All of lore.kernel.org
 help / color / mirror / Atom feed
* [RFC PATCH v2 0/9] smb: support security and trusted xattrs over EAs
@ 2026-07-17  3:39 Ze Tan
  2026-07-17  3:39 ` [RFC PATCH v2 1/9] smb: client: support security.capability " Ze Tan
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Ze Tan @ 2026-07-17  3:39 UTC (permalink / raw)
  To: sfrench, linkinjeon, pc, sprasad, tom, senozhatsky, chenxiaosong,
	linux-cifs
  Cc: linux-kernel, tanze

The CIFS client and ksmbd currently expose SMB extended attributes
mainly through the Linux user.* namespace. This causes security and
trusted xattr names carried through SMB EAs to be stored with an
additional user. prefix on the server.

For example, security.xfstests can be stored as
user.security.xfstests instead of security.xfstests. This also prevents
security.capability from being handled as a file capability.

generic/093 exercises these namespaces through several commands:

  - setcap and getcap use security.capability;
  - _require_attrs security uses security.xfstests;
  - setfattr and getfattr use trusted.name.

This RFC adds end-to-end handling for the xattrs required by those
operations. The client passes security.capability,
security.xfstests and trusted.* names through SMB EAs without adding
the user. prefix. When SMB3 POSIX extensions are available, ksmbd maps
the same names to their native backing filesystem xattr namespaces for
set, get and list operations.

The security namespace is deliberately restricted to
security.capability and security.xfstests. Other security.* xattrs are
not exposed by this series. trusted.* names are supported while
internal POSIX ACL xattrs remain filtered.

The series also avoids an oplock self-deadlock found while running
generic/093. An EA or metadata-only reopen from the same SMB session
can otherwise break an oplock held by that session and wait for the
same client. Oplock breaks from other sessions and opens with share
conflicts continue to use the normal break path.

Patches 1-3 add the CIFS client support. Patches 4-5 refactor the ksmbd
EA name conversion paths without changing behavior. Patches 6-8 add
the corresponding ksmbd mappings. Patch 9 handles the same-session
oplock case.

The series touches both the CIFS client and ksmbd. It is sent as one
RFC so that the end-to-end name mapping and protocol behavior can be
reviewed together. It can be split into client and server patchsets
for merging after the approach is agreed.

Testing:

generic/093 was run with the CIFS test mount mapped to the fsgqa uid
and gid. Both xfstests mount option variables were configured as
follows:

  export CIFS_OPTS="-o username=fsgqa,password=<password>"
  export CIFS_OPTS="${CIFS_OPTS},uid=1001,gid=1001"
  export TEST_FS_MOUNT_OPTS="${CIFS_OPTS}"
  export MOUNT_OPTIONS="${CIFS_OPTS}"
  cd ~/xfstests/
  ./check -d generic/093

generic/093 passed.

Changelog
---------------

rfc v2: Rebase the patch series onto the for-next branch and resubmit it to avoid "Failed to apply" errors.

rfc: https://lore.kernel.org/all/20260715074908.641940-1-tanze@kylinos.cn/

Ze Tan (9):
  smb: client: support security.capability over EAs
  smb: client: support security.xfstests over EAs
  smb: client: support trusted xattrs over EAs
  ksmbd: extract SMB EA backing xattr name mapping
  ksmbd: extract SMB EA response name handling
  ksmbd: support security.capability EAs
  ksmbd: support security.xfstests EAs
  ksmbd: support trusted EAs
  ksmbd: avoid self oplock breaks for EA opens

 fs/smb/client/smb2ops.c |  34 ++++++++-
 fs/smb/client/xattr.c   | 109 ++++++++++++++++++++++++--
 fs/smb/server/oplock.c  |  49 ++++++++++++
 fs/smb/server/smb2pdu.c | 165 +++++++++++++++++++++++++++++++---------
 4 files changed, 311 insertions(+), 46 deletions(-)


base-commit: fce2dfa773ced15f27dd27cd0b482a7473cdcf2a
-- 
2.43.0


^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2026-07-17  3:40 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-17  3:39 [RFC PATCH v2 0/9] smb: support security and trusted xattrs over EAs Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 1/9] smb: client: support security.capability " Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 2/9] smb: client: support security.xfstests " Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 3/9] smb: client: support trusted xattrs " Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 4/9] ksmbd: extract SMB EA backing xattr name mapping Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 5/9] ksmbd: extract SMB EA response name handling Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 6/9] ksmbd: support security.capability EAs Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 7/9] ksmbd: support security.xfstests EAs Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 8/9] ksmbd: support trusted EAs Ze Tan
2026-07-17  3:39 ` [RFC PATCH v2 9/9] ksmbd: avoid self oplock breaks for EA opens Ze Tan

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.