CVE-2024-46695
Severity: Pending analysis
Type: Unavailable / Other
Publication date: 13/09/2024
Last modified: 13/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

selinux,smack: don't bypass permissions check in inode_setsecctx hook

Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 * This function requires the caller to lock the inode's i_mutex before it
 * is executed. It also assumes that the caller will make the appropriate
 * permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
the simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.