author: Roman Kubiak <r.kubiak@samsung.com> 2016-07-06 10:59:58 +0900
committer: jooseong lee <jooseong.lee@samsung.com> 2016-07-07 02:14:49 -0700
commit: 78f638087fc8b89ebac15ce8abad660671dcec15
tree: 601ade89806588fbba09b85d93d26c37d72ca38c /security
parent: 25153d615a32fa8a6e99ff628d0611eb7eced247
Kernel threads excluded from smack checks

Adds an ignore case for kernel tasks, so that they can access all resources.

Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes.

Change-Id: I3d7a9b32155b70d8716ea0368dbddf35f0aa6cc6
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>

Diffstat (limited to 'security')
-rw-r--r-- security/smack/smack_access.c 6
1 files changed, 6 insertions, 0 deletions

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 88b23413218..a28adbc8a6c 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -662,6 +662,12 @@ int smack_privileged(int cap)
struct smack_known *skp = smk_of_current();
struct smack_onlycap *sop;
+ /*
+ * All kernel tasks are privileged
+ */
+ if (unlikely(current->flags & PF_KTHREAD))
+ return 1;
+
if (!capable(cap))
return 0;
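
Review bot: The early "return 1" on current->flags & PF_KTHREAD sits above "if (!capable(cap))", so it ignores the cap argument and skips both the capability check and the onlycap lookup (sop) for every kernel thread, whether or not onlycap is configured. The in-code comment "All kernel tasks are privileged" states the effect but not the reason; the onlycap rationale appears only in the commit message. Suggest expanding the comment to say that kernel threads start with the floor label and cannot be relabelled once onlycap is set, and confirming that no PF_KTHREAD task in this tree accesses objects on behalf of an unprivileged request, since such a thread would now pass every Smack check that consults smack_privileged().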