diff options
author | Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> | 2014-03-11 12:07:04 -0400 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2014-04-11 17:34:17 -0400 |
commit | 959e6c7f1eee42f14d31755b1134f5615db1d9bc (patch) | |
tree | 1931751fc4a9c37635c106498b7c2159e3f6576f /security | |
parent | 55dfc5da1a9b7e623b6f35620c74280555df0288 (diff) |
Smack: fix the subject/object order in smack_ptrace_traceme()
The order of subject/object is currently reversed in
smack_ptrace_traceme(). It is currently checked if the tracee has a
capability to trace tracer and according to this rule a decision is made
whether the tracer will be allowed to trace tracee.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/smack/smack.h | 1 | ||||
-rw-r--r-- | security/smack/smack_access.c | 33 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 4 |
3 files changed, 29 insertions, 9 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index d072fd32212d..b9dfc4e1d3e0 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *); | |||
225 | */ | 225 | */ |
226 | int smk_access_entry(char *, char *, struct list_head *); | 226 | int smk_access_entry(char *, char *, struct list_head *); |
227 | int smk_access(struct smack_known *, char *, int, struct smk_audit_info *); | 227 | int smk_access(struct smack_known *, char *, int, struct smk_audit_info *); |
228 | int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *); | ||
228 | int smk_curacc(char *, u32, struct smk_audit_info *); | 229 | int smk_curacc(char *, u32, struct smk_audit_info *); |
229 | struct smack_known *smack_from_secid(const u32); | 230 | struct smack_known *smack_from_secid(const u32); |
230 | char *smk_parse_smack(const char *string, int len); | 231 | char *smk_parse_smack(const char *string, int len); |
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 14293cd9b1e5..f161debed02b 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
@@ -192,20 +192,21 @@ out_audit: | |||
192 | } | 192 | } |
193 | 193 | ||
194 | /** | 194 | /** |
195 | * smk_curacc - determine if current has a specific access to an object | 195 | * smk_tskacc - determine if a task has a specific access to an object |
196 | * @tsp: a pointer to the subject task | ||
196 | * @obj_label: a pointer to the object's Smack label | 197 | * @obj_label: a pointer to the object's Smack label |
197 | * @mode: the access requested, in "MAY" format | 198 | * @mode: the access requested, in "MAY" format |
198 | * @a : common audit data | 199 | * @a : common audit data |
199 | * | 200 | * |
200 | * This function checks the current subject label/object label pair | 201 | * This function checks the subject task's label/object label pair |
201 | * in the access rule list and returns 0 if the access is permitted, | 202 | * in the access rule list and returns 0 if the access is permitted, |
202 | * non zero otherwise. It allows that current may have the capability | 203 | * non zero otherwise. It allows that the task may have the capability |
203 | * to override the rules. | 204 | * to override the rules. |
204 | */ | 205 | */ |
205 | int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) | 206 | int smk_tskacc(struct task_smack *subject, char *obj_label, |
207 | u32 mode, struct smk_audit_info *a) | ||
206 | { | 208 | { |
207 | struct task_smack *tsp = current_security(); | 209 | struct smack_known *skp = smk_of_task(subject); |
208 | struct smack_known *skp = smk_of_task(tsp); | ||
209 | int may; | 210 | int may; |
210 | int rc; | 211 | int rc; |
211 | 212 | ||
@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) | |||
219 | * it can further restrict access. | 220 | * it can further restrict access. |
220 | */ | 221 | */ |
221 | may = smk_access_entry(skp->smk_known, obj_label, | 222 | may = smk_access_entry(skp->smk_known, obj_label, |
222 | &tsp->smk_rules); | 223 | &subject->smk_rules); |
223 | if (may < 0) | 224 | if (may < 0) |
224 | goto out_audit; | 225 | goto out_audit; |
225 | if ((mode & may) == mode) | 226 | if ((mode & may) == mode) |
@@ -241,6 +242,24 @@ out_audit: | |||
241 | return rc; | 242 | return rc; |
242 | } | 243 | } |
243 | 244 | ||
245 | /** | ||
246 | * smk_curacc - determine if current has a specific access to an object | ||
247 | * @obj_label: a pointer to the object's Smack label | ||
248 | * @mode: the access requested, in "MAY" format | ||
249 | * @a : common audit data | ||
250 | * | ||
251 | * This function checks the current subject label/object label pair | ||
252 | * in the access rule list and returns 0 if the access is permitted, | ||
253 | * non zero otherwise. It allows that current may have the capability | ||
254 | * to override the rules. | ||
255 | */ | ||
256 | int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) | ||
257 | { | ||
258 | struct task_smack *tsp = current_security(); | ||
259 | |||
260 | return smk_tskacc(tsp, obj_label, mode, a); | ||
261 | } | ||
262 | |||
244 | #ifdef CONFIG_AUDIT | 263 | #ifdef CONFIG_AUDIT |
245 | /** | 264 | /** |
246 | * smack_str_from_perm : helper to transalate an int to a | 265 | * smack_str_from_perm : helper to transalate an int to a |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index efa42991235e..b23fbdd4cdad 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
207 | if (rc != 0) | 207 | if (rc != 0) |
208 | return rc; | 208 | return rc; |
209 | 209 | ||
210 | skp = smk_of_task(task_security(ptp)); | 210 | skp = smk_of_task(current_security()); |
211 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); | 211 | smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); |
212 | smk_ad_setfield_u_tsk(&ad, ptp); | 212 | smk_ad_setfield_u_tsk(&ad, ptp); |
213 | 213 | ||
214 | rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); | 214 | rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad); |
215 | return rc; | 215 | return rc; |
216 | } | 216 | } |
217 | 217 | ||