Documentation: Clarify f_cred vs current_cred() use
When making access control choices from a file-based context, f_cred must be used instead of current_cred() to avoid confused deputy attacks where an open file may get passed to a more privileged process. Add a short paragraph to explicitly state the rationale. Cc: Jonathan Corbet <corbet@lwn.net> Cc: linux-doc@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
Родитель
559394d304
Коммит
7303515ae4
|
@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the
|
||||||
contents of the cred struct pointed to, barring the exceptions listed above
|
contents of the cred struct pointed to, barring the exceptions listed above
|
||||||
(see the Task Credentials section).
|
(see the Task Credentials section).
|
||||||
|
|
||||||
|
To avoid "confused deputy" privilege escalation attacks, access control checks
|
||||||
|
during subsequent operations on an opened file should use these credentials
|
||||||
|
instead of "current"'s credentials, as the file may have been passed to a more
|
||||||
|
privileged process.
|
||||||
|
|
||||||
Overriding the VFS's Use of Credentials
|
Overriding the VFS's Use of Credentials
|
||||||
=======================================
|
=======================================
|
||||||
|
|
Загрузка…
Ссылка в новой задаче