SMACK: Do not apply star label in smack_setprocattr hook

Message ID 1478774869-4738-1-git-send-email-himanshu.sh@samsung.com (mailing list archive)
State New, archived
Commit Message

Himanshu Shukla Nov. 10, 2016, 10:47 a.m. UTC
Smack prohibits processes from using the star ("*") and web ("@") labels.
Checks have been added in other functions. In the smack_setprocattr()
hook, only a check for the web ("@") label has been added, which restricts
applying the web ("@") label.
A check for the star ("*") label should also be added in the smack_setprocattr()
hook. The return error should be "-EINVAL", not "-EPERM", as permission
is there for setting a label, but not for the label value star ("*") or
web ("@").

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
---
 security/smack/smack_lsm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Casey Schaufler Nov. 10, 2016, 7:23 p.m. UTC | #1
On 11/10/2016 2:47 AM, Himanshu Shukla wrote:
> Smack prohibits processes from using the star ("*") and web ("@") labels.
> Checks have been added in other functions. In the smack_setprocattr()
> hook, only a check for the web ("@") label has been added, which restricts
> applying the web ("@") label.
> A check for the star ("*") label should also be added in the smack_setprocattr()
> hook. The return error should be "-EINVAL", not "-EPERM", as permission
> is there for setting a label, but not for the label value star ("*") or
> web ("@").
>
> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Applied to git://github.com/cschaufler/smack-next.git#smack-for-4.10

> ---
>  security/smack/smack_lsm.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 1cb0602..a72ab3e 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3661,10 +3661,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
>  		return PTR_ERR(skp);
>  
>  	/*
> -	 * No process is ever allowed the web ("@") label.
> +	 * No process is ever allowed the web ("@") label
> +	 * and the star ("*") label.
>  	 */
> -	if (skp == &smack_known_web)
> -		return -EPERM;
> +	if (skp == &smack_known_web || skp == &smack_known_star)
> +		return -EINVAL;
>  
>  	if (!smack_privileged(CAP_MAC_ADMIN)) {
>  		rc = -EPERM;

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Patch

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1cb0602..a72ab3e 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3661,10 +3661,11 @@  static int smack_setprocattr(struct task_struct *p, char *name,
 		return PTR_ERR(skp);
 
 	/*
-	 * No process is ever allowed the web ("@") label.
+	 * No process is ever allowed the web ("@") label
+	 * and the star ("*") label.
 	 */
-	if (skp == &smack_known_web)
-		return -EPERM;
+	if (skp == &smack_known_web || skp == &smack_known_star)
+		return -EINVAL;
 
 	if (!smack_privileged(CAP_MAC_ADMIN)) {
 		rc = -EPERM;
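Review bot: the rewritten comment says no process is ever allowed "the web ("@") label and the star ("*") label", which reads as a conjunction; "the web ("@") or the star ("*") label" would match the `||` test on the line below it. The error-code change is also visible to userspace and deserves a sentence in the commit message: because this label check sits before the `smack_privileged(CAP_MAC_ADMIN)` test, an unprivileged writer now gets -EINVAL for "*" or "@" where it previously got -EPERM, and -EPERM for any other label, so any caller that keyed on -EPERM for these two labels should be reviewed.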