summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorHimanshu Shukla <himanshu.sh@samsung.com>2016-11-10 11:47:49 +0100
committerCasey Schaufler <casey@schaufler-ca.com>2016-11-10 20:21:52 +0100
commit7128ea159d60a91b3f0a7d10a1ea7d62b53cda93 (patch)
tree619eac3e523d6f16292dea2704cc9aa217a5b4d9 /security
parentsmack: parse mnt opts after privileges check (diff)
downloadlinux-7128ea159d60a91b3f0a7d10a1ea7d62b53cda93.tar.xz
linux-7128ea159d60a91b3f0a7d10a1ea7d62b53cda93.zip
SMACK: Do not apply star label in smack_setprocattr hook
Smack prohibits processes from using the star ("*") and web ("@") labels. Checks have been added in other functions. In smack_setprocattr() hook, only check for web ("@") label has been added and restricted from applying web ("@") label. Check for star ("*") label should also be added in smack_setprocattr() hook. Return error should be "-EINVAL" not "-EPERM" as permission is there for setting label but not the label value as star ("*") or web ("@"). Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 788a5faf3774..3a5684b47354 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
return PTR_ERR(skp);
/*
- * No process is ever allowed the web ("@") label.
+ * No process is ever allowed the web ("@") label
+ * and the star ("*") label.
*/
- if (skp == &smack_known_web)
- return -EPERM;
+ if (skp == &smack_known_web || skp == &smack_known_star)
+ return -EINVAL;
if (!smack_privileged(CAP_MAC_ADMIN)) {
rc = -EPERM;