Documentation: Clarify f_cred vs current_cred() use

When making access control choices from a file-based context, f_cred must be used instead of current_cred() to avoid confused deputy attacks where an open file may get passed to a more privileged process. Add a short paragraph to explicitly state the rationale. Cc: Jonathan Corbet <corbet@lwn.net> Cc: linux-doc@vger.kernel.org Signed-off-by: N Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescookSigned-off-by: N Jonathan Corbet <corbet@lwn.net>

Documentation: Clarify f_cred vs current_cred() use
When making access control choices from a file-based context, f_cred must be used instead of current_cred() to avoid confused deputy attacks where an open file may get passed to a more privileged process. Add a short paragraph to explicitly state the rationale. Cc: Jonathan Corbet <corbet@lwn.net> Cc: linux-doc@vger.kernel.org Signed-off-by: N Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescookSigned-off-by: N Jonathan Corbet <corbet@lwn.net>
7303515a · Kees Cook · Jonathan Corbet · 559394d3 · 7303515a
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

Documentation/security/credentials.rst Documentation/security/credentials.rst +4 -0

未找到文件。
--- a/Documentation/security/credentials.rst
+++ b/Documentation/security/credentials.rst
@@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the
 contents of the cred struct pointed to, barring the exceptions listed above
 (see the Task Credentials section).

+To avoid "confused deputy" privilege escalation attacks, access control checks
+during subsequent operations on an opened file should use these credentials
+instead of "current"'s credentials, as the file may have been passed to a more
+privileged process.

 Overriding the VFS's Use of Credentials
 =======================================