authorRoman Kubiak <r.kubiak@samsung.com>2015-08-10 16:54:25 +0200
committerSeung-Woo Kim <sw0312.kim@samsung.com>2016-12-14 13:48:25 +0900
commit31d910badeb0ddcd3ca07924343857f263d1136c (patch)
tree2e2d6fbd4e0ddabd2cdd1b0f201f0f2965d83d53 /security
parent44e48ee3e171c4c68a24a7419293c2a3ef458d93 (diff)
Kernel threads excluded from smack checks
Adds an ignore case for kernel tasks, so that they can access all resources. Since kernel worker threads are spawned with floor label, they are severely restricted by Smack policy. It is not an issue without onlycap, as these processes also run with root, so CAP_MAC_OVERRIDE kicks in. But with onlycap turned on, there is no way to change the label for these processes. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_access.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 012785a78973..89d18bfae53a 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -651,6 +651,12 @@ int smack_privileged(int cap)
struct smack_known *skp = smk_of_current();
struct smack_onlycap *sop;
+ /*
+ * All kernel tasks are privileged
+ */
+ if (unlikely(current->flags & PF_KTHREAD))
+ return 1;
+
if (!capable(cap))
return 0;
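Review bot: The added `PF_KTHREAD` test returns 1 before `capable(cap)` runs, so the exemption covers every kernel thread and every `cap` value rather than only the onlycap case the description is about. That also means a kernel thread doing work on behalf of a user task would presumably skip the Smack check for that work, and no capability check is recorded for it; it is worth confirming that this breadth is intended. The comment `All kernel tasks are privileged` restates the code without the reason, so I would write it as `/* Kernel threads run with the floor label and cannot be relabelled; with onlycap set they would fail Smack checks, so treat them as privileged. */`. The body of `smack_privileged()` continues past the end of this hunk, so how `sop` is used after `capable()` is not visible here.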