[PATCH 00/19] smack: clean up xattr handling

Casey Schaufler casey at schaufler-ca.com
Sat Jul 26 17:41:32 UTC 2025 

On 7/24/2025 6:09 AM, Konstantin Andreev wrote:
> A set of minor bug fixes and optimizations in Smack xattr handling.
> Logically independent, but with the code dependencies.

Please break this into two (or more) patch sets. The patches regarding
restrictions on getting and setting the file type specific attributes
should be presented independently of the xattr "fixes".

There appears to be a misunderstanding regarding "valid" Smack labels.
A Smack label is a text string. The intention is that a label is "valid"
if the system is exposed to it. For example,

	# echo Oatmeal > /proc/self/attr/smack/current

should introduce "Oatmeal" as a Smack label if is has never been used
before. After a reboot the system may find the label "Bacon" on a file,
and if the label isn't known it is imported. Similarly, if a CIPSO packet
includes a label that has not been seen in is added.

This policy is necessary in part because there is a valid use case for
a Smack label with no explicit access rules.

I tried out the combined set and encountered many unexpected failures.

>
> The patch set applies on top of:
> https://github.com/cschaufler/smack-next/commits/next
> commit 6ddd169d0288
>
> Konstantin Andreev (19):
>   smack: fix bug: changing Smack xattrs requires cap_sys_admin
>   smack: fix bug: changing Smack xattrs requires cap_mac_override
>   smack: fix bug: setting label-containing xattrs silently ignores input garbage
>   smack: stop polling other LSMs & VFS to getxattr() unsupported SMACK64IPIN/OUT
>   smack: restrict getxattr() SMACK64TRANSMUTE to directories
>   smack: fix bug: getxattr() returns invalid SMACK64EXEC/MMAP
>   smack: deduplicate task label validation
>   smack: smack_inode_setsecurity: prevent setting SMACK64EXEC/MMAP in other LSMs
>   smack: smack_inode_setsecurity: prevent setting SMACK64IPIN/OUT in other LSMs
>   smack: fix bug: smack_inode_setsecurity() imports alien xattrs as labels
>   smack: fix bug: smack_inode_setsecurity() false EINVAL for alien xattrs
>   smack: restrict setxattr() SMACK64IPIN/IPOUT to sockets
>   smack: restrict setxattr() SMACK64EXEC/MMAP to regular files
>   smack: return EOPNOTSUPP for setxattr() unsupported SMACK64(TRANSMUTE)
>   smack: smack_inode_setsecurity(): skip checks for SMACK64TRANSMUTE
>   smack: smack_inode_notifysecctx(): reject invalid labels
>   smack: smack_inode_post_setxattr(): find label instead of import
>   smack: smack_inode_setsecurity(): find label instead of import
>   smack: deduplicate strcmp(name, XATTR_{,NAME_}SMACK*)
>
>  Documentation/admin-guide/LSM/Smack.rst |   3 +-
>  security/smack/smack.h                  |   2 +
>  security/smack/smack_access.c           |  22 +-
>  security/smack/smack_lsm.c              | 492 +++++++++++++++---------
>  4 files changed, 324 insertions(+), 195 deletions(-)
>

More information about the Linux-security-module-archive mailing list