From fffea214abf66a8672cfd6697fae65e743e22f11 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Fri, 14 Mar 2014 17:44:49 +0000 Subject: smack: fix key permission verification For any keyring access type SMACK always used MAY_READWRITE access check. It prevents reading the key with label "_", which should be allowed for anyone. This patch changes default access check to MAY_READ and use MAY_READWRITE in only appropriate cases. Signed-off-by: Dmitry Kasatkin Signed-off-by: David Howells Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'security/smack') diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c47dd8ca019c..8177e7df8c2d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3511,6 +3511,7 @@ static int smack_key_permission(key_ref_t key_ref, struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(cred->security); + int request = 0; keyp = key_ref_to_ptr(key_ref); if (keyp == NULL) @@ -3531,7 +3532,11 @@ static int smack_key_permission(key_ref_t key_ref, ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key_desc = keyp->description; #endif - return smk_access(tkp, keyp->security, MAY_READWRITE, &ad); + if (perm & KEY_NEED_READ) + request = MAY_READ; + if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) + request = MAY_WRITE; + return smk_access(tkp, keyp->security, request, &ad); } #endif /* CONFIG_KEYS */ -- cgit v1.2.3-58-ga151