Hi all

Please find attached a bugfix patch for the SMACK Linux security module.

This patch fixes the following bugs in the smack_lsm.c file:
1. In order to remove any SMACK extended attribute from a file, a user should
have the CAP_MAC_ADMIN capability.
But a user without this capability is able to remove the SMACK64MMAP security
attribute.
This error has been corrected by a modification in the smack_inode_removexattr
SMACK hook.

2. While setting an extended attribute in the smack_inode_setsecurity hook,
an "-EACCES" error is returned if the extended attribute size or value is not
correct.
But this is not the correct error to return, as the extended attribute is invalid,
so we should return an "-EINVAL" error.
To correct this problem we now return "-EINVAL".

---
 security/smack/smack_lsm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b0be893..b0e6552 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -951,7 +951,7 @@ static int smack_inode_removexattr(struct dentry *dentry, 
const char *name)
            strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
            strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
            strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
-           strcmp(name, XATTR_NAME_SMACKMMAP)) {
+           strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
                if (!smack_privileged(CAP_MAC_ADMIN))
                        rc = -EPERM;
        } else
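Review bot: the missing `== 0` on the `XATTR_NAME_SMACKMMAP` strcmp() had a second effect that the changelog does not mention and that a reviewer would want stated: because strcmp() returns nonzero for every name other than SMACK64MMAP, the last term of the `||` chain made the whole condition true for every non-Smack xattr name, so removing any such attribute also required CAP_MAC_ADMIN, while SMACK64MMAP itself was the one name that fell through to the `else` branch. The one-character fix is correct; suggest describing both halves of the old behaviour in the commit message so the change to non-Smack xattr removal is visible in the history.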
@@ -2089,7 +2089,7 @@ static int smack_inode_setsecurity(struct inode *inode, 
const char *name,
        int rc = 0;
 
        if (value == NULL || size > SMK_LONGLABEL || size == 0)
-               return -EACCES;
+               return -EINVAL;
 
        skp = smk_import_entry(value, size);
        if (skp == NULL)
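Review bot: this is an unrelated change from the removexattr fix above, and kernel convention is one logical change per patch, so the -EACCES to -EINVAL change should go out as its own patch with its own subject line. On the substance, -EINVAL is the right code for a NULL value, a zero size or a size above SMK_LONGLABEL; please also check that the `smk_import_entry()` failure path two lines below (`if (skp == NULL)`, whose return value this hunk does not show) reports a label it cannot import consistently with the new -EINVAL rather than leaving one malformed-input case returning a permission error.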
-- 
1.8.1.2

In case of any issue, please feel free to contact me.

Thanks & Regards
Pankaj Kumar

Attachment: 0001-bugfix-patch-for-SMACK.patch
