From patchwork Wed Jan 3 01:20:16 2018
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10141557
Date: Tue, 2 Jan 2018 17:20:16 -0800
In-Reply-To: <20180103012017.7022-1-mjg59@google.com>
Message-Id: <20180103012017.7022-2-mjg59@google.com>
References: <20180103012017.7022-1-mjg59@google.com>
X-Mailer: git-send-email 2.15.1.620.gb9897f4670-goog
Subject: [PATCH V4 2/3] IMA: Use consistent creds
From: Matthew Garrett
To: linux-integrity@vger.kernel.org
Cc: Matthew Garrett, Paul Moore, Stephen Smalley, Eric Paris, selinux@tycho.nsa.gov, Casey Schaufler, linux-security-module@vger.kernel.org, Mimi Zohar, Dmitry Kasatkin
X-Mailing-List: linux-integrity@vger.kernel.org

Right now most of the IMA code is using current->creds, but the LSM
checks are using security_task_getsecid() which ends up looking at
real_creds. Switch to using security_cred_getsecid() in order to make
this consistent.

Signed-off-by: Matthew Garrett
Cc: Paul Moore
Cc: Stephen Smalley
Cc: Eric Paris
Cc: selinux@tycho.nsa.gov
Cc: Casey Schaufler
Cc: linux-security-module@vger.kernel.org
Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: linux-integrity@vger.kernel.org
--- security/integrity/ima/ima_policy.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index ee4613fa5840..52951ac445ea 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, enum ima_hooks func, int mask) { - struct task_struct *tsk = current; const struct cred *cred = current_cred(); int i; @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - security_task_getsecid(tsk, &sid); + security_cred_getsecid(cred, &sid); rc = security_filter_rule_match(sid, rule->lsm[i].type, Audit_equal,
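
Review bot: In the second hunk (the LSM_SUBJ_USER / LSM_SUBJ_ROLE / LSM_SUBJ_TYPE case), sid is now derived from cred, which the first hunk shows is current_cred(), rather than from the task's real_creds. The value passed to security_filter_rule_match() can therefore differ for any task running with overridden credentials, and the commit message describes this only as a consistency fix. Suggest stating in the commit message that subject-label rule matching changes for such callers and which credential set IMA policy is intended to evaluate. Also, security_cred_getsecid() is not added anywhere in this diff, so the message should note that this patch depends on an earlier patch in the series that introduces it.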