diff options
Diffstat (limited to 'security/smack/smack_access.c')
| -rw-r--r-- | security/smack/smack_access.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 247cec3b5a43..2e0b83e77ffe 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
| @@ -15,15 +15,8 @@ | |||
| 15 | #include <linux/sched.h> | 15 | #include <linux/sched.h> |
| 16 | #include "smack.h" | 16 | #include "smack.h" |
| 17 | 17 | ||
| 18 | struct smack_known smack_known_unset = { | ||
| 19 | .smk_next = NULL, | ||
| 20 | .smk_known = "UNSET", | ||
| 21 | .smk_secid = 1, | ||
| 22 | .smk_cipso = NULL, | ||
| 23 | }; | ||
| 24 | |||
| 25 | struct smack_known smack_known_huh = { | 18 | struct smack_known smack_known_huh = { |
| 26 | .smk_next = &smack_known_unset, | 19 | .smk_next = NULL, |
| 27 | .smk_known = "?", | 20 | .smk_known = "?", |
| 28 | .smk_secid = 2, | 21 | .smk_secid = 2, |
| 29 | .smk_cipso = NULL, | 22 | .smk_cipso = NULL, |
| @@ -57,7 +50,14 @@ struct smack_known smack_known_invalid = { | |||
| 57 | .smk_cipso = NULL, | 50 | .smk_cipso = NULL, |
| 58 | }; | 51 | }; |
| 59 | 52 | ||
| 60 | struct smack_known *smack_known = &smack_known_invalid; | 53 | struct smack_known smack_known_web = { |
| 54 | .smk_next = &smack_known_invalid, | ||
| 55 | .smk_known = "@", | ||
| 56 | .smk_secid = 7, | ||
| 57 | .smk_cipso = NULL, | ||
| 58 | }; | ||
| 59 | |||
| 60 | struct smack_known *smack_known = &smack_known_web; | ||
| 61 | 61 | ||
| 62 | /* | 62 | /* |
| 63 | * The initial value needs to be bigger than any of the | 63 | * The initial value needs to be bigger than any of the |
| @@ -99,6 +99,16 @@ int smk_access(char *subject_label, char *object_label, int request) | |||
| 99 | strcmp(subject_label, smack_known_star.smk_known) == 0) | 99 | strcmp(subject_label, smack_known_star.smk_known) == 0) |
| 100 | return -EACCES; | 100 | return -EACCES; |
| 101 | /* | 101 | /* |
| 102 | * An internet object can be accessed by any subject. | ||
| 103 | * Tasks cannot be assigned the internet label. | ||
| 104 | * An internet subject can access any object. | ||
| 105 | */ | ||
| 106 | if (object_label == smack_known_web.smk_known || | ||
| 107 | subject_label == smack_known_web.smk_known || | ||
| 108 | strcmp(object_label, smack_known_web.smk_known) == 0 || | ||
| 109 | strcmp(subject_label, smack_known_web.smk_known) == 0) | ||
| 110 | return 0; | ||
| 111 | /* | ||
| 102 | * A star object can be accessed by any subject. | 112 | * A star object can be accessed by any subject. |
| 103 | */ | 113 | */ |
| 104 | if (object_label == smack_known_star.smk_known || | 114 | if (object_label == smack_known_star.smk_known || |