Smack: onlycap limits on CAP_MAC_ADMIN Smack is integrated with the POSIX capabilities scheme, using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to determine if a process is allowed to ignore Smack checks or change Smack related data respectively. Smack provides an additional restriction that if an onlycap value is set by writing to /smack/onlycap only tasks with that Smack label are allowed to use CAP_MAC_OVERRIDE. This change adds CAP_MAC_ADMIN as a capability that is affected by the onlycap mechanism. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

commit: 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e [log] [tgz]
author: Casey Schaufler <casey@schaufler-ca.com> Tue Jun 05 15:28:30 2012 -0700
committer: Casey Schaufler <casey@schaufler-ca.com> Fri Jul 13 15:49:23 2012 -0700
tree: fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50
parent: eb982cb4cf6405b97ea1f9e1d10864981f269d46 [diff] [blame]
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 76feb31..99b3612 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h

@@ -283,6 +283,19 @@
 }
 
 /*
+ * Is the task privileged and allowed to be privileged
+ * by the onlycap rule.
+ */
+static inline int smack_privileged(int cap)
+{
+	if (!capable(cap))
+		return 0;
+	if (smack_onlycap == NULL || smack_onlycap == smk_of_current())
+		return 1;
+	return 0;
+}
+
+/*
  * logging functions
  */
 #define SMACK_AUDIT_DENIED 0x1
commit	1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e	[log] [tgz]
author	Casey Schaufler <casey@schaufler-ca.com>	Tue Jun 05 15:28:30 2012 -0700
committer	Casey Schaufler <casey@schaufler-ca.com>	Fri Jul 13 15:49:23 2012 -0700
tree	fc4b9a2ca7c643a30cbe2260886fdbd969bf2b50
parent	eb982cb4cf6405b97ea1f9e1d10864981f269d46 [diff] [blame]