Kernel threads excluded from smack checks

Adds an ignore case for kernel tasks, so that they can access all resources. Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes. Signed-off-by: N Roman Kubiak <r.kubiak@samsung.com> Acked-by: N Casey Schaufler <casey@schaufler-ca.com>

Kernel threads excluded from smack checks
Adds an ignore case for kernel tasks, so that they can access all resources. Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes. Signed-off-by: N Roman Kubiak <r.kubiak@samsung.com> Acked-by: N Casey Schaufler <casey@schaufler-ca.com>
41a2d575 · Roman Kubiak · Casey Schaufler · 1eddfe8e · 41a2d575
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

security/smack/smack_access.c security/smack/smack_access.c +6 -0

未找到文件。
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -639,6 +639,12 @@ int smack_privileged(int cap)
 	struct smack_known *skp = smk_of_current();
 	struct smack_onlycap *sop;

+	/*
+	 * All kernel tasks are privileged
+	 */
+	if (unlikely(current->flags & PF_KTHREAD))
+		return 1;
+
 	if (!capable(cap))
 		return 0;