• Seth Forshee's avatar
    Smack: Handle labels consistently in untrusted mounts · a4c35a50
    Seth Forshee authored
    The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
    differently in untrusted mounts. This is confusing and
    potentically problematic. Change this to handle them all the same
    way that SMACK64 is currently handled; that is, read the label
    from disk and check it at use time. For SMACK64 and SMACK64MMAP
    access is denied if the label does not match smk_root. To be
    consistent with suid, a SMACK64EXEC label which does not match
    smk_root will still allow execution of the file but will not run
    with the label supplied in the xattr.
    Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
    Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    a4c35a50
smack_lsm.c 116 KB