On 7/24/20 1:32 PM, Casey Schaufler wrote: > Verify that the tasks on the ends of a binder transaction > use the same "display" security module. This prevents confusion > of security "contexts". >
Reviewed-by: John Johansen <[email protected]> > Reviewed-by: Kees Cook <[email protected]> > Acked-by: Stephen Smalley <[email protected]> > Signed-off-by: Casey Schaufler <[email protected]> > --- > security/security.c | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/security/security.c b/security/security.c > index ddbaf2073b02..95b48721fb17 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -788,9 +788,38 @@ int security_binder_set_context_mgr(struct task_struct > *mgr) > return call_int_hook(binder_set_context_mgr, 0, mgr); > } > > +/** > + * security_binder_transaction - Binder driver transaction check > + * @from: source of the transaction > + * @to: destination of the transaction > + * > + * Verify that the tasks have the same LSM "display", then > + * call the security module hooks. > + * > + * Returns -EINVAL if the displays don't match, or the > + * result of the security module checks. > + */ > int security_binder_transaction(struct task_struct *from, > struct task_struct *to) > { > + int from_display = lsm_task_display(from); > + int to_display = lsm_task_display(to); > + > + /* > + * If the display is LSMBLOB_INVALID the first module that has > + * an entry is used. This will be in the 0 slot. > + * > + * This is currently only required if the server has requested > + * peer contexts, but it would be unwieldly to have too much of > + * the binder driver detail here. > + */ > + if (from_display == LSMBLOB_INVALID) > + from_display = 0; > + if (to_display == LSMBLOB_INVALID) > + to_display = 0; > + if (from_display != to_display) > + return -EINVAL; > + > return call_int_hook(binder_transaction, 0, from, to); > } > > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
