    smack: fix access permissions for keyring · 5b841bfa
    Zoran Markovic authored
    Function smack_key_permission() only issues smack requests for the
    following operations:
     - KEY_NEED_READ (issues MAY_READ)
     - KEY_NEED_WRITE (issues MAY_WRITE)
     - KEY_NEED_LINK (issues MAY_WRITE)
     - KEY_NEED_SETATTR (issues MAY_WRITE)
    A blank smack request is issued in all other cases, resulting in
    smack access being granted if there is any rule defined between
    subject and object, or denied with -EACCES otherwise.
    
    Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW.
    Fix the logic in the unlikely case when both MAY_READ and
    MAY_WRITE are needed. Validate access permission field for valid
    contents.
    Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com>
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Cc: Casey Schaufler <casey@schaufler-ca.com>
    Cc: James Morris <jmorris@namei.org>
    Cc: "Serge E. Hallyn" <serge@hallyn.com>
smack_lsm.c 118 KB
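
The permission mapping described in the commit message, as a user-space model added here for illustration; it is not the kernel patch or code from smack_lsm.c. The function names `request_before` and `request_after` are hypothetical, the constant values are assumed to mirror the kernel headers of that era, and `-EINVAL` for an invalid permission field is an assumption.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed to mirror include/linux/key.h and include/linux/fs.h. */
#define KEY_NEED_VIEW    0x01
#define KEY_NEED_READ    0x02
#define KEY_NEED_WRITE   0x04
#define KEY_NEED_SEARCH  0x08
#define KEY_NEED_LINK    0x10
#define KEY_NEED_SETATTR 0x20
#define KEY_NEED_ALL     0x3f
#define MAY_WRITE        0x2
#define MAY_READ         0x4

/* Behaviour described as the problem: SEARCH and VIEW produce a blank
 * request (0), and a later assignment overwrites MAY_READ. */
int request_before(unsigned perm)
{
    int request = 0;
    if (perm & KEY_NEED_READ)
        request = MAY_READ;
    if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
        request = MAY_WRITE;
    return request;
}

/* Behaviour described as the fix: validate the field, map SEARCH and VIEW
 * to MAY_READ, and accumulate bits so READ plus WRITE requests both. */
int request_after(unsigned perm)
{
    int request = 0;
    if (perm & ~KEY_NEED_ALL)
        return -EINVAL;            /* assumed error code */
    if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
        request |= MAY_READ;
    if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
        request |= MAY_WRITE;
    return request;
}

int main(void)
{
    /* Constructed inputs: each single permission, READ|WRITE, one invalid bit. */
    unsigned cases[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x06, 0x40 };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("perm 0x%02x: before=%d after=%d\n", cases[i],
               request_before(cases[i]), request_after(cases[i]));
    return 0;
}
```

A `before` value of 0 is the blank request the message refers to, where the outcome depends only on whether any rule exists between subject and object.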