Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp9542661ybi;
        Wed, 10 Jul 2019 12:08:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwHImz/k5zljeK5MfJhI/OJz2YKYXmz9/WUdGadvX3By/Dz+lLpggoT3t5KFFhWNhqPyCVI
X-Received: by 2002:a17:902:8f81:: with SMTP id z1mr39748588plo.290.1562785684282;
        Wed, 10 Jul 2019 12:08:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562785684; cv=none;
        d=google.com; s=arc-20160816;
        b=x76GX0Ji+oi6bagd2PVOWaK+/I4WTUnrffxNNO4VIuMDmsz3x5dgtHlf8IS4TfnsWA
         WcRJD3HDQZ5SGvA9Wzn7R6+EzM0sJ/IU0qJ6zjEa0EXTuTPaJ0PkJdaSmnPvpKlkZTS1
         XvTnYeqZEgNbAkbMWdTdyFdlrZvaioZwSarkkOfQoJQQ286uLSbd+hBZOGN7fgb918k7
         0eLcXdRBmuUL5jQ+15ww92uBSS2Wfr6Kl+Tz19l78OrxTn0M3pk4BZFJjaYU9XJZTYzf
         ISSsS11xRFeDVwQTnw0t9bOcIibK2qNUQDUOnqBo/ia0eCm45IVVna1fj0u8R59+dcjS
         f2kA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=ahAFNDw3YnaumJC5YUU159SXkDcebAJzvmRPCMuE2B0=;
        b=h8NoHtXIzPRW9p8dmbfY8G6NO9zY3eK/2jxkL9EgDpU6bCl5+gc0IpQby0miqEytIF
         o6UXG4skgG2Y47ncsbtfofVc3HK5Pu3BdGSMksbEP+TZhnumWBydfFbiTmpoo4QFb1h2
         xe3atE+pHNd0C+OoQdzw1lshlEDZcSuSfdo1z6jTeGNOqW/CHQo/jookEuQcn4JRryNa
         r32JJE9Xl2PbyIBY89fau2BQoiRwe/z6qFkQ8SW0b89QmU5TZHVx47qOp8AmVHnLkyNv
         KNjhM7HgNtfPgA89i8KMWFSIAzl2t0uh3zIm1unA0R8irTG8VFkp1s4PFoAS7ce+VqKl
         SOqw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IYGD6l44;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id cx7si2703170pjb.51.2019.07.10.12.07.48;
        Wed, 10 Jul 2019 12:08:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IYGD6l44;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728027AbfGJTGd (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Wed, 10 Jul 2019 15:06:33 -0400
Received: from mail-wm1-f67.google.com ([209.85.128.67]:34680 "EHLO
        mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727612AbfGJTGd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 10 Jul 2019 15:06:33 -0400
Received: by mail-wm1-f67.google.com with SMTP id w9so5301522wmd.1
        for <linux-kernel@vger.kernel.org>; Wed, 10 Jul 2019 12:06:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ahAFNDw3YnaumJC5YUU159SXkDcebAJzvmRPCMuE2B0=;
        b=IYGD6l44OnouJsX8eAShejGMGjJCPGZTzH6CFET8s9ZeYw4XYmNFmhNg+mNyAX992D
         R/sgu2vPFcBTtZ/u2Sff00a/hKYvEkjIzcr+Oq7mDhJ1ej+qS75KXOXfZRDTUVVVnP1R
         bysT/yU3xBYIP/Pvduzlbfb5A2wWlKRIrJseHMknRx8/AWgZkYcsOWC8TheUbhhU+0Bm
         hCnk9Lo1VQ6QXtF2YQ3xYRCpSW2E4H9s+FYVRqCR37WOu33RrjJeBqakAB9MwayN5W6B
         EazrJuoAHAhX0ll0uZ/X0vqTVnxOPD0ZKxM4Jd98QqjndxWFNg7VRxPExtuHAUXjV/oT
         NB/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ahAFNDw3YnaumJC5YUU159SXkDcebAJzvmRPCMuE2B0=;
        b=Cb2FaYVLWXPjWmRwZZrT3chjfNlPCZwVECCcbEM9IJsfbpO+VzVd9fi4rppmepa40o
         RP3saUB3wr1tU4Tcx0CJIfGiC4zJ+WRzhpOoi/o3PjsQxNpGaoVCw4ZhwrL+KYXLNeb2
         n3i8x5IlMcRMza8GJDYwREtr0SKgadReRv+Tn/4/fVykXTg58F7P8H4UOpxlYqIGErwG
         WW7I7GsXP1n/P+gTbPTL1EZ28Xz0eF6ax17s2l/HyxDoGOCIDRxotnrgy8gVVWS4//d9
         3znFHXOjuxAg+NPfPCoziX4xLk8eOzI2+JiS1BXu1syOna7M3UkWiN0wUpQ1rv04J0C+
         4igQ==
X-Gm-Message-State: APjAAAVI5E4MlapU7DQ+CD/+WbfY4v9XShe84RuJYXpL6oD5mljt/g2i
        YSV0MRCRD1L243Hwbw5FqVU=
X-Received: by 2002:a1c:7e14:: with SMTP id z20mr6357789wmc.83.1562785591085;
        Wed, 10 Jul 2019 12:06:31 -0700 (PDT)
Received: from localhost.localdomain (bzq-79-177-233-205.red.bezeqint.net. [79.177.233.205])
        by smtp.gmail.com with ESMTPSA id o11sm3308588wmh.37.2019.07.10.12.06.28
        (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
        Wed, 10 Jul 2019 12:06:30 -0700 (PDT)
From:   Carmeli Tamir <carmeli.tamir@gmail.com>
To:     keescook@chromium.org, casey@schaufler-ca.com,
        james.morris@microsoft.com, efremov@ispras.ru,
        viro@zeniv.linux.org.uk, dhowells@redhat.com,
        linux-kernel@vger.kernel.org, carmeli.tamir@gmail.com
Subject: [PATCH] security/lsm_hooks: Updated set/remove xattr documentation
Date:   Wed, 10 Jul 2019 15:06:07 -0400
Message-Id: <20190710190607.5026-1-carmeli.tamir@gmail.com>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The inode_setxattr and inode_removexattr hooks check for CAP_SYS_ADMIN
capability when no LSMs exist. When LSMs exist, the hook expects
them to check for capabilities - which SMACK and SELinux indeed do.

This behavior is only mentioned in a comment in the 
hooks' implementation. This patch makes it clearer for 
LSM programmers that when implememting these hooks they are
responsible for the CAP check.

Signed-off-by: Carmeli Tamir <carmeli.tamir@gmail.com>
---
 include/linux/lsm_hooks.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 47f58cfb6a19..d16c88a31ea9 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -377,7 +377,8 @@
  *	Return 0 if permission is granted.
  * @inode_setxattr:
  *	Check permission before setting the extended attributes
- *	@value identified by @name for @dentry.
+ *	@value identified by @name for @dentry. Note that the hook
+ *	is responsible to check for capabilities.
  *	Return 0 if permission is granted.
  * @inode_post_setxattr:
  *	Update inode security field after successful setxattr operation.
@@ -392,7 +393,8 @@
  *	Return 0 if permission is granted.
  * @inode_removexattr:
  *	Check permission before removing the extended attribute
- *	identified by @name for @dentry.
+ *	identified by @name for @dentry. Note that the hook
+ *	is responsible to check for capabilities.
  *	Return 0 if permission is granted.
  * @inode_getsecurity:
  *	Retrieve a copy of the extended attribute representation of the
-- 
2.21.0