Re: [4.4.y] cred_getsecid hook


Pavel Machek
 

Hi!

> While working on backporting the fix for CVE-2021-39686 in the
> Android-"version" of the 4.4.y kernel I noticed the missing
> cred_getsecid hook introduced in e.g. 4.19.y by
> 3ec30113264a7bcd389f51d1738e42da0f41bb5a
> (https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?h=linux-4.19.y&id=3ec30113264a7bcd389f51d1738e42da0f41bb5a)
> ...
> Anyway: Are there any plans to synchronize the hooks in 4.4 with those in more recent kernels?

Let me see. 4.19 has that commit; it was merged during the merge
window. 4.9 does not have that commit.

If CVE-2021-39686 is important to you, the right way forward would be to
backport the necessary changes to 4.9, first. We would rather not have
changes in 4.4-st that are not present in 4.9.X.

I don't think we have any plans to work in this area.

commit 3ec30113264a7bcd389f51d1738e42da0f41bb5a
Author: Matthew Garrett <mjg59@...>
Date: Mon Jan 8 13:36:19 2018 -0800

security: Add a cred_getsecid hook

For IMA purposes, we want to be able to obtain the prepared secid in the
bprm structure before the credentials are committed. Add a cred_getsecid
hook that makes this possible.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
