Right now most of the IMA code is using current->creds, but the LSM checks are using security_task_getsecid() which ends up looking at real_creds. Switch to using security_cred_getsecid() in order to make this consistent.
Signed-off-by: Matthew Garrett <[email protected]> Cc: Paul Moore <[email protected]> Cc: Stephen Smalley <[email protected]> Cc: Eric Paris <[email protected]> Cc: [email protected] Cc: Casey Schaufler <[email protected]> Cc: [email protected] Cc: Mimi Zohar <[email protected]> Cc: Dmitry Kasatkin <[email protected]> Cc: [email protected] --- security/integrity/ima/ima_policy.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index ee4613fa5840..52951ac445ea 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -249,7 +249,6 @@ static void ima_lsm_update_rules(void) static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, enum ima_hooks func, int mask) { - struct task_struct *tsk = current; const struct cred *cred = current_cred(); int i; @@ -305,7 +304,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - security_task_getsecid(tsk, &sid); + security_cred_getsecid(cred, &sid); rc = security_filter_rule_match(sid, rule->lsm[i].type, Audit_equal, -- 2.15.1.620.gb9897f4670-goog
