[PATCH] selinux,smack: remove the capability checks in the removexattr hooks
Paul Moore
paul at paul-moore.com
Wed Jul 3 21:14:24 UTC 2024
On Wed, Jul 3, 2024 at 5:11 PM Paul Moore <paul at paul-moore.com> wrote:
>
> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> moved the responsibility of doing the inode xattr capability checking
> out of the individual LSMs and into the LSM framework itself.
> Unfortunately, while the original commit added the capability checks
> to both the setxattr and removexattr code in the LSM framework, it
> only removed the setxattr capability checks from the individual LSMs,
> leaving duplicated removexattr capability checks in both the SELinux
> and Smack code.
>
> This patch removes the duplicated code from SELinux and Smack.
>
> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> security/selinux/hooks.c | 10 ++--------
> security/smack/smack_lsm.c | 3 +--
> 2 files changed, 3 insertions(+), 10 deletions(-)

FYI, this is still untested as my test kernel is compiling now, but I
wanted to get this out onto the list before the holiday in the US for
folks (/me looks at Casey for the Smack bits) to look at and
potentially review.
--
paul-moore.com