[v4,0/3] binder: use cred instead of task for security context

Message ID	20211007004629.1113572-1-tkjos@google.com (mailing list archive)
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Date: Wed, 6 Oct 2021 17:46:26 -0700 Message-Id: <20211007004629.1113572-1-tkjos@google.com> Mime-Version: 1.0 Subject: [PATCH v4 0/3] binder: use cred instead of task for security context From: Todd Kjos <tkjos@google.com> To: gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com, maco@android.com, christian@brauner.io, jmorris@namei.org, serge@hallyn.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, keescook@chromium.org, jannh@google.com, jeffv@google.com, zohar@linux.ibm.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org Cc: joel@joelfernandes.org, kernel-team@android.com, Todd Kjos <tkjos@google.com> Content-Type: text/plain; charset="UTF-8" Precedence: bulk
Series	binder: use cred instead of task for security context \| expand [v4,0/3] binder: use cred instead of task for security context [v4,1/3] binder: use cred instead of task for selinux checks [v4,2/3] binder: use cred instead of task for getsecid [v4,3/3] binder: use euid from cred instead of using task

Message ID

20211007004629.1113572-1-tkjos@google.com (mailing list archive)

Headers

Date: Wed,  6 Oct 2021 17:46:26 -0700
Message-Id: <20211007004629.1113572-1-tkjos@google.com>
Mime-Version: 1.0
Subject: [PATCH v4 0/3] binder: use cred instead of task for security context
From: Todd Kjos <tkjos@google.com>
To: gregkh@linuxfoundation.org, arve@android.com, tkjos@android.com,
        maco@android.com, christian@brauner.io, jmorris@namei.org,
        serge@hallyn.com, paul@paul-moore.com,
        stephen.smalley.work@gmail.com, eparis@parisplace.org,
        keescook@chromium.org, jannh@google.com, jeffv@google.com,
        zohar@linux.ibm.com, linux-security-module@vger.kernel.org,
        selinux@vger.kernel.org, devel@driverdev.osuosl.org,
        linux-kernel@vger.kernel.org
Cc: joel@joelfernandes.org, kernel-team@android.com,
        Todd Kjos <tkjos@google.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

Series

binder: use cred instead of task for security context | expand

Message

Todd Kjos Oct. 7, 2021, 12:46 a.m. UTC

This series fixes the possible use of an incorrect security context
when checking selinux permissions, getting a security ID, or lookup
up the euid.

The previous behavior was to save the group_leader 'struct task_struct'
in binder_open() and using that to obtain security IDs or euids.

This has been shown to be unreliable, so this series instead saves the
'struct cred' of the task that called binder_open(). This cred is used
for these lookups instead of the task.

v1 and v2 of this series were a single patch "binder: use euid from"
cred instead of using task". During review, Stephen Smalley identified
two more related issues so the corresponding patches were added to
the series.

v3:
- add 2 patches to fix getsecid and euid

v4:
- fix minor checkpatch issues
- fix build-break for !CONFIG_SECURITY

Todd Kjos (3):
  binder: use cred instead of task for selinux checks
  binder: use cred instead of task for getsecid
  binder: use euid from cred instead of using task

 drivers/android/binder.c          | 14 ++++++++------
 drivers/android/binder_internal.h |  4 ++++
 include/linux/lsm_hook_defs.h     | 14 +++++++-------
 include/linux/lsm_hooks.h         | 14 +++++++-------
 include/linux/security.h          | 28 ++++++++++++++--------------
 security/security.c               | 14 +++++++-------
 security/selinux/hooks.c          | 48 +++++++++++++-----------------------------------
 7 files changed, 60 insertions(+), 76 deletions(-)