| author | Casey Schaufler <casey@schaufler-ca.com> | 2014-04-28 18:23:01 -0400 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2014-04-30 13:49:33 -0400 |
| commit | 36ea735b522d09826ae0dac0e540f294436c52f3 (patch) | |
| tree | 1ac278374b75442609e8245f55059e53005cbece | |
| parent | a6834c0b9114c06106efee8e9f2a11fbbb104567 (diff) | |
Smack: Label cgroup files for systemd
The cgroup filesystem isn't ready for an LSM to
properly use extended attributes. This patch makes
files created in the cgroup filesystem usable by
a system running Smack and systemd.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
| -rw-r--r-- | security/smack/smack_lsm.c | 30 |
1 files changed, 18 insertions, 12 deletions
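--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2821,6 +2821,15 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 * of the superblock.
 */
 if (opt_dentry->d_parent == opt_dentry) {
+if (sbp->s_magic == CGROUP_SUPER_MAGIC) {
+/*
+* The cgroup filesystem is never mounted,
+* so there's no opportunity to set the mount
+* options.
+*/
+sbsp->smk_root = smack_known_star.smk_known;
+sbsp->smk_default = smack_known_star.smk_known;
+}
 isp->smk_inode = sbsp->smk_root;
 isp->smk_flags |= SMK_INODE_INSTANT;
 goto unlockandout;
@@ -2834,16 +2843,20 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 */
 switch (sbp->s_magic) {
 case SMACK_MAGIC:
+case PIPEFS_MAGIC:
+case SOCKFS_MAGIC:
+case CGROUP_SUPER_MAGIC:
 /*
 * Casey says that it's a little embarrassing
 * that the smack file system doesn't do
 * extended attributes.
-*/
-final = smack_known_star.smk_known;
-break;
-case PIPEFS_MAGIC:
-/*
+*
 * Casey says pipes are easy (?)
+*
+* Socket access is controlled by the socket
+* structures associated with the task involved.
+*
+* Cgroupfs is special
 */
 final = smack_known_star.smk_known;
 break;
@@ -2855,13 +2868,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 */
 final = ckp->smk_known;
 break;
-case SOCKFS_MAGIC:
-/*
-* Socket access is controlled by the socket
-* structures associated with the task involved.
-*/
-final = smack_known_star.smk_known;
-break;
 case PROC_SUPER_MAGIC:
 /*
 * Casey says procfs appears not to care.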
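Review bot: `Cgroupfs is special` in the merged comment of the second hunk does not say what the star label means for access control. Under Smack's built-in rules any access to an object labeled `*` is permitted, so every cgroup file is now outside Smack mediation and protected by its mode bits alone. I would state that in the comment, e.g. `* Cgroupfs cannot carry Smack xattrs yet, so its files get the star label; Smack does not restrict access to them and only DAC applies.` In the first hunk the assignments to `sbsp->smk_root` and `sbsp->smk_default` run whenever a cgroup root dentry is instantiated and replace whatever the superblock blob held; if those fields can be set elsewhere for cgroupfs (not visible here), the comment should say the override is intentional. smack_d_instantiate starts and ends outside the hunks shown.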
