diff options
| author |   Yannick GICQUEL <yannick.gicquel@iot.bzh> | 2015-10-19 15:57:07 +0200 |
|---|---|---|
| committer |   Gerrit Code Review <gerrit@172.30.200.200> | 2015-11-06 15:23:36 +0000 |
| commit | ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch) | |
| tree | 47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch | |
| parent | 1cd8ab18abca96e4ee108f80225058d875b28347 (diff) | |
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support
on kernel side. For more details, see file:
meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README
Please note that patches are applied only if "smack" is in the
ditro features. Here are the 2 lines to add in the local.conf
OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"
Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch')
| -rw-r--r-- | meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch new file mode 100644 index 0000000..b61c2ef --- /dev/null +++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0022-smack-fix-key-permission-verification.patch @@ -0,0 +1,55 @@ +From 618719c14729b2c9ef82cb462308671d11284a38 Mon Sep 17 00:00:00 2001 +From: Dmitry Kasatkin <d.kasatkin@samsung.com> +Date: Fri, 14 Mar 2014 17:44:49 +0000 +Subject: [PATCH 22/54] smack: fix key permission verification + +For any keyring access type SMACK always used MAY_READWRITE access check. +It prevents reading the key with label "_", which should be allowed for anyone. + +This patch changes default access check to MAY_READ and use MAY_READWRITE in only +appropriate cases. + +Change-Id: I372968d614550d4c691301b2ef4b6478e76c62bf +Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Casey Schaufler <casey@schaufler-ca.com> +--- + security/smack/smack_lsm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 14f52be..16dcf7f 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3465,6 +3465,7 @@ static void smack_inet_csk_clone(struct sock *sk, + * If you care about keys please have a look. + */ + #ifdef CONFIG_KEYS ++#include "../keys/internal.h" /* HACK FOR THE BACKPORT */ + + /** + * smack_key_alloc - Set the key security blob +@@ -3511,6 +3512,7 @@ static int smack_key_permission(key_ref_t key_ref, + struct key *keyp; + struct smk_audit_info ad; + struct smack_known *tkp = smk_of_task(cred->security); ++ int request = 0; + + keyp = key_ref_to_ptr(key_ref); + if (keyp == NULL) +@@ -3531,7 +3533,11 @@ static int smack_key_permission(key_ref_t key_ref, + ad.a.u.key_struct.key = keyp->serial; + ad.a.u.key_struct.key_desc = keyp->description; + #endif +- return smk_access(tkp, keyp->security, MAY_READWRITE, &ad); ++ if (perm & KEY_READ) ++ request = MAY_READ; ++ if (perm & (KEY_WRITE | KEY_LINK | KEY_SETATTR)) ++ request = MAY_WRITE; ++ return smk_access(tkp, keyp->security, request, &ad); + } + #endif /* CONFIG_KEYS */ + +-- +2.1.4 + |