From 1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Tue, 5 Jun 2012 15:28:30 -0700 Subject: Smack: onlycap limits on CAP_MAC_ADMIN Smack is integrated with the POSIX capabilities scheme, using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to determine if a process is allowed to ignore Smack checks or change Smack related data respectively. Smack provides an additional restriction that if an onlycap value is set by writing to /smack/onlycap only tasks with that Smack label are allowed to use CAP_MAC_OVERRIDE. This change adds CAP_MAC_ADMIN as a capability that is affected by the onlycap mechanism. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler --- security/smack/smack.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'security/smack/smack.h') diff --git a/security/smack/smack.h b/security/smack/smack.h index 76feb31eb82..99b36124f71 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -282,6 +282,19 @@ static inline char *smk_of_current(void) return smk_of_task(current_security()); } +/* + * Is the task privileged and allowed to be privileged + * by the onlycap rule. + */ +static inline int smack_privileged(int cap) +{ + if (!capable(cap)) + return 0; + if (smack_onlycap == NULL || smack_onlycap == smk_of_current()) + return 1; + return 0; +} + /* * logging functions */ -- cgit v1.2.3-18-g5258