Kernel threads excluded from smack checks
author Roman Kubiak <r.kubiak@samsung.com>
Mon, 10 Aug 2015 14:54:25 +0000 (16:54 +0200)
committer Seung-Woo Kim <sw0312.kim@samsung.com>
Thu, 31 Mar 2016 07:40:50 +0000 (16:40 +0900)
Adds an ignore case for kernel tasks,
so that they can access all resources.

Since kernel worker threads are spawned with
floor label, they are severely restricted by
Smack policy. It is not an issue without onlycap,
as these processes also run with root,
so CAP_MAC_OVERRIDE kicks in. But with onlycap
turned on, there is no way to change the label
for these processes.

Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
security/smack/smack_access.c

index 012785a789737993136f94ca3f6a83642b3c3a2e..89d18bfae53a85e061776fed485e2892f1b28d99 100644 (file)
@@ -651,6 +651,12 @@ int smack_privileged(int cap)
        struct smack_known *skp = smk_of_current();
        struct smack_onlycap *sop;
 
+       /*
+        * All kernel tasks are privileged
+        */
+       if (unlikely(current->flags & PF_KTHREAD))
+               return 1;
+
        if (!capable(cap))
                return 0;
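
Review bot: the new `PF_KTHREAD` early return sits ahead of `if (!capable(cap))`, so for a kernel thread the `cap` argument is never examined and neither the capability check nor the onlycap list (`sop`) is consulted. That is a blanket bypass of `smack_privileged()` for every caller, not only the floor-label case the commit message describes. The in-code comment "All kernel tasks are privileged" records the effect but not the reason. Please expand it to say that kernel threads run with the floor label and cannot be relabeled once onlycap is set, and that skipping `capable(cap)` is intentional, so a later reader does not move the check below the capability test or assume `cap` is always honoured.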