[PATCH 18/19] smack: smack_inode_setsecurity(): find label instead of import
Konstantin Andreev
andreev at swemel.ru
Thu Jul 24 13:09:51 UTC 2025
smack_inode_setsecurity() is called
for label-containing xattrs either
after smack_inode_setxattr():
fs/xattr.c:
...
` __vfs_setxattr_locked
` security_inode_setxattr
` __vfs_setxattr_noperm
` security_inode_setsecurity
or
...
` smack_inode_notifysecctx
` smack_inode_setsecurity
In both cases - via security_inode_setxattr()
or smack_inode_notifysecctx() -
the label is imported in advance.
There is no need to validate and import
the input value again; looking it up is sufficient.
Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
security/smack/smack_lsm.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5d3d72162444..6c529de00584 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2996,17 +2996,16 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
))
return -EOPNOTSUPP;
- if (value == NULL || size > SMK_LONGLABEL || size == 0)
- return -EINVAL;
-
if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) {
nsp->smk_flags |= SMK_INODE_TRANSMUTE;
return 0;
}
- skp = smk_import_entry(value, size);
- if (IS_ERR(skp))
- return PTR_ERR(skp);
+ if (strcmp(name, XATTR_SMACK_EXEC) == 0 ||
+ strcmp(name, XATTR_SMACK_MMAP) == 0)
+ return -ENODATA;
+
+ skp = smk_find_label(value, size);
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
nsp->smk_inode = skp;
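Review bot: the pointer returned by smk_find_label(value, size) is assigned to nsp->smk_inode with no check, whereas the removed smk_import_entry() call was followed by IS_ERR(skp), and the removed guard rejected value == NULL, size == 0 and size > SMK_LONGLABEL. The function now depends entirely on both callers having imported the label beforehand. If that precondition ever stops holding (a new caller, or a lookup miss), whatever smk_find_label() returns on a miss is stored in nsp->smk_inode. Consider failing explicitly when the lookup does not yield a valid entry, for example with WARN_ON_ONCE() and an error return, and add a comment above the call stating the precondition. Also note that the XATTR_SMACK_TRANSMUTE branch now accepts a NULL or empty value, which the old guard rejected.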
@@ -3014,9 +3013,6 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
return 0;
}
- if (strcmp(name, XATTR_SMACK_EXEC) == 0 ||
- strcmp(name, XATTR_SMACK_MMAP) == 0)
- return -ENODATA;
/*
* The rest of the Smack xattrs are only on sockets.
* smack_inode_setxattr() has checked that inode is sockfs
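Review bot: the context comment that closes this hunk still says smack_inode_setxattr() has checked that the inode is sockfs, but the commit message names a second path, smack_inode_notifysecctx() -> smack_inode_setsecurity(), which does not pass through smack_inode_setxattr(). Since this change relies on caller-side validation instead of re-checking here, the comment should say what covers the notifysecctx path, or be reworded to name both callers.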
--
2.43.0