[PATCH 5/5] smack: fix bug: invalid label of unix socket file
Konstantin Andreev
andreev at swemel.ru
Mon Jun 16 11:46:18 UTC 2025
Roberto Sassu, 16 Jun 2025 11:05:11 +0200:
> On Mon, 2025-06-16 at 04:07 +0300, Konstantin Andreev wrote:
>> According to [1], the label of a UNIX domain socket (UDS)
>>
>> [irrelevant portion of the message deleted]
>>
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index fb23254c8a54..1b41ae053966 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -1021,6 +1021,16 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
>> bool trans_cred;
>> bool trans_rule;
>>
>> + /*
>> + * UNIX domain sockets use lower level socket data. Let
>> + * UDS inode have fixed * label to keep smack_inode_permission() calm
>> + * when called from unix_find_bsd()
>> + */
>> + if (S_ISSOCK(inode->i_mode)) {
>> + /* forced label, no need to save to xattrs */
>> + issp->smk_inode = &smack_known_star;
>> + goto instant_inode;
>
> Maybe you could also set SMK_INODE_INSTANT here and just return.
Certainly.
But I personally avoid duplication even of small cleanups
and avoid multiple returns at the price of few gotos.
A matter of style. Either way is fine for me.
Let Casey decide.
Konstantin
[the rest of the message deleted]
More information about the Linux-security-module-archive
mailing list