When making access control choices from a file-based context, f_cred
must be used instead of current_cred() to avoid confused deputy attacks
where an open file may get passed to a more privileged process. Add a
short paragraph to explicitly state the rationale.
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202007031038.8833A35DE4@keescook
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
contents of the cred struct pointed to, barring the exceptions listed above
(see the Task Credentials section).
+To avoid "confused deputy" privilege escalation attacks, access control checks
+during subsequent operations on an opened file should use these credentials
+instead of "current"'s credentials, as the file may have been passed to a more
+privileged process.
Overriding the VFS's Use of Credentials
=======================================