en it existed, kernel returned
EPERM, when it didn't - ESRCH. The only effect of policy check in such
case is noise in audit logs.
This change lets Smack silently ignore kill() invocations with sig == 0.
Signed-off-by: Rafal Krypa
---
security/smack/smack_lsm.c | 3 +++
1 file changed, 3
e one used for onlycap
multiple labels are accepted, separated by space, which
replace the previous list upon write
Signed-off-by: Zbigniew Jasinski
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 10 ++
security/smack/smack.h | 4 +-
security/smack/smack_acc
urity/Smack.txt
Changes in v3:
* squashed into one commit
Changes in v4:
* switch from global list to per-task list
* since the per-task list is accessed only by the task itself
there is no need to use synchronization mechanisms on it
Signed-off-by: Zbigniew Jasinski
Signed-off-by: Rafal
running them all with a single label is not always practical.
This patch extends onlycap feature for multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 6 +-
security/sma
;] userspace+0x442/0x548
[<6001aa77>] ? interrupt_end+0x0/0x80
[<6001daae>] ? copy_chunk_to_user+0x0/0x2b
[<6002cb6b>] ? save_registers+0x1f/0x39
[<60032ef7>] ? arch_prctl+0xf5/0x170
[<6001a92d>] fork_handler+0x85/0x87
Signed-off-by: Rafal Krypa
---
security/s
critical sections. Failing to do that could lead to memory races and
undefined behaviour in smackfs.
As a bonus, first patch also fixes a bug in smackfs that was found by
coincidence.
Rafal Krypa (2):
Smack: fix seq operations in smackfs
Smack: allow multiple labels in onlycap
Documentation
During UDS connection check, both sides are checked for write access to
the other side. But only the first check is performed with audit support.
The second one didn't produce any audit logs. This simple patch fixes that.
Signed-off-by: Rafal Krypa
---
security/smack/smack_lsm.c | 2 +-
1
terminated.
During investigation of all other calls leading to smk_parse_smack()
another similar issue was found in smk_write_onlycap().
This patch fixes both cases by ensuring that smk_parse_smack() handles
zero-length labels.
Signed-off-by: Rafal Krypa
---
security/smack/smack_lsm
characters and properly
return number of processed bytes. In case when user buffer is larger, it
will be additionally truncated. All characters after last \n will not get
parsed to avoid partial rule near input buffer boundary.
Signed-off-by: Rafal Krypa
---
security/smack/smackfs.c | 167
. This way was inefficient, non-atomic
and unnecessarily difficult.
New interface is intended to ease such modifications.
Changes in v2:
- dropped patches for smackfs seq list operations
- changed modification approach to simple integer assignment
Rafal Krypa (1):
Smack: add support for modification
ermissions will be left unchanged.
If no rule previously existed, it will be created.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 11 ++
security/smack/smackfs.c | 249 ++---
. This way was inefficient, non-atomic
and unnecessarily difficult.
New interface is intended to ease such modifications.
Changes in v2:
- dropped patches for smackfs seq list operations
- changed modification approach to simple integer assignment
Rafal Krypa (1):
Smack: add support for
ermissions will be left unchanged.
If no rule previously existed, it will be created.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 11 ++
security/smack/smackfs.c | 219 +++--
master list. Appropriate seq_file functions have been
rewritten.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
security/smack/smackfs.c | 101 +-
1 file changed, 54 insertions(+), 47 deletions(-)
diff --git a
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
security/smack/smackfs.c | 50 +++---
1 file changed, 20 insertions(+), 30 deletions(-)
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index
smackfs seq operations code.
3. Add support for modification of existing rules
The actual patch with new interface.
A previous version of this one was posted previously
(http://thread.gmane.org/gmane.linux.documentation/6759),
but was proven to be wrong.
Rafal Krypa (3):
Smack: use RCU
This fixes audit logs for granting or denial of permissions to show
information about transmute bit.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
security/smack/smack_access.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/smack
Special file /smack/revoke-subject will silently accept labels that are not
present on the subject label list. Nothing has to be done for such labels,
as there are no rules for them to revoke.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
security
ermissions will be left unchanged.
If no rule previously existed, it will be created.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 11 +++
security/smack/smackfs.c | 152 ---
Add /smack/revoke-subject special file. Writing a SMACK label to this file will
set the access to '-' for all access rules with that subject label.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa
---
Documentation/security/Smack.txt | 3 ++
ted when /smack/load or /smack/load2 is
read. This may cause clutter if many rules were disabled.
As a rule with access set to '-' is equivalent to no rule at all, they
may be safely hidden from the listing.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Ra
23 matches