub: Add trace events for sample Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 033/100] platform/chrome: cros_ec_trace: Fix format warnings Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 034/100] s390/entry: make oklabel within CHKSTG macro local Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 035/100] SUNRPC: dont pause on incomplete allocation Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 036/100] math: RATIONAL_KUNIT_TEST should depend on RATIONAL instead of selecting it Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 037/100] init: move usermodehelper_enable() to populate_rootfs() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 038/100] Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 039/100] tools/bootconfig: Fix tracing_on option checking in ftrace2bconf.sh Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 040/100] tracing/boot: Fix to loop on only subkeys Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 041/100] thermal/core: Fix thermal_cooling_device_register() prototype Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 042/100] drm/amdgpu: Disable PCIE_DPM on Intel RKL Platform Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 043/100] drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 044/100] dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 045/100] dma-buf: DMABUF_DEBUG " Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 046/100] parisc: Move pci_dev_is_behind_card_dino to where it is used Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 047/100] iommu/amd: Relocate GAMSup check to early_enable_iommus Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 048/100] iommu/vt-d: Fix PASID leak in intel_svm_unbind_mm() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 049/100] iommu/vt-d: Fix a deadlock in intel_svm_drain_prq() Greg Kroah-Hartman
2021-09-24 12:43 ` [PATCH 5.14 050/100] arm64: mm: limit linear region to 51 bits for KVM in nVHE mode Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 051/100] drm/ttm: Fix a deadlock if the target BO is not idle during swap Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 052/100] of: property: Disable fw_devlink DT support for X86 Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 053/100] riscv: dts: microchip: mpfs-icicle: Fix serial console Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 054/100] perf tools: Fix hybrid config terms list corruption Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 055/100] dmaengine: idxd: depends on !UML Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 056/100] dmaengine: sprd: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 057/100] cxl: Move cxl_core to new directory Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 058/100] cxl/pci: Introduce cdevm_file_operations Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 059/100] dmaengine: ioat: depends on !UML Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 060/100] dmaengine: xilinx_dma: Set DMA mask for coherent APIs Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 061/100] s390: add kmemleak annotation in stack_alloc() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 062/100] ASoC: audio-graph: respawn Platform Support Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 063/100] ACPI: PM: s2idle: Run both AMD and Microsoft methods if both are supported Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 064/100] ceph: fix memory leak on decode error in ceph_handle_caps Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 065/100] ceph: request Fw caps before updating the mtime in ceph_write_iter Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 066/100] ceph: remove the capsnaps when removing caps Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 067/100] ceph: lockdep annotations for try_nonblocking_invalidate Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 068/100] s390/unwind: use current_frame_address() to unwind current task Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 069/100] btrfs: update the bdev time directly when closing Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 070/100] btrfs: delay blkdev_put until after the device remove Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 071/100] btrfs: fix lockdep warning while mounting sprout fs Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 072/100] nilfs2: fix memory leak in nilfs_sysfs_create_device_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 073/100] nilfs2: fix NULL pointer in nilfs_##name##_attr_release Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 074/100] nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 075/100] nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 076/100] nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 077/100] nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 078/100] thermal/drivers/rcar_gen3_thermal: Store TSC id as unsigned int Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 079/100] habanalabs: fix nullifying of destroyed mmu pgt pool Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 080/100] habanalabs: fix race between soft reset and heartbeat Greg Kroah-Hartman
2021-09-25 11:53 ` Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 081/100] drm/amdgpu: Fixes to returning VBIOS RAS EEPROM address Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 082/100] drm/amd/display: Fix memory leak reported by coverity Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 083/100] drm/amdgpu: fix fdinfo race with process exit Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 084/100] habanalabs: add validity check for event ID received from F/W Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 085/100] habanalabs: fix mmu node address resolution in debugfs Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 086/100] habanalabs: add "in device creation" status Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 087/100] habanalabs: cannot sleep while holding spinlock Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 088/100] pwm: img: Dont modify HW state in .remove() callback Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 089/100] pwm: rockchip: " Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 090/100] pwm: stm32-lp: " Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 091/100] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 092/100] block: genhd: dont call blkdev_show() with major_names_lock held Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 093/100] blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 094/100] blk-mq: allow 4x BLK_MAX_REQUEST_COUNT at blk_plug for multiple_queues Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 095/100] rtc: rx8010: select REGMAP_I2C Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 096/100] sched/idle: Make the idle timer expire in hard interrupt context Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 097/100] cifs: properly invalidate cached root handle when closing it Greg Kroah-Hartman
2021-09-24 12:44 ` [PATCH 5.14 098/100] io_uring: fix off-by-one in BUILD_BUG_ON check of __REQ_F_LAST_BIT Greg Kroah-Hartman
2021-09-24 12:44 ` Greg Kroah-Hartman [this message]
2021-09-24 12:44 ` [PATCH 5.14 100/100] drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV Greg Kroah-Hartman
2021-09-24 14:21 ` [PATCH 5.14 000/100] 5.14.8-rc1 review Daniel Díaz
2021-09-25 11:50 ` Greg Kroah-Hartman
2021-09-24 20:10 ` Fox Chen
2021-09-24 21:52 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210924124344.807935067@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=casey@schaufler-ca.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox