git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Stephen Smalley <stephen.smalley.work@gmail.com>
	Wed, 3 Dec 2025 19:57:28 +0000 (14:57 -0500)
committer	Anna Schumaker <anna.schumaker@oracle.com>
	Mon, 9 Feb 2026 18:39:39 +0000 (13:39 -0500)
commit	fdc0396b3cc05dc9b678627af23c3fdc7dbe930e
tree	6b77fac7828887624816042cf533980fb017191f	tree
parent	42e7c876b182da65723700f6bc507a8aecb10d3b	commit \| diff

nfs: unify security_inode_listsecurity() calls

commit 243fea134633 ("NFSv4.2: fix listxattr to return selinux
security label") introduced a direct call to
security_inode_listsecurity() in nfs4_listxattr(). However,
nfs4_listxattr() already indirectly called
security_inode_listsecurity() via nfs4_listxattr_nfs4_label() if
CONFIG_NFS_V4_SECURITY_LABEL is enabled and the server has the
NFS_CAP_SECURITY_LABEL capability enabled. This duplication was fixed
by commit 9acb237deff7 ("NFSv4.2: another fix for listxattr") by
making the second call conditional on NFS_CAP_SECURITY_LABEL not being
set by the server. However, the combination of the two changes
effectively makes one call to security_inode_listsecurity() in every
case - which is the desired behavior since getxattr() always returns a
security xattr even if it has to synthesize one. Further, the two
different calls produce different xattr name ordering between
security.* and user.* xattr names. Unify the two separate calls into a
single call and get rid of nfs4_listxattr_nfs4_label() altogether.

Link: https://lore.kernel.org/selinux/CAEjxPJ6e8z__=MP5NfdUxkOMQ=EnUFSjWFofP4YPwHqK=Ki5nw@mail.gmail.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>