[PATCH 11/19] smack: fix bug: smack_inode_setsecurity() false EINVAL for alien xattrs

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:44 UTC 2025


Currently, smack_inode_setsecurity() checks
the validity of the xattr value before checking
whether the xattr is actually a Smack xattr.

This was correct when only one LSM
could be active in the system.
Since [1] this is no longer incorrect.

When Smack mistakenly EINVALidates a non-Smack xattr,
Smack may prevent owner LSM from seeing the xattr.

The change ensures that the xattr is recognized
as a Smack xattr before looking into the value.

[1] 2015-05-02 Casey Schaufler
Fixes: b1d9e6b0646d ("LSM: Switch to lists of hooks")

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6f74be82ae45..672be8b47821 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2979,6 +2979,15 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 	struct socket *sock;
 	int rc = 0;
 
+	if (!(strcmp(name, XATTR_SMACK_SUFFIX) == 0 ||
+	      strcmp(name, XATTR_SMACK_TRANSMUTE) == 0 ||
+	      strcmp(name, XATTR_SMACK_EXEC) == 0 ||
+	      strcmp(name, XATTR_SMACK_MMAP) == 0 ||
+	      strcmp(name, XATTR_SMACK_IPIN) == 0 ||
+	      strcmp(name, XATTR_SMACK_IPOUT) == 0
+	))
+		return -EOPNOTSUPP;
+
 	if (value == NULL || size > SMK_LONGLABEL || size == 0)
 		return -EINVAL;
 
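Review bot: the hoisted list adds XATTR_SMACK_TRANSMUTE, which was not in the list it replaces, and the commit message does not mention this; it is needed because the early `return -EOPNOTSUPP` now runs before the branch that ends in `return 0;` in the next hunk (where the transmute case is handled), so a sentence in the log stating that transmute is deliberately added to keep that path reachable would save a future reader from reading it as an unrelated change. It is also worth stating that the `value == NULL || size > SMK_LONGLABEL || size == 0` check still applies to every Smack name as before, so the only user-visible change is that non-Smack names now get -EOPNOTSUPP instead of -EINVAL.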
@@ -2991,14 +3000,6 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 		return 0;
 	}
 
-	if (!(strcmp(name, XATTR_SMACK_SUFFIX) == 0 ||
-	      strcmp(name, XATTR_SMACK_EXEC) == 0 ||
-	      strcmp(name, XATTR_SMACK_MMAP) == 0 ||
-	      strcmp(name, XATTR_SMACK_IPIN) == 0 ||
-	      strcmp(name, XATTR_SMACK_IPOUT) == 0
-	))
-		return -EOPNOTSUPP;
-
 	skp = smk_import_entry(value, size);
 	if (IS_ERR(skp))
 		return PTR_ERR(skp);
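Review bot: with the old list removed here, nothing between the block ending in `return 0;` and `smk_import_entry(value, size)` filters names any more, which is correct only because every name reaching this point has already passed the check at function entry; a one-line comment ahead of `skp = smk_import_entry(value, size);` saying that the name was validated at entry would make that invariant explicit and lower the chance of a later refactor reintroducing a value check ahead of the name check.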
-- 
2.43.0



