This patch adds a new security attribute to Smack called

SMACK64EXEC. It defines label that is used while task is
running.

Exception: in smack_task_wait() child task is checked
for write access to parent task using label inherited
from the task that forked it.

Fixed issues from previous submit:
- SMACK64EXEC was not read when SMACK64 was not set.
- inode security blob was not updated after setting
  SMACK64EXEC
- inode security blob was not updated when removing
  SMACK64EXEC

1 files changed, 30 insertions, 0 deletions

diff --git a/security/smack/smack.h b/security/smack/smack.h
index 43ae747a5aa4..a2e2cdfab4ef 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -51,10 +51,16 @@ struct socket_smack {
  */
 struct inode_smack {
         char            *smk_inode;     /* label of the fso */
+        char            *smk_task;      /* label of the task */
         struct mutex    smk_lock;       /* initialization lock */
         int             smk_flags;      /* smack inode flags */
 };
 
+struct task_smack {
+        char            *smk_task;      /* label used for access control */
+        char            *smk_forked;    /* label when forked */
+};
+
 #define SMK_INODE_INSTANT       0x01    /* inode is instantiated */
 
 /*
@@ -243,6 +249,30 @@ static inline char *smk_of_inode(const struct inode *isp)
 }
 
 /*
+ * Present a pointer to the smack label in an task blob.
+ */
+static inline char *smk_of_task(const struct task_smack *tsp)
+{
+        return tsp->smk_task;
+}
+
+/*
+ * Present a pointer to the forked smack label in an task blob.
+ */
+static inline char *smk_of_forked(const struct task_smack *tsp)
+{
+        return tsp->smk_forked;
+}
+
+/*
+ * Present a pointer to the smack label in the curren task blob.
+ */
+static inline char *smk_of_current(void)
+{
+        return smk_of_task(current_security());
+}
+
+/*
  * logging functions
  */
 #define SMACK_AUDIT_DENIED 0x1