[PATCH] vfs, shmem, kernfs: fix listxattr to include security.* xattrs
Stephen Smalley
stephen.smalley.work at gmail.com
Thu Apr 24 13:53:36 UTC 2025
On Thu, Apr 24, 2025 at 9:12 AM Greg Kroah-Hartman
<gregkh at linuxfoundation.org> wrote:
>
> On Thu, Apr 24, 2025 at 08:46:43AM -0400, Stephen Smalley wrote:
> > The vfs has long had a fallback to obtain the security.* xattrs from the
> > LSM when the filesystem does not implement its own listxattr, but
> > shmem/tmpfs and kernfs later gained their own xattr handlers to support
> > other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based
> > filesystems like sysfs no longer return the synthetic security.* xattr
> > names via listxattr unless they are explicitly set by userspace or
> > initially set upon inode creation after policy load. coreutils has
> > recently switched from unconditionally invoking getxattr for security.*
> > for ls -Z via libselinux to only doing so if listxattr returns the xattr
> > name, breaking ls -Z of such inodes.
> >
> > Before:
> > $ getfattr -m.* /run/initramfs
> > <no output>
> > $ getfattr -m.* /sys/kernel/fscaps
> > <no output>
> >
> > After:
> > $ getfattr -m.* /run/initramfs
> > security.selinux
> > $ getfattr -m.* /sys/kernel/fscaps
> > security.selinux
> >
> > Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/
> > Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@gmail.com/
> > Signed-off-by: Stephen Smalley <stephen.smalley.work at gmail.com>
>
> As this "changed" in the past, shouldn't it have a "Fixes:" tag?
Yes, I'll add that on v2. Also appears that it doesn't quite correctly
handle the case where listxattr() is called with size == 0 to probe
for the required size.
More information about the Linux-security-module-archive
mailing list