Normally a process needs CAP_SYS_ADMIN in the namespace that mounted a particular filesystem in order to set a security xattr. However, this restriction is relaxed for the security.selinux xattr: the file owner or a process with CAP_FOWNER in its namespace may set this attribute. Apply this relaxed restriction to the security.sehash xattr as well. Since this xattr is mainly a performance optimization when labeling files recursively it shouldn't have stricter requirements than setting the selinux xattr in the first place.
Signed-off-by: Chirantan Ekbote <chirantan@xxxxxxxxxxxx>
---
 include/uapi/linux/xattr.h | 3 +++
 security/selinux/hooks.c | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
index c1395b5bd432a..b700c8ffc3f1a 100644
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@@ -53,6 +53,9 @@
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
+#define XATTR_SEHASH_SUFFIX "sehash"
+#define XATTR_NAME_SEHASH XATTR_SECURITY_PREFIX XATTR_SEHASH_SUFFIX
+
 #define XATTR_SMACK_SUFFIX "SMACK64"
 #define XATTR_SMACK_IPIN "SMACK64IPIN"
 #define XATTR_SMACK_IPOUT "SMACK64IPOUT"
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4c037c2545c16..776df2ec85a82 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3121,9 +3121,10 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 struct superblock_security_struct *sbsec;
 struct common_audit_data ad;
 u32 newsid, sid = current_sid();
+ const bool is_sehash = !strcmp(name, XATTR_NAME_SEHASH);
 int rc = 0;
- if (strcmp(name, XATTR_NAME_SELINUX)) {
+ if (strcmp(name, XATTR_NAME_SELINUX) && !is_sehash) {
 rc = cap_inode_setxattr(dentry, name, value, size, flags);
 if (rc)
 return rc;
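Review bot: `XATTR_NAME_SEHASH` enters a UAPI header with no comment on what the attribute holds or who consumes it; the only explanation is in the commit message, which will not be visible to someone reading xattr.h. Since the hooks.c hunks store the value without examining it, a one-line comment above the two new defines would fix that: `/* Opaque value maintained by userspace recursive-relabel tools; the kernel stores it but does not interpret its contents. */`. The name is now ABI, so it is worth stating that the kernel attaches no meaning to the bytes before other tools start depending on a particular format.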
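Review bot: The new condition `strcmp(name, XATTR_NAME_SELINUX) && !is_sehash` relaxes only the set path: the diffstat lists no other hook in hooks.c, so `selinux_inode_removexattr` presumably still routes `security.sehash` through the generic capability check, leaving a file owner able to create the attribute but not to delete it without CAP_SYS_ADMIN. For an attribute the commit message describes as a relabeling cache, a tool that wants to invalidate it by removal would then fail where setting succeeded, so the matching `strcmp(name, XATTR_NAME_SEHASH)` exception should be mirrored in the removexattr hook, or the asymmetry documented next to `is_sehash`. A short why-comment on the declaration would also help, e.g. `/* security.sehash is owner-settable like security.selinux, so skip the CAP_SYS_ADMIN check in cap_inode_setxattr() */`. selinux_inode_setxattr continues outside this hunk.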
@@ -3143,6 +3144,10 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
 if (!inode_owner_or_capable(inode))
 return -EPERM;
+ /* No more checks needed for security.sehash. */
+ if (is_sehash)
+ return 0;
+
 ad.type = LSM_AUDIT_DATA_DENTRY;
 ad.u.dentry = dentry;
--
2.27.0.rc0.183.gde8f92d652-goog
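Review bot: The `return 0` for `is_sehash` leaves only the DAC owner/CAP_FOWNER test from the preceding line in force and skips everything after the `ad` setup below, which, going by the `sid` computed in the first hunk and the audit data being prepared here, is presumably the AVC relabel permission check, so a domain that policy denies from relabeling a file it owns can still write `security.sehash`. That is looser, not equal, to the `security.selinux` path the commit message takes as its baseline, and if a recursive relabel tool uses the attribute to skip subtrees it believes are already correct, an unprivileged owner could make a mislabeled tree look up to date. I would move the early return below the existing relabelfrom check (`if (is_sehash) return 0;` placed after that check's `if (rc) return rc;`) rather than before the audit setup, and reword the comment to `/* security.sehash: owner/CAP_FOWNER plus relabelfrom; the value itself is not parsed. */`. selinux_inode_setxattr continues outside this hunk.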