Merge: migrate appfw from meta-agl-extra

Change-Id: Ic56b86228bb748a54352e79acadf0da1c947be76 Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
author: Stephane Desneux <stephane.desneux@iot.bzh> 2017-03-27 16:44:59 +0200
committer: Stephane Desneux <stephane.desneux@iot.bzh> 2017-03-27 16:46:17 +0200
commit: 7fcf42ba21c2a00a60f32140924fefc3cc39ad28 (patch)
tree: 49b2eaa11dd2c241dd7fe77b74b7ced1ac1d1d81 /meta-app-framework/recipes-kernel
parent: 5875cc45a671b1a3e7671ec84ec6ebb1ab17696a (diff)
parent: 976e5d5e866d4099e55a50e0fa8d898ea36ad371 (diff)
12 files changed, 417 insertions, 0 deletions
diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 000000000..02595efdf
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+SRC_URI_append_smack = " file://audit.cfg"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
new file mode 100644
index 000000000..c1c657201
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
@@ -0,0 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.1:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+	file://0001-Smack-File-receive-for-sockets.patch \
+	file://0002-smack-fix-cache-of-access-labels.patch \
+	file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+	file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
new file mode 100644
index 000000000..51df08719
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.4:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+	file://0002-smack-fix-cache-of-access-labels.patch \
+	file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+	file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..214dbe33f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..b0c5ee8f4
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,62 @@
+From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b644757..487b2f3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file)
+ 	int may = 0;
+ 	struct smk_audit_info ad;
+ 	struct inode *inode = file_inode(file);
++	struct socket *sock;
++	struct task_smack *tsp;
++	struct socket_smack *ssp;
+ 
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ 	smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++	if (S_ISSOCK(inode->i_mode)) {
++		sock = SOCKET_I(inode);
++		ssp = sock->sk->sk_security;
++		tsp = current_security();
++		/*
++		 * If the receiving process can't write to the
++		 * passed socket or if the passed socket can't
++		 * write to the receiving process don't accept
++		 * the passed socket.
++		 */
++		rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++		rc = smk_bu_file(file, may, rc);
++		if (rc < 0)
++			return rc;
++		rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++		rc = smk_bu_file(file, may, rc);
++		return rc;
++	}
+ 	/*
+ 	 * This code relies on bitmasks.
+ 	 */
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..51c3b31ec
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 5bcea0fc4e5360deca133e211fdc76717a1693a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo <jobol@nonadev.net>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 487b2f3..b9393e3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1256,9 +1256,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ 	 * Don't do anything special for these.
+ 	 *	XATTR_NAME_SMACKIPIN
+ 	 *	XATTR_NAME_SMACKIPOUT
+-	 *	XATTR_NAME_SMACKEXEC
+ 	 */
+-	if (strcmp(name, XATTR_NAME_SMACK) == 0)
++	if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++		struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++		struct superblock_smack *sbsp = sbp->s_security;
++
++		isp->smk_inode = sbsp->smk_default;
++	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ 		isp->smk_task = NULL;
+ 	else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ 		isp->smk_mmap = NULL;
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..67761ae46
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b9393e3..c916f58 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ 	struct smack_known *tkp = smk_of_task_struct(p);
+ 	int rc;
+ 
++	if (!sig)
++		return 0; /* null signal; existence test */
++
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ 	smk_ad_setfield_u_tsk(&ad, p);
+ 	/*
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..4281c201c
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From b2b9e7ec8e79ede841104f76464f4b77c057b011 Mon Sep 17 00:00:00 2001
+From: jooseong lee <jooseong.lee@samsung.com>
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index c916f58..cc6769b 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2138,8 +2138,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ 	if (ssp == NULL)
+ 		return -ENOMEM;
+ 
+-	ssp->smk_in = skp;
+-	ssp->smk_out = skp;
++	/*
++	 * Sockets created by kernel threads receive web label.
++	 */
++	if (unlikely(current->flags & PF_KTHREAD)) {
++		ssp->smk_in = &smack_known_web;
++		ssp->smk_out = &smack_known_web;
++	} else {
++		ssp->smk_in = skp;
++		ssp->smk_out = skp;
++	}
+ 	ssp->smk_packet = NULL;
+ 
+ 	sk->sk_security = ssp;
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..4021e5d38
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,65 @@
+From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index ff81026..b20ef06 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file)
+ 	int may = 0;
+ 	struct smk_audit_info ad;
+ 	struct inode *inode = file_inode(file);
++	struct socket *sock;
++	struct task_smack *tsp;
++	struct socket_smack *ssp;
+ 
+ 	if (unlikely(IS_PRIVATE(inode)))
+ 		return 0;
+ 
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ 	smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++	if (S_ISSOCK(inode->i_mode)) {
++		sock = SOCKET_I(inode);
++		ssp = sock->sk->sk_security;
++		tsp = current_security();
++		/*
++		 * If the receiving process can't write to the
++		 * passed socket or if the passed socket can't
++		 * write to the receiving process don't accept
++		 * the passed socket.
++		 */
++		rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++		rc = smk_bu_file(file, may, rc);
++		if (rc < 0)
++			return rc;
++		rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++		rc = smk_bu_file(file, may, rc);
++		return rc;
++	}
+ 	/*
+ 	 * This code relies on bitmasks.
+ 	 */
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..c516f3aa5
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo <jobol@nonadev.net>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b20ef06..b2bcb14 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ 	 * Don't do anything special for these.
+ 	 *	XATTR_NAME_SMACKIPIN
+ 	 *	XATTR_NAME_SMACKIPOUT
+-	 *	XATTR_NAME_SMACKEXEC
+ 	 */
+-	if (strcmp(name, XATTR_NAME_SMACK) == 0)
++	if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++		struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++		struct superblock_smack *sbsp = sbp->s_security;
++
++		isp->smk_inode = sbsp->smk_default;
++	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ 		isp->smk_task = NULL;
+ 	else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ 		isp->smk_mmap = NULL;
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..c9180bb9f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b2bcb14..cf8a93f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ 	struct smack_known *tkp = smk_of_task_struct(p);
+ 	int rc;
+ 
++	if (!sig)
++		return 0; /* null signal; existence test */
++
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ 	smk_ad_setfield_u_tsk(&ad, p);
+ 	/*
+-- 
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..a1eeac3d7
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001
+From: jooseong lee <jooseong.lee@samsung.com>
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index cf8a93f..21651bc 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ 	if (ssp == NULL)
+ 		return -ENOMEM;
+ 
+-	ssp->smk_in = skp;
+-	ssp->smk_out = skp;
++	/*
++	 * Sockets created by kernel threads receive web label.
++	 */
++	if (unlikely(current->flags & PF_KTHREAD)) {
++		ssp->smk_in = &smack_known_web;
++		ssp->smk_out = &smack_known_web;
++	} else {
++		ssp->smk_in = skp;
++		ssp->smk_out = skp;
++	}
+ 	ssp->smk_packet = NULL;
+ 
+ 	sk->sk_security = ssp;
+-- 
+2.7.4
+
author	Stephane Desneux <stephane.desneux@iot.bzh>	2017-03-27 16:44:59 +0200
committer	Stephane Desneux <stephane.desneux@iot.bzh>	2017-03-27 16:46:17 +0200
commit	7fcf42ba21c2a00a60f32140924fefc3cc39ad28 (patch)
tree	49b2eaa11dd2c241dd7fe77b74b7ced1ac1d1d81 /meta-app-framework/recipes-kernel
parent	5875cc45a671b1a3e7671ec84ec6ebb1ab17696a (diff)
parent	976e5d5e866d4099e55a50e0fa8d898ea36ad371 (diff)