diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2012-06-05 18:28:30 -0400 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2012-07-13 18:49:23 -0400 |
commit | 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (patch) | |
tree | fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50 /security/smack/smackfs.c | |
parent | eb982cb4cf6405b97ea1f9e1d10864981f269d46 (diff) |
Smack: onlycap limits on CAP_MAC_ADMIN
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.
This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smackfs.c')
-rw-r--r-- | security/smack/smackfs.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 3686db7e2c6b..21529658662b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -595,13 +595,12 @@ static int smk_open_load(struct inode *inode, struct file *file) | |||
595 | static ssize_t smk_write_load(struct file *file, const char __user *buf, | 595 | static ssize_t smk_write_load(struct file *file, const char __user *buf, |
596 | size_t count, loff_t *ppos) | 596 | size_t count, loff_t *ppos) |
597 | { | 597 | { |
598 | |||
599 | /* | 598 | /* |
600 | * Must have privilege. | 599 | * Must have privilege. |
601 | * No partial writes. | 600 | * No partial writes. |
602 | * Enough data must be present. | 601 | * Enough data must be present. |
603 | */ | 602 | */ |
604 | if (!capable(CAP_MAC_ADMIN)) | 603 | if (!smack_privileged(CAP_MAC_ADMIN)) |
605 | return -EPERM; | 604 | return -EPERM; |
606 | 605 | ||
607 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, | 606 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, |
@@ -787,7 +786,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, | |||
787 | * No partial writes. | 786 | * No partial writes. |
788 | * Enough data must be present. | 787 | * Enough data must be present. |
789 | */ | 788 | */ |
790 | if (!capable(CAP_MAC_ADMIN)) | 789 | if (!smack_privileged(CAP_MAC_ADMIN)) |
791 | return -EPERM; | 790 | return -EPERM; |
792 | if (*ppos != 0) | 791 | if (*ppos != 0) |
793 | return -EINVAL; | 792 | return -EINVAL; |
@@ -1090,7 +1089,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf, | |||
1090 | * "<addr/mask, as a.b.c.d/e><space><label>" | 1089 | * "<addr/mask, as a.b.c.d/e><space><label>" |
1091 | * "<addr, as a.b.c.d><space><label>" | 1090 | * "<addr, as a.b.c.d><space><label>" |
1092 | */ | 1091 | */ |
1093 | if (!capable(CAP_MAC_ADMIN)) | 1092 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1094 | return -EPERM; | 1093 | return -EPERM; |
1095 | if (*ppos != 0) | 1094 | if (*ppos != 0) |
1096 | return -EINVAL; | 1095 | return -EINVAL; |
@@ -1267,7 +1266,7 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf, | |||
1267 | char temp[80]; | 1266 | char temp[80]; |
1268 | int i; | 1267 | int i; |
1269 | 1268 | ||
1270 | if (!capable(CAP_MAC_ADMIN)) | 1269 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1271 | return -EPERM; | 1270 | return -EPERM; |
1272 | 1271 | ||
1273 | if (count >= sizeof(temp) || count == 0) | 1272 | if (count >= sizeof(temp) || count == 0) |
@@ -1334,7 +1333,7 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf, | |||
1334 | char temp[80]; | 1333 | char temp[80]; |
1335 | int i; | 1334 | int i; |
1336 | 1335 | ||
1337 | if (!capable(CAP_MAC_ADMIN)) | 1336 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1338 | return -EPERM; | 1337 | return -EPERM; |
1339 | 1338 | ||
1340 | if (count >= sizeof(temp) || count == 0) | 1339 | if (count >= sizeof(temp) || count == 0) |
@@ -1412,7 +1411,7 @@ static ssize_t smk_write_mapped(struct file *file, const char __user *buf, | |||
1412 | char temp[80]; | 1411 | char temp[80]; |
1413 | int i; | 1412 | int i; |
1414 | 1413 | ||
1415 | if (!capable(CAP_MAC_ADMIN)) | 1414 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1416 | return -EPERM; | 1415 | return -EPERM; |
1417 | 1416 | ||
1418 | if (count >= sizeof(temp) || count == 0) | 1417 | if (count >= sizeof(temp) || count == 0) |
@@ -1503,7 +1502,7 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf, | |||
1503 | char *data; | 1502 | char *data; |
1504 | int rc = count; | 1503 | int rc = count; |
1505 | 1504 | ||
1506 | if (!capable(CAP_MAC_ADMIN)) | 1505 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1507 | return -EPERM; | 1506 | return -EPERM; |
1508 | 1507 | ||
1509 | data = kzalloc(count + 1, GFP_KERNEL); | 1508 | data = kzalloc(count + 1, GFP_KERNEL); |
@@ -1586,7 +1585,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, | |||
1586 | char *sp = smk_of_task(current->cred->security); | 1585 | char *sp = smk_of_task(current->cred->security); |
1587 | int rc = count; | 1586 | int rc = count; |
1588 | 1587 | ||
1589 | if (!capable(CAP_MAC_ADMIN)) | 1588 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1590 | return -EPERM; | 1589 | return -EPERM; |
1591 | 1590 | ||
1592 | /* | 1591 | /* |
@@ -1664,7 +1663,7 @@ static ssize_t smk_write_logging(struct file *file, const char __user *buf, | |||
1664 | char temp[32]; | 1663 | char temp[32]; |
1665 | int i; | 1664 | int i; |
1666 | 1665 | ||
1667 | if (!capable(CAP_MAC_ADMIN)) | 1666 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1668 | return -EPERM; | 1667 | return -EPERM; |
1669 | 1668 | ||
1670 | if (count >= sizeof(temp) || count == 0) | 1669 | if (count >= sizeof(temp) || count == 0) |
@@ -1885,7 +1884,7 @@ static ssize_t smk_write_load2(struct file *file, const char __user *buf, | |||
1885 | /* | 1884 | /* |
1886 | * Must have privilege. | 1885 | * Must have privilege. |
1887 | */ | 1886 | */ |
1888 | if (!capable(CAP_MAC_ADMIN)) | 1887 | if (!smack_privileged(CAP_MAC_ADMIN)) |
1889 | return -EPERM; | 1888 | return -EPERM; |
1890 | 1889 | ||
1891 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, | 1890 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, |