1 files changed, 43 insertions, 15 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index f4fac64c4da8..7ba8478f599e 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -67,6 +67,46 @@ static u32 smack_next_secid = 10;
 int log_policy = SMACK_AUDIT_DENIED;
 /**
+ * smk_access_entry - look up matching access rule
+ * @subject_label: a pointer to the subject's Smack label
+ * @object_label: a pointer to the object's Smack label
+ *
+ * This function looks up the subject/object pair in the
+ * access rule list and returns pointer to the matching rule if found,
+ * NULL otherwise.
+ *
+ * NOTE:
+ * Even though Smack labels are usually shared on smack_list
+ * labels that come in off the network can't be imported
+ * and added to the list for locking reasons.
+ *
+ * Therefore, it is necessary to check the contents of the labels,
+ * not just the pointer values. Of course, in most cases the labels
+ * will be on the list, so checking the pointers may be a worthwhile
+ * optimization.
+ */
+int smk_access_entry(char *subject_label, char *object_label)
+{
+        u32 may = MAY_NOT;
+        struct smack_rule *srp;
+        rcu_read_lock();
+        list_for_each_entry_rcu(srp, &smack_rule_list, list) {
+                if (srp->smk_subject == subject_label ||
+                    strcmp(srp->smk_subject, subject_label) == 0) {
+                        if (srp->smk_object == object_label ||
+                            strcmp(srp->smk_object, object_label) == 0) {
+                                may = srp->smk_access;
+                                break;
+                        }
+                }
+        }
+        rcu_read_unlock();
+        return may;
+}
+/**
 * smk_access - determine if a subject has a specific access to an object
 * @subject_label: a pointer to the subject's Smack label
 * @object_label: a pointer to the object's Smack label
@@ -90,7 +130,6 @@ int smk_access(char *subject_label, char *object_label, int request,
               struct smk_audit_info *a)
 {
        u32 may = MAY_NOT;
-        struct smack_rule *srp;
        int rc = 0;
        /*
@@ -144,18 +183,7 @@ int smk_access(char *subject_label, char *object_label, int request,
         * access (e.g. read is included in readwrite) it's
         * good.
         */
-        rcu_read_lock();
+        may = smk_access_entry(subject_label, object_label);
-        list_for_each_entry_rcu(srp, &smack_rule_list, list) {
-                if (srp->smk_subject == subject_label ||
-                    strcmp(srp->smk_subject, subject_label) == 0) {
-                        if (srp->smk_object == object_label ||
-                            strcmp(srp->smk_object, object_label) == 0) {
-                                may = srp->smk_access;
-                                break;
-                        }
-                }
-        }
-        rcu_read_unlock();
        /*
         * This is a bit map operation.
         */
@@ -185,7 +213,7 @@ out_audit:
 int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
 {
        int rc;
-        char *sp = current_security();
+        char *sp = smk_of_current();
        rc = smk_access(sp, obj_label, mode, NULL);
        if (rc == 0)
@@ -196,7 +224,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
         * only one that gets privilege and current does not
         * have that label.
         */
-        if (smack_onlycap != NULL && smack_onlycap != current->cred->security)
+        if (smack_onlycap != NULL && smack_onlycap != sp)
                goto out_audit;
        if (capable(CAP_MAC_OVERRIDE))