[PATCH 05/19] smack: restrict getxattr() SMACK64TRANSMUTE to directories

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:38 UTC 2025


Since [1], every filesystem object in the system
has a security.SMACK64TRANSMUTE xattr attached:
regular files, FIFOs, sockets, device nodes, and directories.

  # getfattr -n security.SMACK64TRANSMUTE /etc/passwd
  security.SMACK64TRANSMUTE=""
  # getfattr -n security.SMACK64TRANSMUTE /run/initctl
  security.SMACK64TRANSMUTE=""
  # getfattr -n security.SMACK64TRANSMUTE /run/udev/control
  security.SMACK64TRANSMUTE=""
  # getfattr -n security.SMACK64TRANSMUTE /dev/null
  security.SMACK64TRANSMUTE=""
  # getfattr -n security.SMACK64TRANSMUTE /etc
  security.SMACK64TRANSMUTE=""

Most of these values are blank (""), because the xattr
is not set for most directories, and is irrelevant for
anything else. Additionally,
blank is not a valid value for SMACK64TRANSMUTE.

Having an irrelevant xattr with an invalid value
on every filesystem object seems odd.

It is more appropriate to return -ENODATA
(no such attribute) for SMACK64TRANSMUTE,
if it is not set or irrelevant,
like for any other non-existent attribute.

[1] 2023-05-08 roberto.sassu
commit 3a3d8fce31a4 ("smack: Retrieve transmuting information in
                      smack_inode_getsecurity()")
Link: https://lore.kernel.org/linux-security-module/20230508170234.3595105-1-roberto.sassu@huaweicloud.com/

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7bd47baac481..7a27c554ac56 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1661,7 +1661,7 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap,
 		if (ispp->smk_flags & SMK_INODE_TRANSMUTE)
 			label = TRANS_TRUE;
 		else
-			label = "";
+			return -ENODATA;
 	} else if (strcmp(name, XATTR_SMACK_IPIN) == 0 ||
 		   strcmp(name, XATTR_SMACK_IPOUT) == 0) {
 		/*
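Review bot: the subject line says "restrict ... to directories", but the visible hunk only tests `ispp->smk_flags & SMK_INODE_TRANSMUTE`; no `S_ISDIR()` check appears in these lines, so the restriction to directories holds only as far as that flag is never set on non-directory inodes. Either state that invariant in the commit message or add an explicit `S_ISDIR(inode->i_mode)` guard so the code matches the subject. Separately, this changes userspace-visible getxattr() behaviour: the commit message's own getfattr examples show `security.SMACK64TRANSMUTE=""` today, and after this change the same calls fail with ENODATA, which xattr-preserving copy and backup tools will now see; worth a sentence in the message so the behaviour change is deliberate and documented.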
-- 
2.43.0
