diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2018-01-08 10:25:32 -0800 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2018-01-10 09:29:14 -0800 |
commit | d19dfe58b7ecbef3bd0c403c650200c57913ba1b (patch) | |
tree | 59ab1001fe590143cda52657a71b5d3087ae6b91 /security/smack/smack_lsm.c | |
parent | da49b5dad18aad357ab8841ee65d415f683efc6f (diff) | |
download | lwn-d19dfe58b7ecbef3bd0c403c650200c57913ba1b.tar.gz lwn-d19dfe58b7ecbef3bd0c403c650200c57913ba1b.zip |
Smack: Privilege check on key operations
Smack: Privilege check on key operations
Operations on key objects are subjected to Smack policy
even if the process is privileged. This is inconsistent
with the general behavior of Smack and may cause issues
with authentication by privileged daemons. This patch
allows processes with CAP_MAC_OVERRIDE to access keys
even if the Smack rules indicate otherwise.
Reported-by: Jose Bollo <jobol@nonadev.net>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r-- | security/smack/smack_lsm.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 30f2c3d1c11c..03fdecba93bb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, */ if (tkp == NULL) return -EACCES; + + if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) + return 0; + #ifdef CONFIG_AUDIT smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); ad.a.u.key_struct.key = keyp->serial; |