Smack: Fix wrong semantics in smk_access_entry()

[ Upstream commit 6d14f5c7028eea70760df284057fe198ce7778dd ]

In the smk_access_entry() function, if no matching rule is found
in the rust_list, a negative error code will be used to perform bit
operations with the MAY_ enumeration value. This is semantically
wrong. This patch fixes this issue.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index a7855c61c05cd2383a267511393e3599ecdc7626..07d23b4f76f3ba4a57a1489096aa70b1db1f3da5 100644 (file)
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -85,23 +85,22 @@ int log_policy = SMACK_AUDIT_DENIED;
 int smk_access_entry(char *subject_label, char *object_label,
                        struct list_head *rule_list)
 {
-       int may = -ENOENT;
        struct smack_rule *srp;
 
        list_for_each_entry_rcu(srp, rule_list, list) {
                if (srp->smk_object->smk_known == object_label &&
                    srp->smk_subject->smk_known == subject_label) {
-                       may = srp->smk_access;
-                       break;
+                       int may = srp->smk_access;
+                       /*
+                        * MAY_WRITE implies MAY_LOCK.
+                        */
+                       if ((may & MAY_WRITE) == MAY_WRITE)
+                               may |= MAY_LOCK;
+                       return may;
                }
        }
 
-       /*
-        * MAY_WRITE implies MAY_LOCK.
-        */
-       if ((may & MAY_WRITE) == MAY_WRITE)
-               may |= MAY_LOCK;
-       return may;
+       return -ENOENT;
 }
 
 /**