Commit 959e6c7f authored by Lukasz Pawelczyk's avatar Lukasz Pawelczyk Committed by Casey Schaufler

Smack: fix the subject/object order in smack_ptrace_traceme()

The order of subject/object is currently reversed in
smack_ptrace_traceme(). It is currently checked if the tracee has a
capability to trace tracer and according to this rule a decision is made
whether the tracer will be allowed to trace tracee.
Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
parent 55dfc5da
...@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *); ...@@ -225,6 +225,7 @@ struct inode_smack *new_inode_smack(char *);
*/ */
int smk_access_entry(char *, char *, struct list_head *); int smk_access_entry(char *, char *, struct list_head *);
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *); int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
int smk_curacc(char *, u32, struct smk_audit_info *); int smk_curacc(char *, u32, struct smk_audit_info *);
struct smack_known *smack_from_secid(const u32); struct smack_known *smack_from_secid(const u32);
char *smk_parse_smack(const char *string, int len); char *smk_parse_smack(const char *string, int len);
......
...@@ -192,20 +192,21 @@ int smk_access(struct smack_known *subject_known, char *object_label, ...@@ -192,20 +192,21 @@ int smk_access(struct smack_known *subject_known, char *object_label,
} }
/** /**
* smk_curacc - determine if current has a specific access to an object * smk_tskacc - determine if a task has a specific access to an object
* @tsp: a pointer to the subject task
* @obj_label: a pointer to the object's Smack label * @obj_label: a pointer to the object's Smack label
* @mode: the access requested, in "MAY" format * @mode: the access requested, in "MAY" format
* @a : common audit data * @a : common audit data
* *
* This function checks the current subject label/object label pair * This function checks the subject task's label/object label pair
* in the access rule list and returns 0 if the access is permitted, * in the access rule list and returns 0 if the access is permitted,
* non zero otherwise. It allows that current may have the capability * non zero otherwise. It allows that the task may have the capability
* to override the rules. * to override the rules.
*/ */
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) int smk_tskacc(struct task_smack *subject, char *obj_label,
u32 mode, struct smk_audit_info *a)
{ {
struct task_smack *tsp = current_security(); struct smack_known *skp = smk_of_task(subject);
struct smack_known *skp = smk_of_task(tsp);
int may; int may;
int rc; int rc;
...@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) ...@@ -219,7 +220,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
* it can further restrict access. * it can further restrict access.
*/ */
may = smk_access_entry(skp->smk_known, obj_label, may = smk_access_entry(skp->smk_known, obj_label,
&tsp->smk_rules); &subject->smk_rules);
if (may < 0) if (may < 0)
goto out_audit; goto out_audit;
if ((mode & may) == mode) if ((mode & may) == mode)
...@@ -241,6 +242,24 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) ...@@ -241,6 +242,24 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
return rc; return rc;
} }
/**
* smk_curacc - determine if current has a specific access to an object
* @obj_label: a pointer to the object's Smack label
* @mode: the access requested, in "MAY" format
* @a : common audit data
*
* This function checks the current subject label/object label pair
* in the access rule list and returns 0 if the access is permitted,
* non zero otherwise. It allows that current may have the capability
* to override the rules.
*/
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
{
struct task_smack *tsp = current_security();
return smk_tskacc(tsp, obj_label, mode, a);
}
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
/** /**
* smack_str_from_perm : helper to transalate an int to a * smack_str_from_perm : helper to transalate an int to a
......
...@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp) ...@@ -207,11 +207,11 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
if (rc != 0) if (rc != 0)
return rc; return rc;
skp = smk_of_task(task_security(ptp)); skp = smk_of_task(current_security());
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ptp); smk_ad_setfield_u_tsk(&ad, ptp);
rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad); rc = smk_tskacc(ptp, skp->smk_known, MAY_READWRITE, &ad);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment