From: Paul Moore <paul@paul-moore.com>
To: David Windsor <dwindsor@gmail.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] selinux: don't reserve xattr slot when we won't fill it
Date: Mon, 27 Apr 2026 19:32:55 -0400 [thread overview]
Message-ID: <0a65e27845468d7b0b57810086a563d3@paul-moore.com> (raw)
In-Reply-To: <20260426232349.844289-1-dwindsor@gmail.com>
On Apr 26, 2026 David Windsor <dwindsor@gmail.com> wrote:
>
> Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
> a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
> initxattrs() callbacks stop iterating at the first NULL ->name, silently
> dropping xattrs installed by later LSMs.
>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
> security/selinux/hooks.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Good catch, thanks. These seems like a stable candidate so I've merged
it into selinux/stable-7.1 and we likely send it up to Linus later this
week.
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 97801966bf32..4ff118a9395f 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2966,7 +2966,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
> {
> const struct cred_security_struct *crsec = selinux_cred(current_cred());
> struct superblock_security_struct *sbsec;
> - struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
> + struct xattr *xattr;
> u32 newsid, clen;
> u16 newsclass;
> int rc;
> @@ -2992,6 +2992,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
> !(sbsec->flags & SBLABEL_MNT))
> return -EOPNOTSUPP;
>
> + xattr = lsm_get_xattr_slot(xattrs, xattr_count);
> if (xattr) {
> rc = security_sid_to_context_force(newsid,
> &context, &clen);
>
> base-commit: 254f49634ee16a731174d2ae34bc50bd5f45e731
> --
> 2.53.0
--
paul-moore.com
prev parent reply other threads:[~2026-04-27 23:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-26 23:23 [PATCH] selinux: don't reserve xattr slot when we won't fill it David Windsor
2026-04-27 23:32 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0a65e27845468d7b0b57810086a563d3@paul-moore.com \
--to=paul@paul-moore.com \
--cc=dwindsor@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox