[PATCH 13/19] smack: restrict setxattr() SMACK64EXEC/MMAP to regular files
Konstantin Andreev
andreev at swemel.ru
Thu Jul 24 13:09:46 UTC 2025
The SMACK64EXEC and SMACK64MMAP xattrs apply
only to regular files. However, setxattr() currently
allows setting them on any filesystem object,
including FIFOs, device nodes, and others. E.g.
root# setfattr -n security.SMACK64EXEC -v foo /dev/null
root# getfattr -hn security.SMACK64EXEC /dev/null
# file: dev/null
security.SMACK64EXEC="foo"
This change restricts setting SMACK64EXEC and
SMACK64MMAP to regular files only.
Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
security/smack/smack_lsm.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a66fa2c16dc2..6712fa047722 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1425,6 +1425,8 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
return -EOPNOTSUPP;
} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
+ if (!S_ISREG(i_mode))
+ return -EOPNOTSUPP;
task_label = true;
} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
if (!S_ISDIR(i_mode) ||
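Review bot: The new `if (!S_ISREG(i_mode)) return -EOPNOTSUPP;` carries no comment, so the rationale from the commit message is lost at the one place a maintainer will read it; suggest `/* Exec and mmap labels are meaningful only for regular files */` above the check. The check is consistent with the neighbouring branches (`-EOPNOTSUPP` for an inapplicable object, as in the `return -EOPNOTSUPP;` at the top of the hunk and the `S_ISDIR(i_mode)` test for SMACK64TRANSMUTE), and `i_mode` appears to be a local derived earlier in the function, outside this hunk. Note that this only closes the setxattr() path; labels already present on an inode (set before this change or carried in on disk) are not removed here, so the `smack_d_instantiate` hunk further down is what actually stops such stale labels from being honoured. The enclosing `smack_inode_setxattr` starts and ends outside the hunk.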
@@ -3754,15 +3756,17 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
/*
* Don't let the exec or mmap label be "*" or "@".
*/
- skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
- if (IS_ERR(skp) || smk_task_invalid_label(skp))
- skp = NULL;
- isp->smk_task = skp;
+ if (S_ISREG(inode->i_mode)) {
+ skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
+ if (IS_ERR(skp) || smk_task_invalid_label(skp))
+ skp = NULL;
+ isp->smk_task = skp;
- skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
- if (IS_ERR(skp) || smk_task_invalid_label(skp))
- skp = NULL;
- isp->smk_mmap = skp;
+ skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
+ if (IS_ERR(skp) || smk_task_invalid_label(skp))
+ skp = NULL;
+ isp->smk_mmap = skp;
+ }
dput(dp);
break;
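Review bot: With the new `S_ISREG(inode->i_mode)` guard, `isp->smk_task` and `isp->smk_mmap` are no longer assigned at all for non-regular inodes, whereas before they were always set (to the fetched label or NULL); correctness now depends on the `inode_smack` blob being NULL-initialised at allocation, which this hunk cannot show. Either add an explicit `else { isp->smk_task = NULL; isp->smk_mmap = NULL; }` or, if the blob is known to be zeroed, say so. The existing comment above the block should also be updated to state the new restriction, e.g. `/* Exec and mmap labels apply only to regular files, and must never be "*" or "@". */`. The surrounding `switch` case and the enclosing `smack_d_instantiate` begin and end outside the hunk.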
--
2.43.0