Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / c0d77c884461fc0dec0411e49797dc3f3651c31b^! / . / security / smack / smack.h
commitc0d77c884461fc0dec0411e49797dc3f3651c31b[log] [tgz]
authorRafal Krypa <r.krypa@samsung.com>Tue Jun 02 11:23:48 2015 +0200
committerCasey Schaufler <casey@schaufler-ca.com>Tue Jun 02 11:53:42 2015 -0700
treec526c2ae841b0fc358d29af69cddcdb63ae72431
parent01fa8474fba7e80f6a2ac31d0790385a993cb7ba [diff] [blame]
Smack: allow multiple labels in onlycap

Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
processes running with the configured label. But having single privileged
label is not enough in some real use cases. On a complex system like Tizen,
there maybe few programs that need to configure Smack policy in run-time
and running them all with a single label is not always practical.
This patch extends onlycap feature for multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

diff --git a/security/smack/smack.h b/security/smack/smack.h
index b8c1a86..244e035 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h

@@ -138,6 +138,11 @@
 	struct smack_known	*smk_out;	/* outgoing label */
 };
 
+struct smack_onlycap {
+	struct list_head	list;
+	struct smack_known	*smk_label;
+};
+
 /*
  * Mount options
  */
@@ -249,6 +254,7 @@
 struct smack_known *smk_import_entry(const char *, int);
 void smk_insert_entry(struct smack_known *skp);
 struct smack_known *smk_find_entry(const char *);
+int smack_privileged(int cap);
 
 /*
  * Shared data.
@@ -257,7 +263,6 @@
 extern int smack_cipso_direct;
 extern int smack_cipso_mapped;
 extern struct smack_known *smack_net_ambient;
-extern struct smack_known *smack_onlycap;
 extern struct smack_known *smack_syslog_label;
 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 extern struct smack_known *smack_unconfined;
@@ -276,6 +281,9 @@
 extern struct list_head smack_known_list;
 extern struct list_head smk_netlbladdr_list;
 
+extern struct mutex     smack_onlycap_lock;
+extern struct list_head smack_onlycap_list;
+
 #define SMACK_HASH_SLOTS 16
 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
 
@@ -332,21 +340,6 @@
 }
 
 /*
- * Is the task privileged and allowed to be privileged
- * by the onlycap rule.
- */
-static inline int smack_privileged(int cap)
-{
-	struct smack_known *skp = smk_of_current();
-
-	if (!capable(cap))
-		return 0;
-	if (smack_onlycap == NULL || smack_onlycap == skp)
-		return 1;
-	return 0;
-}
-
-/*
  * logging functions
  */
 #define SMACK_AUDIT_DENIED 0x1