review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Roberto Sassu <roberto.sassu@huawei.com>
	Sat, 10 Jun 2023 07:57:36 +0000 (09:57 +0200)
committer	Paul Moore <paul@paul-moore.com>
	Mon, 10 Jul 2023 17:59:38 +0000 (13:59 -0400)
commit	baed456a6a2f6b8bec2913a6c6a72cc811252c6e
tree	720cd8ffaf75189a8fa310a7e669cf06b83cfb93	tree \| snapshot
parent	6bcdfd2cac5559c680aef8dd4c5facada55ab623	commit \| diff

smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security()

With the newly added ability of LSMs to supply multiple xattrs, set
SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
lsm_get_xattr_slot() a second time, if the transmuting conditions are met.

The LSM infrastructure passes all xattrs provided by LSMs to the
filesystems through the initxattrs() callback, so that filesystems can
store xattrs in the disk.

After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
call.

Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
adding a new xattr without checking and updating the existing HMAC.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

security/smack/smack.h		diff \| blob \| history
security/smack/smack_lsm.c		diff \| blob \| history