Re: [PATCH] selinux,smack: remove the capability checks in the removexattr hooks

On 7/3/2024 2:11 PM, Paul Moore wrote:
> Commit 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> moved the responsibility of doing the inode xattr capability checking
> out of the individual LSMs and into the LSM framework itself.
> Unfortunately, while the original commit added the capability checks
> to both the setxattr and removexattr code in the LSM framework, it
> only removed the setxattr capability checks from the individual LSMs,
> leaving duplicated removexattr capability checks in both the SELinux
> and Smack code.
>
> This patch removes the duplicated code from SELinux and Smack.
>
> Fixes: 61df7b828204 ("lsm: fixup the inode xattr capability handling")
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>

Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>

> ---
>  security/selinux/hooks.c   | 10 ++--------
>  security/smack/smack_lsm.c |  3 +--
>  2 files changed, 3 insertions(+), 10 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2daa0961b7f1..c41bf07d4b06 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3356,15 +3356,9 @@ static int selinux_inode_listxattr(struct dentry *dentry)
>  static int selinux_inode_removexattr(struct mnt_idmap *idmap,
>  				     struct dentry *dentry, const char *name)
>  {
> -	if (strcmp(name, XATTR_NAME_SELINUX)) {
> -		int rc = cap_inode_removexattr(idmap, dentry, name);
> -		if (rc)
> -			return rc;
> -
> -		/* Not an attribute we recognize, so just check the
> -		   ordinary setattr permission. */
> +	/* if not a selinux xattr, only check the ordinary setattr perm */
> +	if (strcmp(name, XATTR_NAME_SELINUX))
>  		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
> -	}
>  
>  	if (!selinux_initialized())
>  		return 0;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a19a94f27766..9f8a8ffb5dde 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1461,8 +1461,7 @@ static int smack_inode_removexattr(struct mnt_idmap *idmap,
>  	    strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
>  		if (!smack_privileged(CAP_MAC_ADMIN))
>  			rc = -EPERM;
> -	} else
> -		rc = cap_inode_removexattr(idmap, dentry, name);
> +	}
>  
>  	if (rc != 0)
>  		return rc;