On Wed, Jul 3, 2024 at 5:55 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 7/3/2024 2:14 PM, Paul Moore wrote:
> > On Wed, Jul 3, 2024 at 5:11 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> >> moved the responsibility of doing the inode xattr capability checking
> >> out of the individual LSMs and into the LSM framework itself.
> >> Unfortunately, while the original commit added the capability checks
> >> to both the setxattr and removexattr code in the LSM framework, it
> >> only removed the setxattr capability checks from the individual LSMs,
> >> leaving duplicated removexattr capability checks in both the SELinux
> >> and Smack code.
> >>
> >> This patch removes the duplicated code from SELinux and Smack.
> >>
> >> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> >> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> >> ---
> >> security/selinux/hooks.c | 10 ++--------
> >> security/smack/smack_lsm.c | 3 +--
> >> 2 files changed, 3 insertions(+), 10 deletions(-)
> > FYI, this is still untested as my test kernel is compiling now, but I
> > wanted to get this out onto the list before the holiday in the US for
> > folks (/me looks at Casey for the Smack bits)
>
> Let me know how your test goes, and then I'll have a closer look.

It looks good - my SELinux test system booted up, appears to be running
normally, and all of the selinux-testsuite tests pass.

--
paul-moore.com