[PATCH 0/5] smack: fix bugs: invalid unix socket label, invalid transmute attr
Casey Schaufler
casey at schaufler-ca.com
Mon Jun 23 17:09:55 UTC 2025
On 6/15/2025 6:07 PM, Konstantin Andreev wrote:
> Formerly, Smack inode security was initialized
> by smack_d_instantiate() for all inodes,
> except ones under /proc
I have taken this patch set into smack-next.
>
> Commit [1] imposed the sole responsibility for
> initializing inode security for newly created
> filesystem objects on smack_inode_init_security().
>
> However, smack_inode_init_security() lacks some logic
> present in smack_d_instantiate().
>
> This patch series fixes 2 particular omissions
> I faced directly:
>
> 1) special handling of unix socket files (5th patch)
> 2) S_ISDIR check for "transmute" xattr (2nd patch)
>
> I did not check for other omissions,
> but there may be some.
>
> Patches 1, 3 and 4 are necessary optimizations
> in smack_inode_init_security() made along the way.
>
> I structured the changes this way to make the review
> process easier.
>
> The patch set applies on top of:
> https://github.com/cschaufler/smack-next/commits/next
> commit 4b59f4fd0a36
>
> [1] 2023-11-16 roberto.sassu
> commit e63d86b8b764 ("smack: Initialize the in-memory inode in smack_inode_init_security()")
> Link: https://lore.kernel.org/linux-security-module/20231116090125.187209-5-roberto.sassu@huaweicloud.com/
>
> Konstantin Andreev (5):
> smack: deduplicate "does access rule request transmutation"
> smack: fix bug: SMACK64TRANSMUTE set on non-directory
> smack: deduplicate xattr setting in smack_inode_init_security()
> smack: always "instantiate" inode in smack_inode_init_security()
> smack: fix bug: invalid label of unix socket file
>
> Documentation/admin-guide/LSM/Smack.rst | 5 +
> security/smack/smack_lsm.c | 159 +++++++++++++++---------
> 2 files changed, 107 insertions(+), 57 deletions(-)
>