lsm: introduce new hooks for setting/getting inode fsxattr

Introduce new hooks for setting and getting filesystem extended
attributes on an inode (FS_IOC_FSGETXATTR).

Cc: selinux@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>

Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Andrey Albershteyn <aalbersh@kernel.org>
Link: https://lore.kernel.org/20250630-xattrat-syscall-v6-2-c4e3bc35227b@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

Andrey Albershteyn and committed by
Christian Brauner
defdd02d 2f952c9e

+66 -5
+18 -5
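--- a/fs/file_attr.c
+++ b/fs/file_attr.c
@@ -77,9 +77,14 @@
 int vfs_fileattr_get(struct dentry *dentry, struct fileattr *fa)
 {
 	struct inode *inode = d_inode(dentry);
+	int error;
 
 	if (!inode->i_op->fileattr_get)
 		return -ENOIOCTLCMD;
+
+	error = security_inode_file_getattr(dentry, fa);
+	if (error)
+		return error;
 
 	return inode->i_op->fileattr_get(dentry, fa);
 }
@@ -248,12 +243,20 @@
 		} else {
 			fa->flags |= old_ma.flags & ~FS_COMMON_FL;
 		}
-		err = fileattr_set_prepare(inode, &old_ma, fa);
-		if (!err)
-			err = inode->i_op->fileattr_set(idmap, dentry, fa);
-	}
-	inode_unlock(inode);
 
+		err = fileattr_set_prepare(inode, &old_ma, fa);
+		if (err)
+			goto out;
+		err = security_inode_file_setattr(dentry, fa);
+		if (err)
+			goto out;
+		err = inode->i_op->fileattr_set(idmap, dentry, fa);
+		if (err)
+			goto out;
+	}
+
+out:
+	inode_unlock(inode);
 	return err;
 }
 EXPORT_SYMBOL(vfs_fileattr_set);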
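Review bot: The `if (err) goto out;` placed right after `err = inode->i_op->fileattr_set(idmap, dentry, fa);` in the vfs_fileattr_set() hunk is redundant: the next statements fall through to `out:` regardless, so those three lines can collapse to the assignment alone and leave the control flow to the label. The ordering itself deserves a short comment, since it is what an LSM author must rely on: the hook runs after `fa->flags |= old_ma.flags & ~FS_COMMON_FL` and after fileattr_set_prepare(), so policy sees the merged, already-validated attribute set rather than the raw user request, and the hook is skipped entirely when prepare rejects the change. Something like `/* LSM sees the final, validated attributes; prepare failures never reach the hook */` above the security_inode_file_setattr() call would capture that. vfs_fileattr_set() starts outside the hunk, so whether `err` is initialised on the path that skips this block cannot be checked here.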
+2
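--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -157,6 +157,8 @@
 	 struct dentry *dentry, const char *name)
 LSM_HOOK(void, LSM_RET_VOID, inode_post_removexattr, struct dentry *dentry,
 	 const char *name)
+LSM_HOOK(int, 0, inode_file_setattr, struct dentry *dentry, struct fileattr *fa)
+LSM_HOOK(int, 0, inode_file_getattr, struct dentry *dentry, struct fileattr *fa)
 LSM_HOOK(int, 0, inode_set_acl, struct mnt_idmap *idmap,
 	 struct dentry *dentry, const char *acl_name, struct posix_acl *kacl)
 LSM_HOOK(void, LSM_RET_VOID, inode_post_set_acl, struct dentry *dentry,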
+16
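--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -451,6 +451,10 @@
 int security_inode_removexattr(struct mnt_idmap *idmap,
 			       struct dentry *dentry, const char *name);
 void security_inode_post_removexattr(struct dentry *dentry, const char *name);
+int security_inode_file_setattr(struct dentry *dentry,
+				struct fileattr *fa);
+int security_inode_file_getattr(struct dentry *dentry,
+				struct fileattr *fa);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry);
 int security_inode_getsecurity(struct mnt_idmap *idmap,
@@ -1055,6 +1051,18 @@
 static inline void security_inode_post_removexattr(struct dentry *dentry,
 						   const char *name)
 { }
+
+static inline int security_inode_file_setattr(struct dentry *dentry,
+					      struct fileattr *fa)
+{
+	return 0;
+}
+
+static inline int security_inode_file_getattr(struct dentry *dentry,
+					      struct fileattr *fa)
+{
+	return 0;
+}
 
 static inline int security_inode_need_killpriv(struct dentry *dentry)
 {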
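Review bot: The new prototypes in the first hunk name `struct fileattr` in a parameter list; if security.h does not already forward-declare it (the hunk shows no such line, and the +16 diffstat is fully consumed by the prototypes and stubs), the first mention inside a prototype gives the tag prototype scope and compilers warn that it will not match a later declaration. Adding `struct fileattr;` to the header's block of forward declarations, or confirming it is already present earlier in the file, settles that. The !CONFIG_SECURITY stubs in the second hunk mirror the `0` default given to the hooks in lsm_hook_defs.h, so the VFS paths behave the same with and without LSM support built in.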
+30
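--- a/security/security.c
+++ b/security/security.c
@@ -2623,6 +2623,36 @@
 }
 
 /**
+ * security_inode_file_setattr() - check if setting fsxattr is allowed
+ * @dentry: file to set filesystem extended attributes on
+ * @fa: extended attributes to set on the inode
+ *
+ * Called when file_setattr() syscall or FS_IOC_FSSETXATTR ioctl() is called on
+ * inode
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_inode_file_setattr(struct dentry *dentry, struct fileattr *fa)
+{
+	return call_int_hook(inode_file_setattr, dentry, fa);
+}
+
+/**
+ * security_inode_file_getattr() - check if retrieving fsxattr is allowed
+ * @dentry: file to retrieve filesystem extended attributes from
+ * @fa: extended attributes to get
+ *
+ * Called when file_getattr() syscall or FS_IOC_FSGETXATTR ioctl() is called on
+ * inode
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_inode_file_getattr(struct dentry *dentry, struct fileattr *fa)
+{
+	return call_int_hook(inode_file_getattr, dentry, fa);
+}
+
+/**
  * security_inode_need_killpriv() - Check if security_inode_killpriv() required
  * @dentry: associated dentry
  *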
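Review bot: The kernel-doc for security_inode_file_getattr() describes `@fa` as `extended attributes to get`, but in the fs/file_attr.c hunk the hook is invoked in vfs_fileattr_get() before `inode->i_op->fileattr_get(dentry, fa)` runs, so at hook time @fa is the caller's not-yet-filled output buffer and an LSM cannot base its decision on its contents. Reword to something like `@fa: buffer the filesystem will fill; not yet populated when the hook runs` and add a sentence saying the hook only gates the operation, it does not filter what is returned. For the setattr side, a matching sentence that @fa already carries the flags merged from the existing inode state (it is called after fileattr_set_prepare()) would tell LSM authors they are checking the effective result rather than the raw user request. Both descriptions also read `is called on inode`; `is called on an inode` reads better.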