diff options
| author |   Casey Schaufler <casey@schaufler-ca.com> | 2012-06-05 15:28:30 -0700 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2012-07-13 15:49:23 -0700 |
| commit | 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (patch) | |
| tree | fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50 /security/smack/smack_access.c | |
| parent | Smack: fix smack_new_inode bogosities (diff) | |
| download | linux-dev-1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e.tar.xz linux-dev-1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e.zip | |
Smack: onlycap limits on CAP_MAC_ADMIN
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.
This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack_access.c')
| -rw-r--r-- | security/smack/smack_access.c | 9 |
1 files changed, 2 insertions, 7 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 9f3705e92712..db14689a21e0 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -220,14 +220,9 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) } /* - * Return if a specific label has been designated as the - * only one that gets privilege and current does not - * have that label. + * Allow for priviliged to override policy. */ - if (smack_onlycap != NULL && smack_onlycap != sp) - goto out_audit; - - if (capable(CAP_MAC_OVERRIDE)) + if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) rc = 0; out_audit: |