[PATCH 01/19] smack: fix bug: changing Smack xattrs requires cap_sys_admin

Konstantin Andreev andreev at swemel.ru
Thu Jul 24 13:09:34 UTC 2025


[1] introduced a new LSM hook, inode_xattr_skipcap.
This hook is intended to identify security xattrs
for which the LSM takes responsibility for access control.

However, the Smack implementation, smack_inode_xattr_skipcap(),
has never worked as intended. It mistakenly does not recognize
the security.SMACK64* xattrs it owns.

As a result, Smack does not inform the common security layer
(security/security.c) that Smack is responsible for
security.SMACK64* xattrs. Consequently, the generic access
control functions (cap_inode_removexattr, cap_inode_setxattr)
are invoked, and they require cap_sys_admin to be effective.

This change corrects smack_inode_xattr_skipcap(),
allowing Smack xattrs to skip cap_inode_*xattr() calls.

[1] 2024-05-02, Paul Moore
Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
Link: https://lore.kernel.org/linux-security-module/20240503005850.466144-2-paul@paul-moore.com/

Signed-off-by: Konstantin Andreev <andreev at swemel.ru>
---
 security/smack/smack_lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index adf1c542d213..42fdac05d32d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1312,7 +1312,7 @@ static int smack_inode_getattr(const struct path *path)
  */
 static int smack_inode_xattr_skipcap(const char *name)
 {
-	if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX)))
+	if (strncmp(name, XATTR_NAME_SMACK, sizeof(XATTR_NAME_SMACK) - 1))
 		return 0;
 
 	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
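Review bot: the `sizeof(XATTR_NAME_SMACK) - 1` prefix length on the replaced line only works while XATTR_NAME_SMACK expands to a string literal; if it ever became a pointer or an array passed through a function, the expression silently yields the wrong length, whereas the `strlen()` form used by the removed line is robust to either. Unless the size must be a compile-time constant, keeping `strlen(XATTR_NAME_SMACK)` here reads more consistently with the line it replaces and with the surrounding code. The substance of the fix is right: the old `strncmp(name, XATTR_SMACK_SUFFIX, ...)` compared the bare suffix against a name that begins with the `security.` prefix, so the early `return 0` always fired and the exact-name `strcmp` checks that follow were never reached; comparing against the full XATTR_NAME_SMACK prefix lets those checks run, so only the listed security.SMACK64* names skip the capability check and any other name with that prefix still falls through. It would help reviewers to mention in the commit message that the kernel's xattr UAPI header defines XATTR_NAME_SMACK as the concatenation of the security prefix and the suffix, since that is the fact the `sizeof` form depends on.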
-- 
2.43.0