Commit 20bb4cb4 authored by James Morris

Merge branch 'smack-for-4.21-a' of https://github.com/cschaufler/next-smack into next-smack

From Casey.

"I have two Smack patches for 4.21. One Jose's patch adds
missing documentation and Zoran's fleshes out the access checks
on keyrings."
parents 1072bd67 55b078f0
+4 −0
@@ -818,6 +818,10 @@ Smack supports some mount options:
	specifies a label to which all labels set on the
	filesystem must have read access. Not yet enforced.

  smackfstransmute=label:
	behaves exactly like smackfsroot except that it also
	sets the transmute flag on the root of the mount

These mount options apply to all file system types.

Smack auditing
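Review bot: The smackfstransmute entry defines the option only by reference to smackfsroot and never says what setting the transmute flag on the root of the mount means for objects created beneath it. A short clause on the effect, or a pointer to wherever this document describes the transmute attribute, would let the entry stand on its own. The sentence "sets the transmute flag on the root of the mount" also lacks the closing full stop that the preceding entry ("Not yet enforced.") has.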
+9 −3
@@ -4333,6 +4333,12 @@ static int smack_key_permission(key_ref_t key_ref,
	int request = 0;
	int rc;

	/*
	 * Validate requested permissions
	 */
	if (perm & ~KEY_NEED_ALL)
		return -EINVAL;

	keyp = key_ref_to_ptr(key_ref);
	if (keyp == NULL)
		return -EINVAL;
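Review bot: The mask test "if (perm & ~KEY_NEED_ALL)" at the top of smack_key_permission() rejects unknown bits but still lets perm == 0 through, and with "int request = 0;" that call would reach smk_access() with an empty request. Please say in the "Validate requested permissions" comment whether a zero perm is expected here, or reject it explicitly if it is not. The new failure also returns the same -EINVAL as the NULL key check just below it, so a caller or a log reader cannot tell a malformed permission mask from a bad key reference; a distinct comment or a one-line note on that would help whoever debugs a denied keyring operation.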
@@ -4356,10 +4362,10 @@ static int smack_key_permission(key_ref_t key_ref,
	ad.a.u.key_struct.key = keyp->serial;
	ad.a.u.key_struct.key_desc = keyp->description;
#endif
	if (perm & KEY_NEED_READ)
		request = MAY_READ;
	if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
		request |= MAY_READ;
	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
		request = MAY_WRITE;
		request |= MAY_WRITE;
	rc = smk_access(tkp, keyp->security, request, &ad);
	rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
	return rc;
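Review bot: The two mapping tests just before the smk_access() call have no comment explaining why KEY_NEED_SEARCH and KEY_NEED_VIEW are folded into MAY_READ and KEY_NEED_LINK and KEY_NEED_SETATTR into MAY_WRITE, and that mapping is the actual policy decision in this function. A short comment above "if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))" stating the rule would make it reviewable against the keys permission model. It is also worth noting in the changelog that switching to "request |= MAY_READ" and "request |= MAY_WRITE" changes behaviour for a perm that carries both a read-class and a write-class bit: with plain assignment the second test overwrote the first, so only MAY_WRITE was checked, whereas now both are requested from smk_access().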