Thread: 9 messages, 5 authors, 2017-10-23

[PATCH 2/2] IMA: Support using new creds in appraisal policy

From: Matthew Garrett <hidden>
Date: 2017-10-18 20:59:55
Also in: linux-integrity, selinux

On Tue, Oct 17, 2017 at 12:07 PM, Mimi Zohar [off-list ref] wrote:
On Mon, 2017-10-16 at 13:37 -0700, Matthew Garrett wrote:
              case LSM_SUBJ_TYPE:
-                     security_task_getsecid(tsk, &sid);
+                     security_cred_getsecid(cred, &sid);
                      rc = security_filter_rule_match(sid,
                                                      rule->lsm[i].type,
                                                      Audit_equal,
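Review bot: In the LSM_SUBJ_TYPE case, taking the secid from cred instead of tsk makes subject-label matching depend on whichever cred the caller passes in, and nothing in the hunk says which cred that is for each hook. A short comment above security_cred_getsecid(cred, &sid) stating that BPRM_CHECK passes the same creds that were checked before and CREDS_CHECK passes the new creds would document the policy-compatibility behaviour where it is decided. If tsk has no remaining users in this function after the change, the parameter should be dropped in the same patch.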
By replacing the call from security_task_getsec() to
security_cred_getsecid(), I assume you're expecting different results.
 Will this change break existing IMA policies?
No, for BPRM_CHECK they'll use the same creds that were previously
checked. CREDS_CHECK will behave differently to BPRM_CHECK.