• Casey Schaufler's avatar
    Smack: Implement lock security mode · c0ab6e56
    Casey Schaufler authored
    Linux file locking does not follow the same rules
    as other mechanisms. Even though it is a write operation
    a process can set a read lock on files which it has open
    only for read access. Two programs with read access to
    a file can use read locks to communicate.
    
    This is not acceptable in a Mandatory Access Control
    environment. Smack treats setting a read lock as the
    write operation that it is. Unfortunately, many programs
    assume that setting a read lock is a read operation.
    These programs are unhappy in the Smack environment.
    
    This patch introduces a new access mode (lock) to address
    this problem. A process with lock access to a file can
    set a read lock. A process with write access to a file can
    set a read lock or a write lock. This prevents a situation
    where processes are granted write access just so they can
    set read locks.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    c0ab6e56
smack_access.c 14.3 KB