The inode_setxattr and inode_removexattr hooks check for CAP_SYS_ADMIN capability when no LSMs exist. When LSMs exist, the hook expects them to check for capabilities - which SMACK and SELinux indeed do.
This behavior is only mentioned in a comment in the hooks' implementation. This patch makes it clearer for LSM programmers that when implementing these hooks they are responsible for the CAP check. Signed-off-by: Carmeli Tamir <carmeli.ta...@gmail.com> --- include/linux/lsm_hooks.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 47f58cfb6a19..d16c88a31ea9 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -377,7 +377,8 @@ * Return 0 if permission is granted. * @inode_setxattr: * Check permission before setting the extended attributes - * @value identified by @name for @dentry. + * @value identified by @name for @dentry. Note that the hook + * is responsible to check for capabilities. * Return 0 if permission is granted. * @inode_post_setxattr: * Update inode security field after successful setxattr operation. @@ -392,7 +393,8 @@ * Return 0 if permission is granted. * @inode_removexattr: * Check permission before removing the extended attribute - * identified by @name for @dentry. + * identified by @name for @dentry. Note that the hook + * is responsible to check for capabilities. * Return 0 if permission is granted. * @inode_getsecurity: * Retrieve a copy of the extended attribute representation of the -- 2.21.0
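Review bot: In the @inode_setxattr hunk the new wording "Note that the hook is responsible to check for capabilities" is both ungrammatical and less specific than the commit message, which names the capability (CAP_SYS_ADMIN) and explains that the framework only performs that check itself when no LSM provides the hook. Since the point of the patch is to stop LSM authors from relying on a check that will not happen for them, the comment should say so explicitly, e.g. "+ * @value identified by @name for @dentry. When an LSM implements" / "+ * this hook it is responsible for the capability check (such as" / "+ * CAP_SYS_ADMIN) that the framework would otherwise perform."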
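Review bot: The @inode_removexattr hunk repeats the same sentence verbatim, with the same "responsible to check" grammar problem and the same omission of which capability is meant; please apply the same rewording here so the two hook descriptions stay consistent, e.g. "+ * identified by @name for @dentry. When an LSM implements this" / "+ * hook it is responsible for the capability check (such as" / "+ * CAP_SYS_ADMIN) that the framework would otherwise perform."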