• Stephen Smalley's avatar
    selinux: clean up cred usage and simplify · be0554c9
    Stephen Smalley authored
    SELinux was sometimes using the task "objective" credentials when
    it could/should use the "subjective" credentials.  This was sometimes
    hidden by the fact that we were unnecessarily passing around pointers
    to the current task, making it appear as if the task could be something
    other than current, so eliminate all such passing of current.  Inline
    various permission checking helper functions that can be reduced to a
    single avc_has_perm() call.
    
    Since the credentials infrastructure only allows a task to alter
    its own credentials, we can always assume that current must be the same
    as the target task in selinux_setprocattr after the check. We likely
    should move this check from selinux_setprocattr() to proc_pid_attr_write()
    and drop the task argument to the security hook altogether; it can only
    serve to confuse things.
    Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    be0554c9
objsec.h 3.82 KB