From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>
Subject: [PATCH] selinux,smack: remove the capability checks in the removexattr hooks
Date: Wed, 3 Jul 2024 17:11:35 -0400
Message-ID: <20240703211134.349950-2-paul@paul-moore.com>
Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
moved the responsibility of doing the inode xattr capability checking
out of the individual LSMs and into the LSM framework itself.
Unfortunately, while the original commit added the capability checks
to both the setxattr and removexattr code in the LSM framework, it
only removed the setxattr capability checks from the individual LSMs,
leaving duplicated removexattr capability checks in both the SELinux
and Smack code.
This patch removes the duplicated code from SELinux and Smack.
Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/selinux/hooks.c | 10 ++--------
security/smack/smack_lsm.c | 3 +--
2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2daa0961b7f1..c41bf07d4b06 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3356,15 +3356,9 @@ static int selinux_inode_listxattr(struct dentry *dentry)
static int selinux_inode_removexattr(struct mnt_idmap *idmap,
struct dentry *dentry, const char *name)
{
- if (strcmp(name, XATTR_NAME_SELINUX)) {
- int rc = cap_inode_removexattr(idmap, dentry, name);
- if (rc)
- return rc;
-
- /* Not an attribute we recognize, so just check the
- ordinary setattr permission. */
+ /* if not a selinux xattr, only check the ordinary setattr perm */
+ if (strcmp(name, XATTR_NAME_SELINUX))
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
- }
if (!selinux_initialized())
return 0;
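Review bot: dropping the cap_inode_removexattr() call here means this hook no longer performs any capability check for non-SELinux xattr names (the `trusted.*` / `security.*` namespaces included), so the change is only safe if security_inode_removexattr() in the LSM framework already performs that check before invoking the per-LSM hooks, as the commit message states for 61df7b828204; that ordering is not visible in this hunk and is worth confirming in the same series. A minor style point: the new comment on the `+ /* if not a selinux xattr ... */` line abbreviates "permission" to "perm" where the replaced comment spelled it out, and the file otherwise uses full words in comments.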
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a19a94f27766..9f8a8ffb5dde 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1461,8 +1461,7 @@ static int smack_inode_removexattr(struct mnt_idmap *idmap,
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
if (!smack_privileged(CAP_MAC_ADMIN))
rc = -EPERM;
- } else
- rc = cap_inode_removexattr(idmap, dentry, name);
+ }
if (rc != 0)
return rc;
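Review bot: with the `else` branch removed, `rc` is only assigned on the Smack-xattr path, and the following `if (rc != 0) return rc;` now relies on `rc` having been initialised to 0 earlier in smack_inode_removexattr(); that initialisation lies outside this hunk's context, so please confirm it is present (a declaration such as `int rc = 0;`), otherwise an uninitialised value could be returned for non-Smack names. As with the SELinux hunk, the removed cap_inode_removexattr() call must be covered by the framework-level check in security_inode_removexattr() for this to be a pure deduplication rather than a loss of the capability check.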
--
2.45.2