From: Ashish Sangwan <ashishsangwan2@gmail.com>
To: Miklos Szeredi <miklos@szeredi.hu>, Nikolaus Rath <Nikolaus@rath.org>
Cc: fuse-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org,
	Ashish Sangwan <ashishsangwan2@gmail.com>
Subject: [PATCH] Fuse: Add mount option to cache presence of security related xattr
Date: Wed, 31 Aug 2016 12:06:03 +0530
Message-ID: <1472625363-4850-1-git-send-email-ashishsangwan2@gmail.com>

In case of a write call on any file, there is an xattr lookup call for
the security.capability type of xattr, which is a scaling bottleneck.
In some of our use cases, just enabling the xattr support, we are
experiencing a performance drop of almost 20% even though the file does
not have any security xattr.
Fuse, by default, does not remember the presence of security attributes as
it clears the MS_NOSEC flag at the time of fill super and hence requires a
lookup of security xattr at each write. This makes sense in case of network
filesystems where multiple clients can change the state of xattr.
This patch adds a new mount option cache_security_xattr_presence
to avoid clearing the MS_NOSEC flag. This could be used by the filesystem
implementations which support xattr but are local in nature OR the
implementations which have their own security policies and
do not support the security.capability xattr.

Signed-off-by: Ashish Sangwan <ashishsangwan2@gmail.com>
---
 Documentation/filesystems/fuse.txt | 12 ++++++++++++
 fs/fuse/inode.c                    |  9 +++++++++
 2 files changed, 21 insertions(+)

diff --git a/Documentation/filesystems/fuse.txt b/Documentation/filesystems/fuse.txt
index 13af4a4..7245a40 100644
--- a/Documentation/filesystems/fuse.txt
+++ b/Documentation/filesystems/fuse.txt
@@ -115,6 +115,18 @@ Mount options
   Set the block size for the filesystem.  The default is 512.  This
   option is only valid for 'fuseblk' type mounts.
 
+'cache_security_xattr_presence'
+
+  If xattr support is enabled, in case of every write call on a file
+  fuse perform a xattr lookup call for security.capablities type as it does
+  not remember the presence of this xattr type. This is expected behavior in
+  case of network file system implementations where multiple clients can
+  modify the security related xattr state.
+  But in case of local file system implementations OR in case of network
+  file system implementations which does not support security.capablities
+  this option will prevent the security xattr lookup by caching its presence
+  in kernel.
+
 Control filesystem
 ~~~~~~~~~~~~~~~~~~
 
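Review bot: The added 'cache_security_xattr_presence' paragraph spells the attribute as security.capablities in both places; the xattr name is security.capability, and a reader searching the documentation for it will not find this text. The paragraph should also state what the option trades away: once presence is cached in the kernel, a change to the security xattr made by another client is not seen on later writes, so the option is only appropriate where this mount is the sole path by which that xattr can change. Minor wording: "fuse perform" should be "fuse performs", and "implementations which does not support" should be "which do not support".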
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 4e05b51..bd670c8 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -66,6 +66,7 @@ struct fuse_mount_data {
 	unsigned rootmode_present:1;
 	unsigned user_id_present:1;
 	unsigned group_id_present:1;
+	unsigned cache_security_xattr_presence:1;
 	unsigned flags;
 	unsigned max_read;
 	unsigned blksize;
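Review bot: The new cache_security_xattr_presence bit is kept only in struct fuse_mount_data, and none of the nine lines this patch adds to fs/fuse/inode.c reports it back, so as far as this diff shows an administrator inspecting a live mount cannot tell whether the per-write security xattr lookup has been turned off. Because the option changes a security-relevant check, consider recording it somewhere the mount's show_options output can read and printing it there, so the setting is auditable after mount time.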
@@ -454,6 +455,7 @@ enum {
 	OPT_ALLOW_OTHER,
 	OPT_MAX_READ,
 	OPT_BLKSIZE,
+	OPT_CACHE_SECURITY_XATTR_PRESENCE,
 	OPT_ERR
 };
 
@@ -466,6 +468,7 @@ static const match_table_t tokens = {
 	{OPT_ALLOW_OTHER,		"allow_other"},
 	{OPT_MAX_READ,			"max_read=%u"},
 	{OPT_BLKSIZE,			"blksize=%u"},
+	{OPT_CACHE_SECURITY_XATTR_PRESENCE, "cache_security_xattr_presence"},
 	{OPT_ERR,			NULL}
 };
 
@@ -539,6 +542,10 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
 			d->flags |= FUSE_ALLOW_OTHER;
 			break;
 
+		case OPT_CACHE_SECURITY_XATTR_PRESENCE:
+			d->cache_security_xattr_presence = 1;
+			break;
+
 		case OPT_MAX_READ:
 			if (match_int(&args[0], &value))
 				return 0;
@@ -1069,6 +1076,8 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 		sb->s_blocksize = PAGE_SIZE;
 		sb->s_blocksize_bits = PAGE_SHIFT;
 	}
+	if (d.cache_security_xattr_presence)
+		sb->s_flags |= MS_NOSEC;
 	sb->s_magic = FUSE_SUPER_MAGIC;
 	sb->s_op = &fuse_super_operations;
 	sb->s_maxbytes = MAX_LFS_FILESIZE;
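Review bot: The two added lines "if (d.cache_security_xattr_presence)" / "sb->s_flags |= MS_NOSEC;" need a comment at the site. The commit message explains that fuse clears MS_NOSEC at fill super so the security xattr is looked up on every write, because other clients may change it; here the flag is set back purely on the mounter's request, with nothing in the code stating why that is safe or what the filesystem must guarantee in return. Please add a short comment giving the assumption (the security xattr can only change through this mount, or the filesystem does not support it), and state in the changelog which mounters are expected to be able to pass this option, since it relaxes a check rather than tightening one.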
-- 
1.9.1

