Smack: onlycap limits on CAP_MAC_ADMIN

Smack is integrated with the POSIX capabilities scheme, using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to determine if a process is allowed to ignore Smack checks or change Smack related data respectively. Smack provides an additional restriction that if an onlycap value is set by writing to /smack/onlycap only tasks with that Smack label are allowed to use CAP_MAC_OVERRIDE. This change adds CAP_MAC_ADMIN as a capability that is affected by the onlycap mechanism. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
author: Casey Schaufler <casey@schaufler-ca.com> 2012-06-05 18:28:30 -0400
committer: Casey Schaufler <casey@schaufler-ca.com> 2012-07-13 18:49:23 -0400
commit: 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (patch)
tree: fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50 /security/smack/smackfs.c
parent: eb982cb4cf6405b97ea1f9e1d10864981f269d46 (diff)
1 files changed, 10 insertions, 11 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 3686db7e2c6b..21529658662b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -595,13 +595,12 @@ static int smk_open_load(struct inode *inode, struct file *file)
 static ssize_t smk_write_load(struct file *file, const char __user *buf,
                              size_t count, loff_t *ppos)
 {
        /*
         * Must have privilege.
         * No partial writes.
         * Enough data must be present.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
@@ -787,7 +786,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
         * No partial writes.
         * Enough data must be present.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
@@ -1090,7 +1089,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
         * "<addr/mask, as a.b.c.d/e><space><label>"
         * "<addr, as a.b.c.d><space><label>"
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
@@ -1267,7 +1266,7 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1334,7 +1333,7 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1412,7 +1411,7 @@ static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1503,7 +1502,7 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
        char *data;
        int rc = count;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        data = kzalloc(count + 1, GFP_KERNEL);
@@ -1586,7 +1585,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
        char *sp = smk_of_task(current->cred->security);
        int rc = count;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        /*
@@ -1664,7 +1663,7 @@ static ssize_t smk_write_logging(struct file *file, const char __user *buf,
        char temp[32];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1885,7 +1884,7 @@ static ssize_t smk_write_load2(struct file *file, const char __user *buf,
        /*
         * Must have privilege.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
author	Casey Schaufler <casey@schaufler-ca.com>	2012-06-05 18:28:30 -0400
committer	Casey Schaufler <casey@schaufler-ca.com>	2012-07-13 18:49:23 -0400
commit	1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (patch)
tree	fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50 /security/smack/smackfs.c
parent	eb982cb4cf6405b97ea1f9e1d10864981f269d46 (diff)

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 3686db7e2c6b..21529658662b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c
@@ -595,13 +595,12 @@ static int smk_open_load(struct inode inode, struct file file)
595	static ssize_t smk_write_load(struct file file, const char __user buf,	595	static ssize_t smk_write_load(struct file file, const char __user buf,
596	size_t count, loff_t *ppos)	596	size_t count, loff_t *ppos)
597	{	597	{
598
599	/*	598	/*
600	* Must have privilege.	599	* Must have privilege.
601	* No partial writes.	600	* No partial writes.
602	* Enough data must be present.	601	* Enough data must be present.
603	*/	602	*/
604	if (!capable(CAP_MAC_ADMIN))	603	if (!smack_privileged(CAP_MAC_ADMIN))
605	return -EPERM;	604	return -EPERM;
606		605
607	return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,	606	return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
@@ -787,7 +786,7 @@ static ssize_t smk_set_cipso(struct file file, const char __user buf,
787	* No partial writes.	786	* No partial writes.
788	* Enough data must be present.	787	* Enough data must be present.
789	*/	788	*/
790	if (!capable(CAP_MAC_ADMIN))	789	if (!smack_privileged(CAP_MAC_ADMIN))
791	return -EPERM;	790	return -EPERM;
792	if (*ppos != 0)	791	if (*ppos != 0)
793	return -EINVAL;	792	return -EINVAL;
@@ -1090,7 +1089,7 @@ static ssize_t smk_write_netlbladdr(struct file file, const char __user buf,
1090	* "<addr/mask, as a.b.c.d/e><space><label>"	1089	* "<addr/mask, as a.b.c.d/e><space><label>"
1091	* "<addr, as a.b.c.d><space><label>"	1090	* "<addr, as a.b.c.d><space><label>"
1092	*/	1091	*/
1093	if (!capable(CAP_MAC_ADMIN))	1092	if (!smack_privileged(CAP_MAC_ADMIN))
1094	return -EPERM;	1093	return -EPERM;
1095	if (*ppos != 0)	1094	if (*ppos != 0)
1096	return -EINVAL;	1095	return -EINVAL;
@@ -1267,7 +1266,7 @@ static ssize_t smk_write_doi(struct file file, const char __user buf,
1267	char temp[80];	1266	char temp[80];
1268	int i;	1267	int i;
1269		1268
1270	if (!capable(CAP_MAC_ADMIN))	1269	if (!smack_privileged(CAP_MAC_ADMIN))
1271	return -EPERM;	1270	return -EPERM;
1272		1271
1273	if (count >= sizeof(temp) \|\| count == 0)	1272	if (count >= sizeof(temp) \|\| count == 0)
@@ -1334,7 +1333,7 @@ static ssize_t smk_write_direct(struct file file, const char __user buf,
1334	char temp[80];	1333	char temp[80];
1335	int i;	1334	int i;
1336		1335
1337	if (!capable(CAP_MAC_ADMIN))	1336	if (!smack_privileged(CAP_MAC_ADMIN))
1338	return -EPERM;	1337	return -EPERM;
1339		1338
1340	if (count >= sizeof(temp) \|\| count == 0)	1339	if (count >= sizeof(temp) \|\| count == 0)
@@ -1412,7 +1411,7 @@ static ssize_t smk_write_mapped(struct file file, const char __user buf,
1412	char temp[80];	1411	char temp[80];
1413	int i;	1412	int i;
1414		1413
1415	if (!capable(CAP_MAC_ADMIN))	1414	if (!smack_privileged(CAP_MAC_ADMIN))
1416	return -EPERM;	1415	return -EPERM;
1417		1416
1418	if (count >= sizeof(temp) \|\| count == 0)	1417	if (count >= sizeof(temp) \|\| count == 0)
@@ -1503,7 +1502,7 @@ static ssize_t smk_write_ambient(struct file file, const char __user buf,
1503	char *data;	1502	char *data;
1504	int rc = count;	1503	int rc = count;
1505		1504
1506	if (!capable(CAP_MAC_ADMIN))	1505	if (!smack_privileged(CAP_MAC_ADMIN))
1507	return -EPERM;	1506	return -EPERM;
1508		1507
1509	data = kzalloc(count + 1, GFP_KERNEL);	1508	data = kzalloc(count + 1, GFP_KERNEL);
@@ -1586,7 +1585,7 @@ static ssize_t smk_write_onlycap(struct file file, const char __user buf,
1586	char *sp = smk_of_task(current->cred->security);	1585	char *sp = smk_of_task(current->cred->security);
1587	int rc = count;	1586	int rc = count;
1588		1587
1589	if (!capable(CAP_MAC_ADMIN))	1588	if (!smack_privileged(CAP_MAC_ADMIN))
1590	return -EPERM;	1589	return -EPERM;
1591		1590
1592	/*	1591	/*
@@ -1664,7 +1663,7 @@ static ssize_t smk_write_logging(struct file file, const char __user buf,
1664	char temp[32];	1663	char temp[32];
1665	int i;	1664	int i;
1666		1665
1667	if (!capable(CAP_MAC_ADMIN))	1666	if (!smack_privileged(CAP_MAC_ADMIN))
1668	return -EPERM;	1667	return -EPERM;
1669		1668
1670	if (count >= sizeof(temp) \|\| count == 0)	1669	if (count >= sizeof(temp) \|\| count == 0)
@@ -1885,7 +1884,7 @@ static ssize_t smk_write_load2(struct file file, const char __user buf,
1885	/*	1884	/*
1886	* Must have privilege.	1885	* Must have privilege.
1887	*/	1886	*/
1888	if (!capable(CAP_MAC_ADMIN))	1887	if (!smack_privileged(CAP_MAC_ADMIN))
1889	return -EPERM;	1888	return -EPERM;
1890		1889
1891	return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,	1890	return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,