Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fffea214 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by David Howells
Browse files

smack: fix key permission verification 



For any keyring access type SMACK always used MAY_READWRITE access check.
It prevents reading the key with label "_", which should be allowed for anyone.

This patch changes default access check to MAY_READ and use MAY_READWRITE in only
appropriate cases.

Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
parent f5895943

security/smack/smack_lsm.c

+6 −1
Original line number Diff line number Diff line
@@ -3511,6 +3511,7 @@ static int smack_key_permission(key_ref_t key_ref, 
	struct key *keyp;

	struct smk_audit_info ad;

	struct smack_known *tkp = smk_of_task(cred->security);

	int request = 0;



	keyp = key_ref_to_ptr(key_ref);

	if (keyp == NULL)
@@ -3531,7 +3532,11 @@ static int smack_key_permission(key_ref_t key_ref, 
	ad.a.u.key_struct.key = keyp->serial;

	ad.a.u.key_struct.key_desc = keyp->description;

#endif

	return smk_access(tkp, keyp->security, MAY_READWRITE, &ad);

	if (perm & KEY_NEED_READ)

		request = MAY_READ;

	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))

		request = MAY_WRITE;

	return smk_access(tkp, keyp->security, request, &ad);

}

#endif /* CONFIG_KEYS */