CVE-2024-46695

In the Linux kernel, the following vulnerability has been resolved:

selinux,smack: don't bypass permissions check in inode_setsecctx hook

Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled.

The end of the kerneldoc comment for __vfssetxattrnoperm() states:

• This function requires the caller to lock the inode's i_mutex before it
• is executed. It also assumes that the caller will make the appropriate
• permission checks.

nfsdsetattr() does do permissions checking via fhverify() and nfsdpermission(), but those don't do all the same permissions checks that are done by securityinode_setxattr() and its related LSM hooks do.

Since nfsdsetattr() is the only consumer of securityinode_setsecctx(), simplest solution appears to be to replace the call to __vfssetxattrnoperm() with a call to __vfssetxattrlocked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label.