Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 98c88651 authored by Casey Schaufler's avatar Casey Schaufler Committed by Kees Cook
Browse files

SELinux: Remove cred security blob poisoning 



The SELinux specific credential poisioning only makes sense
if SELinux is managing the credentials. As the intent of this
patch set is to move the blob management out of the modules
and into the infrastructure, the SELinux specific code has
to go. The poisioning could be introduced into the infrastructure
at some later date.

Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 0c6cfa62

kernel/cred.c

+0 −13
Original line number Diff line number Diff line
@@ -760,19 +760,6 @@ bool creds_are_invalid(const struct cred *cred) 
{

	if (cred->magic != CRED_MAGIC)

		return true;

#ifdef CONFIG_SECURITY_SELINUX

	/*

	 * cred->security == NULL if security_cred_alloc_blank() or

	 * security_prepare_creds() returned an error.

	 */

	if (selinux_is_enabled() && cred->security) {

		if ((unsigned long) cred->security < PAGE_SIZE)

			return true;

		if ((*(u32 *)cred->security & 0xffffff00) ==

		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))

			return true;

	}

#endif

	return false;

}

EXPORT_SYMBOL(creds_are_invalid);

security/selinux/hooks.c

+0 −6
Original line number Diff line number Diff line
@@ -3708,12 +3708,6 @@ static void selinux_cred_free(struct cred *cred) 
{

	struct task_security_struct *tsec = selinux_cred(cred);



	/*

	 * cred->security == NULL if security_cred_alloc_blank() or

	 * security_prepare_creds() returned an error.

	 */

	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);

	cred->security = (void *) 0x7UL;

	kfree(tsec);

}