From: Himanshu Shukla Date: Thu, 10 Nov 2016 10:47:49 +0000 (+0530) Subject: BACKPORT: SMACK: Do not apply star label in smack_setprocattr hook X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e63a19a45a3b1810bec2d2ed7a9be2db24c5d2bd;p=platform%2Fkernel%2Flinux-stable.git BACKPORT: SMACK: Do not apply star label in smack_setprocattr hook Smack prohibits processes from using the star ("*") and web ("@") labels. Checks have been added in other functions. In smack_setprocattr() hook, only check for web ("@") label has been added and restricted from applying web ("@") label. Check for star ("*") label should also be added in smack_setprocattr() hook. Return error should be "-EINVAL" not "-EPERM" as permission is there for setting label but not the label value as star ("*") or web ("@"). Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler (cherry-picked from upstream 7128ea159d60a91b3f0a7d10a1ea7d62b53cda93) --- diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 23658ac8b163..68ba4250ad2d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3647,10 +3647,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, return PTR_ERR(skp); /* - * No process is ever allowed the web ("@") label. + * No process is ever allowed the web ("@") label + * and the star ("*") label. */ - if (skp == &smack_known_web) - return -EPERM; + if (skp == &smack_known_web || skp == &smack_known_star) + return -EINVAL; if (!smack_privileged(CAP_MAC_ADMIN)) { rc = -EPERM;
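Review bot: the new condition `if (skp == &smack_known_web || skp == &smack_known_star)` changes the return value from -EPERM to -EINVAL for the existing web ("@") case too, not only for the newly rejected star ("*") label. Any caller that distinguishes EPERM when trying to set "@" will see different behaviour after this backport. The commit message explains why -EINVAL is the better code, but it should say explicitly that this is a user-visible change for "@". The check also runs before the `smack_privileged(CAP_MAC_ADMIN)` test, so an unprivileged caller gets -EINVAL for these two labels and -EPERM for any other label. That ordering looks intentional given the rationale in the message, and a short remark in the comment would make it clear. Minor wording point in the updated comment: "the web ("@") label and the star ("*") label" reads as if only the combination were forbidden, so "or" would match the `||` in the condition.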