Commit 6c892df2686c5611979792aaa4ddea9ee9f18749

Authored by Casey Schaufler
1 parent 594081ee71

Smack: Lock mode for the floor and hat labels

The lock access mode allows setting a read lock on a file
for which the process has only read access. The floor label is
defined to make it easy to have the basic system installed such
that everyone can read it. Once there's a desire to read lock
(rationally or otherwise) a floor file, a rule needs to get set.
This happens all the time, so make the floor label a little bit
more special and allow everyone lock access, too. By implication,
give processes with the hat label (hat can read everything)
lock access as well. This reduces clutter in the Smack rule set.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Showing 1 changed file with 5 additions and 5 deletions

security/smack/smack_access.c
... ... @@ -142,8 +142,7 @@
142 142 * Tasks cannot be assigned the internet label.
143 143 * An internet subject can access any object.
144 144 */
145   - if (object == &smack_known_web ||
146   - subject == &smack_known_web)
  145 + if (object == &smack_known_web || subject == &smack_known_web)
147 146 goto out_audit;
148 147 /*
149 148 * A star object can be accessed by any subject.
150 149  
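Review bot: the reflow of the web-label test onto one line is cosmetic only; the condition is unchanged and the behaviour described in the comment above it (an internet subject or object short-circuits to out_audit) is preserved. Since the rest of the commit is a behavioural change to the floor/hat handling, this whitespace cleanup would normally go in its own patch or at least be mentioned in the commit message so reviewers do not look for a logic change here.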
... ... @@ -157,10 +156,11 @@
157 156 if (subject->smk_known == object->smk_known)
158 157 goto out_audit;
159 158 /*
160   - * A hat subject can read any object.
161   - * A floor object can be read by any subject.
  159 + * A hat subject can read or lock any object.
  160 + * A floor object can be read or locked by any subject.
162 161 */
163   - if ((request & MAY_ANYREAD) == request) {
  162 + if ((request & MAY_ANYREAD) == request ||
  163 + (request & MAY_LOCK) == request) {
164 164 if (object == &smack_known_floor)
165 165 goto out_audit;
166 166 if (subject == &smack_known_hat)
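Review bot: the two new clauses are mutually exclusive for any non-zero request, so a request that carries both a read bit and MAY_LOCK matches neither `(request & MAY_ANYREAD) == request` nor `(request & MAY_LOCK) == request` and falls through to the ordinary rule lookup, while a request of MAY_LOCK alone gets the floor/hat shortcut. If that is the intent (the lock hooks asking for MAY_LOCK by itself), a one-line comment saying so would help future readers; if a combined read-and-lock request should also be granted on floor objects and to hat subjects, the test wants to be `(request & (MAY_ANYREAD | MAY_LOCK)) == request`. Note also that a zero request satisfies both forms, which is pre-existing behaviour of the MAY_ANYREAD test and not introduced here.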