kernel_optimize_test/security/smack
Seth Forshee 809c02e091 Smack: Handle labels consistently in untrusted mounts
The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
differently in untrusted mounts. This is confusing and
potentially problematic. Change this to handle them all the same
way that SMACK64 is currently handled; that is, read the label
from disk and check it at use time. For SMACK64 and SMACK64MMAP
access is denied if the label does not match smk_root. To be
consistent with suid, a SMACK64EXEC label which does not match
smk_root will still allow execution of the file but will not run
with the label supplied in the xattr.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2016-06-24 11:02:22 -05:00
Kconfig Smack: secmark support for netfilter 2015-01-20 16:34:25 -08:00
Makefile Smack: Repair netfilter dependency 2015-01-23 10:08:19 -08:00
smack_access.c Smack: limited capability for changing process label 2015-10-19 12:06:47 -07:00
smack_lsm.c Smack: Handle labels consistently in untrusted mounts 2016-06-24 11:02:22 -05:00
smack_netfilter.c smack: use skb_to_full_sk() helper 2015-11-08 20:56:38 -05:00
smack.h Smack: Add support for unprivileged mounts from user namespaces 2016-06-24 10:40:42 -05:00
smackfs.c convert a bunch of open-coded instances of memdup_user_nul() 2016-01-04 10:26:58 -05:00