Merge tag 'lsm-pr-20240830' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

torvalds · torvalds · commit fb24560f31f9 · 2024-08-31T06:33:59.000+12:00
Pull lsm fix from Paul Moore:
 "One small patch to correct a NFS permissions problem with SELinux and
  Smack"

* tag 'lsm-pr-20240830' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  selinux,smack: don't bypass permissions check in inode_setsecctx hook
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
@@ -6660,8 +6660,8 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen
  */
 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
 {
-	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
-				     ctx, ctxlen, 0);
+	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
+				     ctx, ctxlen, 0, NULL);
 }
 
 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
@@ -4880,8 +4880,8 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
 
 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
 {
-	return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,
-				     ctx, ctxlen, 0);
+	return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,
+				     ctx, ctxlen, 0, NULL);
 }
 
 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)

Original file line number	Diff line number	Diff line change
`@@ -6660,8 +6660,8 @@ static int selinux_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen`
`6660`	`6660`	`*/`
`6661`	`6661`	`static int selinux_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)`
`6662`	`6662`	`{`
`6663`		`- return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,`
`6664`		`- ctx, ctxlen, 0);`
	`6663`	`+ return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,`
	`6664`	`+ ctx, ctxlen, 0, NULL);`
`6665`	`6665`	`}`
`6666`	`6666`
`6667`	`6667`	`static int selinux_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)`
Original file line number	Diff line number	Diff line change
`@@ -4880,8 +4880,8 @@ static int smack_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)`
`4880`	`4880`
`4881`	`4881`	`static int smack_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)`
`4882`	`4882`	`{`
`4883`		`- return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,`
`4884`		`- ctx, ctxlen, 0);`
	`4883`	`+ return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,`
	`4884`	`+ ctx, ctxlen, 0, NULL);`
`4885`	`4885`	`}`
`4886`	`4886`
`4887`	`4887`	`static int smack_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)`