From f549d6c18c0e8e6cf1bf0e7a47acc1daf7e2cec1 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Sat, 3 Sep 2005 15:55:18 -0700 Subject: [PATCH] Generic VFS fallback for security xattrs This patch modifies the VFS setxattr, getxattr, and listxattr code to fall back to the security module for security xattrs if the filesystem does not support xattrs natively. This allows security modules to export the incore inode security label information to userspace even if the filesystem does not provide xattr storage, and eliminates the need to individually patch various pseudo filesystem types to provide such access. The patch removes the existing xattr code from devpts and tmpfs as it is then no longer needed. The patch restructures the code flow slightly to reduce duplication between the normal path and the fallback path, but this should only have one user-visible side effect - a program may get -EACCES rather than -EOPNOTSUPP if policy denied access but the filesystem didn't support the operation anyway. Note that the post_setxattr hook call is not needed in the fallback case, as the inode_setsecurity hook call handles the incore inode security state update directly. In contrast, we do call fsnotify in both cases. Signed-off-by: Stephen Smalley Acked-by: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/Kconfig | 43 ------------------------------------------- 1 file changed, 43 deletions(-) (limited to 'fs/Kconfig') diff --git a/fs/Kconfig b/fs/Kconfig index e54be70..ed78d24 100644 --- a/fs/Kconfig +++ b/fs/Kconfig @@ -783,28 +783,6 @@ config SYSFS Designers of embedded systems may wish to say N here to conserve space. -config DEVPTS_FS_XATTR - bool "/dev/pts Extended Attributes" - depends on UNIX98_PTYS - help - Extended attributes are name:value pairs associated with inodes by - the kernel or by users (see the attr(5) manual page, or visit - for details). - - If unsure, say N. - -config DEVPTS_FS_SECURITY - bool "/dev/pts Security Labels" - depends on DEVPTS_FS_XATTR - help - Security labels support alternative access control models - implemented by security modules like SELinux. This option - enables an extended attribute handler for file security - labels in the /dev/pts filesystem. - - If you are not using a security module that requires using - extended attributes for file security labels, say N. - config TMPFS bool "Virtual memory file system support (former shm fs)" help @@ -817,27 +795,6 @@ config TMPFS See for details. -config TMPFS_XATTR - bool "tmpfs Extended Attributes" - depends on TMPFS - help - Extended attributes are name:value pairs associated with inodes by - the kernel or by users (see the attr(5) manual page, or visit - for details). - - If unsure, say N. - -config TMPFS_SECURITY - bool "tmpfs Security Labels" - depends on TMPFS_XATTR - help - Security labels support alternative access control models - implemented by security modules like SELinux. This option - enables an extended attribute handler for file security - labels in the tmpfs filesystem. - If you are not using a security module that requires using - extended attributes for file security labels, say N. - config HUGETLBFS bool "HugeTLB file system support" depends X86 || IA64 || PPC64 || SPARC64 || SUPERH || X86_64 || BROKEN -- cgit v1.1