[PATCH] selinux,smack: remove the capability checks in the removexattr hooks

Paul Moore paul at paul-moore.com
Wed Jul 3 21:14:24 UTC 2024


On Wed, Jul 3, 2024 at 5:11 PM Paul Moore <paul at paul-moore.com> wrote:
>
> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> moved the responsibility of doing the inode xattr capability checking
> out of the individual LSMs and into the LSM framework itself.
> Unfortunately, while the original commit added the capability checks
> to both the setxattr and removexattr code in the LSM framework, it
> only removed the setxattr capability checks from the individual LSMs,
> leaving duplicated removexattr capability checks in both the SELinux
> and Smack code.
>
> This patch removes the duplicated code from SELinux and Smack.
>
> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  security/selinux/hooks.c   | 10 ++--------
>  security/smack/smack_lsm.c |  3 +--
>  2 files changed, 3 insertions(+), 10 deletions(-)

FYI, this is still untested as my test kernel is compiling now, but I
wanted to get this out onto the list before the holiday in the US for
folks (/me looks at Casey for the Smack bits) to look at and
potentially review.

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list