Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch118
1 files changed, 118 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch
new file mode 100644
index 0000000..a2fc123
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch
@@ -0,0 +1,118 @@
+From bf371cf1c4093db6a7a9c201edb6ca0e4231055c Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Date: Tue, 11 Mar 2014 17:07:04 +0100
+Subject: [PATCH 24/54] Smack: fix the subject/object order in
+ smack_ptrace_traceme()
+
+The order of subject/object is currently reversed in
+smack_ptrace_traceme(). It is currently checked if the tracee has a
+capability to trace tracer and according to this rule a decision is made
+whether the tracer will be allowed to trace tracee.
+
+Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ security/smack/smack.h | 1 +
+ security/smack/smack_access.c | 33 ++++++++++++++++++++++++++-------
+ security/smack/smack_lsm.c | 4 ++--
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index d072fd3..b9dfc4e 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
+ */
+ int smk_access_entry(char *, char *, struct list_head *);
+ int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
++int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
+ int smk_curacc(char *, u32, struct smk_audit_info *);
+ struct smack_known *smack_from_secid(const u32);
+ char *smk_parse_smack(const char *string, int len);
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index 14293cd..f161deb 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -192,20 +192,21 @@ out_audit:
+ }
+
+ /**
+- * smk_curacc - determine if current has a specific access to an object
++ * smk_tskacc - determine if a task has a specific access to an object
++ * @tsp: a pointer to the subject task
+ * @obj_label: a pointer to the object's Smack label
+ * @mode: the access requested, in "MAY" format
+ * @a : common audit data
+ *
+- * This function checks the current subject label/object label pair
++ * This function checks the subject task's label/object label pair
+ * in the access rule list and returns 0 if the access is permitted,
+- * non zero otherwise. It allows that current may have the capability
++ * non zero otherwise. It allows that the task may have the capability
+ * to override the rules.
+ */
+-int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++int smk_tskacc(struct task_smack *subject, char *obj_label,
++ u32 mode, struct smk_audit_info *a)
+ {
+- struct task_smack *tsp = current_security();
+- struct smack_known *skp = smk_of_task(tsp);
++ struct smack_known *skp = smk_of_task(subject);
+ int may;
+ int rc;
+
+@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
+ * it can further restrict access.
+ */
+ may = smk_access_entry(skp->smk_known, obj_label,
+- &tsp->smk_rules);
++ &subject->smk_rules);
+ if (may < 0)
+ goto out_audit;
+ if ((mode & may) == mode)
+@@ -241,6 +242,24 @@ out_audit:
+ return rc;
+ }
+
++/**
++ * smk_curacc - determine if current has a specific access to an object
++ * @obj_label: a pointer to the object's Smack label
++ * @mode: the access requested, in "MAY" format
++ * @a : common audit data
++ *
++ * This function checks the current subject label/object label pair
++ * in the access rule list and returns 0 if the access is permitted,
++ * non zero otherwise. It allows that current may have the capability
++ * to override the rules.
++ */
++int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++{
++ struct task_smack *tsp = current_security();
++
++ return smk_tskacc(tsp, obj_label, mode, a);
++}
++
+ #ifdef CONFIG_AUDIT
+ /**
+ * smack_str_from_perm : helper to transalate an int to a
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b093463..0bea427 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+ if (rc != 0)
+ return rc;
+
+- skp = smk_of_task(task_security(ptp));
++ skp = smk_of_task(current_security());
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, ptp);
+
+- rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad);
++ rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
+ return rc;
+ }
+
+--
+2.1.4
+
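Review bot: In the smack_lsm.c section of the added patch, `smack_ptrace_traceme()` passes `ptp`, a `struct task_struct *`, as the first argument of `smk_tskacc()`, which the smack.h section declares as taking a `struct task_smack *`. Inside `smk_tskacc()` that pointer feeds `smk_of_task(subject)` and `&subject->smk_rules`, so the ptrace access decision would be computed from task_struct memory interpreted as a Smack security blob, not from the tracer's label and rule list. The removed line obtained the blob with `task_security(ptp)`, so the call presumably should read `rc = smk_tskacc(task_security(ptp), skp->smk_known, MAY_READWRITE, &ad);`, unless a later patch in this 54-patch series already replaces the call. Separately, the kernel-doc added for `smk_tskacc()` documents `@tsp` while the signature names the parameter `subject`; one of the two should be renamed. The body of `smack_ptrace_traceme()` starts outside the nested hunk, so the surrounding declarations are not visible here.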