[PATCH] vfs, shmem, kernfs: fix listxattr to include security.* xattrs

Stephen Smalley stephen.smalley.work at gmail.com
Thu Apr 24 14:55:56 UTC 2025


On Thu, Apr 24, 2025 at 9:53 AM Stephen Smalley
<stephen.smalley.work at gmail.com> wrote:
>
> On Thu, Apr 24, 2025 at 9:12 AM Greg Kroah-Hartman
> <gregkh at linuxfoundation.org> wrote:
> >
> > On Thu, Apr 24, 2025 at 08:46:43AM -0400, Stephen Smalley wrote:
> > > The vfs has long had a fallback to obtain the security.* xattrs from the
> > > LSM when the filesystem does not implement its own listxattr, but
> > > shmem/tmpfs and kernfs later gained their own xattr handlers to support
> > > other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based
> > > filesystems like sysfs no longer return the synthetic security.* xattr
> > > names via listxattr unless they are explicitly set by userspace or
> > > initially set upon inode creation after policy load. coreutils has
> > > recently switched from unconditionally invoking getxattr for security.*
> > > for ls -Z via libselinux to only doing so if listxattr returns the xattr
> > > name, breaking ls -Z of such inodes.
> > >
> > > Before:
> > > $ getfattr -m.* /run/initramfs
> > > <no output>
> > > $ getfattr -m.* /sys/kernel/fscaps
> > > <no output>
> > >
> > > After:
> > > $ getfattr -m.* /run/initramfs
> > > security.selinux
> > > $ getfattr -m.* /sys/kernel/fscaps
> > > security.selinux
> > >
> > > Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/
> > > Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@gmail.com/
> > > Signed-off-by: Stephen Smalley <stephen.smalley.work at gmail.com>
> >
> > As this "changed" in the past, shouldn't it have a "Fixes:" tag?
>
> Yes, I'll add that on v2. Also appears that it doesn't quite correctly
> handle the case where listxattr() is called with size == 0 to probe
> for the required size.

And doesn't correctly handle the case where the list size exceeds the
original buffer size. On second look, this can be done more simply and
safely in simple_xattr_list() itself, avoiding the need to modify
shmem/tmpfs and kernfs. I'll submit an updated patch.
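The two buffer cases raised in this thread (a `size == 0` probe, and a list larger than the caller's buffer) follow the listxattr(2) contract. The block below is an added example, not the patch or kernel code from this thread. It is a userspace model, and `model_listxattr`, `put_name`, and the choice to emit the synthetic name first are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper: copy one NUL-terminated name, or only count it when probing. */
static int put_name(const char *name, char *buf, size_t size, size_t *used)
{
    size_t len = strlen(name) + 1;

    if (size != 0) {                    /* size == 0: probe, write nothing */
        if (len > size - *used)         /* *used <= size holds on entry */
            return -ERANGE;             /* never write past the caller's buffer */
        memcpy(buf + *used, name, len);
    }
    *used += len;
    return 0;
}

/* Userspace model (assumption, not kernel code): lsm_name is the synthetic name. */
ssize_t model_listxattr(const char *const *stored, size_t nstored,
                        const char *lsm_name, char *buf, size_t size)
{
    size_t used = 0, i;
    int err = 0;

    /* Skip the synthetic name if it was explicitly set, to avoid a duplicate. */
    for (i = 0; lsm_name && i < nstored; i++)
        if (strcmp(stored[i], lsm_name) == 0)
            lsm_name = NULL;
    if (lsm_name)
        err = put_name(lsm_name, buf, size, &used);
    for (i = 0; !err && i < nstored; i++)
        err = put_name(stored[i], buf, size, &used);
    return err ? err : (ssize_t)used;
}

int main(void)
{
    const char *stored[] = { "user.test" };   /* constructed sample */
    char buf[64];
    ssize_t need = model_listxattr(stored, 1, "security.selinux", NULL, 0);

    printf("probe=%zd short=%zd full=%zd\n", need,
           model_listxattr(stored, 1, "security.selinux", buf, 20),
           model_listxattr(stored, 1, "security.selinux", buf, sizeof(buf)));
    return 0;
}
```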


