This is a backport of two upstream (3.13) patches:
commit
b5dfd8075bc26636d11c3d8888940198afbf5112
Smack: Ptrace access check mode
When the ptrace security hooks were split the addition of
a mode parameter was not taken advantage of in the Smack
ptrace access check. This changes the access check from
always looking for read and write access to using the
passed mode. This will make use of /proc much happier.
commit
c0ab6e56dcb7ca9903d460247cb464e769ae6e77
Smack: Implement lock security mode
Linux file locking does not follow the same rules
as other mechanisms. Even though it is a write operation
a process can set a read lock on files which it has open
only for read access. Two programs with read access to
a file can use read locks to communicate.
This is not acceptable in a Mandatory Access Control
environment. Smack treats setting a read lock as the
write operation that it is. Unfortunately, many programs
assume that setting a read lock is a read operation.
These programs are unhappy in the Smack environment.
This patch introduces a new access mode (lock) to address
this problem. A process with lock access to a file can
set a read lock. A process with write access to a file can
set a read lock or a write lock. This prevents a situation
where processes are granted write access just so they can
set read locks.
Also, a provisonal fix for setting the Smack value on the
cgroup filesystem root to "*". Cgroupfs is not a real filesystem
and does not get mounted in the usual way.
Change-Id: I2a6c5448a379db636aa6452664414c75a6b63da5
Signed-off-by: William Douglas <william.douglas@intel.com>