Smack: Fix wrong semantics in smk_access_entry()

In the smk_access_entry() function, if no matching rule is found in the rust_list, a negative error code will be used to perform bit operations with the MAY_ enumeration value. This is semantically wrong. This patch fixes this issue. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
author: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> 2021-07-15 17:17:24 +0800
committer: Casey Schaufler <casey@schaufler-ca.com> 2021-07-20 09:17:36 -0700
commit: 6d14f5c7028eea70760df284057fe198ce7778dd (patch)
tree: 46d0550c4a1377d867486aa00653c3b65cbaf800 /security
parent: 2734d6c1b1a089fb593ef6a23d4b70903526fe0c (diff)
1 files changed, 8 insertions, 9 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 1f391f6a3d47..d2186e2757be 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -81,23 +81,22 @@ int log_policy = SMACK_AUDIT_DENIED;
 int smk_access_entry(char *subject_label, char *object_label,
 			struct list_head *rule_list)
 {
-	int may = -ENOENT;
 	struct smack_rule *srp;
 
 	list_for_each_entry_rcu(srp, rule_list, list) {
 		if (srp->smk_object->smk_known == object_label &&
 		    srp->smk_subject->smk_known == subject_label) {
-			may = srp->smk_access;
-			break;
+			int may = srp->smk_access;
+			/*
+			 * MAY_WRITE implies MAY_LOCK.
+			 */
+			if ((may & MAY_WRITE) == MAY_WRITE)
+				may |= MAY_LOCK;
+			return may;
 		}
 	}
 
-	/*
-	 * MAY_WRITE implies MAY_LOCK.
-	 */
-	if ((may & MAY_WRITE) == MAY_WRITE)
-		may |= MAY_LOCK;
-	return may;
+	return -ENOENT;
 }
 
 /**
author	Tianjia Zhang <tianjia.zhang@linux.alibaba.com>	2021-07-15 17:17:24 +0800
committer	Casey Schaufler <casey@schaufler-ca.com>	2021-07-20 09:17:36 -0700
commit	6d14f5c7028eea70760df284057fe198ce7778dd (patch)
tree	46d0550c4a1377d867486aa00653c3b65cbaf800 /security
parent	2734d6c1b1a089fb593ef6a23d4b70903526fe0c (diff)