From: jooseong.lee Date: Wed, 25 Mar 2015 02:03:13 +0000 (+0900) Subject: Smack: Lock mode for the floor and hat labels X-Git-Tag: submit/tizen/20160422.055611~1^2~69 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=47e656db08c5fae5f25c0cefa731c4928b67434a;p=sdk%2Femulator%2Femulator-kernel.git Smack: Lock mode for the floor and hat labels The lock access mode allows setting a read lock on a file for with the process has only read access. The floor label is defined to make it easy to have the basic system installed such that everyone can read it. Once there's a desire to read lock (rationally or otherwise) a floor file a rule needs to get set. This happens all the time, so make the floor label a little bit more special and allow everyone lock access, too. By implication, give processes with the hat label (hat can read everything) lock access as well. This reduces clutter in the Smack rule set. Change-Id: I09b6d234701b3efc67aad30bc3ea09da35c61792 Signed-off-by: jooseong.lee --- diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index c062e9467b62..821f283b2417 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -157,10 +157,11 @@ int smk_access(struct smack_known *subject_known, char *object_label, if (subject_known->smk_known == object_label) goto out_audit; /* - * A hat subject can read any object. - * A floor object can be read by any subject. + * A hat subject can read or lock any object. + * A floor object can be read or locked by any subject. */ - if ((request & MAY_ANYREAD) == request) { + if ((request & MAY_ANYREAD) == request || + (request & MAY_LOCK) == request) { if (object_label == smack_known_floor.smk_known) goto out_audit; if (subject_known == &smack_known_hat)