Stephen Smalley, 28/04/2025:
Update the security_inode_listsecurity() interface to allow
use of the xattr_list_one() helper and update the hook
implementations.
Link: https://lore.kernel.org/selinux/20250424152822.2719-1-stephen.smalley.work@xxxxxxxxx/
Sorry for being late to the party.
Your approach assumes that every fs-specific xattr lister
called like
| vfs_listxattr() {
| if (inode->i_op->listxattr)
| error = inode->i_op->listxattr(dentry, list, size)
| ...
must call LSM to integrate LSM's xattr(s) into fs-specific list.
You did this for tmpfs:
| simple_xattr_list() {
| security_inode_listsecurity()
| // iterate real xatts list
Well, but what about other filesystems in the linux kernel?
Should all of them also modify their xattr listers?
To me, taking care of security xattrs is improper responsibility
for filesystem code.
May it be better to merge LSM xattrs
and fs-backed xattrs at the vfs level (vfs_listxattr)?
--
Konstantin Andreev
