summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorMarcin Lis <m.lis@samsung.com>2015-01-22 17:40:33 +0300
committerCasey Schaufler <casey@schaufler-ca.com>2015-03-23 23:19:37 +0300
commit7412301b76bd53ee53b860f611fc3b5b1c2245b5 (patch)
tree0454d89419798f10e2f11640be3aa53768dae612 /security
parent74f0414b2f9a6b12df208a69baa21e22178a2463 (diff)
downloadlinux-7412301b76bd53ee53b860f611fc3b5b1c2245b5.tar.xz
Smack: Assign smack_known_web as default smk_in label for kernel thread's socket
This change fixes the bug associated with sockets owned by kernel threads. These sockets, created usually by network devices' drivers tasks, received smk_in label from the task that created them - the "floor" label in the most cases. The result was that they were not able to receive data packets because of missing smack rules. The main reason of the access deny is that the socket smk_in label is placed as the object during smk check, kernel thread's capabilities are omitted. Signed-off-by: Marcin Lis <m.lis@samsung.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c934311812f1..a097dc7d4669 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2452,7 +2452,21 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
static int smack_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- if (family != PF_INET || sock->sk == NULL)
+ struct socket_smack *ssp;
+
+ if (sock->sk == NULL)
+ return 0;
+
+ /*
+ * Sockets created by kernel threads receive web label.
+ */
+ if (unlikely(current->flags & PF_KTHREAD)) {
+ ssp = sock->sk->sk_security;
+ ssp->smk_in = &smack_known_web;
+ ssp->smk_out = &smack_known_web;
+ }
+
+ if (family != PF_INET)
return 0;
/*
* Set the outbound netlbl.