projects / platform / kernel / linux-exynos.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 922249e)
Smack: fix d_instantiate logic for sockfs and pipefs accepted/tizen/3.0/common/20161227.101955 accepted/tizen/3.0/ivi/20161227.010309 accepted/tizen/3.0/mobile/20161227.010220 accepted/tizen/3.0/tv/20161227.010235 accepted/tizen/3.0/wearable/20161227.010256 submit/tizen_3.0/20161226.054516
authorRafal Krypa <r.krypa@samsung.com>
Tue, 13 Dec 2016 02:25:11 +0000 (11:25 +0900)
committerSeung-Woo Kim <sw0312.kim@samsung.com>
Fri, 16 Dec 2016 00:14:20 +0000 (09:14 +0900)
Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.

In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.

Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in appropriate place.

Change-Id: I87ab9fa19cea3e8df8f2c814946e56a9df20d36d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
security/smack/smack_lsm.c patch | blob | history

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38135fc9b802edb7bf8be44e676cda1de0c98aba..23ab1fb9c552fc434af7aa20c6b400b897b4e7ec 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3374,6 +3374,13 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
                case PIPEFS_MAGIC:
                        isp->smk_inode = smk_of_current();
                        break;
+               case SOCKFS_MAGIC:
+                       /*
+                        * Socket access is controlled by the socket
+                        * structures associated with the task involved.
+                        */
+                       isp->smk_inode = &smack_known_star;
+                       break;
                default:
                        isp->smk_inode = sbsp->smk_root;
                        break;
@@ -3390,19 +3397,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
         */
        switch (sbp->s_magic) {
        case SMACK_MAGIC:
-       case PIPEFS_MAGIC:
-       case SOCKFS_MAGIC:
        case CGROUP_SUPER_MAGIC:
                /*
                 * Casey says that it's a little embarrassing
                 * that the smack file system doesn't do
                 * extended attributes.
                 *
-                * Casey says pipes are easy (?)
-                *
-                * Socket access is controlled by the socket
-                * structures associated with the task involved.
-                *
                 * Cgroupfs is special
                 */
                final = &smack_known_star;
Domain: System / Kernel;