SMACK: Do not apply star label in smack_setprocattr hook

Smack prohibits processes from using the star ("*") and web ("@") labels.
Checks have been added in other functions. In smack_setprocattr()
hook, only check for web ("@") label has been added and restricted
from applying web ("@") label.
Check for star ("*") label should also be added in smack_setprocattr()
hook. Return error should be "-EINVAL" not "-EPERM" as permission
is there for setting label but not the label value as star ("*") or
web ("@").

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 788a5faf37748cc00372d84f16a346728e5661a2..3a5684b47354fc169d49c0ee1b25ed98f8b899c5 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3669,10 +3669,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
                return PTR_ERR(skp);
 
        /*
-        * No process is ever allowed the web ("@") label.
+        * No process is ever allowed the web ("@") label
+        * and the star ("*") label.
         */
-       if (skp == &smack_known_web)
-               return -EPERM;
+       if (skp == &smack_known_web || skp == &smack_known_star)
+               return -EINVAL;
 
        if (!smack_privileged(CAP_MAC_ADMIN)) {
                rc = -EPERM;