Smack: fix the subject/object order in smack_ptrace_traceme()
The order of subject/object is currently reversed in smack_ptrace_traceme(). It currently checks whether the tracee has the capability to trace the tracer, and based on that rule decides whether the tracer will be allowed to trace the tracee. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
This commit is contained in:
parent
55dfc5da1a
commit
959e6c7f1e
@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
|
|||||||
*/
|
*/
|
||||||
int smk_access_entry(char *, char *, struct list_head *);
|
int smk_access_entry(char *, char *, struct list_head *);
|
||||||
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
|
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
|
||||||
|
int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
|
||||||
int smk_curacc(char *, u32, struct smk_audit_info *);
|
int smk_curacc(char *, u32, struct smk_audit_info *);
|
||||||
struct smack_known *smack_from_secid(const u32);
|
struct smack_known *smack_from_secid(const u32);
|
||||||
char *smk_parse_smack(const char *string, int len);
|
char *smk_parse_smack(const char *string, int len);
|
||||||
|
@ -192,20 +192,21 @@ out_audit:
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* smk_curacc - determine if current has a specific access to an object
|
* smk_tskacc - determine if a task has a specific access to an object
|
||||||
|
* @tsp: a pointer to the subject task
|
||||||
* @obj_label: a pointer to the object's Smack label
|
* @obj_label: a pointer to the object's Smack label
|
||||||
* @mode: the access requested, in "MAY" format
|
* @mode: the access requested, in "MAY" format
|
||||||
* @a : common audit data
|
* @a : common audit data
|
||||||
*
|
*
|
||||||
* This function checks the current subject label/object label pair
|
* This function checks the subject task's label/object label pair
|
||||||
* in the access rule list and returns 0 if the access is permitted,
|
* in the access rule list and returns 0 if the access is permitted,
|
||||||
* non zero otherwise. It allows that current may have the capability
|
* non zero otherwise. It allows that the task may have the capability
|
||||||
* to override the rules.
|
* to override the rules.
|
||||||
*/
|
*/
|
||||||
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
|
int smk_tskacc(struct task_smack *subject, char *obj_label,
|
||||||
|
u32 mode, struct smk_audit_info *a)
|
||||||
{
|
{
|
||||||
struct task_smack *tsp = current_security();
|
struct smack_known *skp = smk_of_task(subject);
|
||||||
struct smack_known *skp = smk_of_task(tsp);
|
|
||||||
int may;
|
int may;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
|
|||||||
* it can further restrict access.
|
* it can further restrict access.
|
||||||
*/
|
*/
|
||||||
may = smk_access_entry(skp->smk_known, obj_label,
|
may = smk_access_entry(skp->smk_known, obj_label,
|
||||||
&tsp->smk_rules);
|
&subject->smk_rules);
|
||||||
if (may < 0)
|
if (may < 0)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
if ((mode & may) == mode)
|
if ((mode & may) == mode)
|
||||||
@ -241,6 +242,24 @@ out_audit:
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* smk_curacc - determine if current has a specific access to an object
|
||||||
|
* @obj_label: a pointer to the object's Smack label
|
||||||
|
* @mode: the access requested, in "MAY" format
|
||||||
|
* @a : common audit data
|
||||||
|
*
|
||||||
|
* This function checks the current subject label/object label pair
|
||||||
|
* in the access rule list and returns 0 if the access is permitted,
|
||||||
|
* non zero otherwise. It allows that current may have the capability
|
||||||
|
* to override the rules.
|
||||||
|
*/
|
||||||
|
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
|
||||||
|
{
|
||||||
|
struct task_smack *tsp = current_security();
|
||||||
|
|
||||||
|
return smk_tskacc(tsp, obj_label, mode, a);
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_AUDIT
|
#ifdef CONFIG_AUDIT
|
||||||
/**
|
/**
|
||||||
* smack_str_from_perm : helper to transalate an int to a
|
* smack_str_from_perm : helper to transalate an int to a
|
||||||
|
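Review bot: The kernel-doc for the new smk_tskacc() names its first parameter `@tsp` while the signature declares it `subject`, and describes it as "a pointer to the subject task" although the type is `struct task_smack *`; kernel-doc will report the name mismatch and the wording invites a caller to pass a task_struct instead of its security blob. Change the line to `* @subject: a pointer to the subject's task_smack (not the task_struct)`. The body of smk_tskacc() is spread over the three hunks of this section and its middle part is outside the shown lines; the `int smk_curacc(...)` context in the second hunk header is stale git context, not a problem in the code.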
@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
|
|||||||
if (rc != 0)
|
if (rc != 0)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
skp = smk_of_task(task_security(ptp));
|
skp = smk_of_task(current_security());
|
||||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
|
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
|
||||||
smk_ad_setfield_u_tsk(&ad, ptp);
|
smk_ad_setfield_u_tsk(&ad, ptp);
|
||||||
|
|
||||||
rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad);
|
rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
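Review bot: The new line `rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);` passes `ptp`, a `struct task_struct *` per the hunk header, as the first argument of smk_tskacc(), which this commit declares as taking `struct task_smack *subject` and which reads `smk_of_task(subject)` and `&subject->smk_rules` from it. That is an incompatible pointer conversion: at best the compiler warns, and the rule lookup would presumably read task_smack fields at the address of a task_struct, so the tracer's label is not what gets checked. The subject/object order is now right; what is missing is the conversion the removed line still did, i.e. `rc = smk_tskacc(task_security(ptp), skp->smk_known, MAY_READWRITE, &ad);`. smack_ptrace_traceme() starts before this hunk.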