From b8989f80149c12dbc36435722e4490c4d890367f Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Mon, 6 Nov 2023 11:02:57 -0800 Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [41/90]: LSM stacking v39: LSM: restrict security_cred_getsecid() to a single LSM BugLink: http://bugs.launchpad.net/bugs/2028253 The LSM hook security_cred_getsecid() provides a single secid that is only used by the binder driver. Provide the first value available, and abandon any other hooks. Signed-off-by: Casey Schaufler (cherry picked from commit 99a7fdaa09799cce3cbdfd5acacf120b7ba4daca https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati --- security/security.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/security/security.c b/security/security.c index 17589f4d0759..a8c838e3b2bb 100644 --- a/security/security.c +++ b/security/security.c @@ -3174,13 +3174,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old) * @c: credentials * @secid: secid value * - * Retrieve the security identifier of the cred structure @c. In case of - * failure, @secid will be set to zero. + * Retrieve the first available security identifier of the + * cred structure @c. In case of failure, @secid will be set to zero. + * Currently only used by binder. */ void security_cred_getsecid(const struct cred *c, u32 *secid) { + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + hp->hook.cred_getsecid(c, secid); + return; + } + *secid = 0; - call_void_hook(cred_getsecid, c, secid); } EXPORT_SYMBOL(security_cred_getsecid);