aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack
diff options
context:
space:
mode:
authorLukasz Pawelczyk <l.pawelczyk@partner.samsung.com>2014-03-11 12:07:04 -0400
committerCasey Schaufler <casey@schaufler-ca.com>2014-04-11 17:34:17 -0400
commit959e6c7f1eee42f14d31755b1134f5615db1d9bc (patch)
tree1931751fc4a9c37635c106498b7c2159e3f6576f /security/smack
parent55dfc5da1a9b7e623b6f35620c74280555df0288 (diff)
Smack: fix the subject/object order in smack_ptrace_traceme()
The order of subject/object is currently reversed in smack_ptrace_traceme(). It is currently checked if the tracee has a capability to trace tracer and according to this rule a decision is made whether the tracer will be allowed to trace tracee. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'security/smack')
-rw-r--r--security/smack/smack.h1
-rw-r--r--security/smack/smack_access.c33
-rw-r--r--security/smack/smack_lsm.c4
3 files changed, 29 insertions, 9 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index d072fd32212d..b9dfc4e1d3e0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
225 */ 225 */
226int smk_access_entry(char *, char *, struct list_head *); 226int smk_access_entry(char *, char *, struct list_head *);
227int smk_access(struct smack_known *, char *, int, struct smk_audit_info *); 227int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
228int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
228int smk_curacc(char *, u32, struct smk_audit_info *); 229int smk_curacc(char *, u32, struct smk_audit_info *);
229struct smack_known *smack_from_secid(const u32); 230struct smack_known *smack_from_secid(const u32);
230char *smk_parse_smack(const char *string, int len); 231char *smk_parse_smack(const char *string, int len);
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 14293cd9b1e5..f161debed02b 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -192,20 +192,21 @@ out_audit:
192} 192}
193 193
194/** 194/**
195 * smk_curacc - determine if current has a specific access to an object 195 * smk_tskacc - determine if a task has a specific access to an object
196 * @tsp: a pointer to the subject task
196 * @obj_label: a pointer to the object's Smack label 197 * @obj_label: a pointer to the object's Smack label
197 * @mode: the access requested, in "MAY" format 198 * @mode: the access requested, in "MAY" format
198 * @a : common audit data 199 * @a : common audit data
199 * 200 *
200 * This function checks the current subject label/object label pair 201 * This function checks the subject task's label/object label pair
201 * in the access rule list and returns 0 if the access is permitted, 202 * in the access rule list and returns 0 if the access is permitted,
202 * non zero otherwise. It allows that current may have the capability 203 * non zero otherwise. It allows that the task may have the capability
203 * to override the rules. 204 * to override the rules.
204 */ 205 */
205int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) 206int smk_tskacc(struct task_smack *subject, char *obj_label,
207 u32 mode, struct smk_audit_info *a)
206{ 208{
207 struct task_smack *tsp = current_security(); 209 struct smack_known *skp = smk_of_task(subject);
208 struct smack_known *skp = smk_of_task(tsp);
209 int may; 210 int may;
210 int rc; 211 int rc;
211 212
@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
219 * it can further restrict access. 220 * it can further restrict access.
220 */ 221 */
221 may = smk_access_entry(skp->smk_known, obj_label, 222 may = smk_access_entry(skp->smk_known, obj_label,
222 &tsp->smk_rules); 223 &subject->smk_rules);
223 if (may < 0) 224 if (may < 0)
224 goto out_audit; 225 goto out_audit;
225 if ((mode & may) == mode) 226 if ((mode & may) == mode)
@@ -241,6 +242,24 @@ out_audit:
241 return rc; 242 return rc;
242} 243}
243 244
245/**
246 * smk_curacc - determine if current has a specific access to an object
247 * @obj_label: a pointer to the object's Smack label
248 * @mode: the access requested, in "MAY" format
249 * @a : common audit data
250 *
251 * This function checks the current subject label/object label pair
252 * in the access rule list and returns 0 if the access is permitted,
253 * non zero otherwise. It allows that current may have the capability
254 * to override the rules.
255 */
256int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
257{
258 struct task_smack *tsp = current_security();
259
260 return smk_tskacc(tsp, obj_label, mode, a);
261}
262
244#ifdef CONFIG_AUDIT 263#ifdef CONFIG_AUDIT
245/** 264/**
246 * smack_str_from_perm : helper to transalate an int to a 265 * smack_str_from_perm : helper to transalate an int to a
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index efa42991235e..b23fbdd4cdad 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
207 if (rc != 0) 207 if (rc != 0)
208 return rc; 208 return rc;
209 209
210 skp = smk_of_task(task_security(ptp)); 210 skp = smk_of_task(current_security());
211 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 211 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
212 smk_ad_setfield_u_tsk(&ad, ptp); 212 smk_ad_setfield_u_tsk(&ad, ptp);
213 213
214 rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); 214 rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
215 return rc; 215 return rc;
216} 216}
217 217
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-22 04:05:47 -0500