Merge tag 'Smack-for-6.19' of https://github.com/cschaufler/smack-next

+13 -3

Documentation/admin-guide/LSM/Smack.rst

··· 601 601 Task Attribute 602 602 ~~~~~~~~~~~~~~ 603 603 604 - The Smack label of a process can be read from /proc/<pid>/attr/current. A 605 - process can read its own Smack label from /proc/self/attr/current. A 604 + The Smack label of a process can be read from ``/proc/<pid>/attr/current``. A 605 + process can read its own Smack label from ``/proc/self/attr/current``. A 606 606 privileged process can change its own Smack label by writing to 607 - /proc/self/attr/current but not the label of another process. 607 + ``/proc/self/attr/current`` but not the label of another process. 608 + 609 + Format of writing is : only the label or the label followed by one of the 610 + 3 trailers: ``\n`` (by common agreement for ``/proc/...`` interfaces), 611 + ``\0`` (because some applications incorrectly include it), 612 + ``\n\0`` (because we think some applications may incorrectly include it). 608 613 609 614 File Attribute 610 615 ~~~~~~~~~~~~~~ ··· 700 695 The Smack label transmitted with outgoing packets. 701 696 A privileged program may set this to match the label of another 702 697 task with which it hopes to communicate. 698 + 699 + UNIX domain socket (UDS) with a BSD address functions both as a file in a 700 + filesystem and as a socket. As a file, it carries the SMACK64 attribute. This 701 + attribute is not involved in Smack security enforcement and is immutably 702 + assigned the label "*". 703 703 704 704 Smack Netlabel Exceptions 705 705 ~~~~~~~~~~~~~~~~~~~~~~~~~

+3

security/smack/smack.h

··· 300 300 int smk_curacc(struct smack_known *, u32, struct smk_audit_info *); 301 301 int smack_str_from_perm(char *string, int access); 302 302 struct smack_known *smack_from_secid(const u32); 303 + int smk_parse_label_len(const char *string, int len); 303 304 char *smk_parse_smack(const char *string, int len); 304 305 int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int); 305 306 struct smack_known *smk_import_entry(const char *, int); 307 + struct smack_known *smk_import_valid_label(const char *label, int label_len, 308 + gfp_t gfp); 306 309 void smk_insert_entry(struct smack_known *skp); 307 310 struct smack_known *smk_find_entry(const char *); 308 311 bool smack_privileged(int cap);

+74 -22

security/smack/smack_access.c

··· 443 443 } 444 444 445 445 /** 446 - * smk_parse_smack - parse smack label from a text string 447 - * @string: a text string that might contain a Smack label 448 - * @len: the maximum size, or zero if it is NULL terminated. 446 + * smk_parse_label_len - calculate the length of the starting segment 447 + * in the string that constitutes a valid smack label 448 + * @string: a text string that might contain a Smack label at the beginning 449 + * @len: the maximum size to look into, may be zero if string is null-terminated 449 450 * 450 - * Returns a pointer to the clean label or an error code. 451 + * Returns the length of the segment (0 < L < SMK_LONGLABEL) or an error code. 451 452 */ 452 - char *smk_parse_smack(const char *string, int len) 453 + int smk_parse_label_len(const char *string, int len) 453 454 { 454 - char *smack; 455 455 int i; 456 456 457 - if (len <= 0) 458 - len = strlen(string) + 1; 457 + if (len <= 0 || len > SMK_LONGLABEL) 458 + len = SMK_LONGLABEL; 459 459 460 460 /* 461 461 * Reserve a leading '-' as an indicator that ··· 463 463 * including /smack/cipso and /smack/cipso2 464 464 */ 465 465 if (string[0] == '-') 466 - return ERR_PTR(-EINVAL); 466 + return -EINVAL; 467 467 468 468 for (i = 0; i < len; i++) 469 469 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || ··· 471 471 break; 472 472 473 473 if (i == 0 || i >= SMK_LONGLABEL) 474 + return -EINVAL; 475 + 476 + return i; 477 + } 478 + 479 + /** 480 + * smk_parse_smack - copy the starting segment in the string 481 + * that constitutes a valid smack label 482 + * @string: a text string that might contain a Smack label at the beginning 483 + * @len: the maximum size to look into, may be zero if string is null-terminated 484 + * 485 + * Returns a pointer to the copy of the label or an error code. 486 + */ 487 + char *smk_parse_smack(const char *string, int len) 488 + { 489 + char *smack; 490 + int i = smk_parse_label_len(string, len); 491 + 492 + if (i < 0) 474 493 return ERR_PTR(-EINVAL); 475 494 476 495 smack = kstrndup(string, i, GFP_NOFS); ··· 573 554 } 574 555 575 556 /** 576 - * smk_import_entry - import a label, return the list entry 577 - * @string: a text string that might be a Smack label 578 - * @len: the maximum size, or zero if it is NULL terminated. 557 + * smk_import_valid_allocated_label - import a label, return the list entry 558 + * @smack: a text string that is a valid Smack label and may be kfree()ed. 559 + * It is consumed: either becomes a part of the entry or kfree'ed. 560 + * @gfp: Allocation type 579 561 * 580 - * Returns a pointer to the entry in the label list that 581 - * matches the passed string, adding it if necessary, 582 - * or an error code. 562 + * Returns: see description of smk_import_entry() 583 563 */ 584 - struct smack_known *smk_import_entry(const char *string, int len) 564 + static struct smack_known * 565 + smk_import_allocated_label(char *smack, gfp_t gfp) 585 566 { 586 567 struct smack_known *skp; 587 - char *smack; 588 568 int rc; 589 - 590 - smack = smk_parse_smack(string, len); 591 - if (IS_ERR(smack)) 592 - return ERR_CAST(smack); 593 569 594 570 mutex_lock(&smack_known_lock); 595 571 ··· 592 578 if (skp != NULL) 593 579 goto freeout; 594 580 595 - skp = kzalloc(sizeof(*skp), GFP_NOFS); 581 + skp = kzalloc(sizeof(*skp), gfp); 596 582 if (skp == NULL) { 597 583 skp = ERR_PTR(-ENOMEM); 598 584 goto freeout; ··· 620 606 mutex_unlock(&smack_known_lock); 621 607 622 608 return skp; 609 + } 610 + 611 + /** 612 + * smk_import_entry - import a label, return the list entry 613 + * @string: a text string that might contain a Smack label at the beginning 614 + * @len: the maximum size to look into, may be zero if string is null-terminated 615 + * 616 + * Returns a pointer to the entry in the label list that 617 + * matches the passed string, adding it if necessary, 618 + * or an error code. 619 + */ 620 + struct smack_known *smk_import_entry(const char *string, int len) 621 + { 622 + char *smack = smk_parse_smack(string, len); 623 + 624 + if (IS_ERR(smack)) 625 + return ERR_CAST(smack); 626 + 627 + return smk_import_allocated_label(smack, GFP_NOFS); 628 + } 629 + 630 + /** 631 + * smk_import_valid_label - import a label, return the list entry 632 + * @label: a text string that is a valid Smack label, not null-terminated 633 + * @label_len: the length of the text string in the @label 634 + * @gfp: the GFP mask used for allocating memory for the @label text string copy 635 + * 636 + * Return: see description of smk_import_entry() 637 + */ 638 + struct smack_known * 639 + smk_import_valid_label(const char *label, int label_len, gfp_t gfp) 640 + { 641 + char *smack = kstrndup(label, label_len, gfp); 642 + 643 + if (!smack) 644 + return ERR_PTR(-ENOMEM); 645 + 646 + return smk_import_allocated_label(smack, gfp); 623 647 } 624 648 625 649 /**

+184 -93

security/smack/smack_lsm.c

··· 963 963 } 964 964 965 965 /** 966 + * smk_rule_transmutes - does access rule for (subject,object) contain 't'? 967 + * @subject: a pointer to the subject's Smack label entry 968 + * @object: a pointer to the object's Smack label entry 969 + */ 970 + static bool 971 + smk_rule_transmutes(struct smack_known *subject, 972 + const struct smack_known *object) 973 + { 974 + int may; 975 + 976 + rcu_read_lock(); 977 + may = smk_access_entry(subject->smk_known, object->smk_known, 978 + &subject->smk_rules); 979 + rcu_read_unlock(); 980 + return (may > 0) && (may & MAY_TRANSMUTE); 981 + } 982 + 983 + static int 984 + xattr_dupval(struct xattr *xattrs, int *xattr_count, 985 + const char *name, const void *value, unsigned int vallen) 986 + { 987 + struct xattr * const xattr = lsm_get_xattr_slot(xattrs, xattr_count); 988 + 989 + if (!xattr) 990 + return 0; 991 + 992 + xattr->value = kmemdup(value, vallen, GFP_NOFS); 993 + if (!xattr->value) 994 + return -ENOMEM; 995 + 996 + xattr->value_len = vallen; 997 + xattr->name = name; 998 + return 0; 999 + } 1000 + 1001 + /** 966 1002 * smack_inode_init_security - copy out the smack from an inode 967 1003 * @inode: the newly created inode 968 1004 * @dir: containing directory object ··· 1013 977 struct xattr *xattrs, int *xattr_count) 1014 978 { 1015 979 struct task_smack *tsp = smack_cred(current_cred()); 1016 - struct inode_smack *issp = smack_inode(inode); 1017 - struct smack_known *skp = smk_of_task(tsp); 1018 - struct smack_known *isp = smk_of_inode(inode); 980 + struct inode_smack * const issp = smack_inode(inode); 1019 981 struct smack_known *dsp = smk_of_inode(dir); 1020 - struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 1021 - int may; 982 + int rc = 0; 983 + int transflag = 0; 984 + bool trans_cred; 985 + bool trans_rule; 1022 986 987 + /* 988 + * UNIX domain sockets use lower level socket data. Let 989 + * UDS inode have fixed * label to keep smack_inode_permission() calm 990 + * when called from unix_find_bsd() 991 + */ 992 + if (S_ISSOCK(inode->i_mode)) { 993 + /* forced label, no need to save to xattrs */ 994 + issp->smk_inode = &smack_known_star; 995 + goto instant_inode; 996 + } 1023 997 /* 1024 998 * If equal, transmuting already occurred in 1025 999 * smack_dentry_create_files_as(). No need to check again. 1026 1000 */ 1027 - if (tsp->smk_task != tsp->smk_transmuted) { 1028 - rcu_read_lock(); 1029 - may = smk_access_entry(skp->smk_known, dsp->smk_known, 1030 - &skp->smk_rules); 1031 - rcu_read_unlock(); 1032 - } 1001 + trans_cred = (tsp->smk_task == tsp->smk_transmuted); 1002 + if (!trans_cred) 1003 + trans_rule = smk_rule_transmutes(smk_of_task(tsp), dsp); 1033 1004 1034 1005 /* 1035 1006 * In addition to having smk_task equal to smk_transmuted, ··· 1044 1001 * requests transmutation then by all means transmute. 1045 1002 * Mark the inode as changed. 1046 1003 */ 1047 - if ((tsp->smk_task == tsp->smk_transmuted) || 1048 - (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1049 - smk_inode_transmutable(dir))) { 1050 - struct xattr *xattr_transmute; 1051 - 1004 + if (trans_cred || (trans_rule && smk_inode_transmutable(dir))) { 1052 1005 /* 1053 1006 * The caller of smack_dentry_create_files_as() 1054 1007 * should have overridden the current cred, so the 1055 1008 * inode label was already set correctly in 1056 1009 * smack_inode_alloc_security(). 1057 1010 */ 1058 - if (tsp->smk_task != tsp->smk_transmuted) 1059 - isp = issp->smk_inode = dsp; 1011 + if (!trans_cred) 1012 + issp->smk_inode = dsp; 1060 1013 1061 - issp->smk_flags |= SMK_INODE_TRANSMUTE; 1062 - xattr_transmute = lsm_get_xattr_slot(xattrs, 1063 - xattr_count); 1064 - if (xattr_transmute) { 1065 - xattr_transmute->value = kmemdup(TRANS_TRUE, 1066 - TRANS_TRUE_SIZE, 1067 - GFP_NOFS); 1068 - if (!xattr_transmute->value) 1069 - return -ENOMEM; 1014 + if (S_ISDIR(inode->i_mode)) { 1015 + transflag = SMK_INODE_TRANSMUTE; 1070 1016 1071 - xattr_transmute->value_len = TRANS_TRUE_SIZE; 1072 - xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1017 + if (xattr_dupval(xattrs, xattr_count, 1018 + XATTR_SMACK_TRANSMUTE, 1019 + TRANS_TRUE, 1020 + TRANS_TRUE_SIZE 1021 + )) 1022 + rc = -ENOMEM; 1073 1023 } 1074 1024 } 1075 1025 1076 - issp->smk_flags |= SMK_INODE_INSTANT; 1077 - 1078 - if (xattr) { 1079 - xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1080 - if (!xattr->value) 1081 - return -ENOMEM; 1082 - 1083 - xattr->value_len = strlen(isp->smk_known); 1084 - xattr->name = XATTR_SMACK_SUFFIX; 1085 - } 1086 - 1087 - return 0; 1026 + if (rc == 0) 1027 + if (xattr_dupval(xattrs, xattr_count, 1028 + XATTR_SMACK_SUFFIX, 1029 + issp->smk_inode->smk_known, 1030 + strlen(issp->smk_inode->smk_known) 1031 + )) 1032 + rc = -ENOMEM; 1033 + instant_inode: 1034 + issp->smk_flags |= (SMK_INODE_INSTANT | transflag); 1035 + return rc; 1088 1036 } 1089 1037 1090 1038 /** ··· 1349 1315 int check_import = 0; 1350 1316 int check_star = 0; 1351 1317 int rc = 0; 1318 + umode_t const i_mode = d_backing_inode(dentry)->i_mode; 1352 1319 1353 1320 /* 1354 1321 * Check label validity here so import won't fail in post_setxattr 1355 1322 */ 1356 - if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1357 - strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1358 - strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1323 + if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1324 + /* 1325 + * UDS inode has fixed label 1326 + */ 1327 + if (S_ISSOCK(i_mode)) { 1328 + rc = -EINVAL; 1329 + } else { 1330 + check_priv = 1; 1331 + check_import = 1; 1332 + } 1333 + } else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1334 + strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1359 1335 check_priv = 1; 1360 1336 check_import = 1; 1361 1337 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || ··· 1375 1331 check_star = 1; 1376 1332 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1377 1333 check_priv = 1; 1378 - if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1334 + if (!S_ISDIR(i_mode) || 1379 1335 size != TRANS_TRUE_SIZE || 1380 1336 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1381 1337 rc = -EINVAL; ··· 1506 1462 * Don't do anything special for these. 1507 1463 * XATTR_NAME_SMACKIPIN 1508 1464 * XATTR_NAME_SMACKIPOUT 1465 + * XATTR_NAME_SMACK if S_ISSOCK (UDS inode has fixed label) 1509 1466 */ 1510 1467 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1511 - struct super_block *sbp = dentry->d_sb; 1512 - struct superblock_smack *sbsp = smack_superblock(sbp); 1468 + if (!S_ISSOCK(d_backing_inode(dentry)->i_mode)) { 1469 + struct super_block *sbp = dentry->d_sb; 1470 + struct superblock_smack *sbsp = smack_superblock(sbp); 1513 1471 1514 - isp->smk_inode = sbsp->smk_default; 1472 + isp->smk_inode = sbsp->smk_default; 1473 + } 1515 1474 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1516 1475 isp->smk_task = NULL; 1517 1476 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) ··· 3632 3585 */ 3633 3586 3634 3587 /* 3635 - * UNIX domain sockets use lower level socket data. 3588 + * UDS inode has fixed label (*) 3636 3589 */ 3637 3590 if (S_ISSOCK(inode->i_mode)) { 3638 3591 final = &smack_known_star; ··· 3710 3663 * @attr: which attribute to fetch 3711 3664 * @ctx: buffer to receive the result 3712 3665 * @size: available size in, actual size out 3713 - * @flags: unused 3666 + * @flags: reserved, currently zero 3714 3667 * 3715 3668 * Fill the passed user space @ctx with the details of the requested 3716 3669 * attribute. ··· 3771 3724 * Sets the Smack value of the task. Only setting self 3772 3725 * is permitted and only with privilege 3773 3726 * 3774 - * Returns the length of the smack label or an error code 3727 + * Returns zero on success or an error code 3775 3728 */ 3776 - static int do_setattr(u64 attr, void *value, size_t size) 3729 + static int do_setattr(unsigned int attr, void *value, size_t size) 3777 3730 { 3778 3731 struct task_smack *tsp = smack_cred(current_cred()); 3779 3732 struct cred *new; 3780 3733 struct smack_known *skp; 3781 - struct smack_known_list_elem *sklep; 3782 - int rc; 3734 + int label_len; 3783 3735 3784 - if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3785 - return -EPERM; 3786 - 3736 + /* 3737 + * let unprivileged user validate input, check permissions later 3738 + */ 3787 3739 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3788 3740 return -EINVAL; 3789 3741 3790 - if (attr != LSM_ATTR_CURRENT) 3791 - return -EOPNOTSUPP; 3792 - 3793 - skp = smk_import_entry(value, size); 3794 - if (IS_ERR(skp)) 3795 - return PTR_ERR(skp); 3742 + label_len = smk_parse_label_len(value, size); 3743 + if (label_len < 0 || label_len != size) 3744 + return -EINVAL; 3796 3745 3797 3746 /* 3798 3747 * No process is ever allowed the web ("@") label 3799 3748 * and the star ("*") label. 3800 3749 */ 3801 - if (skp == &smack_known_web || skp == &smack_known_star) 3802 - return -EINVAL; 3750 + if (label_len == 1 /* '@', '*' */) { 3751 + const char c = *(const char *)value; 3752 + 3753 + if (c == *smack_known_web.smk_known || 3754 + c == *smack_known_star.smk_known) 3755 + return -EPERM; 3756 + } 3803 3757 3804 3758 if (!smack_privileged(CAP_MAC_ADMIN)) { 3805 - rc = -EPERM; 3806 - list_for_each_entry(sklep, &tsp->smk_relabel, list) 3807 - if (sklep->smk_label == skp) { 3808 - rc = 0; 3809 - break; 3810 - } 3811 - if (rc) 3812 - return rc; 3759 + const struct smack_known_list_elem *sklep; 3760 + list_for_each_entry(sklep, &tsp->smk_relabel, list) { 3761 + const char *cp = sklep->smk_label->smk_known; 3762 + 3763 + if (strlen(cp) == label_len && 3764 + strncmp(cp, value, label_len) == 0) 3765 + goto in_relabel; 3766 + } 3767 + return -EPERM; 3768 + in_relabel: 3769 + ; 3813 3770 } 3771 + 3772 + skp = smk_import_valid_label(value, label_len, GFP_KERNEL); 3773 + if (IS_ERR(skp)) 3774 + return PTR_ERR(skp); 3814 3775 3815 3776 new = prepare_creds(); 3816 3777 if (new == NULL) ··· 3832 3777 smk_destroy_label_list(&tsp->smk_relabel); 3833 3778 3834 3779 commit_creds(new); 3835 - return size; 3780 + return 0; 3836 3781 } 3837 3782 3838 3783 /** ··· 3840 3785 * @attr: which attribute to set 3841 3786 * @ctx: buffer containing the data 3842 3787 * @size: size of @ctx 3843 - * @flags: unused 3788 + * @flags: reserved, must be zero 3844 3789 * 3845 3790 * Fill the passed user space @ctx with the details of the requested 3846 3791 * attribute. ··· 3850 3795 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3851 3796 u32 size, u32 flags) 3852 3797 { 3853 - int rc; 3798 + if (attr != LSM_ATTR_CURRENT) 3799 + return -EOPNOTSUPP; 3854 3800 3855 - rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3856 - if (rc > 0) 3857 - return 0; 3858 - return rc; 3801 + if (ctx->flags) 3802 + return -EINVAL; 3803 + /* 3804 + * string must have \0 terminator, included in ctx->ctx 3805 + * (see description of struct lsm_ctx) 3806 + */ 3807 + if (ctx->ctx_len == 0) 3808 + return -EINVAL; 3809 + 3810 + if (ctx->ctx[ctx->ctx_len - 1] != '\0') 3811 + return -EINVAL; 3812 + /* 3813 + * other do_setattr() caller, smack_setprocattr(), 3814 + * does not count \0 into size, so 3815 + * decreasing length by 1 to accommodate the divergence. 3816 + */ 3817 + return do_setattr(attr, ctx->ctx, ctx->ctx_len - 1); 3859 3818 } 3860 3819 3861 3820 /** ··· 3881 3812 * Sets the Smack value of the task. Only setting self 3882 3813 * is permitted and only with privilege 3883 3814 * 3884 - * Returns the length of the smack label or an error code 3815 + * Returns the size of the input value or an error code 3885 3816 */ 3886 3817 static int smack_setprocattr(const char *name, void *value, size_t size) 3887 3818 { 3888 - int attr = lsm_name_to_attr(name); 3819 + size_t realsize = size; 3820 + unsigned int attr = lsm_name_to_attr(name); 3889 3821 3890 - if (attr != LSM_ATTR_UNDEF) 3891 - return do_setattr(attr, value, size); 3892 - return -EINVAL; 3822 + switch (attr) { 3823 + case LSM_ATTR_UNDEF: return -EINVAL; 3824 + default: return -EOPNOTSUPP; 3825 + case LSM_ATTR_CURRENT: 3826 + ; 3827 + } 3828 + 3829 + /* 3830 + * The value for the "current" attribute is the label 3831 + * followed by one of the 4 trailers: none, \0, \n, \n\0 3832 + * 3833 + * I.e. following inputs are accepted as 3-characters long label "foo": 3834 + * 3835 + * "foo" (3 characters) 3836 + * "foo\0" (4 characters) 3837 + * "foo\n" (4 characters) 3838 + * "foo\n\0" (5 characters) 3839 + */ 3840 + 3841 + if (realsize && (((const char *)value)[realsize - 1] == '\0')) 3842 + --realsize; 3843 + 3844 + if (realsize && (((const char *)value)[realsize - 1] == '\n')) 3845 + --realsize; 3846 + 3847 + return do_setattr(attr, value, realsize) ? : size; 3893 3848 } 3894 3849 3895 3850 /** ··· 4943 4850 4944 4851 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4945 4852 { 4853 + /* 4854 + * UDS inode has fixed label. Ignore nfs label. 4855 + */ 4856 + if (S_ISSOCK(inode->i_mode)) 4857 + return 0; 4946 4858 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4947 4859 ctxlen, 0); 4948 4860 } ··· 5013 4915 struct task_smack *otsp = smack_cred(old); 5014 4916 struct task_smack *ntsp = smack_cred(new); 5015 4917 struct inode_smack *isp; 5016 - int may; 5017 4918 5018 4919 /* 5019 4920 * Use the process credential unless all of ··· 5026 4929 isp = smack_inode(d_inode(dentry->d_parent)); 5027 4930 5028 4931 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 5029 - rcu_read_lock(); 5030 - may = smk_access_entry(otsp->smk_task->smk_known, 5031 - isp->smk_inode->smk_known, 5032 - &otsp->smk_task->smk_rules); 5033 - rcu_read_unlock(); 5034 - 5035 4932 /* 5036 4933 * If the directory is transmuting and the rule 5037 4934 * providing access is transmuting use the containing 5038 4935 * directory label instead of the process label. 5039 4936 */ 5040 - if (may > 0 && (may & MAY_TRANSMUTE)) { 4937 + if (smk_rule_transmutes(otsp->smk_task, isp->smk_inode)) { 5041 4938 ntsp->smk_task = isp->smk_inode; 5042 4939 ntsp->smk_transmuted = ntsp->smk_task; 5043 4940 }

Configure Feed

Configure Feed