kdbus_proc_permission (Re: [GIT PULL] kdbus updates for Greg)

From: Andy Lutomirski
Date: Sun Aug 09 2015 - 22:43:43 EST


I spotted this:

+/**
+ * kdbus_proc_permission() - check /proc permissions on target pid
+ * @pid_ns: namespace we operate in
+ * @cred: credentials of requestor
+ * @target: target process
+ *
+ * This checks whether a process with credentials @cred can access information
+ * of @target in the namespace @pid_ns. This tries to follow /proc permissions,
+ * but is slightly more restrictive.
+ *
+ * Return: The /proc access level (KDBUS_META_PROC_*) is returned.
+ */
+static unsigned int kdbus_proc_permission(const struct pid_namespace *pid_ns,
+ const struct cred *cred,
+ struct pid *target)

That code ended up in a pull request, although AFAICT it was never in
any patch email sent to me or to any public mailing list. I suspect
it was at least partially a response to one of my old reviews.

I haven't checked the context in which it's used, but in order for
kdbus_proc_permission to do what it claims to do, it appears to be
missing calls to security_inode_permission and
security_file_permission.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/