author Kees Cook <keescook@chromium.org> 2020-07-03 20:44:22 +0300
committer Jonathan Corbet <corbet@lwn.net> 2020-07-05 23:04:45 +0300
commit 7303515ae488ce767d3155358bae505dabd9ebe1
tree 3dc0035777144d17213d56a2115a6c6e77c5e6d8
parent 559394d3045ec31d0812fac3d6d603bfcb30f2ac
Documentation: Clarify f_cred vs current_cred() use

When making access control choices from a file-based context, f_cred
must be used instead of current_cred() to avoid confused deputy attacks
where an open file may get passed to a more privileged process. Add a
short paragraph to explicitly state the rationale.

Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescook
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

-rw-r--r-- Documentation/security/credentials.rst 4
1 files changed, 4 insertions, 0 deletions
diff --git a/Documentation/security/credentials.rst b/Documentation/security/credentials.rst
index 282e79feee6a..b7482f8ccf85 100644
--- a/Documentation/security/credentials.rst
+++ b/Documentation/security/credentials.rst
@@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the
contents of the cred struct pointed to, barring the exceptions listed above
(see the Task Credentials section).
+To avoid "confused deputy" privilege escalation attacks, access control checks
+during subsequent operations on an opened file should use these credentials
+instead of "current"'s credentials, as the file may have been passed to a more
+privileged process.
Overriding the VFS's Use of Credentials
=======================================
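
Review bot: The added paragraph (the four "+" lines following "(see the Task Credentials section).") refers only to "these credentials" and "current"'s credentials, while the commit subject and message name f_cred and current_cred() explicitly. Naming both in the text, for example "should use f_cred instead of current_cred()", would let a reader grep from code to this rule and removes any doubt about which credentials "these" refers to. The commit message also says f_cred "must be used" whereas the documentation says "should use"; if the rule is meant to be mandatory for file-based access checks, "must" would match the stated intent.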