From e98bbd0216a00716c351f39e17511367e77e0866 Mon Sep 17 00:00:00 2001 From: Jan-Simon Moeller Date: Mon, 18 Oct 2021 14:07:53 +0200 Subject: Prepare master for new framework integration During the last workshop the transition to the new framework was presented. This change essentially deprecates the SMACK-based application framework. To prepare the integration of it, we remove the deprecated components: - meta-agl-core: remove Smack kernel patches - meta-app-framework - meta-pipewire/dynamic-layers/meta-app-framework/ Bug-AGL: SPEC-4121 Signed-off-by: Jan-Simon Moeller Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67 --- .../Smack-Privilege-check-on-key-operations.patch | 109 --------------------- 1 file changed, 109 deletions(-) delete mode 100644 meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch (limited to 'meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch') diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch deleted file mode 100644 index 4100bb8fd..000000000 --- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch +++ /dev/null @@ -1,109 +0,0 @@ -Smack: Privilege check on key operations - -Operations on key objects are subjected to Smack policy -even if the process is privileged. This is inconsistent -with the general behavior of Smack and may cause issues -with authentication by privileged daemons. This patch -allows processes with CAP_MAC_OVERRIDE to access keys -even if the Smack rules indicate otherwise. - -Reported-by: Jose Bollo -Signed-off-by: Casey Schaufler ---- - security/smack/smack.h | 1 + - security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++----------- - security/smack/smack_lsm.c | 4 ++++ - 3 files changed, 34 insertions(+), 11 deletions(-) - -diff --git a/security/smack/smack.h b/security/smack/smack.h -index 6a71fc7..f7db791 100644 ---- a/security/smack/smack.h -+++ b/security/smack/smack.h -@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); - void smk_insert_entry(struct smack_known *skp); - struct smack_known *smk_find_entry(const char *); - bool smack_privileged(int cap); -+bool smack_privileged_cred(int cap, const struct cred *cred); - void smk_destroy_label_list(struct list_head *list); - - /* -diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c -index 1a30041..141ffac 100644 ---- a/security/smack/smack_access.c -+++ b/security/smack/smack_access.c -@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) - LIST_HEAD(smack_onlycap_list); - DEFINE_MUTEX(smack_onlycap_lock); - --/* -+/** -+ * smack_privileged_cred - are all privilege requirements met by cred -+ * @cap: The requested capability -+ * @cred: the credential to use -+ * - * Is the task privileged and allowed to be privileged - * by the onlycap rule. - * - * Returns true if the task is allowed to be privileged, false if it's not. - */ --bool smack_privileged(int cap) -+bool smack_privileged_cred(int cap, const struct cred *cred) - { -- struct smack_known *skp = smk_of_current(); -+ struct task_smack *tsp = cred->security; -+ struct smack_known *skp = tsp->smk_task; - struct smack_known_list_elem *sklep; - int rc; - -- /* -- * All kernel tasks are privileged -- */ -- if (unlikely(current->flags & PF_KTHREAD)) -- return true; -- -- rc = cap_capable(current_cred(), &init_user_ns, cap, -- SECURITY_CAP_AUDIT); -+ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT); - if (rc) - return false; - -@@ -662,3 +660,23 @@ bool smack_privileged(int cap) - - return false; - } -+ -+/** -+ * smack_privileged - are all privilege requirements met -+ * @cap: The requested capability -+ * -+ * Is the task privileged and allowed to be privileged -+ * by the onlycap rule. -+ * -+ * Returns true if the task is allowed to be privileged, false if it's not. -+ */ -+bool smack_privileged(int cap) -+{ -+ /* -+ * All kernel tasks are privileged -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) -+ return true; -+ -+ return smack_privileged_cred(cap, current_cred()); -+} -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 30f2c3d..03fdecb 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, - */ - if (tkp == NULL) - return -EACCES; -+ -+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) -+ return 0; -+ - #ifdef CONFIG_AUDIT - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); - ad.a.u.key_struct.key = keyp->serial; - -- cgit 1.2.3-korg