• Andreas Gruenbacher's avatar
    xattr: Fix setting security xattrs on sockfs · 4a590153
    Andreas Gruenbacher authored
    The IOP_XATTR flag is set on sockfs because sockfs supports getting the
    "system.sockprotoname" xattr.  Since commit 6c6ef9f2, this flag is checked for
    setxattr support as well.  This is wrong on sockfs because security xattr
    support there is supposed to be provided by security_inode_setsecurity.  The
    smack security module relies on socket labels (xattrs).
    
    Fix this by adding a security xattr handler on sockfs that returns
    -EAGAIN, and by checking for -EAGAIN in setxattr.
    
    We cannot simply check for -EOPNOTSUPP in setxattr because there are
    filesystems that neither have direct security xattr support nor support
    via security_inode_setsecurity.  A more proper fix might be to move the
    call to security_inode_setsecurity into sockfs, but it's not clear to me
    if that is safe: we would end up calling security_inode_post_setxattr after
    that as well.
    Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    4a590153
xattr.c 23.5 KB