diff options
Diffstat (limited to 'meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch')
| -rw-r--r-- | meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch | 62 |
1 files changed, 0 insertions, 62 deletions
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch deleted file mode 100644 index b0c5ee8..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler <casey@schaufler-ca.com> -Date: Mon, 7 Dec 2015 14:34:32 -0800 -Subject: [PATCH 1/4] Smack: File receive for sockets - -The existing file receive hook checks for access on -the file inode even for UDS. This is not right, as -the inode is not used by Smack to make access checks -for sockets. This change checks for an appropriate -access relationship between the receiving (current) -process and the socket. If the process can't write -to the socket's send label or the socket's receive -label can't write to the process fail. - -This will allow the legitimate cases, where the -socket sender and socket receiver can freely communicate. -Only strangly set socket labels should cause a problem. - -Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b644757..487b2f3 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file) - int may = 0; - struct smk_audit_info ad; - struct inode *inode = file_inode(file); -+ struct socket *sock; -+ struct task_smack *tsp; -+ struct socket_smack *ssp; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); - smk_ad_setfield_u_fs_path(&ad, file->f_path); -+ -+ if (S_ISSOCK(inode->i_mode)) { -+ sock = SOCKET_I(inode); -+ ssp = sock->sk->sk_security; -+ tsp = current_security(); -+ /* -+ * If the receiving process can't write to the -+ * passed socket or if the passed socket can't -+ * write to the receiving process don't accept -+ * the passed socket. -+ */ -+ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ if (rc < 0) -+ return rc; -+ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ return rc; -+ } - /* - * This code relies on bitmasks. - */ --- -2.7.4 - |