[PATCH 04/19] smack: stop polling other LSMs & VFS to getxattr() unsupported SMACK64IPIN/OUT

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:37 UTC 2025


smack_inode_getsecurity() returns -EOPNOTSUPP
for the SMACK64IPIN and SMACK64IPOUT xattrs
if the inode is not a socket.

Since [1], the -EOPNOTSUPP return value
from the inode_getsecurity LSM hook
has been interpreted by security_inode_getsecurity()
as a signal to "continue polling other LSMs".

As a result, security_inode_getsecurity() queries
other LSMs for these Smack xattrs.

Furthermore, the VFS layer is also aware of the convention
and attempts to read SMACK64IPIN and SMACK64IPOUT from disk
via __vfs_getxattr() if all LSMs return -EOPNOTSUPP.

Looking for Smack property in these places is incorrect,
as Smack does own these xattrs - even if
they are irrelevant for a particular inode.

Returning -ENODATA (no such attribute) instead of
-EOPNOTSUPP is more appropriate, as it stops further
fallback to other LSMs and the filesystem.

This appears safe, since __vfs_getxattr() also returns
-ENODATA when the attribute does not exist.

[1] 2016-05-31 Casey Schaufler
commit 2885c1e3e0c2 ("LSM: Fix for security_inode_getsecurity
                      and -EOPNOTSUPP")
Link: https://lore.kernel.org/lkml/d8a4d26e-46c8-975d-d075-a3848130981c@schaufler-ca.com/

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4ef6355c84c0..7bd47baac481 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1649,10 +1649,6 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap,
 				   struct inode *inode, const char *name,
 				   void **buffer, bool alloc)
 {
-	struct socket_smack *ssp;
-	struct socket *sock;
-	struct super_block *sbp;
-	struct inode *ip = inode;
 	struct smack_known *isp;
 	struct inode_smack *ispp;
 	size_t label_len;
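Review bot: the four locals dropped here (ssp, sock, sbp and the ip alias of inode) are replaced by block-scoped declarations inside the new else-if branch in the next hunk, so this hunk only makes sense together with that one; please confirm no other code in smack_inode_getsecurity() still references sbp or ip after the removal, since the hunk shows only the declaration lines and any remaining use would fail to compile.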
@@ -1666,27 +1662,29 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap,
 			label = TRANS_TRUE;
 		else
 			label = "";
-	} else {
+	} else if (strcmp(name, XATTR_SMACK_IPIN) == 0 ||
+		   strcmp(name, XATTR_SMACK_IPOUT) == 0) {
 		/*
-		 * The rest of the Smack xattrs are only on sockets.
+		 * These Smack xattrs are only on sockets.
 		 */
-		sbp = ip->i_sb;
-		if (sbp->s_magic != SOCKFS_MAGIC)
-			return -EOPNOTSUPP;
+		const struct socket_smack *ssp;
+		const struct sock *sk;
 
-		sock = SOCKET_I(ip);
-		if (sock == NULL || sock->sk == NULL)
-			return -EOPNOTSUPP;
+		if (inode->i_sb->s_magic != SOCKFS_MAGIC)
+			return -ENODATA;
 
-		ssp = smack_sock(sock->sk);
+		sk = SOCKET_I(inode)->sk;
+		if (sk == NULL)
+			return -ENODATA;
+
+		ssp = smack_sock(sk);
 
 		if (strcmp(name, XATTR_SMACK_IPIN) == 0)
 			isp = ssp->smk_in;
-		else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
-			isp = ssp->smk_out;
 		else
-			return -EOPNOTSUPP;
-	}
+			isp = ssp->smk_out;
+	} else
+		return -EOPNOTSUPP;
 
 	if (!label)
 		label = isp->smk_known;
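Review bot: the trailing "} else" / "return -EOPNOTSUPP;" at the end of the if/else-if chain is the only unbraced branch while every other branch of the same chain uses braces; kernel coding style asks for braces on all branches in that case, so this should read "} else {", "return -EOPNOTSUPP;", "}". The logic itself looks right: the name checks now come before the socket checks, so unknown xattr names still return -EOPNOTSUPP (unchanged from the old code) and only the two Smack-owned socket xattrs switch to -ENODATA on a non-socket inode or on a NULL sk, which matches the commit message. Dropping the old "sock == NULL" test is fine since SOCKET_I() is a container_of and cannot yield NULL; a short comment above the "if (sk == NULL)" line saying so would save the next reader the question. The new block-scoped declarations sit after the comment but still at the top of the block, which is acceptable, though placing the comment after the declarations would be the more common kernel layout.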
-- 
2.43.0