Re: [PATCH] vfs,shmem,kernfs: fix listxattr to include security.* xattrs

From: Stephen Smalley
Date: Thu Apr 24 2025 - 11:44:27 EST

Next message: Bryan O'Donoghue: "Re: [PATCH 0/3] Add x1e Dell Inpsiron 14p"
Previous message: Nicolas Dufresne: "Re: [PATCH v2 1/8] media: v4l2-common: Add YUV24 format info"
In reply to: Stephen Smalley: "Re: [PATCH] vfs,shmem,kernfs: fix listxattr to include security.* xattrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 24, 2025 at 10:55 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Thu, Apr 24, 2025 at 9:53 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Thu, Apr 24, 2025 at 9:12 AM Greg Kroah-Hartman
> > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > On Thu, Apr 24, 2025 at 08:46:43AM -0400, Stephen Smalley wrote:
> > > > The vfs has long had a fallback to obtain the security.* xattrs from the
> > > > LSM when the filesystem does not implement its own listxattr, but
> > > > shmem/tmpfs and kernfs later gained their own xattr handlers to support
> > > > other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based
> > > > filesystems like sysfs no longer return the synthetic security.* xattr
> > > > names via listxattr unless they are explicitly set by userspace or
> > > > initially set upon inode creation after policy load. coreutils has
> > > > recently switched from unconditionally invoking getxattr for security.*
> > > > for ls -Z via libselinux to only doing so if listxattr returns the xattr
> > > > name, breaking ls -Z of such inodes.
> > > >
> > > > Before:
> > > > $ getfattr -m.* /run/initramfs
> > > > <no output>
> > > > $ getfattr -m.* /sys/kernel/fscaps
> > > > <no output>
> > > >
> > > > After:
> > > > $ getfattr -m.* /run/initramfs
> > > > security.selinux
> > > > $ getfattr -m.* /sys/kernel/fscaps
> > > > security.selinux
> > > >
> > > > Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@xxxxxxxxxxxxxx/
> > > > Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@xxxxxxxxx/
> > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > >
> > > As this "changed" in the past, shouldn't it have a "Fixes:" tag?
> >
> > Yes, I'll add that on v2. Also appears that it doesn't quite correctly
> > handle the case where listxattr() is called with size == 0 to probe
> > for the required size.
>
> And doesn't correctly handle the case where the list size exceeds the
> original buffer size. On second look, this can be done more simply and
> safely in simple_xattr_list() itself, avoiding the need to modify
> shmem/tmpfs and kernfs. I'll submit an updated patch.

Submitted here,
https://lore.kernel.org/selinux/20250424152822.2719-1-stephen.smalley.work@xxxxxxxxx/

Sorry I forgot the Fixes tag again but added it in a reply.

Next message: Bryan O'Donoghue: "Re: [PATCH 0/3] Add x1e Dell Inpsiron 14p"
Previous message: Nicolas Dufresne: "Re: [PATCH v2 1/8] media: v4l2-common: Add YUV24 format info"
In reply to: Stephen Smalley: "Re: [PATCH] vfs,shmem,kernfs: fix listxattr to include security.* xattrs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]