On Fri, Feb 19, 2021 at 8:49 PM Casey Schaufler
<casey(a)schaufler-ca.com> wrote:
> On 2/19/2021 3:28 PM, Paul Moore wrote:
>> As discussed briefly on the list (lore link below), we are a little
>> sloppy when it comes to using task credentials, mixing both the
>> subjective and object credentials. This patch set attempts to fix
>> this by replacing security_task_getsecid() with two new hooks that
>> return either the subjective (_subj) or objective (_obj) credentials.
>>
>>
https://lore.kernel.org/linux-security-module/806848326.0ifERbkFSE@x2/T/
>>
>> Casey and John, I made a quick pass through the Smack and AppArmor
>> code in an effort to try and do the right thing, but I will admit
>> that I haven't tested those changes, just the SELinux code. I
>> would really appreciate your help in reviewing those changes. If
>> you find it easier, feel free to wholesale replace my Smack/AppArmor
>> patch with one of your own.
> A quick test pass didn't show up anything obviously
> amiss with the Smack changes. I have will do some more
> through inspection, but they look fine so far.
Thanks for testing it out and giving it a look. Beyond the Smack
specific changes, I'm also interested in making sure all the hook
callers are correct; I believe I made the correct substitutions, but a
second (or third (or fourth ...)) set of eyes is never a bad idea.
I'm still not seeing anything that looks wrong. I'd suggest that Mimi
have a look at the IMA bits.