From 49e65b85d6241ab297edf8a57fb03a15967e9734 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 1 Feb 2023 14:15:16 +0100 Subject: [PATCH] libselinux: getcon.3: add note about PID races MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a note that querying a foreign process via its PID is inherently racy. Suggested-by: Stephen Smalley Signed-off-by: Christian Göttsche Acked-by: Jason Zaman --- libselinux/man/man3/getcon.3 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 index 1b4fe4b790..be60341b4b 100644 --- a/libselinux/man/man3/getcon.3 +++ b/libselinux/man/man3/getcon.3 @@ -149,5 +149,9 @@ The retrieval functions might return success and set .I *context to NULL if and only if SELinux is not enabled. +Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or +\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied +upon for security purposes. + .SH "SEE ALSO" .BR selinux "(8), " setexeccon "(3)"
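Review bot: The sentence added after "if and only if SELinux is not enabled." calls PID-based queries "inherently racy" but never says what the race is, so a reader cannot tell when a result from getpidcon() or getpidprevcon() may be stale. Suggest adding a clause stating that the PID can be recycled for a different process between the time the caller obtains it and the time the context is read, so the returned context may describe another process than the one intended. It would also help to say what callers making an access decision should do instead, since "should never be relied upon for security purposes" leaves them without a direction. Minor style point: the new lines use inline \fB...\fR escapes while the surrounding context lines use the .I and .BR macros; consider matching the file's existing convention.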