From 7303515ae488ce767d3155358bae505dabd9ebe1 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 3 Jul 2020 10:44:22 -0700 Subject: Documentation: Clarify f_cred vs current_cred() use When making access control choices from a file-based context, f_cred must be used instead of current_cred() to avoid confused deputy attacks where an open file may get passed to a more privileged process. Add a short paragraph to explicitly state the rationale. Cc: Jonathan Corbet Cc: linux-doc@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescook Signed-off-by: Jonathan Corbet --- Documentation/security/credentials.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Documentation/security/credentials.rst') diff --git a/Documentation/security/credentials.rst b/Documentation/security/credentials.rst index 282e79feee6a..b7482f8ccf85 100644 --- a/Documentation/security/credentials.rst +++ b/Documentation/security/credentials.rst @@ -548,6 +548,10 @@ pointer will not change over the lifetime of the file struct, and nor will the contents of the cred struct pointed to, barring the exceptions listed above (see the Task Credentials section). +To avoid "confused deputy" privilege escalation attacks, access control checks +during subsequent operations on an opened file should use these credentials +instead of "current"'s credentials, as the file may have been passed to a more +privileged process. Overriding the VFS's Use of Credentials ======================================= -- cgit v1.2.3