diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2012-06-05 18:28:30 -0400 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2012-07-13 18:49:23 -0400 |
| commit | 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (patch) | |
| tree | fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50 /security/smack/smack.h | |
| parent | eb982cb4cf6405b97ea1f9e1d10864981f269d46 (diff) | |
Smack: onlycap limits on CAP_MAC_ADMIN
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.
This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack.h')
| -rw-r--r-- | security/smack/smack.h | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 76feb31eb823..99b36124f712 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
| @@ -283,6 +283,19 @@ static inline char *smk_of_current(void) | |||
| 283 | } | 283 | } |
| 284 | 284 | ||
| 285 | /* | 285 | /* |
| 286 | * Is the task privileged and allowed to be privileged | ||
| 287 | * by the onlycap rule. | ||
| 288 | */ | ||
| 289 | static inline int smack_privileged(int cap) | ||
| 290 | { | ||
| 291 | if (!capable(cap)) | ||
| 292 | return 0; | ||
| 293 | if (smack_onlycap == NULL || smack_onlycap == smk_of_current()) | ||
| 294 | return 1; | ||
| 295 | return 0; | ||
| 296 | } | ||
| 297 | |||
| 298 | /* | ||
| 286 | * logging functions | 299 | * logging functions |
| 287 | */ | 300 | */ |
| 288 | #define SMACK_AUDIT_DENIED 0x1 | 301 | #define SMACK_AUDIT_DENIED 0x1 |