summaryrefslogtreecommitdiff
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2018-01-08 21:25:32 +0300
committerCasey Schaufler <casey@schaufler-ca.com>2018-01-10 20:29:14 +0300
commitd19dfe58b7ecbef3bd0c403c650200c57913ba1b (patch)
tree59ab1001fe590143cda52657a71b5d3087ae6b91 /security/smack/smack_lsm.c
parentda49b5dad18aad357ab8841ee65d415f683efc6f (diff)
downloadlinux-d19dfe58b7ecbef3bd0c403c650200c57913ba1b.tar.xz
Smack: Privilege check on key operations
Smack: Privilege check on key operations Operations on key objects are subjected to Smack policy even if the process is privileged. This is inconsistent with the general behavior of Smack and may cause issues with authentication by privileged daemons. This patch allows processes with CAP_MAC_OVERRIDE to access keys even if the Smack rules indicate otherwise. Reported-by: Jose Bollo <jobol@nonadev.net> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 30f2c3d1c11c..03fdecba93bb 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
*/
if (tkp == NULL)
return -EACCES;
+
+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
+ return 0;
+
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
ad.a.u.key_struct.key = keyp->serial;