Message ID | 1479882585-36208-1-git-send-email-himanshu.sh@samsung.com (mailing list archive) |
---|---|
State | New, archived |
On 11/22/2016 10:29 PM, Himanshu Shukla wrote:
> smack_file_open() is first checking the capability of calling subject,
> this check will skip the SMACK logging for success case. Use smk_tskacc()
> for proper logging and SMACK access check.
>
> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

I have queued this for 4.11 as it's too late for 4.10.

> --- > security/smack/smack_lsm.c | 5 +---- > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 1cb0602..e7b83fa 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -1940,12 +1940,9 @@ static int smack_file_open(struct file *file, const struct cred *cred) > struct smk_audit_info ad; > int rc; > > - if (smack_privileged(CAP_MAC_OVERRIDE)) > - return 0; > - > smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); > smk_ad_setfield_u_fs_path(&ad, file->f_path); > - rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); > + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); > rc = smk_bu_credfile(cred, file, MAY_READ, rc); > > return rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb0602..e7b83fa 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1940,12 +1940,9 @@ static int smack_file_open(struct file *file, const struct cred *cred) struct smk_audit_info ad; int rc; - if (smack_privileged(CAP_MAC_OVERRIDE)) - return 0; - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); smk_ad_setfield_u_fs_path(&ad, file->f_path); - rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); rc = smk_bu_credfile(cred, file, MAY_READ, rc); return rc;
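Review bot: The changelog does not say how privileged callers are still allowed once the `if (smack_privileged(CAP_MAC_OVERRIDE)) return 0;` early return at the top of smack_file_open() is gone. With this hunk every open, privileged or not, reaches `rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);` and then `smk_bu_credfile(cred, file, MAY_READ, rc)`, so the result for a CAP_MAC_OVERRIDE task now depends entirely on smk_tskacc() applying the override itself. Please state that in the commit message, and mention that privileged opens will now produce audit records, so a reader can confirm that the added logging is the only intended behaviour change.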
smack_file_open() is first checking the capability of calling subject,
this check will skip the SMACK logging for success case. Use smk_tskacc()
for proper logging and SMACK access check.

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
---
 security/smack/smack_lsm.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)