From: Casey Schaufler <casey@schaufler-ca.com>
To: Andreas Gruenbacher <agruenba@redhat.com>,
	Al Viro <viro@ZenIV.linux.org.uk>
Cc: LKML <linux-kernel@vger.kernel.org>,
	LSM <linux-security-module@vger.kernel.org>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Problem with setxattr on sockfs with Smack after 971df15bd54ad46e907046ff33750a137b2f0096
Date: Mon, 31 Oct 2016 14:55:19 -0700
Message-ID: <ab02d571-b4ab-3348-87d6-03cd0889f041@schaufler-ca.com>

Smack has always used extended attributes to identify
the security information used to make access control
decisions on packet delivery. The two attributes
security.SMACK64_IPIN and security.SMACK64_IPOUT
contain the label used for inbound and outbound
checks respectively. A process with CAP_MAC_ADMIN can
change these values using fsetxattr() to allow a
privileged service to communicate more openly than
is allowed under the strict Smack policy.

After the xattr rework the fsetxattr() call still
sets the Smack attribute correctly, because the
smack_inode_setxattr() hook is still getting called,
but it returns EOPNOTSUPP. I believe that this is
either a result of the attribute name being unknown
to sockfs (as mentioned in the commit message) or
one of the other changes made in the process of the
xattr rework. I haven't finished the bisect yet,
but I'm reasonably certain the issue arises here.

Should I add the Smack attributes to the list of
attributes sockfs acknowledges? Is there a better
approach?

Thank you.
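The probe below is an added example, not code from the message above or from the Smack tree. It exercises the interface the message describes: a process opens a socket and calls fsetxattr(2) with security.SMACK64_IPIN and security.SMACK64_IPOUT, then reads the attribute back with fgetxattr(2) to see whether the label landed even when the set call reported an error, which is the symptom reported above. It assumes a Linux host with <sys/xattr.h>, Smack enabled and CAP_MAC_ADMIN held for the set to succeed; the label-syntax rules in smack_label_valid() are my reading of smk_parse_smack() in security/smack/smack_access.c and the "_" floor label is used only as a legal sample value, both assumptions.

```c
/* Added example (not from the original message): probe whether the Smack
 * socket labels can be set with fsetxattr(2) and whether the label still
 * lands when the call reports an error.
 * Assumes: Linux, <sys/xattr.h>, Smack enabled, CAP_MAC_ADMIN for success.
 * Label rules below follow my reading of smk_parse_smack() (assumption). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SMK_LONGLABEL 256   /* Smack labels must be shorter than this */

/* Return 1 if `label` is syntactically acceptable to Smack, else 0.
 * Assumed rules: non-empty, shorter than SMK_LONGLABEL, printable ASCII,
 * no whitespace, and none of the characters / " \ ' */
int smack_label_valid(const char *label)
{
    size_t n = strlen(label);
    if (n == 0 || n >= SMK_LONGLABEL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)label[i];
        if (c <= ' ' || c > '~' || c == '/' || c == '"' ||
            c == '\\' || c == '\'')
            return 0;
    }
    return 1;
}

/* Map the errno from fsetxattr on sockfs to what it tells the caller.
 * ENOTSUP aliases EOPNOTSUPP on Linux, so one case covers both. */
const char *classify_setxattr_errno(int err)
{
    switch (err) {
    case 0:          return "set";
    case EOPNOTSUPP: return "filesystem does not acknowledge the attribute";
    case EPERM:      return "caller lacks CAP_MAC_ADMIN";
    case EINVAL:     return "label rejected by Smack";
    default:         return "other error";
    }
}

/* Set one Smack socket attribute. Returns 0 or the errno from fsetxattr.
 * *landed is set to 1 if fgetxattr afterwards returns exactly `label`,
 * which detects the "set succeeded but EOPNOTSUPP returned" case. */
int set_socket_label(int fd, const char *name, const char *label, int *landed)
{
    int err = 0;
    char buf[SMK_LONGLABEL];
    ssize_t got;

    *landed = 0;
    if (!smack_label_valid(label))
        return EINVAL;
    if (fsetxattr(fd, name, label, strlen(label), 0) != 0)
        err = errno;
    /* Smack may return the label without a trailing NUL; terminate it. */
    got = fgetxattr(fd, name, buf, sizeof buf - 1);
    if (got > 0) {
        buf[got] = '\0';
        *landed = (strcmp(buf, label) == 0);
    }
    return err;
}

int main(void)
{
    static const char *names[] = { "security.SMACK64_IPIN",
                                   "security.SMACK64_IPOUT" };
    const char *label = "_";   /* Smack floor label; assumed legal sample */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    for (int i = 0; i < 2; i++) {
        int landed;
        int err = set_socket_label(fd, names[i], label, &landed);
        printf("%s: %s (errno %d)%s\n", names[i],
               classify_setxattr_errno(err), err,
               (err && landed) ? " -- but fgetxattr shows the label was set anyway" : "");
    }
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_MAC_ADMIN) on a kernel before and after the xattr rework: a line that reports EOPNOTSUPP together with "the label was set anyway" is the exact mismatch the message describes, where smack_inode_setxattr() applied the label but the VFS still returned an error to userspace.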


Thread overview: 8+ messages
2016-10-31 21:55 Casey Schaufler [this message]
2016-11-01 16:10 ` Problem with setxattr on sockfs with Smack after 971df15bd54ad46e907046ff33750a137b2f0096 Casey Schaufler
2016-11-02 19:34   ` [PATCH] " Andreas Gruenbacher
2016-11-02 20:09     ` Casey Schaufler
2016-11-03 13:45       ` [PATCH] xattr: Fix setting security xattrs on sockfs Andreas Gruenbacher
2016-11-03 15:51         ` Casey Schaufler
2016-11-03 16:00           ` Andreas Gruenbacher
2016-11-03 16:25             ` Casey Schaufler
