Commit 6d14f5c7 authored by Tianjia Zhang Committed by Casey Schaufler

Smack: Fix wrong semantics in smk_access_entry()



In the smk_access_entry() function, if no matching rule is found
in the rule_list, a negative error code will be used to perform bit
operations with the MAY_ enumeration value. This is semantically
wrong. This patch fixes this issue.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
parent 2734d6c1
+8 −9
@@ -81,17 +81,12 @@ int log_policy = SMACK_AUDIT_DENIED;
int smk_access_entry(char *subject_label, char *object_label,
			struct list_head *rule_list)
{
	int may = -ENOENT;
	struct smack_rule *srp;

	list_for_each_entry_rcu(srp, rule_list, list) {
		if (srp->smk_object->smk_known == object_label &&
		    srp->smk_subject->smk_known == subject_label) {
			may = srp->smk_access;
			break;
		}
	}

			int may = srp->smk_access;
			/*
			 * MAY_WRITE implies MAY_LOCK.
			 */
@@ -99,6 +94,10 @@ int smk_access_entry(char *subject_label, char *object_label,
				may |= MAY_LOCK;
			return may;
		}
	}

	return -ENOENT;
}

/**
 * smk_access - determine if a subject has a specific access to an object
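Review bot: The new `return -ENOENT;` at the end of smk_access_entry() means the same int carries either a MAY_ bitmask or a negative errno, and nothing next to the return states that contract. Callers are not visible on this page, but any caller that masks the result without first testing for a negative value would find most MAY_ bits set in -ENOENT and could treat a missing rule as granted access. I would add a comment above the final return, `/* No matching rule: negative errno, not an access mask; check < 0 before testing MAY_ bits. */`, and state the same in the function's kernel-doc, which sits above the first hunk and is not shown here.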