[PATCH 12/19] smack: restrict setxattr() SMACK64IPIN/IPOUT to sockets
Konstantin Andreev
andreev at swemel.ru
Thu Jul 24 13:09:45 UTC 2025
The SMACK64IPIN and SMACK64IPOUT xattrs apply
only to sockets. However, smack_inode_setxattr()
currently allows setting them on any filesystem
object, including regular files, FIFOs, and others.
These xattrs are even written to disk by the
underlying filesystem. E.g. you can
    # setfattr -n security.SMACK64IPIN -v foo /etc/passwd
    # # no error
and have SMACK64IPIN on disk.
This change restricts setting SMACK64IPIN/IPOUT
in smack_inode_setxattr() to socket inodes only.
Given that, the corresponding check in
smack_inode_setsecurity() may be omitted,
as it is called after smack_inode_setxattr()
for SMACK64IPIN/IPOUT:
    fs/xattr.c:
    ...
    ` __vfs_setxattr_locked
       ` security_inode_setxattr
       ` __vfs_setxattr_noperm
          ` security_inode_setsecurity
Additionally, with this change the error code returned by setxattr()
for unsupported SMACK64IPIN/OUT xattrs
changes from -ENODATA [1]:
    # setfattr -n security.SMACK64IPIN -v foo /sys/kernel/debug/sleep_time
    setfattr: /sys/kernel/debug/sleep_time: No such attribute
back to -EOPNOTSUPP:
    # setfattr -n security.SMACK64IPIN -v foo /sys/kernel/debug/sleep_time
    setfattr: /sys/kernel/debug/sleep_time: Operation not supported
[1] 2025-07 andreev
commit ("smack: smack_inode_setsecurity:
prevent setting SMACK64IPIN/OUT in other LSMs")
Link: https://lore.kernel.org/linux-security-module/a0d039a407a8164a2025847f5b00fd5f3c2e5def.1753356770.git.andreev@swemel.ru/
Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
Documentation/admin-guide/LSM/Smack.rst | 3 ++-
security/smack/smack_lsm.c | 16 +++++++++-------
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/Documentation/admin-guide/LSM/Smack.rst b/Documentation/admin-guide/LSM/Smack.rst
index c5ed775f2d10..ce8be25333a7 100644
--- a/Documentation/admin-guide/LSM/Smack.rst
+++ b/Documentation/admin-guide/LSM/Smack.rst
@@ -693,7 +693,8 @@ can only be set by privileged tasks, but any task can read them for their own
sockets.
SMACK64IPIN:
- The Smack label of the task object. A privileged
+ The Smack label of incoming packets must have write access to the
+ Smack label, specified in the SMACK64IPIN attribute. A privileged
program that will enforce policy may set this to the star label.
SMACK64IPOUT:
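Review bot: the replacement SMACK64IPIN text has a comma before "specified" that makes the clause read as parenthetical, so the sentence is hard to parse; "must have write access to the Smack label specified in the SMACK64IPIN attribute" reads cleanly. Since the code part of this patch makes setting the attribute on anything other than a socket fail with -EOPNOTSUPP, this paragraph would also be the natural place to state that restriction and the error userspace will see.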
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 672be8b47821..a66fa2c16dc2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1415,7 +1415,14 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap,
return -EINVAL;
} else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
- ;
+ /*
+ * inode of socket file descriptor (sockfs inode) only
+ */
+ if (inode->i_sb->s_magic != SOCKFS_MAGIC)
+ return -EOPNOTSUPP;
+
+ if (SOCKET_I(inode)->sk == NULL)
+ return -EOPNOTSUPP;
} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
task_label = true;
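Review bot: in the new SMACK64IPIN/IPOUT branch the two tests return the same -EOPNOTSUPP and could be a single condition, which also makes it explicit that SOCKET_I(inode) is only evaluated once the SOCKFS_MAGIC test has passed. The hunk context does not show where inode is assigned in this function, so it is worth confirming it is the inode backing the dentry being modified. The three-line comment fits on one line and could say what the sk == NULL case means for the caller.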
@@ -3015,14 +3022,9 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
return -ENODATA;
/*
* The rest of the Smack xattrs are only on sockets.
+ * smack_inode_setxattr() has checked that inode is sockfs
*/
- if (inode->i_sb->s_magic != SOCKFS_MAGIC)
- return -ENODATA;
-
sock = SOCKET_I(inode);
- if (sock->sk == NULL)
- return -ENODATA;
-
ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
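Review bot: with both checks removed, sock->sk goes straight into smack_sock() unchecked, so smack_inode_setsecurity() now depends on smack_inode_setxattr() having run first on the same inode and on sock->sk not being cleared between the two hooks. The added comment line covers only the sockfs test; it should also mention the sk != NULL guarantee and name what keeps it valid at this point, or the cheap sk == NULL test could stay as a defensive check. It is also worth confirming that no caller reaches this function with the IPIN/IPOUT names without passing through security_inode_setxattr(), since the commit message documents only the fs/xattr.c path.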
--
2.43.0