diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2018-01-08 13:25:32 -0500 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2018-01-10 12:29:14 -0500 |
| commit | d19dfe58b7ecbef3bd0c403c650200c57913ba1b (patch) | |
| tree | 59ab1001fe590143cda52657a71b5d3087ae6b91 /security/smack/smack.h | |
| parent | da49b5dad18aad357ab8841ee65d415f683efc6f (diff) | |
Smack: Privilege check on key operations
Smack: Privilege check on key operations
Operations on key objects are subjected to Smack policy
even if the process is privileged. This is inconsistent
with the general behavior of Smack and may cause issues
with authentication by privileged daemons. This patch
allows processes with CAP_MAC_OVERRIDE to access keys
even if the Smack rules indicate otherwise.
Reported-by: Jose Bollo <jobol@nonadev.net>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack.h')
| -rw-r--r-- | security/smack/smack.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 6a71fc7831ab..f7db791fb566 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
| @@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); | |||
| 321 | void smk_insert_entry(struct smack_known *skp); | 321 | void smk_insert_entry(struct smack_known *skp); |
| 322 | struct smack_known *smk_find_entry(const char *); | 322 | struct smack_known *smk_find_entry(const char *); |
| 323 | bool smack_privileged(int cap); | 323 | bool smack_privileged(int cap); |
| 324 | bool smack_privileged_cred(int cap, const struct cred *cred); | ||
| 324 | void smk_destroy_label_list(struct list_head *list); | 325 | void smk_destroy_label_list(struct list_head *list); |
| 325 | 326 | ||
| 326 | /* | 327 | /* |