diff options
author | Yannick GICQUEL <yannick.gicquel@iot.bzh> | 2015-10-19 15:57:07 +0200 |
---|---|---|
committer | Gerrit Code Review <gerrit@172.30.200.200> | 2015-11-06 15:23:36 +0000 |
commit | ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch) | |
tree | 47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch | |
parent | 1cd8ab18abca96e4ee108f80225058d875b28347 (diff) |
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support
on kernel side. For more details, see file:
meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README
Please note that patches are applied only if "smack" is in the
ditro features. Here are the 2 lines to add in the local.conf
OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"
Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch')
-rw-r--r-- | meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch new file mode 100644 index 0000000..5f78abf --- /dev/null +++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0027-bugfix-patch-for-SMACK.patch @@ -0,0 +1,43 @@ +From 20a88e69ded71ba364c477c824c8173efeab873f Mon Sep 17 00:00:00 2001 +From: Pankaj Kumar <pankaj.k2@samsung.com> +Date: Fri, 13 Dec 2013 15:12:22 +0530 +Subject: [PATCH 27/54] bugfix patch for SMACK + +1. In order to remove any SMACK extended attribute from a file, a user +should have CAP_MAC_ADMIN capability. But user without having this +capability is able to remove SMACK64MMAP security attribute. + +2. While validating size and value of smack extended attribute in +smack_inode_setsecurity hook, wrong error code is returned. + +Signed-off-by: Pankaj Kumar <pamkaj.k2@samsung.com> +Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com> +--- + security/smack/smack_lsm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 91a447a..b47fd5f 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -1018,7 +1018,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) + strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || + strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || + strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || +- strcmp(name, XATTR_NAME_SMACKMMAP)) { ++ strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { + if (!smack_privileged(CAP_MAC_ADMIN)) + rc = -EPERM; + } else +@@ -2156,7 +2156,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, + int rc = 0; + + if (value == NULL || size > SMK_LONGLABEL || size == 0) +- return -EACCES; ++ return -EINVAL; + + skp = smk_import_entry(value, size); + if (skp == NULL) +-- +2.1.4 + |