These hooks are called when an inode's extended attributes are retrieved or changed.

Cc: seli...@vger.kernel.org
Cc: Paul Moore <p...@paul-moore.com>

Signed-off-by: Andrey Albershteyn <aalbe...@kernel.org>
---
 security/selinux/hooks.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 
e7a7dcab81db6a8735877eeb911975e06a9de688..9c6e264b090f9038d6848546760860bfe74b7341
 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3366,6 +3366,18 @@ static int selinux_inode_removexattr(struct mnt_idmap 
*idmap,
        return -EACCES;
 }
 
+static int selinux_inode_file_setattr(struct dentry *dentry,
+                                     struct fileattr *fa)
+{
+       return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
+static int selinux_inode_file_getattr(struct dentry *dentry,
+                                     struct fileattr *fa)
+{
+       return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
+}
+
 static int selinux_path_notify(const struct path *path, u64 mask,
                                                unsigned int obj_type)
 {
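Review bot: Neither new hook looks at `fa`, so selinux_inode_file_setattr grants FILE__SETATTR uniformly no matter which fileattr flags the caller is changing, and nothing in the hunk says whether that coarse granularity is deliberate. A one-line comment above the function would settle it, e.g. `/* Any fileattr change requires FILE__SETATTR; per-flag restrictions (immutable, append-only) are presumably left to the VFS caller, not policy. */` If finer policy were intended, the check would have to inspect the requested flags, which these hooks currently ignore entirely. As a minor style point, the definitions are added in setattr/getattr order while the hook table registers them getattr/setattr; listing them in the same order as the existing inode_getattr/inode_setattr pair would read more consistently.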
@@ -7272,6 +7284,8 @@ static struct security_hook_list selinux_hooks[] 
__ro_after_init = {
        LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
        LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
        LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
+       LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr),
+       LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr),
        LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
        LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
        LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),

-- 
2.47.2

