From: Casey Schaufler <casey@schaufler-ca.com>
To: Pankaj Kumar <pankaj13lvs3@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: pankaj.k2@samsung.com
Subject: Re: [PATCH] smack lsm bug fixes
Date: Fri, 11 Apr 2014 14:45:22 -0700 [thread overview]
Message-ID: <53486272.6020901@schaufler-ca.com> (raw)
In-Reply-To: <CABPv_jf7Sy26C=LUzFkYyDSFrvtk05Snv-PQJEu2fpm5dhJWrQ@mail.gmail.com>
On 2/20/2014 2:15 AM, Pankaj Kumar wrote:
> From: Pankaj Kumar <pankaj.k2@samsung.com>
>
> 1. In order to remove any SMACK extended attribute from a file, a user
> should have CAP_MAC_ADMIN capability. But any user without this
> capability is able to remove SMACK64MMAP security attribute. This error
> has been corrected by a modification in smack_inode_removexattr hook.
>
> 2. While setting extended attribute in smack_inode_setsecurity hook,
> '-EACCES' error is returned if extended attribute size or value is not
> correct. This is wrong error rather this is invalid extended attribute
> case. Corrected error '-EINVAL' shall be returned.
>
> Signed-off-by: Pankaj Kumar <pankaj.k2@samsung.com>
> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Applied to git://git.gitorious.org/smack-next/kernel.git smack-for-3.16
> ---
> security/smack/smack_lsm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 14f52be..e1b1650 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -938,7 +938,7 @@ static int smack_inode_removexattr(struct dentry
> *dentry, const char *name)
> strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
> strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
> strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
> - strcmp(name, XATTR_NAME_SMACKMMAP)) {
> + strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
> if (!smack_privileged(CAP_MAC_ADMIN))
> rc = -EPERM;
> } else
> @@ -2076,7 +2076,7 @@ static int smack_inode_setsecurity(struct inode
> *inode, const char *name,
> int rc = 0;
>
> if (value == NULL || size > SMK_LONGLABEL || size == 0)
> - return -EACCES;
> + return -EINVAL;
>
> skp = smk_import_entry(value, size);
> if (skp == NULL)
next prev parent reply other threads:[~2014-04-11 21:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-20 10:15 [PATCH] smack lsm bug fixes Pankaj Kumar
2014-04-11 21:45 ` Casey Schaufler [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-02-17 5:35 Pankaj Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53486272.6020901@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pankaj.k2@samsung.com \
--cc=pankaj13lvs3@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox