selinux,smack: remove the capability checks in the removexattr hooks
Commit 61df7b8282 ("lsm: fixup the inode xattr capability handling") moved the responsibility of doing the inode xattr capability checking out of the individual LSMs and into the LSM framework itself. Unfortunately, while the original commit added the capability checks to both the setxattr and removexattr code in the LSM framework, it only removed the setxattr capability checks from the individual LSMs, leaving duplicated removexattr capability checks in both the SELinux and Smack code. This patch removes the duplicated code from SELinux and Smack.

Fixes: 61df7b8282 ("lsm: fixup the inode xattr capability handling")
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
61df7b8282
commit
dd44477e7f
@ -3356,15 +3356,9 @@ static int selinux_inode_listxattr(struct dentry *dentry)
|
|||||||
static int selinux_inode_removexattr(struct mnt_idmap *idmap,
|
static int selinux_inode_removexattr(struct mnt_idmap *idmap,
|
||||||
struct dentry *dentry, const char *name)
|
struct dentry *dentry, const char *name)
|
||||||
{
|
{
|
||||||
if (strcmp(name, XATTR_NAME_SELINUX)) {
|
/* if not a selinux xattr, only check the ordinary setattr perm */
|
||||||
int rc = cap_inode_removexattr(idmap, dentry, name);
|
if (strcmp(name, XATTR_NAME_SELINUX))
|
||||||
if (rc)
|
|
||||||
return rc;
|
|
||||||
|
|
||||||
/* Not an attribute we recognize, so just check the
|
|
||||||
ordinary setattr permission. */
|
|
||||||
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
|
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
|
||||||
}
|
|
||||||
|
|
||||||
if (!selinux_initialized())
|
if (!selinux_initialized())
|
||||||
return 0;
|
return 0;
|
||||||
|
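Review bot: The replacement comment above `if (strcmp(name, XATTR_NAME_SELINUX))` does not say where the capability check went, so the hook now reads as if removing a non-SELinux xattr needs only `FILE__SETATTR`. Per the commit message that check has been done by the LSM framework since 61df7b8282, which is not visible in this hunk; I would record it in the comment, e.g. `/* capability check is done by the LSM framework; for a non-SELinux xattr only check the ordinary setattr perm */`. That also makes the dependency explicit for backports: on a tree without 61df7b8282 this hunk would presumably leave removexattr of non-SELinux xattrs without a capability check. The body of selinux_inode_removexattr continues past the end of the hunk.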
@ -1461,8 +1461,7 @@ static int smack_inode_removexattr(struct mnt_idmap *idmap,
|
|||||||
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
|
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
|
||||||
if (!smack_privileged(CAP_MAC_ADMIN))
|
if (!smack_privileged(CAP_MAC_ADMIN))
|
||||||
rc = -EPERM;
|
rc = -EPERM;
|
||||||
} else
|
}
|
||||||
rc = cap_inode_removexattr(idmap, dentry, name);
|
|
||||||
|
|
||||||
if (rc != 0)
|
if (rc != 0)
|
||||||
return rc;
|
return rc;
|
||||||
|
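Review bot: With the `else` branch removed, `rc` is assigned in this hunk only on the `-EPERM` path, so the `if (rc != 0)` test that follows depends on `rc` being initialised to 0 at its declaration, which lies outside the hunk. That is worth confirming, because an uninitialised `rc` would make the result for non-Smack xattrs indeterminate. Returning directly would remove the dependency: `if (!smack_privileged(CAP_MAC_ADMIN))` followed by `return -EPERM;`, after which the `if (rc != 0)` / `return rc;` pair can be dropped if nothing earlier in the function sets `rc`. smack_inode_removexattr starts before and continues after the hunk, so both points need checking against the full function.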