[PATCH 00/19] smack: clean up xattr handling
Konstantin Andreev
andreev at swemel.ru
Thu Jul 24 13:09:33 UTC 2025

A set of minor bug fixes and optimizations in Smack xattr handling.
Logically independent, but with code dependencies.

The patch set applies on top of:
https://github.com/cschaufler/smack-next/commits/next
commit 6ddd169d0288

Konstantin Andreev (19):
  smack: fix bug: changing Smack xattrs requires cap_sys_admin
  smack: fix bug: changing Smack xattrs requires cap_mac_override
  smack: fix bug: setting label-containing xattrs silently ignores input garbage
  smack: stop polling other LSMs & VFS to getxattr() unsupported SMACK64IPIN/OUT
  smack: restrict getxattr() SMACK64TRANSMUTE to directories
  smack: fix bug: getxattr() returns invalid SMACK64EXEC/MMAP
  smack: deduplicate task label validation
  smack: smack_inode_setsecurity: prevent setting SMACK64EXEC/MMAP in other LSMs
  smack: smack_inode_setsecurity: prevent setting SMACK64IPIN/OUT in other LSMs
  smack: fix bug: smack_inode_setsecurity() imports alien xattrs as labels
  smack: fix bug: smack_inode_setsecurity() false EINVAL for alien xattrs
  smack: restrict setxattr() SMACK64IPIN/IPOUT to sockets
  smack: restrict setxattr() SMACK64EXEC/MMAP to regular files
  smack: return EOPNOTSUPP for setxattr() unsupported SMACK64(TRANSMUTE)
  smack: smack_inode_setsecurity(): skip checks for SMACK64TRANSMUTE
  smack: smack_inode_notifysecctx(): reject invalid labels
  smack: smack_inode_post_setxattr(): find label instead of import
  smack: smack_inode_setsecurity(): find label instead of import
  smack: deduplicate strcmp(name, XATTR_{,NAME_}SMACK*)

 Documentation/admin-guide/LSM/Smack.rst |   3 +-
 security/smack/smack.h                  |   2 +
 security/smack/smack_access.c           |  22 +-
 security/smack/smack_lsm.c              | 492 +++++++++++++++---------
 4 files changed, 324 insertions(+), 195 deletions(-)

--
2.43.0