[PATCH] selinux,smack: remove the capability checks in the removexattr hooks
Casey Schaufler
casey at schaufler-ca.com
Wed Jul 3 23:13:22 UTC 2024
On 7/3/2024 2:11 PM, Paul Moore wrote:
> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> moved the responsibility of doing the inode xattr capability checking
> out of the individual LSMs and into the LSM framework itself.
> Unfortunately, while the original commit added the capability checks
> to both the setxattr and removexattr code in the LSM framework, it
> only removed the setxattr capability checks from the individual LSMs,
> leaving duplicated removexattr capability checks in both the SELinux
> and Smack code.
>
> This patch removes the duplicated code from SELinux and Smack.
>
> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> Signed-off-by: Paul Moore <paul at paul-moore.com>
Acked-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> security/selinux/hooks.c | 10 ++--------
> security/smack/smack_lsm.c | 3 +--
> 2 files changed, 3 insertions(+), 10 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2daa0961b7f1..c41bf07d4b06 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3356,15 +3356,9 @@ static int selinux_inode_listxattr(struct dentry *dentry)
> static int selinux_inode_removexattr(struct mnt_idmap *idmap,
> struct dentry *dentry, const char *name)
> {
> - if (strcmp(name, XATTR_NAME_SELINUX)) {
> - int rc = cap_inode_removexattr(idmap, dentry, name);
> - if (rc)
> - return rc;
> -
> - /* Not an attribute we recognize, so just check the
> - ordinary setattr permission. */
> + /* if not a selinux xattr, only check the ordinary setattr perm */
> + if (strcmp(name, XATTR_NAME_SELINUX))
> return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
> - }
>
> if (!selinux_initialized())
> return 0;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a19a94f27766..9f8a8ffb5dde 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1461,8 +1461,7 @@ static int smack_inode_removexattr(struct mnt_idmap *idmap,
> strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
> if (!smack_privileged(CAP_MAC_ADMIN))
> rc = -EPERM;
> - } else
> - rc = cap_inode_removexattr(idmap, dentry, name);
> + }
>
> if (rc != 0)
> return rc;
More information about the Linux-security-module-archive
mailing list