path: root/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
author José Bollo <jose.bollo@iot.bzh> 2016-11-03 11:26:17 +0100
committer Stephane Desneux <stephane.desneux@iot.bzh> 2017-03-27 15:33:39 +0200
commit 827d7c1c4819737ca5442330c24588a83b72b87b (patch)
tree 4b1401d98ad99d08dedd8dc58b4279fe227bd15f /meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
parent 532f6ad992ae7631dd44a74d0a0bd43126ce3bdf (diff)
Smack: fixup of bluetooth socket labelling

The sockets created by kernel thread will now be tagged @ instead of _.

This problem was occurring during creation of AF_BLUETOOTH (but is also latent for AF_ALG, AF_IUCV, AF_SCTP, AF_TIPC as they don't go through the normal socket creation process within linux).

Having the tag @ allows read/write to sockets without special rules and thus solves the problem.

This solution comes from upstream linux patches backported and from a patch made by Samsung for Tizen that is currently discussed within kernel lists.

Also add some improvements of the LSM Smack (valid caching and signal 0). These improvements are backports of patches already available for linux 4.9-rc3.

AGL-bug: SPEC-293 (https://jira.automotivelinux.org/browse/SPEC-293)
Change-Id: I5999a951a4bbeba7947ebfe5df091de07d59e57e
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
Diffstat (limited to 'meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch')
-rw-r--r-- meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch 39
1 files changed, 39 insertions, 0 deletions
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..67761ae46
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b9393e3..c916f58 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
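Review bot: The early return added in smack_task_kill (`if (!sig) return 0;`) skips both the Smack access check and the audit record set up just below it, but its comment, `/* null signal; existence test */`, does not say why that is safe in a security hook. Suggest expanding the comment to carry the rationale from the patch description: no signal is delivered when sig == 0, and the EPERM versus ESRCH result already told an unprivileged caller whether the PID exists, so the check only produced audit noise. Separately, the patch header has no Upstream-Status line, although the commit message describes these Smack changes as backports; adding one with a reference to the upstream commit would make it clear when the patch can be dropped from the linux-yocto-4.1 recipe.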