authorRoman Kubiak <r.kubiak@samsung.com>2015-08-10 10:54:25 -0400
committerCasey Schaufler <casey@schaufler-ca.com>2015-08-10 18:15:50 -0400
commit41a2d5751616e38d1e293e3cb35a6e2bc7a03473 (patch)
tree110e07d1d5baab0d2614bb62a2c4d1d24389a4f1 /security
parent1eddfe8edb8f85a0d7f793090abcbdf8741455de (diff)
Kernel threads excluded from smack checks
Adds an ignore case for kernel tasks, so that they can access all resources. Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_access.c6
1 files changed, 6 insertions, 0 deletions
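diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 00f6b38bffbd..bc1053fb5d1d 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -639,6 +639,12 @@ int smack_privileged(int cap)
 struct smack_known *skp = smk_of_current();
 struct smack_onlycap *sop;
 
+/*
+* All kernel tasks are privileged
+*/
+if (unlikely(current->flags & PF_KTHREAD))
+return 1;
+
 if (!capable(cap))
 return 0;
 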
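Review bot: The early `return 1` on `current->flags & PF_KTHREAD` sits ahead of `capable(cap)` and, presumably, of the onlycap handling that uses `sop`, so a kernel thread is granted whatever `cap` is asked for, and the comment does not record why. I would expand it to something like `/* Kernel threads run with the floor label and cannot be relabelled; treat them as privileged even when onlycap is set. */` so the rationale from the commit message survives in the code. It is also worth confirming that no kernel thread doing work on behalf of a user task reaches Smack checks through this path, since it would be exempt as well; that cannot be judged from this hunk. `smack_privileged()` starts and ends outside the hunk.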