summaryrefslogtreecommitdiff
path: root/security/smack
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-07-23 11:43:57 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 15:35:07 +1000
commitd09ca73979460b96d5d4684d588b188be9a1f57d (patch)
tree217543affc5c1c76181ffca00c23cfa69f1dd4f6 /security/smack
parent9cfcac810e8993fa7a5bfd24b1a21f1dbbb03a7b (diff)
security: make LSMs explicitly mask off permissions
SELinux needs to pass the MAY_ACCESS flag so it can handle auditting correctly. Presently the masking of MAY_* flags is done in the VFS. In order to allow LSMs to decide what flags they care about and what flags they don't just pass them all and the each LSM mask off what they don't need. This patch should contain no functional changes to either the VFS or any LSM. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack')
-rw-r--r--security/smack/smack_lsm.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 07abc9ce72f..9192ba366a4 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -598,6 +598,8 @@ static int smack_inode_rename(struct inode *old_inode,
static int smack_inode_permission(struct inode *inode, int mask)
{
struct smk_audit_info ad;
+
+ mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
/*
* No permission to check. Existence test. Yup, it's there.
*/