archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 03:24:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

nfs: unify security_inode_listsecurity() calls

Browse source 
commit 243fea1346 ("NFSv4.2: fix listxattr to return selinux
security label") introduced a direct call to
security_inode_listsecurity() in nfs4_listxattr(). However,
nfs4_listxattr() already indirectly called
security_inode_listsecurity() via nfs4_listxattr_nfs4_label() if
CONFIG_NFS_V4_SECURITY_LABEL is enabled and the server has the
NFS_CAP_SECURITY_LABEL capability enabled. This duplication was fixed
by commit 9acb237def ("NFSv4.2: another fix for listxattr") by
making the second call conditional on NFS_CAP_SECURITY_LABEL not being
set by the server. However, the combination of the two changes
effectively makes one call to security_inode_listsecurity() in every
case - which is the desired behavior since getxattr() always returns a
security xattr even if it has to synthesize one. Further, the two
different calls produce different xattr name ordering between
security.* and user.* xattr names. Unify the two separate calls into a
single call and get rid of nfs4_listxattr_nfs4_label() altogether.

Link: https://lore.kernel.org/selinux/CAEjxPJ6e8z__=MP5NfdUxkOMQ=EnUFSjWFofP4YPwHqK=Ki5nw@mail.gmail.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
This commit is contained in:
Stephen Smalley 2025-12-03 14:57:28 -05:00 committed by Anna Schumaker
parent 42e7c876b1
commit fdc0396b3c
1 changed files with 3 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

38
fs/nfs/nfs4proc.c
View file

@ -7888,33 +7888,12 @@ static int nfs4_xattr_get_nfs4_label(const struct xattr_handler *handler,
return -EOPNOTSUPP;
}
static ssize_t
nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
{
int len = 0;
if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
len = security_inode_listsecurity(inode, list, list_len);
if (len >= 0 && list_len && len > list_len)
return -ERANGE;
}
return len;
}
static const struct xattr_handler nfs4_xattr_nfs4_label_handler = {
.prefix = XATTR_SECURITY_PREFIX,
.get = nfs4_xattr_get_nfs4_label,
.set = nfs4_xattr_set_nfs4_label,
};
#else
static ssize_t
nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
{
return 0;
}
#endif
#ifdef CONFIG_NFS_V4_2
@ -10553,7 +10532,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {
static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
{
ssize_t error, error2, error3, error4 = 0;
ssize_t error, error2, error3;
size_t left = size;
error = generic_listxattr(dentry, list, left);
@ -10564,10 +10543,9 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
left -= error;
}
error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left);
error2 = security_inode_listsecurity(d_inode(dentry), list, left);
if (error2 < 0)
return error2;
if (list) {
list += error2;
left -= error2;
@ -10576,18 +10554,8 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);
if (error3 < 0)
return error3;
if (list) {
list += error3;
left -= error3;
}
if (!nfs_server_capable(d_inode(dentry), NFS_CAP_SECURITY_LABEL)) {
error4 = security_inode_listsecurity(d_inode(dentry), list, left);
if (error4 < 0)
return error4;
}
error += error2 + error3 + error4;
error += error2 + error3;
if (size && error > size)
return -ERANGE;
return error;