Commit 7303515a, authored by Kees Cook, committed by Jonathan Corbet

Documentation: Clarify f_cred vs current_cred() use

When making access control choices from a file-based context, f_cred
must be used instead of current_cred() to avoid confused deputy attacks
where an open file may get passed to a more privileged process. Add a
short paragraph to explicitly state the rationale.

Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescook
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Parent 559394d3
...@@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the ...@@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the
contents of the cred struct pointed to, barring the exceptions listed above contents of the cred struct pointed to, barring the exceptions listed above
(see the Task Credentials section). (see the Task Credentials section).
To avoid "confused deputy" privilege escalation attacks, access control checks
during subsequent operations on an opened file should use these credentials
instead of "current"'s credentials, as the file may have been passed to a more
privileged process.
Overriding the VFS's Use of Credentials Overriding the VFS's Use of Credentials
======================================= =======================================
......
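Review bot: The added paragraph after "(see the Task Credentials section)." says "these credentials" and "current"'s credentials without naming f_cred or current_cred(), although the commit message states the rule in exactly those terms. Naming both in the paragraph would let a developer who searches the document for either accessor find the rule directly. The closing clause "as the file may have been passed to a more privileged process" also leaves implicit why the opener's credentials are the right ones to check; one more sentence stating that the check should reflect the privileges of whoever opened the file, not whoever later operates on it, would make the rationale self-contained.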