+8 -4

security/smack/smack.h

reviewed

··· 177 177 #define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */ 178 178 179 179 /* 180 180 - * Flag for transmute access 180 180 + * Flags for untraditional access modes. 181 181 + * It shouldn't be necessary to avoid conflicts with definitions 182 182 + * in fs.h, but do so anyway. 181 183 */ 182 182 - #define MAY_TRANSMUTE 64 184 184 + #define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */ 185 185 + #define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */ 186 186 + 183 187 /* 184 188 * Just to make the common cases easier to deal with 185 189 */ ··· 192 188 #define MAY_NOT 0 193 189 194 190 /* 195 195 - * Number of access types used by Smack (rwxat) 191 191 + * Number of access types used by Smack (rwxatl) 196 192 */ 197 197 - #define SMK_NUM_ACCESS_TYPE 5 193 193 + #define SMK_NUM_ACCESS_TYPE 6 198 194 199 195 /* SMACK data */ 200 196 struct smack_audit_data {

+10

security/smack/smack_access.c

reviewed

··· 84 84 * 85 85 * Do the object check first because that is more 86 86 * likely to differ. 87 87 + * 88 88 + * Allowing write access implies allowing locking. 87 89 */ 88 90 int smk_access_entry(char *subject_label, char *object_label, 89 91 struct list_head *rule_list) ··· 101 99 } 102 100 } 103 101 102 102 + /* 103 103 + * MAY_WRITE implies MAY_LOCK. 104 104 + */ 105 105 + if ((may & MAY_WRITE) == MAY_WRITE) 106 106 + may |= MAY_LOCK; 104 107 return may; 105 108 } 106 109 ··· 252 245 static inline void smack_str_from_perm(char *string, int access) 253 246 { 254 247 int i = 0; 248 248 + 255 249 if (access & MAY_READ) 256 250 string[i++] = 'r'; 257 251 if (access & MAY_WRITE) ··· 263 255 string[i++] = 'a'; 264 256 if (access & MAY_TRANSMUTE) 265 257 string[i++] = 't'; 258 258 + if (access & MAY_LOCK) 259 259 + string[i++] = 'l'; 266 260 string[i] = '\0'; 267 261 } 268 262 /**

+8 -3

security/smack/smack_lsm.c

reviewed

··· 185 185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 186 186 smk_ad_setfield_u_tsk(&ad, ctp); 187 187 188 188 - rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); 188 188 + rc = smk_curacc(skp->smk_known, mode, &ad); 189 189 return rc; 190 190 } 191 191 ··· 1146 1146 * @file: the object 1147 1147 * @cmd: unused 1148 1148 * 1149 1149 - * Returns 0 if current has write access, error code otherwise 1149 1149 + * Returns 0 if current has lock access, error code otherwise 1150 1150 */ 1151 1151 static int smack_file_lock(struct file *file, unsigned int cmd) 1152 1152 { ··· 1154 1154 1155 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1156 1156 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1157 1157 - return smk_curacc(file->f_security, MAY_WRITE, &ad); 1157 1157 + return smk_curacc(file->f_security, MAY_LOCK, &ad); 1158 1158 } 1159 1159 1160 1160 /** ··· 1178 1178 1179 1179 switch (cmd) { 1180 1180 case F_GETLK: 1181 1181 + break; 1181 1182 case F_SETLK: 1182 1183 case F_SETLKW: 1184 1184 + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1185 1185 + smk_ad_setfield_u_fs_path(&ad, file->f_path); 1186 1186 + rc = smk_curacc(file->f_security, MAY_LOCK, &ad); 1187 1187 + break; 1183 1188 case F_SETOWN: 1184 1189 case F_SETSIG: 1185 1190 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);

+8 -2

security/smack/smackfs.c

reviewed

··· 139 139 * SMK_LOADLEN: Smack rule length 140 140 */ 141 141 #define SMK_OACCESS "rwxa" 142 142 - #define SMK_ACCESS "rwxat" 142 142 + #define SMK_ACCESS "rwxatl" 143 143 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) 144 144 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) 145 145 #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) ··· 281 281 case 't': 282 282 case 'T': 283 283 perm |= MAY_TRANSMUTE; 284 284 + break; 285 285 + case 'l': 286 286 + case 'L': 287 287 + perm |= MAY_LOCK; 284 288 break; 285 289 default: 286 290 return perm; ··· 456 452 /* 457 453 * Minor hack for backward compatibility 458 454 */ 459 459 - if (count != SMK_OLOADLEN && count != SMK_LOADLEN) 455 455 + if (count < SMK_OLOADLEN || count > SMK_LOADLEN) 460 456 return -EINVAL; 461 457 } else { 462 458 if (count >= PAGE_SIZE) { ··· 596 592 seq_putc(s, 'a'); 597 593 if (srp->smk_access & MAY_TRANSMUTE) 598 594 seq_putc(s, 't'); 595 595 + if (srp->smk_access & MAY_LOCK) 596 596 + seq_putc(s, 'l'); 599 597 600 598 seq_putc(s, '\n'); 601 599 }