Smack: Privilege check on key operations Smack: Privilege check on key operations Operations on key objects are subjected to Smack policy even if the process is privileged. This is inconsistent with the general behavior of Smack and may cause issues with authentication by privileged daemons. This patch allows processes with CAP_MAC_OVERRIDE to access keys even if the Smack rules indicate otherwise. Reported-by: Jose Bollo <jobol@nonadev.net> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

commit: d19dfe58b7ecbef3bd0c403c650200c57913ba1b [log] [tgz]
author: Casey Schaufler <casey@schaufler-ca.com> Mon Jan 08 10:25:32 2018 -0800
committer: Casey Schaufler <casey@schaufler-ca.com> Wed Jan 10 09:29:14 2018 -0800
tree: 59ab1001fe590143cda52657a71b5d3087ae6b91
parent: da49b5dad18aad357ab8841ee65d415f683efc6f [diff] [blame]
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 6a71fc7..f7db791 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h

@@ -321,6 +321,7 @@
 void smk_insert_entry(struct smack_known *skp);
 struct smack_known *smk_find_entry(const char *);
 bool smack_privileged(int cap);
+bool smack_privileged_cred(int cap, const struct cred *cred);
 void smk_destroy_label_list(struct list_head *list);
 
 /*
commit	d19dfe58b7ecbef3bd0c403c650200c57913ba1b	[log] [tgz]
author	Casey Schaufler <casey@schaufler-ca.com>	Mon Jan 08 10:25:32 2018 -0800
committer	Casey Schaufler <casey@schaufler-ca.com>	Wed Jan 10 09:29:14 2018 -0800
tree	59ab1001fe590143cda52657a71b5d3087ae6b91
parent	da49b5dad18aad357ab8841ee65d415f683efc6f [diff] [blame]