Smack has always used extended attributes to identify the security information used to make access control decisions on packet delivery. The two attributes security.SMACK64_IPIN and security.SMACK64_IPOUT contain the label used for inbound and outbound checks respectively. A process with CAP_MAC_ADMIN can change these values using fsetxattr() to allow a privileged service to communicate more openly than is allowed under the strict Smack policy.
After the xattr rework the fsetxattr() call still sets the Smack attribute correctly, because the smack_inode_setxattr() hook is still getting called, but it returns EOPNOTSUPP. I believe that this is either a result of the attribute name being unknown to sockfs (as mentioned in the commit message) or one of the other changes made in the process of the xattr rework. I haven't finished the bisect yet, but I'm reasonably certain the issue arises here. Should I add the Smack attributes to the list of attributes sockfs acknowledges? Is there a better approach? Thank you.
