SMACK: Do not apply star label in smack_setprocattr hook
Smack prohibits processes from using the star ("*") and web ("@") labels. Checks have been added in other functions. In smack_setprocattr() hook, only check for web ("@") label has been added and restricted from applying web ("@") label. Check for star ("*") label should also be added in smack_setprocattr() hook. Return error should be "-EINVAL" not "-EPERM" as permission is there for setting label but not the label value as star ("*") or web ("@").

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
parent 2097f59920
commit 7128ea159d
|
@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
|
|||
return PTR_ERR(skp);
|
||||
|
||||
/*
|
||||
* No process is ever allowed the web ("@") label.
|
||||
* No process is ever allowed the web ("@") label
|
||||
* and the star ("*") label.
|
||||
*/
|
||||
if (skp == &smack_known_web)
|
||||
return -EPERM;
|
||||
if (skp == &smack_known_web || skp == &smack_known_star)
|
||||
return -EINVAL;
|
||||
|
||||
if (!smack_privileged(CAP_MAC_ADMIN)) {
|
||||
rc = -EPERM;
|
||||
|
|
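Review bot: The return value for the existing web ("@") case changes from -EPERM to -EINVAL in the same condition that adds the star ("*") check, so userspace that writes "@" to the process attribute and tests for EPERM will now see a different errno. The commit message gives the reasoning, but the change is visible to callers and deserves a mention in the Smack documentation or at least in the comment above the check. The check also sits before the `smack_privileged(CAP_MAC_ADMIN)` test, so an unprivileged caller gets -EINVAL for these two labels and -EPERM for any other; that ordering looks intentional given the stated rationale, but the comment should say so. Minor wording: the updated comment reads `the web ("@") label` followed by `and the star ("*") label`; "or" would be clearer, since the condition rejects either label on its own.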