<div dir="ltr">I will redo the manual audit, perhaps I need to not be so scared of allconfig build ;-} (currently my runtime & buildtime test platform is android 4.19 kernel, my bad).<div><br></div><div>I am going through and exploring/changing/testing everything to deal with GregKH/jmorris wanting a single xattr_gs_args structure reference where the flags argument is stowed, rather than YA adding a flags argument. It is doubling the (mechanical) codebase impact but decreases the future maintenance and _large_ set of stakeholders (+75 at last count).</div><div><br></div><div>-- Mark</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 16, 2019 at 8:11 AM Jan Kara <<a href="mailto:jack@suse.cz">jack@suse.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu 15-08-19 08:49:58, Mark Salyzyn wrote:<br>
> Add a flag option to get xattr method that could have a bit flag of<br>
> XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then<br>
> set in the __vfs_getxattr path.<br>
> <br>
> This handles the case of a union filesystem driver that is being<br>
> requested by the security layer to report back the xattr data.<br>
> <br>
> For the use case where access is to be blocked by the security layer.<br>
> <br>
> The path then could be security(dentry) -><br>
> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -><br>
> handler->get(dentry...XATTR_NOSECURITY) -><br>
> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -><br>
> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY)<br>
> which would report back through the chain data and success as<br>
> expected, the logging security layer at the top would have the<br>
> data to determine the access permissions and report back the target<br>
> context that was blocked.<br>
> <br>
> Without the get handler flag, the path on a union filesystem would be<br>
> the errant security(dentry) -> __vfs_getxattr(dentry) -><br>
> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -><br>
> security(lower_dentry, log off) -> lower_handler->get(lower_dentry)<br>
> which would report back through the chain no data, and -EACCES.<br>
> <br>
> For selinux for both cases, this would translate to a correctly<br>
> determined blocked access. In the first case with this change a correct avc<br>
> log would be reported, in the second legacy case an incorrect avc log<br>
> would be reported against an uninitialized u:object_r:unlabeled:s0<br>
> context making the logs cosmetically useless for audit2allow.<br>
> <br>
> This patch series is inert and is the wide-spread addition of the<br>
> flags option for xattr functions, and a replacement of _vfs_getxattr<br>
> with __vfs_getxattr(...XATTR_NOSECURITY).<br>
> <br>
> Signed-off-by: Mark Salyzyn <<a href="mailto:salyzyn@android.com" target="_blank">salyzyn@android.com</a>><br>
> Cc: Stephen Smalley <<a href="mailto:sds@tycho.nsa.gov" target="_blank">sds@tycho.nsa.gov</a>><br>
> Cc: <a href="mailto:linux-kernel@vger.kernel.org" target="_blank">linux-kernel@vger.kernel.org</a><br>
> Cc: <a href="mailto:kernel-team@android.com" target="_blank">kernel-team@android.com</a><br>
> Cc: <a href="mailto:linux-security-module@vger.kernel.org" target="_blank">linux-security-module@vger.kernel.org</a><br>
> Cc: Jan Kara <<a href="mailto:jack@suse.cz" target="_blank">jack@suse.cz</a>><br>
> Cc: <a href="mailto:stable@vger.kernel.org" target="_blank">stable@vger.kernel.org</a> # 4.4, 4.9, 4.14 & 4.19<br>
<br>
The patch looks good to me. I can see you've missed conversion of one place<br>
in ext2 which 0-day spotted so that will need fixing. Otherwise feel free<br>
to add:<br>
<br>
Acked-by: Jan Kara <<a href="mailto:jack@suse.cz" target="_blank">jack@suse.cz</a>><br>
<br>
Honza<br>
> ---<br>
> v4:<br>
> - ifdef __KERNEL__ around XATTR_NOSECURITY to<br>
> keep it colocated in uapi headers.<br>
> <br>
> v3:<br>
> - poor aim on ubifs not ubifs_xattr_get, but static xattr_get<br>
> <br>
> v2:<br>
> - Missed a spot: ubifs, erofs and afs.<br>
> <br>
> v1:<br>
> - Removed from an overlayfs patch set, and made independent.<br>
> Expect this to be the basis of some security improvements.<br>
> ---<br>
> drivers/staging/erofs/xattr.c | 3 ++-<br>
> fs/9p/acl.c | 3 ++-<br>
> fs/9p/xattr.c | 3 ++-<br>
> fs/afs/xattr.c | 8 +++----<br>
> fs/btrfs/xattr.c | 3 ++-<br>
> fs/ceph/xattr.c | 3 ++-<br>
> fs/cifs/xattr.c | 2 +-<br>
> fs/ecryptfs/inode.c | 6 ++++--<br>
> fs/ecryptfs/mmap.c | 2 +-<br>
> fs/ext2/xattr_trusted.c | 2 +-<br>
> fs/ext2/xattr_user.c | 2 +-<br>
> fs/ext4/xattr_security.c | 2 +-<br>
> fs/ext4/xattr_trusted.c | 2 +-<br>
> fs/ext4/xattr_user.c | 2 +-<br>
> fs/f2fs/xattr.c | 4 ++--<br>
> fs/fuse/xattr.c | 4 ++--<br>
> fs/gfs2/xattr.c | 3 ++-<br>
> fs/hfs/attr.c | 2 +-<br>
> fs/hfsplus/xattr.c | 3 ++-<br>
> fs/hfsplus/xattr_trusted.c | 3 ++-<br>
> fs/hfsplus/xattr_user.c | 3 ++-<br>
> fs/jffs2/security.c | 3 ++-<br>
> fs/jffs2/xattr_trusted.c | 3 ++-<br>
> fs/jffs2/xattr_user.c | 3 ++-<br>
> fs/jfs/xattr.c | 5 +++--<br>
> fs/kernfs/inode.c | 3 ++-<br>
> fs/nfs/nfs4proc.c | 6 ++++--<br>
> fs/ocfs2/xattr.c | 9 +++++---<br>
> fs/orangefs/xattr.c | 3 ++-<br>
> fs/overlayfs/super.c | 8 ++++---<br>
> fs/posix_acl.c | 2 +-<br>
> fs/reiserfs/xattr_security.c | 3 ++-<br>
> fs/reiserfs/xattr_trusted.c | 3 ++-<br>
> fs/reiserfs/xattr_user.c | 3 ++-<br>
> fs/squashfs/xattr.c | 2 +-<br>
> fs/ubifs/xattr.c | 3 ++-<br>
> fs/xattr.c | 36 +++++++++++++++----------------<br>
> fs/xfs/xfs_xattr.c | 3 ++-<br>
> include/linux/xattr.h | 9 ++++----<br>
> include/uapi/linux/xattr.h | 7 ++++--<br>
> mm/shmem.c | 3 ++-<br>
> net/socket.c | 3 ++-<br>
> security/commoncap.c | 6 ++++--<br>
> security/integrity/evm/evm_main.c | 3 ++-<br>
> security/selinux/hooks.c | 11 ++++++----<br>
> security/smack/smack_lsm.c | 5 +++--<br>
> 46 files changed, 126 insertions(+), 84 deletions(-)<br>
> <br>
> diff --git a/drivers/staging/erofs/xattr.c b/drivers/staging/erofs/xattr.c<br>
> index df40654b9fbb..69440065432c 100644<br>
> --- a/drivers/staging/erofs/xattr.c<br>
> +++ b/drivers/staging/erofs/xattr.c<br>
> @@ -463,7 +463,8 @@ int erofs_getxattr(struct inode *inode, int index,<br>
> <br>
> static int erofs_xattr_generic_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> struct erofs_sb_info *const sbi = EROFS_I_SB(inode);<br>
> <br>
> diff --git a/fs/9p/acl.c b/fs/9p/acl.c<br>
> index 6261719f6f2a..cb14e8b312bc 100644<br>
> --- a/fs/9p/acl.c<br>
> +++ b/fs/9p/acl.c<br>
> @@ -214,7 +214,8 @@ int v9fs_acl_mode(struct inode *dir, umode_t *modep,<br>
> <br>
> static int v9fs_xattr_get_acl(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> struct v9fs_session_info *v9ses;<br>
> struct posix_acl *acl;<br>
> diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c<br>
> index ac8ff8ca4c11..5cfa772452fd 100644<br>
> --- a/fs/9p/xattr.c<br>
> +++ b/fs/9p/xattr.c<br>
> @@ -139,7 +139,8 @@ ssize_t v9fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size)<br>
> <br>
> static int v9fs_xattr_handler_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> const char *full_name = xattr_full_name(handler, name);<br>
> <br>
> diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c<br>
> index 5552d034090a..7e2d97653f5a 100644<br>
> --- a/fs/afs/xattr.c<br>
> +++ b/fs/afs/xattr.c<br>
> @@ -163,7 +163,7 @@ static const struct xattr_handler afs_xattr_afs_acl_handler = {<br>
> static int afs_xattr_get_yfs(const struct xattr_handler *handler,<br>
> struct dentry *dentry,<br>
> struct inode *inode, const char *name,<br>
> - void *buffer, size_t size)<br>
> + void *buffer, size_t size, int flags)<br>
> {<br>
> struct afs_fs_cursor fc;<br>
> struct afs_status_cb *scb;<br>
> @@ -334,7 +334,7 @@ static const struct xattr_handler afs_xattr_yfs_handler = {<br>
> static int afs_xattr_get_cell(const struct xattr_handler *handler,<br>
> struct dentry *dentry,<br>
> struct inode *inode, const char *name,<br>
> - void *buffer, size_t size)<br>
> + void *buffer, size_t size, int flags)<br>
> {<br>
> struct afs_vnode *vnode = AFS_FS_I(inode);<br>
> struct afs_cell *cell = vnode->volume->cell;<br>
> @@ -361,7 +361,7 @@ static const struct xattr_handler afs_xattr_afs_cell_handler = {<br>
> static int afs_xattr_get_fid(const struct xattr_handler *handler,<br>
> struct dentry *dentry,<br>
> struct inode *inode, const char *name,<br>
> - void *buffer, size_t size)<br>
> + void *buffer, size_t size, int flags)<br>
> {<br>
> struct afs_vnode *vnode = AFS_FS_I(inode);<br>
> char text[16 + 1 + 24 + 1 + 8 + 1];<br>
> @@ -397,7 +397,7 @@ static const struct xattr_handler afs_xattr_afs_fid_handler = {<br>
> static int afs_xattr_get_volume(const struct xattr_handler *handler,<br>
> struct dentry *dentry,<br>
> struct inode *inode, const char *name,<br>
> - void *buffer, size_t size)<br>
> + void *buffer, size_t size, int flags)<br>
> {<br>
> struct afs_vnode *vnode = AFS_FS_I(inode);<br>
> const char *volname = vnode->volume->name;<br>
> diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c<br>
> index 95d9aebff2c4..1e522e145344 100644<br>
> --- a/fs/btrfs/xattr.c<br>
> +++ b/fs/btrfs/xattr.c<br>
> @@ -353,7 +353,8 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size)<br>
> <br>
> static int btrfs_xattr_handler_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> name = xattr_full_name(handler, name);<br>
> return btrfs_getxattr(inode, name, buffer, size);<br>
> diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c<br>
> index 37b458a9af3a..edb7eb9ae83e 100644<br>
> --- a/fs/ceph/xattr.c<br>
> +++ b/fs/ceph/xattr.c<br>
> @@ -1171,7 +1171,8 @@ int __ceph_setxattr(struct inode *inode, const char *name,<br>
> <br>
> static int ceph_get_xattr_handler(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size,<br>
> + int flags)<br>
> {<br>
> if (!ceph_is_valid_xattr(name))<br>
> return -EOPNOTSUPP;<br>
> diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c<br>
> index 9076150758d8..7f71c06ce631 100644<br>
> --- a/fs/cifs/xattr.c<br>
> +++ b/fs/cifs/xattr.c<br>
> @@ -199,7 +199,7 @@ static int cifs_creation_time_get(struct dentry *dentry, struct inode *inode,<br>
> <br>
> static int cifs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> ssize_t rc = -EOPNOTSUPP;<br>
> unsigned int xid;<br>
> diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c<br>
> index 18426f4855f1..c710c7533729 100644<br>
> --- a/fs/ecryptfs/inode.c<br>
> +++ b/fs/ecryptfs/inode.c<br>
> @@ -1018,7 +1018,8 @@ ecryptfs_getxattr_lower(struct dentry *lower_dentry, struct inode *lower_inode,<br>
> goto out;<br>
> }<br>
> inode_lock(lower_inode);<br>
> - rc = __vfs_getxattr(lower_dentry, lower_inode, name, value, size);<br>
> + rc = __vfs_getxattr(lower_dentry, lower_inode, name, value, size,<br>
> + XATTR_NOSECURITY);<br>
> inode_unlock(lower_inode);<br>
> out:<br>
> return rc;<br>
> @@ -1103,7 +1104,8 @@ const struct inode_operations ecryptfs_main_iops = {<br>
> <br>
> static int ecryptfs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return ecryptfs_getxattr(dentry, inode, name, buffer, size);<br>
> }<br>
> diff --git a/fs/ecryptfs/mmap.c b/fs/ecryptfs/mmap.c<br>
> index cffa0c1ec829..2362be3e3b4d 100644<br>
> --- a/fs/ecryptfs/mmap.c<br>
> +++ b/fs/ecryptfs/mmap.c<br>
> @@ -422,7 +422,7 @@ static int ecryptfs_write_inode_size_to_xattr(struct inode *ecryptfs_inode)<br>
> }<br>
> inode_lock(lower_inode);<br>
> size = __vfs_getxattr(lower_dentry, lower_inode, ECRYPTFS_XATTR_NAME,<br>
> - xattr_virt, PAGE_SIZE);<br>
> + xattr_virt, PAGE_SIZE, XATTR_NOSECURITY);<br>
> if (size < 0)<br>
> size = 8;<br>
> put_unaligned_be64(i_size_read(ecryptfs_inode), xattr_virt);<br>
> diff --git a/fs/ext2/xattr_trusted.c b/fs/ext2/xattr_trusted.c<br>
> index 49add1107850..8d313664f0fa 100644<br>
> --- a/fs/ext2/xattr_trusted.c<br>
> +++ b/fs/ext2/xattr_trusted.c<br>
> @@ -18,7 +18,7 @@ ext2_xattr_trusted_list(struct dentry *dentry)<br>
> static int<br>
> ext2_xattr_trusted_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> return ext2_xattr_get(inode, EXT2_XATTR_INDEX_TRUSTED, name,<br>
> buffer, size);<br>
> diff --git a/fs/ext2/xattr_user.c b/fs/ext2/xattr_user.c<br>
> index c243a3b4d69d..712b7c95cc64 100644<br>
> --- a/fs/ext2/xattr_user.c<br>
> +++ b/fs/ext2/xattr_user.c<br>
> @@ -20,7 +20,7 @@ ext2_xattr_user_list(struct dentry *dentry)<br>
> static int<br>
> ext2_xattr_user_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> if (!test_opt(inode->i_sb, XATTR_USER))<br>
> return -EOPNOTSUPP;<br>
> diff --git a/fs/ext4/xattr_security.c b/fs/ext4/xattr_security.c<br>
> index 197a9d8a15ef..50fb71393fb6 100644<br>
> --- a/fs/ext4/xattr_security.c<br>
> +++ b/fs/ext4/xattr_security.c<br>
> @@ -15,7 +15,7 @@<br>
> static int<br>
> ext4_xattr_security_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> return ext4_xattr_get(inode, EXT4_XATTR_INDEX_SECURITY,<br>
> name, buffer, size);<br>
> diff --git a/fs/ext4/xattr_trusted.c b/fs/ext4/xattr_trusted.c<br>
> index e9389e5d75c3..64bd8f86c1f1 100644<br>
> --- a/fs/ext4/xattr_trusted.c<br>
> +++ b/fs/ext4/xattr_trusted.c<br>
> @@ -22,7 +22,7 @@ ext4_xattr_trusted_list(struct dentry *dentry)<br>
> static int<br>
> ext4_xattr_trusted_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> return ext4_xattr_get(inode, EXT4_XATTR_INDEX_TRUSTED,<br>
> name, buffer, size);<br>
> diff --git a/fs/ext4/xattr_user.c b/fs/ext4/xattr_user.c<br>
> index d4546184b34b..b7301373820e 100644<br>
> --- a/fs/ext4/xattr_user.c<br>
> +++ b/fs/ext4/xattr_user.c<br>
> @@ -21,7 +21,7 @@ ext4_xattr_user_list(struct dentry *dentry)<br>
> static int<br>
> ext4_xattr_user_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> if (!test_opt(inode->i_sb, XATTR_USER))<br>
> return -EOPNOTSUPP;<br>
> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c<br>
> index b32c45621679..76559da8dfba 100644<br>
> --- a/fs/f2fs/xattr.c<br>
> +++ b/fs/f2fs/xattr.c<br>
> @@ -24,7 +24,7 @@<br>
> <br>
> static int f2fs_xattr_generic_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> struct f2fs_sb_info *sbi = F2FS_SB(inode->i_sb);<br>
> <br>
> @@ -79,7 +79,7 @@ static bool f2fs_xattr_trusted_list(struct dentry *dentry)<br>
> <br>
> static int f2fs_xattr_advise_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> if (buffer)<br>
> *((char *)buffer) = F2FS_I(inode)->i_advise;<br>
> diff --git a/fs/fuse/xattr.c b/fs/fuse/xattr.c<br>
> index 433717640f78..d1ef7808304e 100644<br>
> --- a/fs/fuse/xattr.c<br>
> +++ b/fs/fuse/xattr.c<br>
> @@ -176,7 +176,7 @@ int fuse_removexattr(struct inode *inode, const char *name)<br>
> <br>
> static int fuse_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> return fuse_getxattr(inode, name, value, size);<br>
> }<br>
> @@ -199,7 +199,7 @@ static bool no_xattr_list(struct dentry *dentry)<br>
> <br>
> static int no_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> return -EOPNOTSUPP;<br>
> }<br>
> diff --git a/fs/gfs2/xattr.c b/fs/gfs2/xattr.c<br>
> index bbe593d16bea..a9db067a99c1 100644<br>
> --- a/fs/gfs2/xattr.c<br>
> +++ b/fs/gfs2/xattr.c<br>
> @@ -588,7 +588,8 @@ static int __gfs2_xattr_get(struct inode *inode, const char *name,<br>
> <br>
> static int gfs2_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> struct gfs2_inode *ip = GFS2_I(inode);<br>
> struct gfs2_holder gh;<br>
> diff --git a/fs/hfs/attr.c b/fs/hfs/attr.c<br>
> index 74fa62643136..08222a9c5d31 100644<br>
> --- a/fs/hfs/attr.c<br>
> +++ b/fs/hfs/attr.c<br>
> @@ -115,7 +115,7 @@ static ssize_t __hfs_getxattr(struct inode *inode, enum hfs_xattr_type type,<br>
> <br>
> static int hfs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> return __hfs_getxattr(inode, handler->flags, value, size);<br>
> }<br>
> diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c<br>
> index bb0b27d88e50..381c2aaedbc8 100644<br>
> --- a/fs/hfsplus/xattr.c<br>
> +++ b/fs/hfsplus/xattr.c<br>
> @@ -839,7 +839,8 @@ static int hfsplus_removexattr(struct inode *inode, const char *name)<br>
> <br>
> static int hfsplus_osx_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> /*<br>
> * Don't allow retrieving properly prefixed attributes<br>
> diff --git a/fs/hfsplus/xattr_trusted.c b/fs/hfsplus/xattr_trusted.c<br>
> index fbad91e1dada..54d926314f8c 100644<br>
> --- a/fs/hfsplus/xattr_trusted.c<br>
> +++ b/fs/hfsplus/xattr_trusted.c<br>
> @@ -14,7 +14,8 @@<br>
> <br>
> static int hfsplus_trusted_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer,<br>
> + size_t size, int flags)<br>
> {<br>
> return hfsplus_getxattr(inode, name, buffer, size,<br>
> XATTR_TRUSTED_PREFIX,<br>
> diff --git a/fs/hfsplus/xattr_user.c b/fs/hfsplus/xattr_user.c<br>
> index 74d19faf255e..4d2b1ffff887 100644<br>
> --- a/fs/hfsplus/xattr_user.c<br>
> +++ b/fs/hfsplus/xattr_user.c<br>
> @@ -14,7 +14,8 @@<br>
> <br>
> static int hfsplus_user_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> <br>
> return hfsplus_getxattr(inode, name, buffer, size,<br>
> diff --git a/fs/jffs2/security.c b/fs/jffs2/security.c<br>
> index c2332e30f218..e6f42fe435af 100644<br>
> --- a/fs/jffs2/security.c<br>
> +++ b/fs/jffs2/security.c<br>
> @@ -50,7 +50,8 @@ int jffs2_init_security(struct inode *inode, struct inode *dir,<br>
> /* ---- XATTR Handler for "security.*" ----------------- */<br>
> static int jffs2_security_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return do_jffs2_getxattr(inode, JFFS2_XPREFIX_SECURITY,<br>
> name, buffer, size);<br>
> diff --git a/fs/jffs2/xattr_trusted.c b/fs/jffs2/xattr_trusted.c<br>
> index 5d6030826c52..9dccaae549f5 100644<br>
> --- a/fs/jffs2/xattr_trusted.c<br>
> +++ b/fs/jffs2/xattr_trusted.c<br>
> @@ -18,7 +18,8 @@<br>
> <br>
> static int jffs2_trusted_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return do_jffs2_getxattr(inode, JFFS2_XPREFIX_TRUSTED,<br>
> name, buffer, size);<br>
> diff --git a/fs/jffs2/xattr_user.c b/fs/jffs2/xattr_user.c<br>
> index 9d027b4abcf9..c0983a3e810b 100644<br>
> --- a/fs/jffs2/xattr_user.c<br>
> +++ b/fs/jffs2/xattr_user.c<br>
> @@ -18,7 +18,8 @@<br>
> <br>
> static int jffs2_user_getxattr(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return do_jffs2_getxattr(inode, JFFS2_XPREFIX_USER,<br>
> name, buffer, size);<br>
> diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c<br>
> index db41e7803163..5c79a35bf62f 100644<br>
> --- a/fs/jfs/xattr.c<br>
> +++ b/fs/jfs/xattr.c<br>
> @@ -925,7 +925,7 @@ static int __jfs_xattr_set(struct inode *inode, const char *name,<br>
> <br>
> static int jfs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> name = xattr_full_name(handler, name);<br>
> return __jfs_getxattr(inode, name, value, size);<br>
> @@ -942,7 +942,8 @@ static int jfs_xattr_set(const struct xattr_handler *handler,<br>
> <br>
> static int jfs_xattr_get_os2(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size,<br>
> + int flags)<br>
> {<br>
> if (is_known_namespace(name))<br>
> return -EOPNOTSUPP;<br>
> diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c<br>
> index f3f3984cce80..89db24ce644e 100644<br>
> --- a/fs/kernfs/inode.c<br>
> +++ b/fs/kernfs/inode.c<br>
> @@ -309,7 +309,8 @@ int kernfs_xattr_set(struct kernfs_node *kn, const char *name,<br>
> <br>
> static int kernfs_vfs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *suffix, void *value, size_t size)<br>
> + const char *suffix, void *value, size_t size,<br>
> + int flags)<br>
> {<br>
> const char *name = xattr_full_name(handler, suffix);<br>
> struct kernfs_node *kn = inode->i_private;<br>
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c<br>
> index 1406858bae6c..1905597f86fb 100644<br>
> --- a/fs/nfs/nfs4proc.c<br>
> +++ b/fs/nfs/nfs4proc.c<br>
> @@ -7218,7 +7218,8 @@ static int nfs4_xattr_set_nfs4_acl(const struct xattr_handler *handler,<br>
> <br>
> static int nfs4_xattr_get_nfs4_acl(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *key, void *buf, size_t buflen)<br>
> + const char *key, void *buf, size_t buflen,<br>
> + int flags)<br>
> {<br>
> return nfs4_proc_get_acl(inode, buf, buflen);<br>
> }<br>
> @@ -7243,7 +7244,8 @@ static int nfs4_xattr_set_nfs4_label(const struct xattr_handler *handler,<br>
> <br>
> static int nfs4_xattr_get_nfs4_label(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *key, void *buf, size_t buflen)<br>
> + const char *key, void *buf, size_t buflen,<br>
> + int flags)<br>
> {<br>
> if (security_ismaclabel(key))<br>
> return nfs4_get_security_label(inode, buf, buflen);<br>
> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c<br>
> index 90c830e3758e..525835807c86 100644<br>
> --- a/fs/ocfs2/xattr.c<br>
> +++ b/fs/ocfs2/xattr.c<br>
> @@ -7242,7 +7242,8 @@ int ocfs2_init_security_and_acl(struct inode *dir,<br>
> */<br>
> static int ocfs2_xattr_security_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return ocfs2_xattr_get(inode, OCFS2_XATTR_INDEX_SECURITY,<br>
> name, buffer, size);<br>
> @@ -7314,7 +7315,8 @@ const struct xattr_handler ocfs2_xattr_security_handler = {<br>
> */<br>
> static int ocfs2_xattr_trusted_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return ocfs2_xattr_get(inode, OCFS2_XATTR_INDEX_TRUSTED,<br>
> name, buffer, size);<br>
> @@ -7340,7 +7342,8 @@ const struct xattr_handler ocfs2_xattr_trusted_handler = {<br>
> */<br>
> static int ocfs2_xattr_user_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);<br>
> <br>
> diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c<br>
> index bdc285aea360..ef4180bff7bb 100644<br>
> --- a/fs/orangefs/xattr.c<br>
> +++ b/fs/orangefs/xattr.c<br>
> @@ -541,7 +541,8 @@ static int orangefs_xattr_get_default(const struct xattr_handler *handler,<br>
> struct inode *inode,<br>
> const char *name,<br>
> void *buffer,<br>
> - size_t size)<br>
> + size_t size,<br>
> + int flags)<br>
> {<br>
> return orangefs_inode_getxattr(inode, name, buffer, size);<br>
> <br>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c<br>
> index b368e2e102fa..a7b21f2ea2dd 100644<br>
> --- a/fs/overlayfs/super.c<br>
> +++ b/fs/overlayfs/super.c<br>
> @@ -854,7 +854,7 @@ static unsigned int ovl_split_lowerdirs(char *str)<br>
> static int __maybe_unused<br>
> ovl_posix_acl_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size, int flags)<br>
> {<br>
> return ovl_xattr_get(dentry, inode, handler->name, buffer, size);<br>
> }<br>
> @@ -919,7 +919,8 @@ ovl_posix_acl_xattr_set(const struct xattr_handler *handler,<br>
> <br>
> static int ovl_own_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return -EOPNOTSUPP;<br>
> }<br>
> @@ -934,7 +935,8 @@ static int ovl_own_xattr_set(const struct xattr_handler *handler,<br>
> <br>
> static int ovl_other_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> return ovl_xattr_get(dentry, inode, name, buffer, size);<br>
> }<br>
> diff --git a/fs/posix_acl.c b/fs/posix_acl.c<br>
> index 84ad1c90d535..cd55621e570b 100644<br>
> --- a/fs/posix_acl.c<br>
> +++ b/fs/posix_acl.c<br>
> @@ -832,7 +832,7 @@ EXPORT_SYMBOL (posix_acl_to_xattr);<br>
> static int<br>
> posix_acl_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *value, size_t size)<br>
> + const char *name, void *value, size_t size, int flags)<br>
> {<br>
> struct posix_acl *acl;<br>
> int error;<br>
> diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c<br>
> index 20be9a0e5870..eedfa07a4fd0 100644<br>
> --- a/fs/reiserfs/xattr_security.c<br>
> +++ b/fs/reiserfs/xattr_security.c<br>
> @@ -11,7 +11,8 @@<br>
> <br>
> static int<br>
> security_get(const struct xattr_handler *handler, struct dentry *unused,<br>
> - struct inode *inode, const char *name, void *buffer, size_t size)<br>
> + struct inode *inode, const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> if (IS_PRIVATE(inode))<br>
> return -EPERM;<br>
> diff --git a/fs/reiserfs/xattr_trusted.c b/fs/reiserfs/xattr_trusted.c<br>
> index 5ed48da3d02b..2d11d98605dd 100644<br>
> --- a/fs/reiserfs/xattr_trusted.c<br>
> +++ b/fs/reiserfs/xattr_trusted.c<br>
> @@ -10,7 +10,8 @@<br>
> <br>
> static int<br>
> trusted_get(const struct xattr_handler *handler, struct dentry *unused,<br>
> - struct inode *inode, const char *name, void *buffer, size_t size)<br>
> + struct inode *inode, const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> if (!capable(CAP_SYS_ADMIN) || IS_PRIVATE(inode))<br>
> return -EPERM;<br>
> diff --git a/fs/reiserfs/xattr_user.c b/fs/reiserfs/xattr_user.c<br>
> index a573ca45bacc..2a59d85c69c9 100644<br>
> --- a/fs/reiserfs/xattr_user.c<br>
> +++ b/fs/reiserfs/xattr_user.c<br>
> @@ -9,7 +9,8 @@<br>
> <br>
> static int<br>
> user_get(const struct xattr_handler *handler, struct dentry *unused,<br>
> - struct inode *inode, const char *name, void *buffer, size_t size)<br>
> + struct inode *inode, const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> if (!reiserfs_xattrs_user(inode->i_sb))<br>
> return -EOPNOTSUPP;<br>
> diff --git a/fs/squashfs/xattr.c b/fs/squashfs/xattr.c<br>
> index e1e3f3dd5a06..d8d58c990652 100644<br>
> --- a/fs/squashfs/xattr.c<br>
> +++ b/fs/squashfs/xattr.c<br>
> @@ -204,7 +204,7 @@ static int squashfs_xattr_handler_get(const struct xattr_handler *handler,<br>
> struct dentry *unused,<br>
> struct inode *inode,<br>
> const char *name,<br>
> - void *buffer, size_t size)<br>
> + void *buffer, size_t size, int flags)<br>
> {<br>
> return squashfs_xattr_get(inode, handler->flags, name,<br>
> buffer, size);<br>
> diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c<br>
> index 9aefbb60074f..26e1a74f178e 100644<br>
> --- a/fs/ubifs/xattr.c<br>
> +++ b/fs/ubifs/xattr.c<br>
> @@ -669,7 +669,8 @@ int ubifs_init_security(struct inode *dentry, struct inode *inode,<br>
> <br>
> static int xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> dbg_gen("xattr '%s', ino %lu ('%pd'), buf size %zd", name,<br>
> inode->i_ino, dentry, size);<br>
> diff --git a/fs/xattr.c b/fs/xattr.c<br>
> index 90dd78f0eb27..71f887518d6f 100644<br>
> --- a/fs/xattr.c<br>
> +++ b/fs/xattr.c<br>
> @@ -281,7 +281,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,<br>
> return PTR_ERR(handler);<br>
> if (!handler->get)<br>
> return -EOPNOTSUPP;<br>
> - error = handler->get(handler, dentry, inode, name, NULL, 0);<br>
> + error = handler->get(handler, dentry, inode, name, NULL, 0, 0);<br>
> if (error < 0)<br>
> return error;<br>
> <br>
> @@ -292,32 +292,20 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,<br>
> memset(value, 0, error + 1);<br>
> }<br>
> <br>
> - error = handler->get(handler, dentry, inode, name, value, error);<br>
> + error = handler->get(handler, dentry, inode, name, value, error, 0);<br>
> *xattr_value = value;<br>
> return error;<br>
> }<br>
> <br>
> ssize_t<br>
> __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,<br>
> - void *value, size_t size)<br>
> + void *value, size_t size, int flags)<br>
> {<br>
> const struct xattr_handler *handler;<br>
> -<br>
> - handler = xattr_resolve_name(inode, &name);<br>
> - if (IS_ERR(handler))<br>
> - return PTR_ERR(handler);<br>
> - if (!handler->get)<br>
> - return -EOPNOTSUPP;<br>
> - return handler->get(handler, dentry, inode, name, value, size);<br>
> -}<br>
> -EXPORT_SYMBOL(__vfs_getxattr);<br>
> -<br>
> -ssize_t<br>
> -vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)<br>
> -{<br>
> - struct inode *inode = dentry->d_inode;<br>
> int error;<br>
> <br>
> + if (flags & XATTR_NOSECURITY)<br>
> + goto nolsm;<br>
> error = xattr_permission(inode, name, MAY_READ);<br>
> if (error)<br>
> return error;<br>
> @@ -339,7 +327,19 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)<br>
> return ret;<br>
> }<br>
> nolsm:<br>
> - return __vfs_getxattr(dentry, inode, name, value, size);<br>
> + handler = xattr_resolve_name(inode, &name);<br>
> + if (IS_ERR(handler))<br>
> + return PTR_ERR(handler);<br>
> + if (!handler->get)<br>
> + return -EOPNOTSUPP;<br>
> + return handler->get(handler, dentry, inode, name, value, size, flags);<br>
> +}<br>
> +EXPORT_SYMBOL(__vfs_getxattr);<br>
> +<br>
> +ssize_t<br>
> +vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)<br>
> +{<br>
> + return __vfs_getxattr(dentry, dentry->d_inode, name, value, size, 0);<br>
> }<br>
> EXPORT_SYMBOL_GPL(vfs_getxattr);<br>
> <br>
> diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c<br>
> index 3123b5aaad2a..cafc99c48e20 100644<br>
> --- a/fs/xfs/xfs_xattr.c<br>
> +++ b/fs/xfs/xfs_xattr.c<br>
> @@ -18,7 +18,8 @@<br>
> <br>
> static int<br>
> xfs_xattr_get(const struct xattr_handler *handler, struct dentry *unused,<br>
> - struct inode *inode, const char *name, void *value, size_t size)<br>
> + struct inode *inode, const char *name, void *value, size_t size,<br>
> + int flags)<br>
> {<br>
> int xflags = handler->flags;<br>
> struct xfs_inode *ip = XFS_I(inode);<br>
> diff --git a/include/linux/xattr.h b/include/linux/xattr.h<br>
> index 6dad031be3c2..4df9dcdc48c5 100644<br>
> --- a/include/linux/xattr.h<br>
> +++ b/include/linux/xattr.h<br>
> @@ -30,10 +30,10 @@ struct xattr_handler {<br>
> const char *prefix;<br>
> int flags; /* fs private flags */<br>
> bool (*list)(struct dentry *dentry);<br>
> - int (*get)(const struct xattr_handler *, struct dentry *dentry,<br>
> + int (*get)(const struct xattr_handler *handler, struct dentry *dentry,<br>
> struct inode *inode, const char *name, void *buffer,<br>
> - size_t size);<br>
> - int (*set)(const struct xattr_handler *, struct dentry *dentry,<br>
> + size_t size, int flags);<br>
> + int (*set)(const struct xattr_handler *handler, struct dentry *dentry,<br>
> struct inode *inode, const char *name, const void *buffer,<br>
> size_t size, int flags);<br>
> };<br>
> @@ -46,7 +46,8 @@ struct xattr {<br>
> size_t value_len;<br>
> };<br>
> <br>
> -ssize_t __vfs_getxattr(struct dentry *, struct inode *, const char *, void *, size_t);<br>
> +ssize_t __vfs_getxattr(struct dentry *dentry, struct inode *inode,<br>
> + const char *name, void *buffer, size_t size, int flags);<br>
> ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);<br>
> ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);<br>
> int __vfs_setxattr(struct dentry *, struct inode *, const char *, const void *, size_t, int);<br>
> diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h<br>
> index c1395b5bd432..1eba02616274 100644<br>
> --- a/include/uapi/linux/xattr.h<br>
> +++ b/include/uapi/linux/xattr.h<br>
> @@ -17,8 +17,11 @@<br>
> #if __UAPI_DEF_XATTR<br>
> #define __USE_KERNEL_XATTR_DEFS<br>
> <br>
> -#define XATTR_CREATE 0x1 /* set value, fail if attr already exists */<br>
> -#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */<br>
> +#define XATTR_CREATE 0x1 /* set value, fail if attr already exists */<br>
> +#define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */<br>
> +#ifdef __KERNEL__ /* following is kernel internal, colocated for maintenance */<br>
> +#define XATTR_NOSECURITY 0x4 /* get value, do not involve security check */<br>
> +#endif<br>
> #endif<br>
> <br>
> /* Namespaces */<br>
> diff --git a/mm/shmem.c b/mm/shmem.c<br>
> index 2bed4761f279..1013fcbd0a94 100644<br>
> --- a/mm/shmem.c<br>
> +++ b/mm/shmem.c<br>
> @@ -3206,7 +3206,8 @@ static int shmem_initxattrs(struct inode *inode,<br>
> <br>
> static int shmem_xattr_handler_get(const struct xattr_handler *handler,<br>
> struct dentry *unused, struct inode *inode,<br>
> - const char *name, void *buffer, size_t size)<br>
> + const char *name, void *buffer, size_t size,<br>
> + int flags)<br>
> {<br>
> struct shmem_inode_info *info = SHMEM_I(inode);<br>
> <br>
> diff --git a/net/socket.c b/net/socket.c<br>
> index 6a9ab7a8b1d2..6b0fea92dd02 100644<br>
> --- a/net/socket.c<br>
> +++ b/net/socket.c<br>
> @@ -300,7 +300,8 @@ static const struct dentry_operations sockfs_dentry_operations = {<br>
> <br>
> static int sockfs_xattr_get(const struct xattr_handler *handler,<br>
> struct dentry *dentry, struct inode *inode,<br>
> - const char *suffix, void *value, size_t size)<br>
> + const char *suffix, void *value, size_t size,<br>
> + int flags)<br>
> {<br>
> if (value) {<br>
> if (dentry->d_name.len + 1 > size)<br>
> diff --git a/security/commoncap.c b/security/commoncap.c<br>
> index f4ee0ae106b2..378a2f66a73d 100644<br>
> --- a/security/commoncap.c<br>
> +++ b/security/commoncap.c<br>
> @@ -297,7 +297,8 @@ int cap_inode_need_killpriv(struct dentry *dentry)<br>
> struct inode *inode = d_backing_inode(dentry);<br>
> int error;<br>
> <br>
> - error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);<br>
> + error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0,<br>
> + XATTR_NOSECURITY);<br>
> return error > 0;<br>
> }<br>
> <br>
> @@ -586,7 +587,8 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data<br>
> <br>
> fs_ns = inode->i_sb->s_user_ns;<br>
> size = __vfs_getxattr((struct dentry *)dentry, inode,<br>
> - XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);<br>
> + XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ,<br>
> + XATTR_NOSECURITY);<br>
> if (size == -ENODATA || size == -EOPNOTSUPP)<br>
> /* no data, that's ok */<br>
> return -ENODATA;<br>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c<br>
> index f9a81b187fae..921c8f2afcaf 100644<br>
> --- a/security/integrity/evm/evm_main.c<br>
> +++ b/security/integrity/evm/evm_main.c<br>
> @@ -100,7 +100,8 @@ static int evm_find_protected_xattrs(struct dentry *dentry)<br>
> return -EOPNOTSUPP;<br>
> <br>
> list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) {<br>
> - error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0);<br>
> + error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0,<br>
> + XATTR_NOSECURITY);<br>
> if (error < 0) {<br>
> if (error == -ENODATA)<br>
> continue;<br>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c<br>
> index 74dd46de01b6..b0822da0658f 100644<br>
> --- a/security/selinux/hooks.c<br>
> +++ b/security/selinux/hooks.c<br>
> @@ -552,7 +552,8 @@ static int sb_finish_set_opts(struct super_block *sb)<br>
> goto out;<br>
> }<br>
> <br>
> - rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);<br>
> + rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL,<br>
> + 0, XATTR_NOSECURITY);<br>
> if (rc < 0 && rc != -ENODATA) {<br>
> if (rc == -EOPNOTSUPP)<br>
> pr_warn("SELinux: (dev %s, type "<br>
> @@ -1378,12 +1379,14 @@ static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,<br>
> return -ENOMEM;<br>
> <br>
> context[len] = '\0';<br>
> - rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);<br>
> + rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len,<br>
> + XATTR_NOSECURITY);<br>
> if (rc == -ERANGE) {<br>
> kfree(context);<br>
> <br>
> /* Need a larger buffer. Query for the right size. */<br>
> - rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);<br>
> + rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0,<br>
> + XATTR_NOSECURITY);<br>
> if (rc < 0)<br>
> return rc;<br>
> <br>
> @@ -1394,7 +1397,7 @@ static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,<br>
> <br>
> context[len] = '\0';<br>
> rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,<br>
> - context, len);<br>
> + context, len, XATTR_NOSECURITY);<br>
> }<br>
> if (rc < 0) {<br>
> kfree(context);<br>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c<br>
> index 4c5e5a438f8b..158b35772be1 100644<br>
> --- a/security/smack/smack_lsm.c<br>
> +++ b/security/smack/smack_lsm.c<br>
> @@ -292,7 +292,8 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,<br>
> if (buffer == NULL)<br>
> return ERR_PTR(-ENOMEM);<br>
> <br>
> - rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL);<br>
> + rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL,<br>
> + XATTR_NOSECURITY);<br>
> if (rc < 0)<br>
> skp = ERR_PTR(rc);<br>
> else if (rc == 0)<br>
> @@ -3442,7 +3443,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)<br>
> } else {<br>
> rc = __vfs_getxattr(dp, inode,<br>
> XATTR_NAME_SMACKTRANSMUTE, trattr,<br>
> - TRANS_TRUE_SIZE);<br>
> + TRANS_TRUE_SIZE, XATTR_NOSECURITY);<br>
> if (rc >= 0 && strncmp(trattr, TRANS_TRUE,<br>
> TRANS_TRUE_SIZE) != 0)<br>
> rc = -EINVAL;<br>
> -- <br>
> 2.23.0.rc1.153.gdeed80330f-goog<br>
> <br>
-- <br>
Jan Kara <<a href="mailto:jack@suse.com" target="_blank">jack@suse.com</a>><br>
SUSE Labs, CR<br>
<br>
-- <br>
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:kernel-team%2Bunsubscribe@android.com" target="_blank">kernel-team+unsubscribe@android.com</a>.<br>
<br>
</blockquote></div>