From nobody Sat Apr 18 00:20:16 2026 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E89A479DA for ; Thu, 12 Feb 2026 18:00:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770919261; cv=none; b=lPzJsWBhhNCfwW8uwxcL7OwknOQnSRQrmvZMQGKwd3YN64x2KjA9sNxnCHmd75B13FPEG/qHeDWkxgGaS90MTREzcswJ9EsDSEDgYNzOrRPBAN+DCNrMPBEIOU7SLdh4RPeWb8oRYwAffPbiv60YRhU6ZyJ4oFcuveh6v7WYOzI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770919261; c=relaxed/simple; bh=ej0RY+FuHEgA0KT10wzva5i8NGoO/QxeSqlWKr+amPk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=lIjtnxUjDi83QFc1laM3pzwMINpNZ7ANIbELvXIEYCG+Sepc8AhQOuERWfoU2pqUDsIY9rhK8LmX+dhV2eUVgNuBhYtDFu3dSZkfPnNhp5rquR3KaDBwnygw3/GZ+BZ/LHsAOEmcG3LSax0PfgU0czp0DyB4zv+Yp9a9Xw7dUrE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=3W20vMuD; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="3W20vMuD" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4806b0963a9so3205e9.0 for ; Thu, 12 Feb 2026 10:00:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1770919258; x=1771524058; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=Pl/cLN4GI/TuYiyS1grr0MRZDEkOTzvjCuNXUWtNefA=; b=3W20vMuDtq7cmxy9lA0FYA7cAI5TVzSQ3rKKRmxxAAdpvEoAX74hCvT0FHaG9WKS4T it50EC9iz19MzFCnvn41SpGGiuT6JXHDwWA3IIvGVGMbeIBRY8IZu5DH+E2HuEVwAMSn vZBMwQt2yWHWx9lAq0ui9yUs5Vxfd5iJqc4EkMs1AmpqiY8StyoPcjj6+/f6lBVhjXYm EJqj/UHFxl04X2r0HtUEDnl6hLcDTq0dy4RtFmH1/bbew2YbjvG1QgVsH9EVPNqmO2GZ ZEkvHwCYxJvDJ7AgzJaGyBwBmJ+ns9NTfNRud1gOyXEp/kWXTZd7I5WX6/jU8g9EP90T 5kGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770919258; x=1771524058; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Pl/cLN4GI/TuYiyS1grr0MRZDEkOTzvjCuNXUWtNefA=; b=mxq+/fVrGyvkAng07AIsdabLPMrFktepzqC8RkX3Tm4aXUP9HcHkUDz3taQ8VOGXb9 KWVLl/8DlkNMPMyZ/6eM0IWh5dbIjeG8fncKPuz7S6UXpdqb38XyzzBJcgkvrYIDkZ7B AlWirluj0UVfuqL77BxBqxgjvUsVG5FiWhnTAdov5G/ucmut4ZCcitupjIWkpKObJ6tl XoCIucKLYykpl+pNa8TxI/61vbaO0G9x0C8RPZMwNrZl7VeeNkvNSZabzYzDCNIb79xU 0/XxXEMY0xCMkE3WdFIQmriasfRFXgTm+iqc4MQZTisboWwSr9JwxloZAhDVj46Foxy6 pNNw== X-Forwarded-Encrypted: i=1; AJvYcCXa0Lk6KrvJ324zFALX5NBG+ep3leVgdUK0OiYr9ztPGo6YmdYQed24XbbhCMCs6+QzZCT1u2auD27SqVE=@vger.kernel.org X-Gm-Message-State: AOJu0YxW/9q6TdUTIFQ9po15nSl76oO3iRkf+R3O1AJdGyXBVOFrb9Pk tkwXi8FQKPntUC9rSrR89nBX8BIX04FC+WGfTs8IW6rB6e/INMVBjN9T98dyz91k0g== X-Gm-Gg: AZuq6aKWM9aMpTsB831L5Izju0gXsk9HYe/o1uyx4aCpBfYc/IZSWjI/5+2oUADX6sE k2S0E/JAzze6O8Erc18Xc0IKyMXkNaZZRIQ7ubIbnUrVxh1/sh0rsB2BAJEzoAKMVtfHN9FF5zK vKgiKuj5Cet9KNsv4Kc94aQywnjYgot7v4BAbl27rw5A23XTVkZ5caKvCoYYVvODpj9CaqqA/kB QqcC81z1aXeAw7V2egd4qfT1ZMAmXTy27cL5aS4z+G2qWq+qZm4R9qu43WAcT3BDyx6/mLauHmQ ZvEjvDxFlwrQYRGgW42RXpDYCaS1kN8OaXb3+ZtQ7RuKs7BzJ08/MaBA8AwWI7kfCGpRhrwpr/J rxTrOOO5KrDgDZzgfuCZMvJprt1FxRj048jSRXeTTDHu5UcKZXC9eAYxzpbUmaTptQBtFPRYNXs vxKCwW3nOUO7GrSRpYBPEecc6dUg8Do7uprKB4U+wsPYMu0KMg544= X-Received: by 2002:a05:600c:a14:b0:480:4a7b:228 with SMTP id 5b1f17b1804b1-48366d1fd3amr875395e9.1.1770919257888; Thu, 12 Feb 2026 10:00:57 -0800 (PST) Received: from localhost ([2a00:79e0:288a:8:11ea:f041:437e:7de8]) by smtp.gmail.com with UTF8SMTPSA id 5b1f17b1804b1-4834d5ebd34sm221155765e9.7.2026.02.12.10.00.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Feb 2026 10:00:56 -0800 (PST) From: Jann Horn Date: Thu, 12 Feb 2026 19:00:49 +0100 Subject: [PATCH] rust: task: clarify comments on task UID accessors Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260212-rust-uid-v1-1-deff4214c766@google.com> X-B4-Tracking: v=1; b=H4sIAFAVjmkC/6tWKk4tykwtVrJSqFYqSi3LLM7MzwNyDHUUlJIzE vPSU3UzU4B8JSMDIzMDI0Mj3aLS4hLd0swU3TTDJONEE9NkCwMLEyWg8oKi1LTMCrBR0bG1tQC m9qX9WgAAAA== X-Change-ID: 20260212-rust-uid-f1b3a45c8084 To: Miguel Ojeda , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Trevor Gross , Danilo Krummrich Cc: Greg Kroah-Hartman , =?utf-8?q?Arve_Hj=C3=B8nnev=C3=A5g?= , Todd Kjos , Carlos Llamas , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, Christian Brauner , Jann Horn X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1770919252; l=2635; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=ej0RY+FuHEgA0KT10wzva5i8NGoO/QxeSqlWKr+amPk=; b=ffWdWbX4t/7CwCD5OBpKK9/ns/QmKZruw8v3OE9d8/8pcSBK4yUr6RKBu64DgDZB98s6yN+QJ Gpkc4KnHZ4SB4ujrAnC3wiuo12q1RU3mD9beXkKUTmsSHYbJTPyhOtI X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= Linux has separate subjective and objective task credentials, see the comment above `struct cred`. Clarify which accessor functions operate on which set of credentials. Also document that Task::euid() is a very weird operation. You can see how weird it is by grepping for task_euid() - binder is its only user. Task::euid() obtains the objective effective UID - it looks at the credentials of the task for purposes of acting on it as an object, but then accesses the effective UID (which the credentials.7 man page describes as "[...] used by the kernel to determine the permissions that the process will have when accessing shared resources [...]"). For context: Arguably, binder's use of task_euid() is a theoretical security problem, which only has no impact on Android because Android has no setuid binaries executable by apps. commit 29bc22ac5e5b ("binder: use euid from cred instead of using task") fixed that by removing that only user of task_euid(), but the fix got reverted in commit c21a80ca0684 ("binder: fix test regression due to sender_euid change") because some Android test started failing. Signed-off-by: Jann Horn --- rust/kernel/task.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rust/kernel/task.rs b/rust/kernel/task.rs index 49fad6de0674..33e6d44b9a15 100644 --- a/rust/kernel/task.rs +++ b/rust/kernel/task.rs @@ -223,14 +223,17 @@ pub fn pid(&self) -> Pid { unsafe { *ptr::addr_of!((*self.as_ptr()).pid) } } =20 - /// Returns the UID of the given task. + /// Returns the objective real UID of the given task. #[inline] pub fn uid(&self) -> Kuid { // SAFETY: It's always safe to call `task_uid` on a valid task. Kuid::from_raw(unsafe { bindings::task_uid(self.as_ptr()) }) } =20 - /// Returns the effective UID of the given task. + /// Returns the objective effective UID of the given task. + /// + /// You should probably not be using this; the effective UID is normal= ly + /// only relevant in subjective credentials. #[inline] pub fn euid(&self) -> Kuid { // SAFETY: It's always safe to call `task_euid` on a valid task. @@ -363,7 +366,7 @@ unsafe fn dec_ref(obj: ptr::NonNull) { } =20 impl Kuid { - /// Get the current euid. + /// Get the current subjective euid. #[inline] pub fn current_euid() -> Kuid { // SAFETY: Just an FFI call. --- base-commit: 192c0159402e6bfbe13de6f8379546943297783d change-id: 20260212-rust-uid-f1b3a45c8084 -- =20 Jann Horn