diff options
author | James Morris <james.morris@microsoft.com> | 2018-12-14 06:30:33 +0300 |
---|---|---|
committer | James Morris <james.morris@microsoft.com> | 2018-12-14 06:30:33 +0300 |
commit | 20bb4cb4fb9fb994d757932abc4404cf0f0f56cc (patch) | |
tree | 77d80d5d3541d01bf198ebe581e86083d0c77f1d | |
parent | 1072bd678547f8663cfb81a22fdb50c589e4976e (diff) | |
parent | 55b078f031f556ea18963bd808e79a1dfaa4be44 (diff) | |
download | linux-20bb4cb4fb9fb994d757932abc4404cf0f0f56cc.tar.xz |
Merge branch 'smack-for-4.21-a' of https://github.com/cschaufler/next-smack into next-smack
From Casey.
"I have two Smack patches for 4.21. One Jose's patch adds
missing documentation and Zoran's fleshes out the access checks
on keyrings."
-rw-r--r-- | Documentation/admin-guide/LSM/Smack.rst | 4 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 12 |
2 files changed, 13 insertions, 3 deletions
diff --git a/Documentation/admin-guide/LSM/Smack.rst b/Documentation/admin-guide/LSM/Smack.rst index 6a5826a13aea..6d44f4fdbf59 100644 --- a/Documentation/admin-guide/LSM/Smack.rst +++ b/Documentation/admin-guide/LSM/Smack.rst @@ -818,6 +818,10 @@ Smack supports some mount options: specifies a label to which all labels set on the filesystem must have read access. Not yet enforced. + smackfstransmute=label: + behaves exactly like smackfsroot except that it also + sets the transmute flag on the root of the mount + These mount options apply to all file system types. Smack auditing diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 81fb4c1631e9..cd720c06b78c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4333,6 +4333,12 @@ static int smack_key_permission(key_ref_t key_ref, int request = 0; int rc; + /* + * Validate requested permissions + */ + if (perm & ~KEY_NEED_ALL) + return -EINVAL; + keyp = key_ref_to_ptr(key_ref); if (keyp == NULL) return -EINVAL; @@ -4356,10 +4362,10 @@ static int smack_key_permission(key_ref_t key_ref, ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key_desc = keyp->description; #endif - if (perm & KEY_NEED_READ) - request = MAY_READ; + if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) + request |= MAY_READ; if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) - request = MAY_WRITE; + request |= MAY_WRITE; rc = smk_access(tkp, keyp->security, request, &ad); rc = smk_bu_note("key access", tkp, keyp->security, request, rc); return rc; |