Problem with setxattr on sockfs with Smack after 971df15bd54ad46e907046ff33750a137b2f0096
From: Casey Schaufler
Date: Mon Oct 31 2016 - 17:55:26 EST
Smack has always used extended attributes to identify
the security information used to make access control
decisions on packet delivery. The two attributes
security.SMACK64_IPIN and security.SMACK64_IPOUT
contain the label used for inbound and outbound
checks respectively. A process with CAP_MAC_ADMIN can
change these values using fsetxattr() to allow a
privileged service to communicate more openly than
is allowed under the strict Smack policy.
After the xattr rework the fsetxattr() call still
sets the Smack attribute correctly, because the
smack_inode_setxattr() hook is still getting called,
but it returns EOPNOTSUPP. I believe that this is
either a result of the attribute name being unknown
to sockfs (as mentioned in the commit message) or
one of the other changes made in the process of the
xattr rework. I haven't finished the bisect yet,
but I'm reasonably certain the issue arises here.
Should I add the Smack attributes to the list of
attributes sockfs acknowledges? Is there a better
approach?
Thank you.