Re: Problem with setxattr on sockfs with Smack after 971df15bd54ad46e907046ff33750a137b2f0096

Message ID 1478115261-29669-1-git-send-email-agruenba@redhat.com
State New

Commit Message

Andreas Gruenbacher Nov. 2, 2016, 7:34 p.m. UTC
Casey,

does this patch help?

(The way security xattrs are handled by LSM is pretty ugly.  I'm not
convinced that it doesn't break something else, yet.)

Thanks,
Andreas
---
 fs/xattr.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Casey Schaufler Nov. 2, 2016, 8:09 p.m. UTC | #1
On 11/2/2016 12:34 PM, Andreas Gruenbacher wrote:
> Casey,
>
> does this patch help?

My tests pass with this patch applied.

>
> (The way security xattrs are handled by LSM is pretty ugly.

I'm open to suggestions.

>   I'm not
> convinced that it doesn't break something else, yet.)
>
> Thanks,
> Andreas
> ---
>  fs/xattr.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 3368659..bf09836 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -183,11 +183,13 @@ int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
>  			security_inode_post_setxattr(dentry, name, value,
>  						     size, flags);
>  		}
> -	} else if (issec) {
> -		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
> -
> +	} else {
>  		if (unlikely(is_bad_inode(inode)))
>  			return -EIO;
> +	}
> +	if (issec && error == -EOPNOTSUPP) {
> +		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
> +
>  		error = security_inode_setsecurity(inode, suffix, value,
>  						   size, flags);
>  		if (!error)
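
Review bot: The new test "if (issec && error == -EOPNOTSUPP)" keys the fallback to security_inode_setsecurity() on an error value that can arrive from two places: the else path, where nothing in this hunk assigns error, and the branch above it, if whatever sets error there leaves it at -EOPNOTSUPP. The first case relies on the initial value of error, which is outside the visible lines and should be confirmed. The second means a -EOPNOTSUPP produced in the upper branch for a security.* name can no longer be told apart from "nothing was tried" and is replaced by the LSM's result. If that is the intended fix, a short comment above the test should say so; otherwise mark the "not handled" case with a distinct value before testing for it.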


Patch

diff --git a/fs/xattr.c b/fs/xattr.c
index 3368659..bf09836 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -183,11 +183,13 @@  int __vfs_setxattr_noperm(struct dentry *dentry, const char *name,
 			security_inode_post_setxattr(dentry, name, value,
 						     size, flags);
 		}
-	} else if (issec) {
-		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
-
+	} else {
 		if (unlikely(is_bad_inode(inode)))
 			return -EIO;
+	}
+	if (issec && error == -EOPNOTSUPP) {
+		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
+
 		error = security_inode_setsecurity(inode, suffix, value,
 						   size, flags);
 		if (!error)
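
Review bot: The is_bad_inode() check in the rewritten "} else {" branch is no longer guarded by issec, so a non-security name on a bad inode now returns -EIO, where the old "} else if (issec) {" left error untouched on that path. That looks reasonable, but it is a behaviour change beyond the security xattr fallback and the commit message does not mention it. The message also carries no description of the failure being fixed and no Signed-off-by line; both should be added before this is applied.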