|
@@ -1691,40 +1691,19 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
|
|
|
* smack_task_wait - Smack access check for waiting
|
|
|
* @p: task to wait for
|
|
|
*
|
|
|
- * Returns 0 if current can wait for p, error code otherwise
|
|
|
+ * Returns 0
|
|
|
*/
|
|
|
static int smack_task_wait(struct task_struct *p)
|
|
|
{
|
|
|
- struct smk_audit_info ad;
|
|
|
- char *sp = smk_of_current();
|
|
|
- char *tsp = smk_of_forked(task_security(p));
|
|
|
- int rc;
|
|
|
-
|
|
|
- /* we don't log here, we can be overriden */
|
|
|
- rc = smk_access(tsp, sp, MAY_WRITE, NULL);
|
|
|
- if (rc == 0)
|
|
|
- goto out_log;
|
|
|
-
|
|
|
/*
|
|
|
- * Allow the operation to succeed if either task
|
|
|
- * has privilege to perform operations that might
|
|
|
- * account for the smack labels having gotten to
|
|
|
- * be different in the first place.
|
|
|
- *
|
|
|
- * This breaks the strict subject/object access
|
|
|
- * control ideal, taking the object's privilege
|
|
|
- * state into account in the decision as well as
|
|
|
- * the smack value.
|
|
|
+ * Allow the operation to succeed.
|
|
|
+ * Zombies are bad.
|
|
|
+ * In userless environments (e.g. phones) programs
|
|
|
+ * get marked with SMACK64EXEC and even if the parent
|
|
|
+ * and child shouldn't be talking the parent still
|
|
|
+ * may expect to know when the child exits.
|
|
|
*/
|
|
|
- if (smack_privileged(CAP_MAC_OVERRIDE) ||
|
|
|
- has_capability(p, CAP_MAC_OVERRIDE))
|
|
|
- rc = 0;
|
|
|
- /* we log only if we didn't get overriden */
|
|
|
- out_log:
|
|
|
- smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
|
|
|
- smk_ad_setfield_u_tsk(&ad, p);
|
|
|
- smack_log(tsp, sp, MAY_WRITE, rc, &ad);
|
|
|
- return rc;
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
/**
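Review bot: With the body reduced to `return 0;`, smack_task_wait no longer makes any label check or audit call, and the new block comment above the return does not say what that gives up. As the comment itself concedes, a parent now learns of a child's exit even when their labels would not otherwise let them communicate, and with the smk_ad_init/smack_log lines removed no audit record is produced for such waits. I would record that trade-off where the decision is made, for example `* Exit status reaches the parent regardless of label and this hook no longer audits; accepted so that children can always be reaped.` The kernel-doc line `* Returns 0` could also read `* Returns 0 always; @p is not examined`, so the unused parameter is not mistaken for an oversight. The whole function lies inside this hunk.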
|