projects / platform / kernel / linux-stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1f53691)
BACKPORT: smack: fix key permission verification
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Fri, 14 Mar 2014 17:44:49 +0000 (17:44 +0000)
committerRafal Krypa <r.krypa@samsung.com>
Tue, 22 Mar 2016 11:48:59 +0000 (12:48 +0100)
For any keyring access type SMACK always used MAY_READWRITE access check.
It prevents reading the key with label "_", which should be allowed for anyone.

This patch changes default access check to MAY_READ and use MAY_READWRITE in only
appropriate cases.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry-picked from upstream fffea214abf66a8672cfd6697fae65e743e22f11)

security/smack/smack_lsm.c patch | blob | history

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d6256a336fe6b797bb54b37a645a22b7ae259a6d..d557d532cf28fadf18874a031f01f8c56c50ece5 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3514,6 +3514,7 @@ static int smack_key_permission(key_ref_t key_ref,
        struct key *keyp;
        struct smk_audit_info ad;
        struct smack_known *tkp = smk_of_task(cred->security);
+       int request = 0;
 
        keyp = key_ref_to_ptr(key_ref);
        if (keyp == NULL)
@@ -3534,7 +3535,11 @@ static int smack_key_permission(key_ref_t key_ref,
        ad.a.u.key_struct.key = keyp->serial;
        ad.a.u.key_struct.key_desc = keyp->description;
 #endif
-       return smk_access(tkp, keyp->security, MAY_READWRITE, &ad);
+       if (perm & KEY_NEED_READ)
+               request = MAY_READ;
+       if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
+               request = MAY_WRITE;
+       return smk_access(tkp, keyp->security, request, &ad);
 }
 #endif /* CONFIG_KEYS */
 
Domain: System / Kernel;