CVE-2024-46695

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> selinux,smack: don&amp;#39;t bypass permissions check in inode_setsecctx hook<br /> <br /> Marek Gresko reports that the root user on an NFS client is able to<br /> change the security labels on files on an NFS filesystem that is<br /> exported with root squashing enabled.<br /> <br /> The end of the kerneldoc comment for __vfs_setxattr_noperm() states:<br /> <br /> * This function requires the caller to lock the inode&amp;#39;s i_mutex before it<br /> * is executed. It also assumes that the caller will make the appropriate<br /> * permission checks.<br /> <br /> nfsd_setattr() does do permissions checking via fh_verify() and<br /> nfsd_permission(), but those don&amp;#39;t do all the same permissions checks<br /> that are done by security_inode_setxattr() and its related LSM hooks do.<br /> <br /> Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),<br /> simplest solution appears to be to replace the call to<br /> __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This<br /> fixes the above issue and has the added benefit of causing nfsd to<br /> recall conflicting delegations on a file when a client tries to change<br /> its security label.