[PATCH 09/19] smack: smack_inode_setsecurity: prevent setting SMACK64IPIN/OUT in other LSMs

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:42 UTC 2025


smack_inode_setsecurity() equally returns -EOPNOTSUPP
whether the inode does not come from a socket (sockfs
inode) or the xattr is a security.NOT-SMACK-XATTR.

This made no difference until [1]. Since [1]
-EOPNOTSUPP is reserved by security_inode_setsecurity()
as a signal to "continue polling other LSMs".

When the xattr is SMACK64IPIN or SMACK64IPOUT and the inode
is not from a socket, then the return code is -EOPNOTSUPP,
and the security_inode_setsecurity() proceeds to query
other LSMs and attempts to store the xattr there.

Passing a Smack property to other LSMs is incorrect,
as Smack owns these xattrs.

This change returns -ENODATA if the inode does not come
from sockfs and the xattr is SMACK64IPIN/OUT.
This causes change from

  # setfattr -n security.SMACK64IPIN -v foo /sys/kernel/debug/sleep_time
  setfattr: /sys/kernel/debug/sleep_time: Operation not supported

to

  # setfattr -n security.SMACK64IPIN -v foo /sys/kernel/debug/sleep_time
  setfattr: /sys/kernel/debug/sleep_time: No such attribute

not ideal, but it makes sense and prevents fallback to other LSMs.

[1] 2016-05-31 Casey Schaufler
commit 2885c1e3e0c2 ("LSM: Fix for security_inode_getsecurity
                      and -EOPNOTSUPP")
Link: https://lore.kernel.org/lkml/d8a4d26e-46c8-975d-d075-a3848130981c@schaufler-ca.com/

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 00d4b5bf1056..7108696083d8 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3004,21 +3004,25 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 	if (strcmp(name, XATTR_SMACK_EXEC) == 0 ||
 	    strcmp(name, XATTR_SMACK_MMAP) == 0)
 		return -ENODATA;
+
+	if (!(strcmp(name, XATTR_SMACK_IPIN) == 0 ||
+	      strcmp(name, XATTR_SMACK_IPOUT) == 0))
+		return -EOPNOTSUPP;
 	/*
 	 * The rest of the Smack xattrs are only on sockets.
 	 */
 	if (inode->i_sb->s_magic != SOCKFS_MAGIC)
-		return -EOPNOTSUPP;
+		return -ENODATA;
 
 	sock = SOCKET_I(inode);
-	if (sock == NULL || sock->sk == NULL)
-		return -EOPNOTSUPP;
+	if (sock->sk == NULL)
+		return -ENODATA;
 
 	ssp = smack_sock(sock->sk);
 
 	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
 		ssp->smk_in = skp;
-	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
+	else {
 		ssp->smk_out = skp;
 		if (sock->sk->sk_family == PF_INET) {
 			rc = smack_netlbl_add(sock->sk);
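Review bot: the removal of the `sock == NULL` test (the `-	if (sock == NULL || sock->sk == NULL)` line) is a separate cleanup that the commit message does not mention; SOCKET_I() is a container_of() lookup and cannot yield NULL, so the drop is safe, but it deserves a sentence in the log so the behavioural change (-EOPNOTSUPP to -ENODATA) and the dead-check removal are not conflated. Two smaller points in the same hunk: the new early-return block `if (!(strcmp(name, XATTR_SMACK_IPIN) == 0 || ...)) return -EOPNOTSUPP;` runs straight into the `/* The rest of the Smack xattrs are only on sockets. */` comment with no blank line, and a short comment on the new block itself (that only the two socket xattrs are handled past this point, everything else is left to other LSMs) would make the -EOPNOTSUPP/-ENODATA split readable without the commit message. Note also that `sock->sk == NULL` on a sockfs inode now surfaces to userspace as "No such attribute" rather than "Operation not supported"; that matches the intent stated in the log (Smack owns these names, so polling must stop), so it is fine, but it is worth confirming that is the wanted message for a socket that has no sk yet.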
@@ -3027,8 +3031,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 					"Smack: \"%s\" netlbl error %d.\n",
 					__func__, -rc);
 		}
-	} else
-		return -EOPNOTSUPP;
+	}
 
 #ifdef SMACK_IPV6_PORT_LABELING
 	if (sock->sk->sk_family == PF_INET6)
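Review bot: dropping the trailing `} else return -EOPNOTSUPP;` is correct only because the name filter added at the top of the function now guarantees that `name` is XATTR_SMACK_IPIN or XATTR_SMACK_IPOUT before this point, and nothing in this tail of the function says so; consider adding a one-line comment on the bare `else {` branch (for example `/* XATTR_SMACK_IPOUT, checked above */`) so a later change to the name handling earlier in the function cannot silently turn this `else` into a catch-all that sets smk_out for an unrelated xattr. Unchanged but visible here: the netlbl failure from smack_netlbl_add() is still only logged and `rc` is not propagated, so a failed label install still reports success to the caller; that predates this patch but is worth a follow-up.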
-- 
2.43.0
