Re: [PATCH] Split bprm_apply_creds into two functions

[Chris Wright]

* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> The security_bprm_apply_creds() function is called from
> fs/exec.c:compute_creds() under task_lock(current).  SELinux must
> perform some work which is unsafe in that context, and therefore
> explicitly drops the task_lock, does the work, and re-acquires the
> task_lock.  This is unsafe if other security modules are stacked after
> SELinux, as their bprm_apply_creds assumes that the 'unsafe' variable is
> still meaningful, that is, that the task_lock has not been dropped.

I don't like this approach.  The whole point is to ensure safety, and
avoid races that have been found in the past.  This gives a new interface
that could be easily used under the wrong conditions, and breaking
the interface into two pieces looks kinda hackish.  Is there no other
solution?  I looked at this once before and wondered why task_unlock()
is needed to call avc_audit?  audit should be as lock friendly as printk
IMO, and I don't recall seeing any deadlock after short review of it.
But I didn't get much beyond that.  Is it all the flushing that can't
hold task_lock?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/