[PATCH 10/19] smack: fix bug: smack_inode_setsecurity() imports alien xattrs as labels
Konstantin Andreev
andreev at swemel.ru
Thu Jul 24 13:09:43 UTC 2025
Currently, smack_inode_setsecurity() calls smk_import_entry()
to import the xattr value as a label before checking whether
the xattr is actually a Smack xattr.
For example, attempting to set security.foo=bar on a socket
fails as expected, but the value 'bar' is still imported
into Smack as a label.
This change ensures that the xattr is recognized
as a Smack xattr before importing its value.
2008-02-04 Casey Schaufler
Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
security/smack/smack_lsm.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7108696083d8..6f74be82ae45 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2991,6 +2991,14 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
return 0;
}
+ if (!(strcmp(name, XATTR_SMACK_SUFFIX) == 0 ||
+ strcmp(name, XATTR_SMACK_EXEC) == 0 ||
+ strcmp(name, XATTR_SMACK_MMAP) == 0 ||
+ strcmp(name, XATTR_SMACK_IPIN) == 0 ||
+ strcmp(name, XATTR_SMACK_IPOUT) == 0
+ ))
+ return -EOPNOTSUPP;
+
skp = smk_import_entry(value, size);
if (IS_ERR(skp))
return PTR_ERR(skp);
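Review bot: The five-way strcmp() allow-list added ahead of smk_import_entry() is open-coded, and the names it admits (XATTR_SMACK_SUFFIX, XATTR_SMACK_EXEC, XATTR_SMACK_MMAP, XATTR_SMACK_IPIN, XATTR_SMACK_IPOUT) have to stay in step with the per-name branches further down the function. A Smack xattr added later and missed here would be rejected with -EOPNOTSUPP before any of those branches runs. Consider moving the test into a small static helper with a comment saying which names it must cover; that also avoids the closing "))" on a line of its own. It would help to state in the commit message that an unrecognised name with a malformed value now returns -EOPNOTSUPP, where it previously could return the PTR_ERR() from the import.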
@@ -3004,10 +3012,6 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (strcmp(name, XATTR_SMACK_EXEC) == 0 ||
strcmp(name, XATTR_SMACK_MMAP) == 0)
return -ENODATA;
-
- if (!(strcmp(name, XATTR_SMACK_IPIN) == 0 ||
- strcmp(name, XATTR_SMACK_IPOUT) == 0))
- return -EOPNOTSUPP;
/*
* The rest of the Smack xattrs are only on sockets.
*/
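Review bot: The XATTR_SMACK_EXEC / XATTR_SMACK_MMAP test kept as context at the top of this hunk still returns -ENODATA at a point after the smk_import_entry() call shown in the first hunk, so as far as the visible lines show, a value is still imported as a label on that path for a call that then fails. If that is intended because these are genuine Smack xattrs, a sentence in the commit message would help; otherwise this test could move above the import together with the new name check. With the IPIN/IPOUT test removed, the comment "The rest of the Smack xattrs are only on sockets." now directly follows the -ENODATA return, so please check that it still describes the code below it.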
--
2.43.0