    smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security() · baed456a
    Roberto Sassu authored
    With the newly added ability of LSMs to supply multiple xattrs, set
    SMACK64TRANSMUTE in smack_inode_init_security(), instead of d_instantiate().
    Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
    lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
    
    The LSM infrastructure passes all xattrs provided by LSMs to the
    filesystems through the initxattrs() callback, so that filesystems can
    store xattrs in the disk.
    
    After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
    d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
    was done by smack_inode_post_setxattr() as a result of the __vfs_setxattr()
    call.
    
    Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
    adding a new xattr without checking and updating the existing HMAC.
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
smack.h 13.3 KB