[PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM

From: Casey Schaufler
Date: Fri Dec 15 2023 - 17:48:39 EST


The LSM hook security_cred_getsecid() provides a single secid
that is only used by the binder driver. Provide the first value
available, and abandon any other hooks.

Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
security/security.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/security.c b/security/security.c
index f1bff6b5b076..504dfc6d05fa 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3157,13 +3157,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
* @c: credentials
* @secid: secid value
*
- * Retrieve the security identifier of the cred structure @c. In case of
- * failure, @secid will be set to zero.
+ * Retrieve the first available security identifier of the
+ * cred structure @c. In case of failure, @secid will be set to zero.
+ * Currently only used by binder.
*/
void security_cred_getsecid(const struct cred *c, u32 *secid)
{
+ struct security_hook_list *hp;
+
+ hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) {
+ hp->hook.cred_getsecid(c, secid);
+ return;
+ }
+
*secid = 0;
- call_void_hook(cred_getsecid, c, secid);
}
EXPORT_SYMBOL(security_cred_getsecid);

--
2.41.0