Skip to content
  • Stephen Smalley's avatar
    [PATCH] Generic VFS fallback for security xattrs · f549d6c1
    Stephen Smalley authored
    This patch modifies the VFS setxattr, getxattr, and listxattr code to fall
    back to the security module for security xattrs if the filesystem does not
    support xattrs natively.  This allows security modules to export the incore
    inode security label information to userspace even if the filesystem does
    not provide xattr storage, and eliminates the need to individually patch
    various pseudo filesystem types to provide such access.  The patch removes
    the existing xattr code from devpts and tmpfs as it is then no longer
    The patch restructures the code flow slightly to reduce duplication between
    the normal path and the fallback path, but this should only have one
    user-visible side effect - a program may get -EACCES rather than
    -EOPNOTSUPP if policy denied access but the filesystem didn't support the
    operation anyway.  Note that the post_setxattr hook call is not needed in
    the fallback case, as the inode_setsecurity hook call handles the incore
    inode security state update directly.  In contrast, we do call fsnotify in
    both cases.
    Signed-off-by: default avatarStephen Smalley <>
    Acked-by: default avatarJames Morris <>
    Signed-off-by: default avatarAndrew Morton <>
    Signed-off-by: default avatarLinus Torvalds <>