From 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e Mon Sep 17 00:00:00 2001
From: Casey Schaufler <casey@schaufler-ca.com>
Date: Tue, 5 Jun 2012 15:28:30 -0700
Subject: Smack: onlycap limits on CAP_MAC_ADMIN

Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.

This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/smack/smack.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'security/smack/smack.h')

diff --git a/security/smack/smack.h b/security/smack/smack.h
index 76feb31eb823..99b36124f712 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -282,6 +282,19 @@ static inline char *smk_of_current(void)
 	return smk_of_task(current_security());
 }
 
+/*
+ * Is the task privileged and allowed to be privileged
+ * by the onlycap rule.
+ */
+static inline int smack_privileged(int cap)
+{
+	if (!capable(cap))
+		return 0;
+	if (smack_onlycap == NULL || smack_onlycap == smk_of_current())
+		return 1;
+	return 0;
+}
+
 /*
  * logging functions
  */
-- 
cgit v1.2.3