Kernel threads excluded from smack checks

This change “Kernel threads excluded from smack checks” in Linux kernel is authored by Roman Kubiak <r.kubiak [at] samsung.com> on Mon Aug 10 16:54:25 2015 +0200.

Kernel threads excluded from smack checks

Adds an ignore case for kernel tasks,
so that they can access all resources.

Since kernel worker threads are spawned with
floor label, they are severely restricted by
Smack policy. It is not an issue without onlycap,
as these processes also run with root,
so CAP_MAC_OVERRIDE kicks in. But with onlycap
turned on, there is no way to change the label
for these processes.

Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>

This Linux change may have been applied to various maintained Linux releases and you can find Linux releases including commit 41a2d57.

There are 6 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 security/smack/smack_access.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 00f6b38..bc1053f 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -639,6 +639,12 @@ int smack_privileged(int cap)
 	struct smack_known *skp = smk_of_current();
 	struct smack_onlycap *sop;
 
+	/*
+	 * All kernel tasks are privileged
+	 */
+	if (unlikely(current->flags & PF_KTHREAD))
+		return 1;
+
 	if (!capable(cap))
 		return 0;
 

The commit for this change in Linux stable tree is 41a2d57 (patch).

Leave a Reply

Your email address will not be published. Required fields are marked *