author | Himanshu Shukla <himanshu.sh@samsung.com> | 2016-11-10 16:17:49 +0530 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2016-11-10 11:21:52 -0800 |
commit | 7128ea159d60a91b3f0a7d10a1ea7d62b53cda93 (patch) | |
tree | 619eac3e523d6f16292dea2704cc9aa217a5b4d9 | |
parent | 2097f59920ea81516d7783396683cad22c26d140 (diff) |
SMACK: Do not apply star label in smack_setprocattr hook

Smack prohibits processes from using the star ("*") and web ("@") labels.
Checks have been added in other functions. In smack_setprocattr()
hook, only check for web ("@") label has been added and restricted
from applying web ("@") label.
Check for star ("*") label should also be added in smack_setprocattr()
hook. Return error should be "-EINVAL" not "-EPERM" as permission
is there for setting label but not the label value as star ("*") or
web ("@").

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
-rw-r--r-- | security/smack/smack_lsm.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 788a5faf3774..3a5684b47354 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, return PTR_ERR(skp); /* - * No process is ever allowed the web ("@") label. + * No process is ever allowed the web ("@") label + * and the star ("*") label. */ - if (skp == &smack_known_web) - return -EPERM; + if (skp == &smack_known_web || skp == &smack_known_star) + return -EINVAL; if (!smack_privileged(CAP_MAC_ADMIN)) { rc = -EPERM; |
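
Review bot: The new return value in the "if (skp == &smack_known_web || skp == &smack_known_star)" branch changes what callers see for the web label, which was already rejected: a write of "@" that returned -EPERM before now returns -EINVAL. The commit message gives the reasoning for -EINVAL but should say outright that the errno for "@" changes, so that anything in userspace or in tests that matches on EPERM for this case can be updated. This check also sits before the "if (!smack_privileged(CAP_MAC_ADMIN))" test, so a caller without the capability who asks for "*" or "@" gets -EINVAL rather than -EPERM. That is consistent with treating the value itself as invalid, but it is worth a sentence in the comment so the ordering is not rearranged later. Minor wording point on the comment: 'the web ("@") label and the star ("*") label' reads as if both would have to be set at once; 'the web ("@") or star ("*") label' is clearer.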