From: Carlos Llamas <cmllamas@google.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>
Subject: Re: [PATCH vfs/vfs-7.2.xattr v3] bpf: Add simple xattr support to bpffs
Date: Wed, 1 Jul 2026 23:06:26 +0000 [thread overview]
Message-ID: <akWdcp6P0FkNDzBk@google.com> (raw)
In-Reply-To: <20260603-abwenden-plagiat-abtropfen-31bd59c3140b@brauner>
On Wed, Jun 03, 2026 at 09:07:55AM +0200, Christian Brauner wrote:
> On Tue, 02 Jun 2026 09:40:12 +0200, Daniel Borkmann wrote:
> > Add support for extended attributes on bpffs inodes so that user space
> > and BPF LSM programs can attach metadata, for example, a content hash
> > or a security label - to a pinned object or directory. BPF LSM or user
> > space tooling can then uniformly look at this (e.g. security.bpf.*) in
> > similar way to other fs'es. The store is in-memory and non-persistent:
> > it lives only for the lifetime of the mount, like everything else in
> > bpffs. The modelling is similar to tmpfs.
> >
> > [...]
>
> Applied to the vfs-7.2.xattr branch of the vfs/vfs.git tree.
> Patches in the vfs-7.2.xattr branch should appear in linux-next soon.
>
> Please report any outstanding bugs that were missed during review in a
> new review to the original patch series allowing us to drop it.
>
> It's encouraged to provide Acked-bys and Reviewed-bys even though the
> patch has now been applied. If possible patch trailers will be updated.
>
> Note that commit hashes shown below are subject to change due to rebase,
> trailer updates or similar. If in doubt, please check the listed branch.
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
> branch: vfs-7.2.xattr
>
> [1/1] bpf: Add simple xattr support to bpffs
> https://git.kernel.org/vfs/vfs/c/a146500e1144
Hey Christian / Daniel,
I'm getting a regression with this patch when using genfs for bpffs. It
seems like calling selinux_inode_init_security() with !SBLABEL_MNT will
leave the isec->initialized before doing the EOPNOTSUPP exit.
The genfs path is later skipped because inode_doinit_with_dentry() sees
the inode initialized and I get denials in userspace.
I don't know if this would be correct but doing the check for
SBLABEL_MNT before marking the isec as initialized worked for me.
Any thoughts? Should I send a formal patch?
Carlos Llamas
---
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0f704380a8c8..9cb1724d2bbc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2980,6 +2980,10 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
if (rc)
return rc;
+ if (!selinux_initialized() ||
+ !(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
struct inode_security_struct *isec = selinux_inode(inode);
@@ -2988,10 +2992,6 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
isec->initialized = LABEL_INITIALIZED;
}
- if (!selinux_initialized() ||
- !(sbsec->flags & SBLABEL_MNT))
- return -EOPNOTSUPP;
-
xattr = lsm_get_xattr_slot(xattrs, xattr_count);
if (xattr) {
rc = security_sid_to_context_force(newsid,
prev parent reply other threads:[~2026-07-01 23:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-02 7:40 [PATCH vfs/vfs-7.2.xattr v3] bpf: Add simple xattr support to bpffs Daniel Borkmann
2026-06-02 18:07 ` bot+bpf-ci
2026-06-02 18:25 ` Daniel Borkmann
2026-06-03 7:07 ` Christian Brauner
2026-07-01 23:06 ` Carlos Llamas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=akWdcp6P0FkNDzBk@google.com \
--to=cmllamas@google.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox