diff options
author | Tianjia Zhang <tianjia.zhang@linux.alibaba.com> | 2021-07-15 12:17:24 +0300 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2021-07-20 19:17:36 +0300 |
commit | 6d14f5c7028eea70760df284057fe198ce7778dd (patch) | |
tree | 46d0550c4a1377d867486aa00653c3b65cbaf800 /security/smack | |
parent | 2734d6c1b1a089fb593ef6a23d4b70903526fe0c (diff) | |
download | linux-6d14f5c7028eea70760df284057fe198ce7778dd.tar.xz |
Smack: Fix wrong semantics in smk_access_entry()
In the smk_access_entry() function, if no matching rule is found
in the rust_list, a negative error code will be used to perform bit
operations with the MAY_ enumeration value. This is semantically
wrong. This patch fixes this issue.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack')
-rw-r--r-- | security/smack/smack_access.c | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 1f391f6a3d47..d2186e2757be 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -81,23 +81,22 @@ int log_policy = SMACK_AUDIT_DENIED; int smk_access_entry(char *subject_label, char *object_label, struct list_head *rule_list) { - int may = -ENOENT; struct smack_rule *srp; list_for_each_entry_rcu(srp, rule_list, list) { if (srp->smk_object->smk_known == object_label && srp->smk_subject->smk_known == subject_label) { - may = srp->smk_access; - break; + int may = srp->smk_access; + /* + * MAY_WRITE implies MAY_LOCK. + */ + if ((may & MAY_WRITE) == MAY_WRITE) + may |= MAY_LOCK; + return may; } } - /* - * MAY_WRITE implies MAY_LOCK. - */ - if ((may & MAY_WRITE) == MAY_WRITE) - may |= MAY_LOCK; - return may; + return -ENOENT; } /** |