[PATCH] selinux,smack: remove the capability checks in the removexattr hooks
Casey Schaufler
casey at schaufler-ca.com
Wed Jul 3 21:55:25 UTC 2024
On 7/3/2024 2:14 PM, Paul Moore wrote:
> On Wed, Jul 3, 2024 at 5:11 PM Paul Moore <paul at paul-moore.com> wrote:
>> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
>> moved the responsibility of doing the inode xattr capability checking
>> out of the individual LSMs and into the LSM framework itself.
>> Unfortunately, while the original commit added the capability checks
>> to both the setxattr and removexattr code in the LSM framework, it
>> only removed the setxattr capability checks from the individual LSMs,
>> leaving duplicated removexattr capability checks in both the SELinux
>> and Smack code.
>>
>> This patch removes the duplicated code from SELinux and Smack.
>>
>> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
>> Signed-off-by: Paul Moore <paul at paul-moore.com>
>> ---
>> security/selinux/hooks.c | 10 ++--------
>> security/smack/smack_lsm.c | 3 +--
>> 2 files changed, 3 insertions(+), 10 deletions(-)
> FYI, this is still untested as my test kernel is compiling now, but I
> wanted to get this out onto the list before the holiday in the US for
> folks (/me looks at Casey for the Smack bits)
Let me know how your test goes, and then I'll have a closer look.
> to look at and
> potentially review.
>
More information about the Linux-security-module-archive
mailing list