From d9fc4910ebc2bd86d7b67a8c62b661104a4e5253 Mon Sep 17 00:00:00 2001
From: Roman Kubiak
Date: Mon, 10 Aug 2015 16:54:25 +0200
Subject: [PATCH] BACKPORT: Kernel threads excluded from smack checks

Adds an ignore case for kernel tasks, so that they can access all resources. Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes.

Signed-off-by: Roman Kubiak
Acked-by: Casey Schaufler
(cherry-picked from upstream 41a2d5751616e38d1e293e3cb35a6e2bc7a03473)
---
 security/smack/smack_access.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 98e7da10af9f..8aef66fb2e03 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -639,6 +639,12 @@ int smack_privileged(int cap)
 struct smack_known *skp = smk_of_current();
 struct smack_onlycap *sop;
+ /*
+ * All kernel tasks are privileged
+ */
+ if (unlikely(current->flags & PF_KTHREAD))
+ return 1;
+
 if (!capable(cap))
 return 0;
--
2.34.1
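Review bot: The added comment above the PF_KTHREAD test says that kernel tasks are privileged but not why, so a later reader of smack_privileged() will not see that this early return exists for the onlycap case, where floor-labelled kernel threads cannot be relabeled and would otherwise be blocked; I would extend the comment with that rationale from the commit message and state that the `return 1` deliberately precedes `capable(cap)`, so the requested capability is never consulted for PF_KTHREAD tasks. Because this is a backport, it is also worth confirming in the target tree that PF_KTHREAD is cleared when a kernel thread execs a user program, so usermode-helper children do not inherit the bypass — mainline does this as far as I recall, but the hunk cannot show it. smack_privileged() begins before this hunk and its body continues after it.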