Problem with setxattr on sockfs with Smack after 971df15bd54ad46e907046ff33750a137b2f0096

From: Casey Schaufler
Date: Mon Oct 31 2016 - 17:55:26 EST

Next message: Borislav Petkov: "Re: [PATCH v2 2/2] x86/AMD: Group cpu_llc_id assignment by topology feature and family"
Previous message: sonofagun: "Re: [PATCH] x86/AMD: Apply erratum 688 on machines without a BIOS fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Smack has always used extended attributes to identify
the security information used to make access control
decisions on packet delivery. The two attributes
security.SMACK64_IPIN and security.SMACK64_IPOUT
contain the label used for inbound and outbound
checks respectively. A process with CAP_MAC_ADMIN can
change these values using fsetxattr() to allow a
privileged service to communicate more openly than
is allowed under the strict Smack policy.

After the xattr rework the fsetxattr() call still
sets the Smack attribute correctly, because the
smack_inode_setxattr() hook is still getting called,
but it returns EOPNOTSUPP. I believe that this is
either a result of the attribute name being unknown
to sockfs (as mentioned in the commit message) or
one of the other changes made in the process of the
xattr rework. I haven't finished the bisect yet,
but I'm reasonably certain the issue arises here.

Should I add the Smack attributes to the list of
attributes sockfs acknowledges? Is there a better
approach?

Thank you.

Next message: Borislav Petkov: "Re: [PATCH v2 2/2] x86/AMD: Group cpu_llc_id assignment by topology feature and family"
Previous message: sonofagun: "Re: [PATCH] x86/AMD: Apply erratum 688 on machines without a BIOS fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]