Stephen Smalley avatar Stephen Smalley committed 02c6cc3

Fix security_binder_transfer_binder hook.

Drop the owning task argument to security_binder_transfer_binder
since ref->node->proc can be NULL (dead owner?).
Revise the SELinux checking to apply a single transfer check between
the source and destination tasks. Owning task is no longer relevant.
Drop the receive permission definition as it is no longer used.

This makes the transfer permission similar to the call permission; it is only
useful if you want to allow a binder IPC between two tasks (call permission)
but deny passing of binder references between them (transfer permission).

Comments (0)

Files changed (6)

drivers/staging/android/binder.c

 					fp->cookie, node->cookie);
 				goto err_binder_get_ref_for_node_failed;
 			}
-			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk, node->proc->tsk)) {
+			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_for_node_failed;
 			}
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_failed;
 			}
-			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk, ref->node->proc->tsk)) {
+			if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
 				return_error = BR_FAILED_REPLY;
 				goto err_binder_get_ref_failed;
 			}

include/linux/security.h

 
 	int (*binder_set_context_mgr) (struct task_struct *mgr);
 	int (*binder_transaction) (struct task_struct *from, struct task_struct *to);
-	int (*binder_transfer_binder) (struct task_struct *from, struct task_struct *to, struct task_struct *owner);
+	int (*binder_transfer_binder) (struct task_struct *from, struct task_struct *to);
 	int (*binder_transfer_file) (struct task_struct *from, struct task_struct *to, struct file *file);
 
 	int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
 /* Security operations */
 int security_binder_set_context_mgr(struct task_struct *mgr);
 int security_binder_transaction(struct task_struct *from, struct task_struct *to);
-int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner);
+int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to);
 int security_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file);
 int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
 int security_ptrace_traceme(struct task_struct *parent);
 	return 0;
 }
 
-static inline int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+static inline int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
 	return 0;
 }

security/capability.c

 	return 0;
 }
 
-static int cap_binder_transfer_binder(struct task_struct *from, struct task_strut *to, struct task_struct *owner)
+static int cap_binder_transfer_binder(struct task_struct *from, struct task_strut *to)
 {
 	return 0;
 }

security/security.c

 	return security_ops->binder_transaction(from, to);
 }
 
-int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+int security_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
-	return security_ops->binder_transfer_binder(from, to, owner);
+	return security_ops->binder_transfer_binder(from, to);
 }
 
 int security_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)

security/selinux/hooks.c

 	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, NULL);
 }
 
-static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to, struct task_struct *owner)
+static int selinux_binder_transfer_binder(struct task_struct *from, struct task_struct *to)
 {
 	u32 fromsid = task_sid(from);
 	u32 tosid = task_sid(to);
-	u32 ownersid = task_sid(owner);
-	int rc;
-
-	rc = avc_has_perm(fromsid, ownersid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
-	if (rc)
-		return rc;
-
-	return avc_has_perm(tosid, ownersid, SECCLASS_BINDER, BINDER__RECEIVE, NULL);
+	return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, NULL);
 }
 
 static int selinux_binder_transfer_file(struct task_struct *from, struct task_struct *to, struct file *file)

security/selinux/include/classmap.h

 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
-	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", "receive", NULL } },
+	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
 	{ NULL }
   };
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.