authorCasey Schaufler <casey@schaufler-ca.com>2013-11-21 10:55:10 +0200
committerDamian Hobson-Garcia <dhobsong@igel.co.jp>2014-12-11 16:53:22 +0900
commit3794825034906b25122d39e7d0421be331163d54 (patch)
tree314a687ff56e076f67da262ed9bfc21f4c8a8ece
parent71043e2a6ef7d6305867fdeb97155233f6e52033 (diff)
Smack: Cgroup filesystem access
The cgroup filesystems are not mounted using conventional mechanisms. This prevents the use of mount options to set Smack attributes. This patch makes the behavior of cgroup filesystems compatible with the way systemd uses them. Change-Id: I1e0429f133db9e14117dc754d682dec08221354c Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> (cherry picked from commit 30b87ac2002207a5c6a74cd18d843bdb3b01fe92) Signed-off-by: Damian Hobson-Garcia <dhobsong@igel.co.jp>
-rw-r--r--security/smack/smack_lsm.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 14f52be78c7..acd857471f9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2713,6 +2713,15 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
* of the superblock.
*/
if (opt_dentry->d_parent == opt_dentry) {
+ if (sbp->s_magic == CGROUP_SUPER_MAGIC) {
+ /*
+ * The cgroup filesystem is never mounted,
+ * so there's no opportunity to set the mount
+ * options.
+ */
+ sbsp->smk_root = smack_known_star.smk_known;
+ sbsp->smk_default = smack_known_star.smk_known;
+ }
isp->smk_inode = sbsp->smk_root;
isp->smk_flags |= SMK_INODE_INSTANT;
goto unlockandout;
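Review bot: The new cgroupfs branch under `opt_dentry->d_parent == opt_dentry` sets `sbsp->smk_root` and `sbsp->smk_default` to the star label, but its comment only explains why mount options are unavailable, not what the label means for access control. An object labelled `*` is accessible to every Smack subject, so Smack no longer restricts the cgroup root and access falls back to DAC; I would state that in the comment, for example `* Label it "*": Smack allows every subject, DAC still applies.`. The assignment is also unconditional, so it would replace any value already stored in the superblock blob; if that is intended, a short remark would help. The body of smack_d_instantiate starts and ends outside the hunk.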
@@ -2726,16 +2735,20 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
*/
switch (sbp->s_magic) {
case SMACK_MAGIC:
+ case PIPEFS_MAGIC:
+ case SOCKFS_MAGIC:
+ case CGROUP_SUPER_MAGIC:
/*
* Casey says that it's a little embarrassing
* that the smack file system doesn't do
* extended attributes.
- */
- final = smack_known_star.smk_known;
- break;
- case PIPEFS_MAGIC:
- /*
+ *
* Casey says pipes are easy (?)
+ *
+ * Socket access is controlled by the socket
+ * structures associated with the task involved.
+ *
+ * Cgroupfs is special
*/
final = smack_known_star.smk_known;
break;
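Review bot: The merged comment under the four case labels now strings together unrelated rationales, and the added line `Cgroupfs is special` gives no reason at all. A reader auditing which filesystems receive the star label cannot tell which sentence belongs to which `case`; I would prefix each rationale with its filesystem and replace the last line with something like `* Cgroupfs: no Smack mount options are possible, so every inode gets "*".`. Since every inode on these filesystems receives the star label, it may also be worth noting here that access is then decided by DAC alone. The enclosing switch continues outside the hunk.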
@@ -2747,13 +2760,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
*/
final = ckp->smk_known;
break;
- case SOCKFS_MAGIC:
- /*
- * Socket access is controlled by the socket
- * structures associated with the task involved.
- */
- final = smack_known_star.smk_known;
- break;
case PROC_SUPER_MAGIC:
/*
* Casey says procfs appears not to care.