nfs: unify security_inode_listsecurity() calls

commit 243fea134633 ("NFSv4.2: fix listxattr to return selinux
security label") introduced a direct call to
security_inode_listsecurity() in nfs4_listxattr(). However,
nfs4_listxattr() already indirectly called
security_inode_listsecurity() via nfs4_listxattr_nfs4_label() if
CONFIG_NFS_V4_SECURITY_LABEL is enabled and the server has the
NFS_CAP_SECURITY_LABEL capability enabled. This duplication was fixed
by commit 9acb237deff7 ("NFSv4.2: another fix for listxattr") by
making the second call conditional on NFS_CAP_SECURITY_LABEL not being
set by the server. However, the combination of the two changes
effectively makes one call to security_inode_listsecurity() in every
case - which is the desired behavior since getxattr() always returns a
security xattr even if it has to synthesize one. Further, the two
different calls produce different xattr name ordering between
security.* and user.* xattr names. Unify the two separate calls into a
single call and get rid of nfs4_listxattr_nfs4_label() altogether.

Link: https://lore.kernel.org/selinux/CAEjxPJ6e8z__=MP5NfdUxkOMQ=EnUFSjWFofP4YPwHqK=Ki5nw@mail.gmail.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Stephen Smalley and committed by
Paul Moore
4f099d09 1c0860d4

+3 -35
+3 -35
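--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8141,32 +8141,11 @@
 return -EOPNOTSUPP;
 }
 
-static ssize_t
-nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
-{
-int len = 0;
-
-if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
-len = security_inode_listsecurity(inode, list, list_len);
-if (len >= 0 && list_len && len > list_len)
-return -ERANGE;
-}
-return len;
-}
-
 static const struct xattr_handler nfs4_xattr_nfs4_label_handler = {
 .prefix = XATTR_SECURITY_PREFIX,
 .get = nfs4_xattr_get_nfs4_label,
 .set = nfs4_xattr_set_nfs4_label,
 };
-
-#else
-
-static ssize_t
-nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
-{
-return 0;
-}
 
 #endif
 
@@ -10943,7 +10964,7 @@
 
 static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
 {
-ssize_t error, error2, error3, error4 = 0;
+ssize_t error, error2, error3;
 size_t left = size;
 
 error = generic_listxattr(dentry, list, left);
@@ -10954,10 +10975,9 @@
 left -= error;
 }
 
-error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left);
+error2 = security_inode_listsecurity(d_inode(dentry), list, left);
 if (error2 < 0)
 return error2;
-
 if (list) {
 list += error2;
 left -= error2;
@@ -10965,18 +10987,8 @@
 error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);
 if (error3 < 0)
 return error3;
-if (list) {
-list += error3;
-left -= error3;
-}
 
-if (!nfs_server_capable(d_inode(dentry), NFS_CAP_SECURITY_LABEL)) {
-error4 = security_inode_listsecurity(d_inode(dentry), list, left);
-if (error4 < 0)
-return error4;
-}
-
-error += error2 + error3 + error4;
+error += error2 + error3;
 if (size && error > size)
 return -ERANGE;
 return error;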
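Review bot: The direct `security_inode_listsecurity()` call in `nfs4_listxattr()` no longer has the `-ERANGE` check that the removed `nfs4_listxattr_nfs4_label()` applied before the caller advanced `list` and reduced `left`. `left` is a `size_t`, so if the hook can return a length larger than `left` while `list` is non-NULL (its contract is not visible in this diff and should be confirmed), `left -= error2` wraps. `nfs4_listxattr_nfs4_user()` would then receive a pointer past the caller's buffer with a very large remaining length, and the final `error > size` test only runs after that call. I would keep a guard right after the `error2 < 0` test, e.g. `if (list && (size_t)error2 > left) return -ERANGE;`. The body of `nfs4_listxattr()` is only partly shown here, so the handling of `error` from `generic_listxattr()` could not be checked the same way.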