From ede19ea0c47fb23f3fc779833d1e57cf76f3371e Mon Sep 17 00:00:00 2001
From: Yannick GICQUEL
Date: Mon, 19 Oct 2015 15:57:07 +0200
Subject: kernel: smack security backport from kernel 4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Here is the backport of all patches relating to smack support on kernel side.
For more details, see file:
meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README

Please note that patches are applied only if "smack" is in the ditro features.
Here are the 2 lines to add in the local.conf
OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"

Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL
Signed-off-by: José Bollo
---
 ...he-subject-object-order-in-smack_ptrace_t.patch | 118 +++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch

(limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch')

diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch
new file mode 100644
index 0000000..a2fc123
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0024-Smack-fix-the-subject-object-order-in-smack_ptrace_t.patch
@@ -0,0 +1,118 @@
+From bf371cf1c4093db6a7a9c201edb6ca0e4231055c Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk
+Date: Tue, 11 Mar 2014 17:07:04 +0100
+Subject: [PATCH 24/54] Smack: fix the subject/object order in
+ smack_ptrace_traceme()
+
+The order of subject/object is currently reversed in
+smack_ptrace_traceme(). It is currently checked if the tracee has a
+capability to trace tracer and according to this rule a decision is made
+whether the tracer will be allowed to trace tracee.
+
+Signed-off-by: Lukasz Pawelczyk
+Signed-off-by: Rafal Krypa
+---
+ security/smack/smack.h | 1 +
+ security/smack/smack_access.c | 33 ++++++++++++++++++++++++++-------
+ security/smack/smack_lsm.c | 4 ++--
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index d072fd3..b9dfc4e 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
+ */
+ int smk_access_entry(char *, char *, struct list_head *);
+ int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
++int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
+ int smk_curacc(char *, u32, struct smk_audit_info *);
+ struct smack_known *smack_from_secid(const u32);
+ char *smk_parse_smack(const char *string, int len);
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index 14293cd..f161deb 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -192,20 +192,21 @@ out_audit:
+ }
+
+ /**
+- * smk_curacc - determine if current has a specific access to an object
++ * smk_tskacc - determine if a task has a specific access to an object
++ * @tsp: a pointer to the subject task
+ * @obj_label: a pointer to the object's Smack label
+ * @mode: the access requested, in "MAY" format
+ * @a : common audit data
+ *
+- * This function checks the current subject label/object label pair
++ * This function checks the subject task's label/object label pair
+ * in the access rule list and returns 0 if the access is permitted,
+- * non zero otherwise. It allows that current may have the capability
++ * non zero otherwise. It allows that the task may have the capability
+ * to override the rules.
+ */
+-int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++int smk_tskacc(struct task_smack *subject, char *obj_label,
++ u32 mode, struct smk_audit_info *a)
+ {
+- struct task_smack *tsp = current_security();
+- struct smack_known *skp = smk_of_task(tsp);
++ struct smack_known *skp = smk_of_task(subject);
+ int may;
+ int rc;
+
+@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
+ * it can further restrict access.
+ */
+ may = smk_access_entry(skp->smk_known, obj_label,
+- &tsp->smk_rules);
++ &subject->smk_rules);
+ if (may < 0)
+ goto out_audit;
+ if ((mode & may) == mode)
+@@ -241,6 +242,24 @@ out_audit:
+ return rc;
+ }
+
++/**
++ * smk_curacc - determine if current has a specific access to an object
++ * @obj_label: a pointer to the object's Smack label
++ * @mode: the access requested, in "MAY" format
++ * @a : common audit data
++ *
++ * This function checks the current subject label/object label pair
++ * in the access rule list and returns 0 if the access is permitted,
++ * non zero otherwise. It allows that current may have the capability
++ * to override the rules.
++ */
++int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
++{
++ struct task_smack *tsp = current_security();
++
++ return smk_tskacc(tsp, obj_label, mode, a);
++}
++
+ #ifdef CONFIG_AUDIT
+ /**
+ * smack_str_from_perm : helper to transalate an int to a
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b093463..0bea427 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+ if (rc != 0)
+ return rc;
+
+- skp = smk_of_task(task_security(ptp));
++ skp = smk_of_task(current_security());
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, ptp);
+
+- rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad);
++ rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
+ return rc;
+ }
+
+--
+2.1.4
+
-- cgit 1.2.3-korg
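Review bot: In the smack_lsm.c hunk of the carried patch, `rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);` passes `ptp`, which the hunk header declares as `struct task_struct *ptp`, where the new smk_tskacc prototype in smack.h takes a `struct task_smack *`; that is an incompatible pointer type, and smk_tskacc then reads `smk_of_task(subject)` and `&subject->smk_rules` from a task_struct rather than from the tracer's security blob, so the ptrace access decision is made on the wrong object. The removed line shows this file already obtains that blob with `task_security(ptp)`, so the call should be `rc = smk_tskacc(task_security(ptp), skp->smk_known, MAY_READWRITE, &ad);`. Since the backport is shipped as a patch file, the correction should be carried with it (or a later upstream fix added to the series) rather than depending on someone noticing the incompatible-pointer warning in a kernel build; I have not verified which upstream commit resolved this. smack_ptrace_traceme begins outside the inner hunk, and the hunk's `rc` pre-check and `ad` declaration are not visible here.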