Linux Security Module listsecurity (and security xattr hooks) only one called?

Pasquier, Thomas tfjmp at
Tue Sep 6 07:05:54 EDT 2016

Hello everyone,

In security/security.c (see here:

Looking at this:

int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
    if (unlikely(IS_PRIVATE(inode)))
        return 0;
    return call_int_hook(inode_listsecurity, 0, inode, buffer, buffer_size);
}

One would expect all stacked security modules to be called. However, when
looking at this:

#define call_int_hook(FUNC, IRC, ...) ({            \
    int RC = IRC;                       \
    do {                            \
        struct security_hook_list *P;           \
        list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
            RC = P->hook.FUNC(__VA_ARGS__);     \
            if (RC != 0)                \
                break;              \
        }                       \
    } while (0);                        \
    RC;                         \
})

If one of the modules returns a non-zero value, the others are not called.
That means that the list of security of xattr is not built (or rather that
it only contains the first module being called), as the length of inserted
element is returned. Similarly for setsecurity and getsecurity, it seems
that only one module will be called as if the given module does not support
the security xattr, it returns -EOPNOTSUPP (instead I believe the next
module being called, until one supporting the attribute is met).

I am aware that LSM stacking is not fully supported yet:

Here fix setsecurity and getsecurity:
https://github.com/cschaufler/smack-next/blob/next/security/security.c; but listsecurity
would appear to still not behave as I would expect. However, I may be
missing something.

What is the rationale here? I could change the code to support multiple
security xattr, but don't want to do so before I am sure I understand why
it was done like this. Any help is welcome.
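
The short-circuit described in the message above, as an added user-space C illustration (not code from the original post or from the kernel tree). It assumes two hypothetical modules, mod_a and mod_b, with constructed xattr names, drops the inode argument of the real hook, and compares the control flow of call_int_hook with a hypothetical loop that calls every hook and sums the lengths.

```c
#include <stdio.h>
#include <string.h>

/* Simplified hook type: the real hook also takes the inode (omitted here). */
typedef int (*listsec_hook)(char *buffer, size_t size);
/* Copy one NUL-terminated xattr name if it fits; return its length. */
static int emit(const char *name, char *buffer, size_t size)
{
    size_t len = strlen(name) + 1;
    if (buffer && len <= size)
        memcpy(buffer, name, len);
    return (int)len;
}
/* Hypothetical modules with constructed xattr names. */
static int mod_a_list(char *b, size_t n) { return emit("security.mod_a", b, n); }
static int mod_b_list(char *b, size_t n) { return emit("security.mod_b", b, n); }
static listsec_hook hooks[] = { mod_a_list, mod_b_list };
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

/* Same control flow as call_int_hook: stop at the first non-zero return. */
static int list_first_nonzero(char *buffer, size_t size)
{
    int rc = 0;
    for (size_t i = 0; i < NHOOKS; i++) {
        rc = hooks[i](buffer, size);
        if (rc != 0)
            break;
    }
    return rc;
}

/* Hypothetical aggregate: call every hook, append names, sum lengths. */
static int list_all(char *buffer, size_t size)
{
    int total = 0;
    for (size_t i = 0; i < NHOOKS; i++) {
        size_t left = (size_t)total < size ? size - (size_t)total : 0;
        int rc = hooks[i]((buffer && left) ? buffer + total : NULL, left);
        if (rc < 0)
            return rc;  /* propagate a module's error */
        total += rc;
    }
    return total;
}

int main(void)
{
    char buf[64] = {0};
    printf("first non-zero: %d bytes\n", list_first_nonzero(buf, sizeof(buf)));
    printf("all hooks:      %d bytes\n", list_all(buf, sizeof(buf)));
}
```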
