[RFC PATCH v3 1/5] kdbus: add creator credentials to the endpoints
Stephen Smalley
sds at tycho.nsa.gov
Fri Oct 9 14:31:07 UTC 2015
On 10/07/2015 07:08 PM, Paul Moore wrote:
> In order to effectively enforce LSM based access controls we need to
> have more information about the kdbus endpoint creator than the
> uid/gid currently stored in the kdbus_node_type struct. This patch
> replaces the uid/gid values with a reference to the node creator's
> credential struct which serves the needs of both the kdbus DAC access
> controls as well as the LSM's access controls.
>
> Two macros have also been created, kdbus_node_[uid,gid](), which can
> be used to easily extract the euid/egid information from the new
> credential reference. The effective uid/gid is used as it was used
> in all areas of the previous kdbus code except for areas where the
> uid/gid was never set beyond the basic initialization to zero/root;
> I expect this was a bug that was never caught as the node creator in
> these cases was always expected to be root.
>
> Signed-off-by: Paul Moore <pmoore at redhat.com>
>
> ---
> ChangeLog:
> - v3
> * Ported to the 4.3-rc4 based kdbus tree
> - v2
> * Initial draft
> ---
> ipc/kdbus/bus.c | 13 +++++--------
> ipc/kdbus/endpoint.c | 14 ++++----------
> ipc/kdbus/endpoint.h | 3 +--
> ipc/kdbus/fs.c | 4 ++--
> ipc/kdbus/node.c | 11 ++++-------
> ipc/kdbus/node.h | 5 +++--
> 6 files changed, 19 insertions(+), 31 deletions(-)
>
> diff --git a/ipc/kdbus/node.c b/ipc/kdbus/node.c
> index 89f58bc..cd0c1a0 100644
> --- a/ipc/kdbus/node.c
> +++ b/ipc/kdbus/node.c
> @@ -12,6 +12,7 @@
> */
>
> #include <linux/atomic.h>
> +#include <linux/cred.h>
> #include <linux/fs.h>
> #include <linux/idr.h>
> #include <linux/kdev_t.h>
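Review bot: the new `#include <linux/cred.h>` is right for the `struct cred` reference the commit message says the node now keeps, but the diffstat shows node.c gaining only four lines; make sure the reference taken at node initialization is matched by a `put_cred()` in the node release path so the creator's credentials are not leaked when the node is freed.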
> @@ -170,13 +171,7 @@
> * node initialization. They must remain constant. If
> * NULL, they're skipped.
> *
> - * * node->mode: filesystem access modes
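Review bot: this hunk drops the `node->mode: filesystem access modes` line from the documentation of the fields that must be set before node initialization, yet the commit message only describes replacing the uid/gid values with a cred reference, not removing the mode field; if `node->mode` is still set by callers and consulted by the DAC checks, the doc line should stay and only the uid/gid entries should be replaced with the new cred description.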
mode still remains