git.baikalelectronics.ru Git - kernel.git/commit
Smack: Handle labels consistently in untrusted mounts
author Seth Forshee <seth.forshee@canonical.com>
Tue, 26 Apr 2016 19:36:22 +0000 (14:36 -0500)
committer Eric W. Biederman <ebiederm@xmission.com>
Fri, 24 Jun 2016 16:02:22 +0000 (11:02 -0500)
commit b4b9c6f00b7e362e5b014cf71aac9395c550f0d0
tree 4d1667543575f79ec9e1d905081fed3aedf3e531
parent f300f6d58c8c4587237edcb4eeaa400f8f828998
Smack: Handle labels consistently in untrusted mounts

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
differently in untrusted mounts. This is confusing and
potentially problematic. Change this to handle them all the same
way that SMACK64 is currently handled; that is, read the label
from disk and check it at use time. For SMACK64 and SMACK64MMAP
access is denied if the label does not match smk_root. To be
consistent with suid, a SMACK64EXEC label which does not match
smk_root will still allow execution of the file but will not run
with the label supplied in the xattr.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
security/smack/smack_lsm.c
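
The policy in the commit message above, as an added user-space model in C. It is not code from this commit or from security/smack/smack_lsm.c. The struct names, function names and sample labels are hypothetical, and the handling of trusted mounts and absent xattrs is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the policy in the commit message. The struct and
 * function names are hypothetical, not from security/smack/smack_lsm.c. */
struct mnt_model  { int untrusted; const char *smk_root; };
/* On-disk xattr values; NULL means the xattr is absent (assumption:
 * an absent SMACK64MMAP/SMACK64EXEC imposes nothing in this model). */
struct file_model { const char *smack64, *smack64exec, *smack64mmap; };

/* A label read from an untrusted mount is accepted only if it equals
 * smk_root. Assumption: trusted mounts honour on-disk labels as-is. */
static int label_trusted(const struct mnt_model *m, const char *label)
{
    return !m->untrusted || (label && strcmp(label, m->smk_root) == 0);
}

/* SMACK64: 0 = denied by the mount check, 1 = go on to normal Smack rules. */
int access_passes_mount_check(const struct mnt_model *m, const struct file_model *f)
{
    return label_trusted(m, f->smack64);
}

/* SMACK64MMAP: same use-time check as SMACK64. */
int mmap_passes_mount_check(const struct mnt_model *m, const struct file_model *f)
{
    return f->smack64mmap == NULL || label_trusted(m, f->smack64mmap);
}

/* SMACK64EXEC: execution is never refused here; a label that does not
 * match smk_root is ignored and the task keeps its own label. */
const char *label_after_exec(const struct mnt_model *m, const struct file_model *f,
                             const char *task_label)
{
    if (f->smack64exec == NULL || !label_trusted(m, f->smack64exec))
        return task_label;
    return f->smack64exec;
}

int main(void)
{
    /* Constructed sample: untrusted mount whose smk_root is "User". */
    struct mnt_model  m = { 1, "User" };
    struct file_model f = { "User", "System", "System" };
    printf("access=%d mmap=%d exec-label=%s\n",
           access_passes_mount_check(&m, &f), mmap_passes_mount_check(&m, &f),
           label_after_exec(&m, &f, "User"));
    return 0;
}
```
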