[PATCH] selinux,smack: remove the capability checks in the removexattr hooks

Casey Schaufler casey at schaufler-ca.com
Wed Jul 3 21:55:25 UTC 2024


On 7/3/2024 2:14 PM, Paul Moore wrote:
> On Wed, Jul 3, 2024 at 5:11 PM Paul Moore <paul at paul-moore.com> wrote:
>> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
>> moved the responsibility of doing the inode xattr capability checking
>> out of the individual LSMs and into the LSM framework itself.
>> Unfortunately, while the original commit added the capability checks
>> to both the setxattr and removexattr code in the LSM framework, it
>> only removed the setxattr capability checks from the individual LSMs,
>> leaving duplicated removexattr capability checks in both the SELinux
>> and Smack code.
>>
>> This patch removes the duplicated code from SELinux and Smack.
>>
>> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
>> Signed-off-by: Paul Moore <paul at paul-moore.com>
>> ---
>>  security/selinux/hooks.c   | 10 ++--------
>>  security/smack/smack_lsm.c |  3 +--
>>  2 files changed, 3 insertions(+), 10 deletions(-)
> FYI, this is still untested as my test kernel is compiling now, but I
> wanted to get this out onto the list before the holiday in the US for
> folks (/me looks at Casey for the Smack bits)

Let me know how your test goes, and then I'll have a closer look.

> to look at and
> potentially review.
>
