On 9/10/25 00:59, Scott Bauersfeld wrote:
> Hi all,
>
> We are running into performance bottlenecks in our FUSE system due to
> the fact that we get GetXAttr lookups for "security.capabilities" for
> every individual write. Even when writeback caching is enabled, the
> kernel still sends FUSE this GetXAttr request for every individual
> write.
>
> I found this thread from 2009 that discussed the exact same issue:
> https://fuse-devel.narkive.com/ZkJ00Lfr/fuse-linux-filesystem-capabilities
>
> It seems that the only options at the time were either:
> 1. Return ENOSYS to disable all extended attributes for the filesystem
> 2. Disable CONFIG_SECURITY_FILE_CAPABILITIES (which no longer seems to
> be an option?)
>
> We can't make use of ENOSYS because we do actually need to support
> some other extended attributes.
>
> Questions:
> 1. Does anyone know if there is more recent discussion or any other
> way to prevent these GetXAttr calls for every write?
> 2. Would we still see these GetXAttr calls even if we used the new
> "passthrough" fuse option?
>
> I guess one option is to submit a patch to the fuse kernel that allows
> filesystems to specify that they do not support this security feature,
> so the fuse kernel can always short circuit security.capability
> lookups. Does this sound like a reasonable change?
>
> I also asked in the fuse-devel mailing list but was advised to ask here as well.

Try this in your fuse server implementation, in the ->init() function:

    /*
     * needs to handle additional flags:
     * FUSE_OPEN_KILL_SUIDGID
     * FATTR_KILL_SUIDGID
     * FUSE_WRITE_KILL_SUIDGID
     * (See documentation of FUSE_CAP_HANDLE_KILLPRIV_V2 in libfuse)
     */
    fuse_set_feature_flag(connp, FUSE_CAP_HANDLE_KILLPRIV);
    fuse_set_feature_flag(connp, FUSE_CAP_HANDLE_KILLPRIV_V2);

Thanks,
Bernd
