a39f44fa
编写于
9月 15, 2016
作者:
James Morris
Merge branch 'smack-for-4.9' of
http://github.com/cschaufler/smack-next
into next
上级
8ccc7d6b
c60b9066
Showing
4 changed file
with
32 addition
and
15 deletion
+32
-15
security/smack/Kconfig
security/smack/Kconfig
+12
-0
security/smack/smack.h
security/smack/smack.h
+10
-0
security/smack/smack_lsm.c
security/smack/smack_lsm.c
+7
-7
security/smack/smackfs.c
security/smack/smackfs.c
+3
-8
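--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER
 This enables security marking of network packets using
 Smack labels.
 If you are unsure how to answer this question, answer N.
+config SECURITY_SMACK_APPEND_SIGNALS
+bool "Treat delivering signals as an append operation"
+depends on SECURITY_SMACK
+default n
+help
+Sending a signal has been treated as a write operation to the
+receiving process. If this option is selected, the delivery
+will be an append operation instead. This makes it possible
+to differentiate between delivering a network packet and
+delivering a signal in the Smack rules.
+If you are unsure how to answer this question, answer N.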
security/smack/smack.h
@@ -256,6 +256,16 @@ enum {
#define MAY_LOCK 0x00002000
/* Locks should be writes, but ... */
#define MAY_BRINGUP 0x00004000
/* Report use of this rule */
/*
* The policy for delivering signals is configurable.
* It is usually "write", but can be "append".
*/
#ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
#define MAY_DELIVER MAY_APPEND
/* Signal delivery requires append */
#else
#define MAY_DELIVER MAY_WRITE
/* Signal delivery requires write */
#endif
#define SMACK_BRINGUP_ALLOW 1
/* Allow bringup mode */
#define SMACK_UNCONFINED_SUBJECT 2
/* Allow unconfined label */
#define SMACK_UNCONFINED_OBJECT 3
/* Allow unconfined label */
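Review bot: The comment above the `#ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS` block says the signal policy is configurable but not what flipping it means for rulesets already deployed: once MAY_DELIVER resolves to MAY_APPEND, a subject whose rule grants only "w" on the receiver's label is no longer permitted to signal it, because the delivery check now asks for "a". I would extend the comment so an administrator enabling the option sees that consequence: `* With CONFIG_SECURITY_SMACK_APPEND_SIGNALS, signal delivery is checked`, `* as "a" (MAY_APPEND) rather than "w" (MAY_WRITE); existing rules that`, `* relied on "w" alone to allow signals must grant "a" as well.` Listing the hooks that consult MAY_DELIVER would also help readers, though that list is only inferable from the other files touched by this commit, not from this header.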
security/smack/smack_lsm.c
@@ -1857,14 +1857,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
/* we don't log here as rc can be overriden */
skp
=
file
->
f_security
;
rc
=
smk_access
(
skp
,
tkp
,
MAY_
WRITE
,
NULL
);
rc
=
smk_bu_note
(
"sigiotask"
,
skp
,
tkp
,
MAY_
WRITE
,
rc
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
DELIVER
,
NULL
);
rc
=
smk_bu_note
(
"sigiotask"
,
skp
,
tkp
,
MAY_
DELIVER
,
rc
);
if
(
rc
!=
0
&&
has_capability
(
tsk
,
CAP_MAC_OVERRIDE
))
rc
=
0
;
smk_ad_init
(
&
ad
,
__func__
,
LSM_AUDIT_DATA_TASK
);
smk_ad_setfield_u_tsk
(
&
ad
,
tsk
);
smack_log
(
skp
->
smk_known
,
tkp
->
smk_known
,
MAY_
WRITE
,
rc
,
&
ad
);
smack_log
(
skp
->
smk_known
,
tkp
->
smk_known
,
MAY_
DELIVER
,
rc
,
&
ad
);
return
rc
;
}
@@ -2265,8 +2265,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* can write the receiver.
*/
if
(
secid
==
0
)
{
rc
=
smk_curacc
(
tkp
,
MAY_
WRITE
,
&
ad
);
rc
=
smk_bu_task
(
p
,
MAY_
WRITE
,
rc
);
rc
=
smk_curacc
(
tkp
,
MAY_
DELIVER
,
&
ad
);
rc
=
smk_bu_task
(
p
,
MAY_
DELIVER
,
rc
);
return
rc
;
}
/*
@@ -2275,8 +2275,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* we can't take privilege into account.
*/
skp
=
smack_from_secid
(
secid
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
WRITE
,
&
ad
);
rc
=
smk_bu_note
(
"USB signal"
,
skp
,
tkp
,
MAY_
WRITE
,
rc
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
DELIVER
,
&
ad
);
rc
=
smk_bu_note
(
"USB signal"
,
skp
,
tkp
,
MAY_
DELIVER
,
rc
);
return
rc
;
}
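Review bot: The context comment directly above the `secid == 0` branch in smack_task_kill still ends with `* can write the receiver.`, but that branch now calls `smk_curacc(tkp, MAY_DELIVER, &ad)`, and MAY_DELIVER is MAY_APPEND when CONFIG_SECURITY_SMACK_APPEND_SIGNALS is set, so the comment is wrong under that configuration. I would reword it to `* can deliver (MAY_DELIVER) to the receiver.`; the start of that comment lies outside the hunk, as does the body of smack_task_kill before it. The same MAY_WRITE to MAY_DELIVER substitution in smack_file_send_sigiotask and in the secid path of smack_task_kill looks consistent, and the smk_bu_note tags "sigiotask" and "USB signal" are unchanged, so bringup-mode logs keep their existing identifiers.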
security/smack/smackfs.c
@@ -2523,14 +2523,9 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
if
(
count
==
0
||
count
>
SMK_LONGLABEL
)
return
-
EINVAL
;
data
=
kzalloc
(
count
,
GFP_KERNEL
);
if
(
data
==
NULL
)
return
-
ENOMEM
;
if
(
copy_from_user
(
data
,
buf
,
count
)
!=
0
)
{
rc
=
-
EFAULT
;
goto
out_data
;
}
data
=
memdup_user
(
buf
,
count
);
if
(
IS_ERR
(
data
))
return
PTR_ERR
(
data
);
cp
=
smk_parse_smack
(
data
,
count
);
if
(
IS_ERR
(
cp
))
{
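Review bot: The new `data = memdup_user(buf, count);` in smk_write_revoke_subj is only safe because the `count == 0 || count > SMK_LONGLABEL` check earlier in the hunk bounds the user-supplied length before it becomes an allocation size, and that dependency is not visible at the call site. I would record it on the line: `data = memdup_user(buf, count);	/* count already bounded by SMK_LONGLABEL */`. Dropping kzalloc's zero-fill does not change behaviour here, since the old copy_from_user overwrote all count bytes and smk_parse_smack is still given the explicit count. Whether the `out_data` label that the removed copy_from_user failure path jumped to still has another user depends on code past the end of the hunk; smk_write_revoke_subj continues outside it.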