diff options
| author | Zbigniew Jasinski <z.jasinski@samsung.com> | 2015-10-19 18:23:53 +0200 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2015-10-19 12:06:47 -0700 |
| commit | 38416e53936ecf896948fdeffc36b76979117952 (patch) | |
| tree | b0ac68de5a0b4a7953ab38e7dcc6fa1d8a83d10a /security/smack/smack.h | |
| parent | 8da4aba5bf9869f58d2a6bb30daaf54b2fa72569 (diff) | |
| download | linux-38416e53936ecf896948fdeffc36b76979117952.tar.gz | |
Smack: limited capability for changing process label
This feature introduces new kernel interface: - <smack_fs>/relabel-self - for setting transition labels list This list is used to control smack label transition mechanism. List is set by, and per process. Process can transit to new label only if label is on the list. Only process with CAP_MAC_ADMIN capability can add labels to this list. With this list, process can change it's label without CAP_MAC_ADMIN but only once. After label changing, list is unset. Changes in v2: * use list_for_each_entry instead of _rcu during label write * added missing description in security/Smack.txt Changes in v3: * squashed into one commit Changes in v4: * switch from global list to per-task list * since the per-task list is accessed only by the task itself there is no need to use synchronization mechanisms on it Changes in v5: * change smackfs interface of relabel-self to the one used for onlycap multiple labels are accepted, separated by space, which replace the previous list upon write Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack.h')
| -rw-r--r-- | security/smack/smack.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index fff0c612bbb7..6c91156ae225 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -115,6 +115,7 @@ struct task_smack { struct smack_known *smk_forked; /* label when forked */ struct list_head smk_rules; /* per task access rules */ struct mutex smk_rules_lock; /* lock for the rules */ + struct list_head smk_relabel; /* transit allowed labels */ }; #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ @@ -169,7 +170,7 @@ struct smk_port_label { }; #endif /* SMACK_IPV6_PORT_LABELING */ -struct smack_onlycap { +struct smack_known_list_elem { struct list_head list; struct smack_known *smk_label; }; @@ -301,6 +302,7 @@ struct smack_known *smk_import_entry(const char *, int); void smk_insert_entry(struct smack_known *skp); struct smack_known *smk_find_entry(const char *); int smack_privileged(int cap); +void smk_destroy_label_list(struct list_head *list); /* * Shared data. |