[PATCH 14/19] smack: return EOPNOTSUPP for setxattr() unsupported SMACK64(TRANSMUTE)

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:47 UTC 2025


The SMACK64TRANSMUTE is supported only for directories.

"The standard return value for unsupported attribute names is
 -EOPNOTSUPP, as opposed to undefined but supported attributes
 (-ENODATA)" [3]

Smack follows [4] the convention
for get/setxattr() SMACK64IPIN/IPOUT.

It is more appropriate to return -EOPNOTSUPP
instead of -EINVAL when attempting to set SMACK64TRANSMUTE
on a non-directory object.

A Unix domain socket (UDS) with a BSD address, and
the inode of a socket file descriptor (sockfs inode)
have a fixed (*) nominal SMACK64 label [2].

Likewise, it is more appropriate to return -EOPNOTSUPP
instead of -EINVAL when attempting to set
the SMACK64 xattr on either type of socket inode.

The commits being fixed [1,2] are recent enough
so this change should not break userspace.

[1] 2023-11-16 roberto.sassu
Fixes: 9c82169208dd ("smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr()")
Link: https://lore.kernel.org/linux-security-module/20231116090125.187209-2-roberto.sassu@huaweicloud.com/

[2] 2025-06-16 andreev
Fixes: 78fc6a94be25 ("smack: fix bug: invalid label of unix socket file")
Link: https://lore.kernel.org/linux-security-module/20250616010745.800386-6-andreev@swemel.ru/

[3] 2016-09-29 agruenba
commit 971df15bd54a ("sockfs: getxattr: Fail with -EOPNOTSUPP
                      for invalid attribute names")

[4] 2008-02-04 casey
commit e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6712fa047722..113371887b4d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1412,7 +1412,7 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
 		 * UDS inode have fixed label
 		 */
 		if (S_ISSOCK(i_mode))
-			return -EINVAL;
+			return -EOPNOTSUPP;
 	} else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
 		   strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
 		/*
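Review bot: the comment above the `S_ISSOCK(i_mode)` test still only says "UDS inode have fixed label", which does not explain why the branch now answers -EOPNOTSUPP rather than -EINVAL. Extend that comment with one line saying SMACK64 is treated as an unsupported attribute on socket inodes, so the errno is not later changed back by someone reading it as a value-validation failure. Because the errno is visible to userspace, it is also worth checking that any selftest or tool that matches EINVAL for setxattr() on a socket is updated in the same series.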
@@ -1429,8 +1429,9 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
 			return -EOPNOTSUPP;
 		task_label = true;
 	} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
-		if (!S_ISDIR(i_mode) ||
-		    size != TRANS_TRUE_SIZE ||
+		if (!S_ISDIR(i_mode))
+			return -EOPNOTSUPP;
+		if (size != TRANS_TRUE_SIZE ||
 		    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
 			return -EINVAL;
 		label_inside = false;
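Review bot: the new `if (!S_ISDIR(i_mode))` test in the SMACK64TRANSMUTE branch carries no comment, while the SMACK64 and SMACK64IPIN/IPOUT branches visible above each have one. Add a short comment stating that transmute is supported only on directories and that the inode-type check is deliberately done before the size and TRANS_TRUE validation, so a malformed value on a non-directory reports -EOPNOTSUPP and -EINVAL is reserved for a bad value on a directory. That ordering is the part a later cleanup is most likely to fold back into a single condition.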
-- 
2.43.0



