Message ID | 1478774869-4738-1-git-send-email-himanshu.sh@samsung.com (mailing list archive) |
---|---|
State | New, archived |
On 11/10/2016 2:47 AM, Himanshu Shukla wrote:
> Smack prohibits processes from using the star ("*") and web ("@") labels.
> Checks have been added in other functions. In smack_setprocattr()
> hook, only check for web ("@") label has been added and restricted
> from applying web ("@") label.
> Check for star ("*") label should also be added in smack_setprocattr()
> hook. Return error should be "-EINVAL" not "-EPERM" as permission
> is there for setting label but not the label value as star ("*") or
> web ("@").
>
> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Applied to git://github.com/cschaufler/smack-next.git#smack-for-4.10

> ---
> security/smack/smack_lsm.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 1cb0602..a72ab3e 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -3661,10 +3661,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, > return PTR_ERR(skp); > > /* > - * No process is ever allowed the web ("@") label. > + * No process is ever allowed the web ("@") label > + * and the star ("*") label. > */ > - if (skp == &smack_known_web) > - return -EPERM; > + if (skp == &smack_known_web || skp == &smack_known_star) > + return -EINVAL; > > if (!smack_privileged(CAP_MAC_ADMIN)) { > rc = -EPERM;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb0602..a72ab3e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3661,10 +3661,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, return PTR_ERR(skp); /* - * No process is ever allowed the web ("@") label. + * No process is ever allowed the web ("@") label + * and the star ("*") label. */ - if (skp == &smack_known_web) - return -EPERM; + if (skp == &smack_known_web || skp == &smack_known_star) + return -EINVAL; if (!smack_privileged(CAP_MAC_ADMIN)) { rc = -EPERM;
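Review bot: the switch to `return -EINVAL;` also changes the errno for the existing web ("@") case, which is a userspace-visible change bundled with the new `skp == &smack_known_star` test; consider splitting the errno change into its own patch so the star check can be reviewed, backported or reverted independently. Because the test still sits above `if (!smack_privileged(CAP_MAC_ADMIN))`, a caller without CAP_MAC_ADMIN that writes either label now receives -EINVAL where it previously received -EPERM for "@"; if that ordering is intended, a sentence in the comment saying so would help. The updated comment would also read more accurately as 'the web ("@") or the star ("*") label'.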
Smack prohibits processes from using the star ("*") and web ("@") labels.
Checks have been added in other functions. In smack_setprocattr()
hook, only check for web ("@") label has been added and restricted
from applying web ("@") label.
Check for star ("*") label should also be added in smack_setprocattr()
hook. Return error should be "-EINVAL" not "-EPERM" as permission
is there for setting label but not the label value as star ("*") or
web ("@").

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>

---
 security/smack/smack_lsm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)