From patchwork Wed Jan 3 01:20:16 2018
X-Patchwork-Submitter: Matthew Garrett
X-Patchwork-Id: 10141559
Date: Tue, 2 Jan 2018 17:20:16 -0800
In-Reply-To: <20180103012017.7022-1-mjg59@google.com>
Message-Id: <20180103012017.7022-2-mjg59@google.com>
References: <20180103012017.7022-1-mjg59@google.com>
X-Mailer: git-send-email 2.15.1.620.gb9897f4670-goog
Subject: [PATCH V4 2/3] IMA: Use consistent creds
From: Matthew Garrett To: linux-integrity@vger.kernel.org Cc: Matthew Garrett , Paul Moore , Stephen Smalley , Eric Paris , selinux@tycho.nsa.gov, Casey Schaufler , linux-security-module@vger.kernel.org, Mimi Zohar , Dmitry Kasatkin Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Right now most of the IMA code is using current->creds, but the LSM checks are using security_task_getsecid() which ends up looking at real_creds. Switch to using security_cred_getsecid() in order to make this consistent. Signed-off-by: Matthew Garrett Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: selinux@tycho.nsa.gov Cc: Casey Schaufler Cc: linux-security-module@vger.kernel.org Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org --- security/integrity/ima/ima_policy.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index ee4613fa5840..52951ac445ea 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, enum ima_hooks func, int mask) { - struct task_struct *tsk = current; const struct cred *cred = current_cred(); int i; @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - security_task_getsecid(tsk, &sid); + security_cred_getsecid(cred, &sid); rc = security_filter_rule_match(sid, rule->lsm[i].type, Audit_equal,
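
Review bot: in the second hunk of ima_match_rules(), the LSM_SUBJ_USER, LSM_SUBJ_ROLE and LSM_SUBJ_TYPE cases now take sid from current_cred() rather than from the task's real creds, so subject-based rules will match differently whenever the caller is running with overridden credentials, and the changelog does not say so. It describes the switch only as a consistency fix; please state the resulting change in rule matching explicitly so policy authors can tell whether existing subj_user/subj_role/subj_type rules are affected. security_cred_getsecid() is also not added in this patch, so the changelog should name the patch in the series that introduces it and this one must stay ordered after it to keep the series bisectable.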