In the Linux kernel, the following vulnerability has been resolved:
selinux,smack: don't bypass permissions check in inode_setsecctx hook
Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled.
The end of the kerneldoc comment for __vfs_setxattr_noperm() states:
nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks.
Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), the simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label.
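An added illustration, not code from the kernel or from the patch: a simplified user-space C model of the two call paths described above, showing why a request that passes the caller's checks can still be one the LSM hook would refuse. Every function and struct name, the uid values, the labels and the owner-only relabel rule are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Simplified user-space model; every name here is hypothetical, not kernel code. */
struct inode { unsigned owner; unsigned mode; char label[64]; };

/* Stand-in for the caller's checks (the role of fh_verify()/nfsd_permission()). */
static int caller_permission(unsigned uid, const struct inode *i)
{
    return (i->mode & (uid == i->owner ? 0200 : 0002)) ? 0 : -EACCES;
}

/* Stand-in for the LSM setxattr hook. Assumed rule: only the owner may relabel. */
static int lsm_setxattr_check(unsigned uid, const struct inode *i)
{
    return (uid == i->owner) ? 0 : -EPERM;
}

/* "noperm" variant: writes the label and trusts the caller to have checked. */
static int setxattr_noperm(struct inode *i, const char *ctx)
{
    snprintf(i->label, sizeof i->label, "%s", ctx);
    return 0;
}
/* "locked" variant: runs the LSM check itself before writing. */
static int setxattr_locked(unsigned uid, struct inode *i, const char *ctx)
{
    int err = lsm_setxattr_check(uid, i);
    return err ? err : setxattr_noperm(i, ctx);
}

/* Constructed case: squashed uid 65534, world-writable file owned by uid 1000. */
int run_scenario(int use_locked, int *relabeled)
{
    const char *ctx = "system_u:object_r:new_t:s0";
    const unsigned uid = 65534;
    struct inode file = { 1000, 0666, "system_u:object_r:old_t:s0" };
    int err = caller_permission(uid, &file);
    if (!err)
        err = use_locked ? setxattr_locked(uid, &file, ctx) : setxattr_noperm(&file, ctx);
    *relabeled = strcmp(file.label, ctx) == 0;
    return err;
}

int main(void)
{
    int a, b, e0 = run_scenario(0, &a), e1 = run_scenario(1, &b);
    return printf("before: err=%d relabeled=%d; after: err=%d relabeled=%d\n", e0, a, e1, b) < 0;
}
```

In the model, `use_locked` set to 0 stands for the call before the fix and 1 for the call after it; the caller's check passes in both runs, and only the second path consults the LSM stand-in before writing.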