From 676dac4b1bee0469d6932f698aeb77e8489f5861 Mon Sep 17 00:00:00 2001
From: Casey Schaufler
Date: Thu, 2 Dec 2010 06:43:39 -0800
Subject: This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running. Exception: in smack_task_wait() child task is checked for write access to parent task using label inherited from the task that forked it. Fixed issues from previous submit: - SMACK64EXEC was not read when SMACK64 was not set. - inode security blob was not updated after setting SMACK64EXEC - inode security blob was not updated when removing SMACK64EXEC
---
 security/smack/smack_access.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'security/smack/smack_access.c')
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index f4fac64c4da..42becbc1ce3 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -185,7 +185,7 @@ out_audit:
 int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
 {
 int rc;
- char *sp = current_security();
+ char *sp = smk_of_current();
 rc = smk_access(sp, obj_label, mode, NULL);
 if (rc == 0)
@@ -196,7 +196,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
 * only one that gets privilege and current does not
 * have that label.
 */
- if (smack_onlycap != NULL && smack_onlycap != current->cred->security)
+ if (smack_onlycap != NULL && smack_onlycap != sp)
 goto out_audit;
 if (capable(CAP_MAC_OVERRIDE))
-- cgit v1.2.3
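Review bot: The declaration `char *sp = smk_of_current();` in smk_curacc() does not say which of the task's labels is used as the subject, and the commit message says a task now has both a running label and one inherited at fork. A comment on that line would settle it for the next reader, e.g. `/* subject: the label the task is running with, not the one inherited at fork */`. That wording is inferred from the commit message, because smk_of_current() is defined outside this file's diff. The function's kernel-doc block sits above the hunk and is not visible here, so it may need the same sentence, and the body of smk_curacc() continues past the hunk.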
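Review bot: The test `smack_onlycap != sp` compares label addresses rather than label text, so it is only correct if smk_of_current() returns the same stored copy of the label that smack_onlycap points to. Neither definition is visible in this diff, so this should be confirmed and recorded in the comment above the check, e.g. `Labels are compared by address; both sides must be the stored copy of the label.` The gate in front of `capable(CAP_MAC_OVERRIDE)` now follows the running label, which the commit message says can come from SMACK64EXEC. The code that writes that attribute is outside this file and should be checked to require privilege. The enclosing function starts and ends outside the hunk.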