Commit 19f2e267 authored by Linus Torvalds

Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull smack updates from James Morris:
 "Two Smack patches for 4.21.

  Jose's patch adds missing documentation and Zoran's fleshes out the
  access checks on keyrings"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: Improve Documentation
  smack: fix access permissions for keyring
parents 1ac5cd49 20bb4cb4
...@@ -818,6 +818,10 @@ Smack supports some mount options: ...@@ -818,6 +818,10 @@ Smack supports some mount options:
specifies a label to which all labels set on the specifies a label to which all labels set on the
filesystem must have read access. Not yet enforced. filesystem must have read access. Not yet enforced.
smackfstransmute=label:
behaves exactly like smackfsroot except that it also
sets the transmute flag on the root of the mount
These mount options apply to all file system types. These mount options apply to all file system types.
Smack auditing Smack auditing
......
...@@ -4333,6 +4333,12 @@ static int smack_key_permission(key_ref_t key_ref, ...@@ -4333,6 +4333,12 @@ static int smack_key_permission(key_ref_t key_ref,
int request = 0; int request = 0;
int rc; int rc;
/*
* Validate requested permissions
*/
if (perm & ~KEY_NEED_ALL)
return -EINVAL;
keyp = key_ref_to_ptr(key_ref); keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL) if (keyp == NULL)
return -EINVAL; return -EINVAL;
...@@ -4356,10 +4362,10 @@ static int smack_key_permission(key_ref_t key_ref, ...@@ -4356,10 +4362,10 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description; ad.a.u.key_struct.key_desc = keyp->description;
#endif #endif
if (perm & KEY_NEED_READ) if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
request = MAY_READ; request |= MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
request = MAY_WRITE; request |= MAY_WRITE;
rc = smk_access(tkp, keyp->security, request, &ad); rc = smk_access(tkp, keyp->security, request, &ad);
rc = smk_bu_note("key access", tkp, keyp->security, request, rc); rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
return rc; return rc;
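Review bot: A `perm` of 0 passes the new `perm & ~KEY_NEED_ALL` check and matches neither of the two mask tests, so `request` is still 0 when it reaches `smk_access()`. What an empty request yields there is not visible in these hunks, so that path should be decided explicitly rather than left implicit. If callers can pass 0, either reject or short-circuit it next to the mask check, or document it above the two tests, e.g. `/* perm == 0 leaves request empty: no Smack access mode is requested */`. Folding `KEY_NEED_SEARCH` and `KEY_NEED_VIEW` into `MAY_READ` is a policy choice that also merits a one-line comment stating why metadata-level operations require read access to the key's label. The body of smack_key_permission starts before the first hunk and continues between the two hunks.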
......