review.tizen.org Git - platform/kernel/linux-stable.git/commit

author	Zbigniew Jasinski <z.jasinski@samsung.com>
	Mon, 19 Oct 2015 16:23:53 +0000 (18:23 +0200)
committer	Rafal Krypa <r.krypa@samsung.com>
	Mon, 21 Nov 2016 16:02:07 +0000 (17:02 +0100)
commit	396913e6ca74ce3c7163b4d84c45f5f3ddc38d7b
tree	7ceb3a1d8d7969ac6edb2b3271d799cecc2a67da	tree \| snapshot
parent	afee0aebca68ee2cc759389eefd549776a2c5c6b	commit \| diff

BACKPORT: Smack: limited capability for changing process label

This feature introduces new kernel interface:

- <smack_fs>/relabel-self - for setting transition labels list

This list is used to control smack label transition mechanism.
List is set by, and per process. Process can transit to new label only if
label is on the list. Only process with CAP_MAC_ADMIN capability can add
labels to this list. With this list, process can change it's label without
CAP_MAC_ADMIN but only once. After label changing, list is unset.

Changes in v2:
* use list_for_each_entry instead of _rcu during label write
* added missing description in security/Smack.txt

Changes in v3:
* squashed into one commit

Changes in v4:
* switch from global list to per-task list
* since the per-task list is accessed only by the task itself
  there is no need to use synchronization mechanisms on it

Changes in v5:
* change smackfs interface of relabel-self to the one used for onlycap
  multiple labels are accepted, separated by space, which
  replace the previous list upon write

Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry-picked from upstream 38416e53936ecf896948fdeffc36b76979117952)

Documentation/security/Smack.txt		diff \| blob \| history
security/smack/smack.h		diff \| blob \| history
security/smack/smack_access.c		diff \| blob \| history
security/smack/smack_lsm.c		diff \| blob \| history
security/smack/smackfs.c		diff \| blob \| history