1 From: Casey Schaufler <casey@schaufler-ca.com>
2 Date: Thu, 21 Nov 2013 10:55:10 +0200
3 Subject: Smack: Cgroup filesystem access
4
5 The cgroup filesystems are not mounted using conventional
6 mechanisms. This prevents the use of mount options to
7 set Smack attributes. This patch makes the behavior
8 of cgroup filesystems compatible with the way systemd
9 uses them.
10
11 Change-Id: I1e0429f133db9e14117dc754d682dec08221354c
12 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
14 ---
15  security/smack/smack_lsm.c | 30 ++++++++++++++++++------------
16  1 file changed, 18 insertions(+), 12 deletions(-)
17
18 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
19 index 14f52be..acd8574 100644
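--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2713,6 +2713,15 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
         * of the superblock.
         */
        if (opt_dentry->d_parent == opt_dentry) {
+               if (sbp->s_magic == CGROUP_SUPER_MAGIC) {
+                       /*
+                        * The cgroup filesystem is never mounted,
+                        * so there's no opportunity to set the mount
+                        * options.
+                        */
+                       sbsp->smk_root = smack_known_star.smk_known;
+                       sbsp->smk_default = smack_known_star.smk_known;
+               }
                isp->smk_inode = sbsp->smk_root;
                isp->smk_flags |= SMK_INODE_INSTANT;
                goto unlockandout;
@@ -2726,16 +2735,20 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
         */
        switch (sbp->s_magic) {
        case SMACK_MAGIC:
+       case PIPEFS_MAGIC:
+       case SOCKFS_MAGIC:
+       case CGROUP_SUPER_MAGIC:
                /*
                 * Casey says that it's a little embarrassing
                 * that the smack file system doesn't do
                 * extended attributes.
-                */
-               final = smack_known_star.smk_known;
-               break;
-       case PIPEFS_MAGIC:
-               /*
+                *
                 * Casey says pipes are easy (?)
+                *
+                * Socket access is controlled by the socket
+                * structures associated with the task involved.
+                *
+                * Cgroupfs is special
                 */
                final = smack_known_star.smk_known;
                break;
@@ -2747,13 +2760,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
                 */
                final = ckp->smk_known;
                break;
-       case SOCKFS_MAGIC:
-               /*
-                * Socket access is controlled by the socket
-                * structures associated with the task involved.
-                */
-               final = smack_known_star.smk_known;
-               break;
        case PROC_SUPER_MAGIC:
                /*
                 * Casey says procfs appears not to care.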
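Review bot: Labeling the cgroup root and default with `smack_known_star` in the first hunk, and every cgroupfs inode through the new `case CGROUP_SUPER_MAGIC:` in the second, takes Smack out of the access decision for cgroupfs, because Smack permits any access to an object labeled `*`; only DAC ownership and mode bits then limit who can write cgroup control files. Neither comment records that trade-off ("Cgroupfs is special" gives no reason), so I would state it where the label is set, e.g. `/* '*' means Smack never denies access here; cgroupfs relies on DAC alone. */`. The stores to `sbsp->smk_root` and `sbsp->smk_default` also rewrite superblock-wide state each time a root dentry is instantiated, and the only lock suggested by the visible code (`goto unlockandout`) appears to be per-inode; the values are constant so the stores look idempotent, but it is worth confirming that nothing else can set these fields for a cgroup superblock and be silently overridden. smack_d_instantiate starts and ends outside these hunks.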