1 files changed, 34 insertions, 7 deletions

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index dc1fd6239f24..362d5eda948b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -109,9 +109,12 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
  * SMK_ACCESSLEN: Maximum length for a rule access field
  * SMK_LOADLEN: Smack rule length
  */
-#define SMK_ACCESS    "rwxa"
-#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
-#define SMK_LOADLEN   (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
+#define SMK_OACCESS     "rwxa"
+#define SMK_ACCESS      "rwxat"
+#define SMK_OACCESSLEN  (sizeof(SMK_OACCESS) - 1)
+#define SMK_ACCESSLEN   (sizeof(SMK_ACCESS) - 1)
+#define SMK_OLOADLEN    (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
+#define SMK_LOADLEN     (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
 
 /**
  * smk_netlabel_audit_set - fill a netlbl_audit struct
@@ -121,7 +124,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap)
 {
         nap->loginuid = audit_get_loginuid(current);
         nap->sessionid = audit_get_sessionid(current);
-        nap->secid = smack_to_secid(current_security());
+        nap->secid = smack_to_secid(smk_of_current());
 }
 
 /*
@@ -175,6 +178,8 @@ static int load_seq_show(struct seq_file *s, void *v)
                 seq_putc(s, 'x');
         if (srp->smk_access & MAY_APPEND)
                 seq_putc(s, 'a');
+        if (srp->smk_access & MAY_TRANSMUTE)
+                seq_putc(s, 't');
         if (srp->smk_access == 0)
                 seq_putc(s, '-');
 
@@ -273,10 +278,15 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf,
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
 
-        if (*ppos != 0 || count != SMK_LOADLEN)
+        if (*ppos != 0)
+                return -EINVAL;
+        /*
+         * Minor hack for backward compatability
+         */
+        if (count < (SMK_OLOADLEN) || count > SMK_LOADLEN)
                 return -EINVAL;
 
-        data = kzalloc(count, GFP_KERNEL);
+        data = kzalloc(SMK_LOADLEN, GFP_KERNEL);
         if (data == NULL)
                 return -ENOMEM;
 
@@ -285,6 +295,12 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf,
                 goto out;
         }
 
+        /*
+         * More on the minor hack for backward compatability
+         */
+        if (count == (SMK_OLOADLEN))
+                data[SMK_OLOADLEN] = '-';
+
         rule = kzalloc(sizeof(*rule), GFP_KERNEL);
         if (rule == NULL) {
                 rc = -ENOMEM;
@@ -345,6 +361,17 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf,
                 goto out_free_rule;
         }
 
+        switch (data[SMK_LABELLEN + SMK_LABELLEN + 4]) {
+        case '-':
+                break;
+        case 't':
+        case 'T':
+                rule->smk_access |= MAY_TRANSMUTE;
+                break;
+        default:
+                goto out_free_rule;
+        }
+
         rc = smk_set_access(rule);
 
         if (!rc)
@@ -1160,7 +1187,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
                                  size_t count, loff_t *ppos)
 {
         char in[SMK_LABELLEN];
-        char *sp = current->cred->security;
+        char *sp = smk_of_task(current->cred->security);
 
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;