On 2025-01-09 05:29, Pádraig Brady wrote:
> over NFS with unreadable files
> you can GET the security.selinux xattr, but you can't LIST any xattrs:

Ouch again....

> Also there was a change since coreutils v9.5 where we don't call the GET,

Yes, that is for efficiency in the common case where the file has no
attributes. In that case, ls (via file_has_aclinfo) needs only one
llistxattr call and can skip the other syscalls.

> So perhaps we should also always call lgetxattr("security.selinux"),
> or at least fall back to that upon EACCES from listxattr() ?

The latter sounds better, given the efficiency concerns. Also, come to
think of it, E2BIG is in the same category as EACCES.

I installed the attached into Gnulib and propagated it into coreutils;
please give it a try.

From 64ce046c046563bce51e9a5ed4cf2422ee376c8b Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@xxxxxxxxxxx>
Date: Thu, 9 Jan 2025 20:37:13 -0800
Subject: [PATCH] file-has-acl: port to Linux 6.12 + NFS listxattr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* lib/file-has-acl.c (get_aclinfo): Try the getxattr-related calls
even if [l]listxattr fails with EACCES. Problem reported by
Pádraig Brady <https://bugs.gnu.org/74692#25>. Also, treat E2BIG
like EACCES.
---
ChangeLog | 8 ++++++++
lib/file-has-acl.c | 12 +++++++++---
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b9681a71f1..4cbbe52e8d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2025-01-09 Paul Eggert <eggert@xxxxxxxxxxx>
+
+ file-has-acl: port to Linux 6.12 + NFS listxattr
+ * lib/file-has-acl.c (get_aclinfo): Try the getxattr-related calls
+ even if [l]listxattr fails with EACCES. Problem reported by
+ Pádraig Brady <https://bugs.gnu.org/74692#25>. Also, treat E2BIG
+ like EACCES.
+
2025-01-09 Bruno Haible <bruno@xxxxxxxxx>
sys_socket-h: Update for POSIX:2024.
diff --git a/lib/file-has-acl.c b/lib/file-has-acl.c
index 35dcc19f16..5ec6b256ef 100644
--- a/lib/file-has-acl.c
+++ b/lib/file-has-acl.c
@@ -176,11 +176,17 @@ get_aclinfo (char const *name, struct aclinfo *ai, int flags)
}
}
- if (0 < ai->size && flags & ACL_GET_SCONTEXT)
+ /* A security context can exist only if extended attributes do: i.e.,
+ [l]listxattr either returned a positive number, or failed with E2BIG,
+ or failed with EACCES which in Linux kernel 6.12 NFS can mean merely
+ that we lack read access. */
+ if (flags & ACL_GET_SCONTEXT
+ && (0 < ai->size
+ || (ai->size < 0 && (ai->u.err == E2BIG || ai->u.err == EACCES))))
{
if (is_smack_enabled ())
{
- if (aclinfo_has_xattr (ai, XATTR_NAME_SMACK))
+ if (ai->size < 0 || aclinfo_has_xattr (ai, XATTR_NAME_SMACK))
{
ssize_t r = smack_new_label_from_path (name, "security.SMACK64",
flags & ACL_SYMLINK_FOLLOW,
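Review bot: the new `ai->size < 0 ||` test in the Smack branch is correct only because the outer condition has already limited negative sizes to E2BIG and EACCES, and nothing at the inner test says so; a short comment there, or a local boolean computed once from the outer test, would keep the two in step if the outer condition is later widened. Because smack_new_label_from_path is now reached without knowing that the attribute exists, the handling of `r`, which lies outside this hunk, should treat a missing attribute as "no context" rather than as an error. Minor: the check uses XATTR_NAME_SMACK while the call passes the literal "security.SMACK64".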
@@ -191,7 +197,7 @@ get_aclinfo (char const *name, struct aclinfo *ai, int flags)
else
{
# if USE_SELINUX_SELINUX_H
- if (aclinfo_has_xattr (ai, XATTR_NAME_SELINUX))
+ if (ai->size < 0 || aclinfo_has_xattr (ai, XATTR_NAME_SELINUX))
{
ssize_t r =
((flags & ACL_SYMLINK_FOLLOW ? getfilecon : lgetfilecon)
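Review bot: no test accompanies the `ai->size < 0 ||` fallback placed before aclinfo_has_xattr (ai, XATTR_NAME_SELINUX); the diffstat touches only ChangeLog and lib/file-has-acl.c. The failure needs Linux 6.12 NFS to reproduce, so a test would have to simulate [l]listxattr failing with EACCES while the get succeeds; if that is impractical, the commit message should say so. The new comment could also state that this path costs one extra getfilecon or lgetfilecon call for each file whose list fails, since the discussion gives saved syscalls as the reason for listing first.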
--
2.45.2
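
The list-then-get fallback discussed in this message, as an added C example that is not Gnulib's code. `get_scontext`, `list_fn`, `get_fn` and the simulated callbacks are hypothetical names, the label is constructed, and the callbacks stand in for llistxattr/lgetxattr so the NFS case runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define SELINUX "security.selinux"

/* Hypothetical stand-ins for llistxattr/lgetxattr (same return and errno
   conventions), injected so the NFS behaviour can be simulated. */
typedef ssize_t (*list_fn)(const char *path, char *buf, size_t size);
typedef ssize_t (*get_fn)(const char *path, const char *name, char *buf, size_t size);

/* Length of the context copied to ctx, 0 if none, -1 on other errors. */
ssize_t get_scontext(const char *path, list_fn list, get_fn get, char *ctx, size_t n)
{
    char names[256];
    ssize_t len = list(path, names, sizeof names);
    if (len == 0) return 0;             /* common case: one call, no xattrs */
    if (len < 0 && errno != EACCES && errno != E2BIG) return -1; /* example's choice */
    if (len > 0) {                      /* only a successful list can rule the name out */
        const char *p = names;
        while (p < names + len && strcmp(p, SELINUX) != 0)
            p += strlen(p) + 1;
        if (p >= names + len) return 0;
    }
    ssize_t r = get(path, SELINUX, ctx, n);  /* a failed list proves nothing: ask */
    return (r < 0 && errno == ENODATA) ? 0 : r;
}

/* Constructed simulations: a list that fails with EACCES, an empty list,
   and a get that returns a made-up label and counts its calls. */
static int get_calls;
ssize_t list_eacces(const char *p, char *b, size_t n) { (void)p; (void)b; (void)n; errno = EACCES; return -1; }
ssize_t list_empty(const char *p, char *b, size_t n) { (void)p; (void)b; (void)n; return 0; }
ssize_t get_label(const char *p, const char *name, char *b, size_t n)
{
    static const char label[] = "system_u:object_r:nfs_t:s0";
    (void)p; (void)name; get_calls++;
    if (n < sizeof label) { errno = ERANGE; return -1; }
    memcpy(b, label, sizeof label);
    return sizeof label;
}

int main(void)
{
    char ctx[128];
    ssize_t r = get_scontext("f", list_eacces, get_label, ctx, sizeof ctx);
    printf("EACCES list: r=%zd ctx=%s\n", r, r > 0 ? ctx : "(none)");
    r = get_scontext("f", list_empty, get_label, ctx, sizeof ctx);
    printf("empty list:  r=%zd get calls=%d\n", r, get_calls);
}
```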