apfs/linux-apfs
0
0
Fork 0
mirror of https://github.com/linux-apfs/linux-apfs.git synced 2026-05-01 15:00:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

Smack: onlycap limits on CAP_MAC_ADMIN

Browse Source 
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.

This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
This commit is contained in:
Casey Schaufler
2012-06-05 15:28:30 -07:00
parent eb982cb4cf
commit 1880eff77e
4 changed files with 34 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
security/smack/smack_access.c
+2 -7
View File
@@ -220,14 +220,9 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
}
/*
* Return if a specific label has been designated as the
* only one that gets privilege and current does not
* have that label.
* Allow for priviliged to override policy.
*/
if (smack_onlycap != NULL && smack_onlycap != sp)
goto out_audit;
if (capable(CAP_MAC_OVERRIDE))
if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE))
rc = 0;
out_audit: