From: Stephen Smalley
Date: Thu, 24 Apr 2025 09:53:36 -0400
Subject: Re: [PATCH] vfs,shmem,kernfs: fix listxattr to include security.* xattrs
To: Greg Kroah-Hartman
Cc: paul@paul-moore.com, omosnace@redhat.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, Tejun Heo, Alexander Viro, Christian Brauner, Jan Kara, Hugh Dickins, Baolin Wang, Andrew Morton, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
References: <20250424124644.4413-1-stephen.smalley.work@gmail.com> <2025042427-hardship-captive-4d7b@gregkh>
In-Reply-To: <2025042427-hardship-captive-4d7b@gregkh>

On Thu, Apr 24, 2025 at 9:12 AM Greg Kroah-Hartman wrote:
>
> On Thu, Apr 24, 2025 at 08:46:43AM -0400, Stephen Smalley wrote:
> > The vfs has long had a fallback to obtain the security.* xattrs from the
> > LSM when the filesystem does not implement its own listxattr, but
> > shmem/tmpfs and kernfs later gained their own xattr handlers to support
> > other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based
> > filesystems like sysfs no longer return the synthetic security.* xattr
> > names via listxattr unless they are explicitly set by userspace or
> > initially set upon inode creation after policy load. coreutils has
> > recently switched from unconditionally invoking getxattr for security.*
> > for ls -Z via libselinux to only doing so if listxattr returns the xattr
> > name, breaking ls -Z of such inodes.
> >
> > Before:
> > $ getfattr -m.* /run/initramfs
> >
> > $ getfattr -m.* /sys/kernel/fscaps
> >
> >
> > After:
> > $ getfattr -m.* /run/initramfs
> > security.selinux
> > $ getfattr -m.* /sys/kernel/fscaps
> > security.selinux
> >
> > Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/
> > Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@gmail.com/
> > Signed-off-by: Stephen Smalley
>
> As this "changed" in the past, shouldn't it have a "Fixes:" tag?

Yes, I'll add that on v2. Also appears that it doesn't quite correctly
handle the case where listxattr() is called with size == 0 to probe
for the required size.
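
The two listxattr() paths discussed in this thread, the size == 0 probe and the filled call, exercised from userspace to check whether a security.* name is listed for a path. This is an added example, not code from the message or the patch; it assumes Linux with `<sys/xattr.h>`, and the helper names `names_have_prefix` and `lists_security_xattr` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Hypothetical helper: 1 if the NUL-separated list has a name with prefix. */
static int names_have_prefix(const char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix), off = 0;
    while (off < len) {
        const char *nul = memchr(buf + off, '\0', len - off);
        size_t n = nul ? (size_t)(nul - (buf + off)) : len - off;
        if (n >= plen && memcmp(buf + off, prefix, plen) == 0)
            return 1;
        off += n + 1;   /* step over the terminating NUL */
    }
    return 0;
}

/* 1: a security.* name is listed, 0: none listed, -1: listxattr() failed. */
static int lists_security_xattr(const char *path)
{
    for (int tries = 0; tries < 4; tries++) {
        ssize_t need = listxattr(path, NULL, 0);   /* size == 0: probe */
        if (need <= 0)
            return need < 0 ? -1 : 0;              /* error, or empty list */
        char *buf = malloc((size_t)need);
        if (!buf)
            return -1;
        ssize_t got = listxattr(path, buf, (size_t)need);
        int err = errno;                           /* save before free() */
        int hit = got < 0 ? -1 : names_have_prefix(buf, (size_t)got, "security.");
        free(buf);
        if (got >= 0 || err != ERANGE)
            return hit;
        /* ERANGE: the list grew between the two calls, probe again */
    }
    return -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], lists_security_xattr(argv[i]));
    return 0;
}
```

Run against /run/initramfs and /sys/kernel/fscaps, the paths from the commit message, a result of 0 on an SELinux-enabled system corresponds to the "Before" behaviour and 1 to the "After" behaviour.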