Commit 7128ea15 · Author: Himanshu Shukla · Committer: Casey Schaufler

SMACK: Do not apply star label in smack_setprocattr hook

Smack prohibits processes from using the star ("*") and web ("@") labels.
Checks have been added in other functions. In the smack_setprocattr()
hook, only a check for the web ("@") label has been added, restricting
the web ("@") label from being applied.
A check for the star ("*") label should also be added in the
smack_setprocattr() hook. The returned error should be "-EINVAL", not
"-EPERM", as permission is there for setting the label but not for the
label value star ("*") or web ("@").
Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Parent 2097f599
...@@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, ...@@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
return PTR_ERR(skp); return PTR_ERR(skp);
/* /*
* No process is ever allowed the web ("@") label. * No process is ever allowed the web ("@") label
* and the star ("*") label.
*/ */
if (skp == &smack_known_web) if (skp == &smack_known_web || skp == &smack_known_star)
return -EPERM; return -EINVAL;
if (!smack_privileged(CAP_MAC_ADMIN)) { if (!smack_privileged(CAP_MAC_ADMIN)) {
rc = -EPERM; rc = -EPERM;
......
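Review bot: The `return -EINVAL;` line changes the errno for the existing web ("@") case as well as the new star ("*") case, so any caller that previously matched on -EPERM when writing "@" will now see a different error; the commit message explains the reasoning, but the code comment does not, and it would help to say there that the value is rejected as invalid rather than as a permission failure. Note also that this check sits before the `smack_privileged(CAP_MAC_ADMIN)` test, so an unprivileged caller gets -EINVAL for these two labels and -EPERM for any other label; if that ordering is intended, a short remark in the comment would make it explicit. Minor wording: "the web ("@") label and the star ("*") label" reads more naturally as "the web ("@") or the star ("*") label".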