On Fri, 2020-11-06 at 16:03 -0500, Olga Kornievskaia wrote: > From: Olga Kornievskaia <kolga@xxxxxxxxxx> > > Currently, the client will always ask for security_labels if the > server > returns that it supports that feature regardless of any LSM modules > (such as Selinux) enforcing security policy. This adds performance > penalty to the READDIR operation. > > Client adjusts superblock's support of the security_label based on > the server's support but also current client's configuration of the > LSM modules. Thus, prior to using the default bitmask in READDIR, > this patch checks the server's capabilities and then instructs > READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask. > > v5: fixing silly mistakes of the rushed v4 > v4: simplifying logic > v3: changing label's initialization per Ondrej's comment > v2: dropping selinux hook and using the sb cap. > > Suggested-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > Suggested-by: Scott Mayhew <smayhew@xxxxxxxxxx> > Signed-off-by: Olga Kornievskaia <kolga@xxxxxxxxxx> > --- > fs/nfs/nfs4proc.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c > index 9e0ca9b2b210..7fa63e282af0 100644 > --- a/fs/nfs/nfs4proc.c > +++ b/fs/nfs/nfs4proc.c > @@ -4961,12 +4961,12 @@ static int _nfs4_proc_readdir(struct dentry > *dentry, const struct cred *cred, > u64 cookie, struct page **pages, unsigned int count, > bool plus) > { > struct inode *dir = d_inode(dentry); > + struct nfs_server *server = NFS_SERVER(dir); > struct nfs4_readdir_arg args = { > .fh = NFS_FH(dir), > .pages = pages, > .pgbase = 0, > .count = count, > - .bitmask = NFS_SERVER(d_inode(dentry))->attr_bitmask, > .plus = plus, > }; > struct nfs4_readdir_res res; > @@ -4981,9 +4981,15 @@ static int _nfs4_proc_readdir(struct dentry > *dentry, const struct cred *cred, > dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__, > dentry, > (unsigned long long)cookie); > + if (!(server->caps & NFS_CAP_SECURITY_LABEL)) > + args.bitmask = server->attr_bitmask_nl; > + else > + args.bitmask = server->attr_bitmask; > + > nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, > &args); > res.pgbase = args.pgbase; > - status = nfs4_call_sync(NFS_SERVER(dir)->client, > NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0); > + status = nfs4_call_sync(server->client, server, &msg, > &args.seq_args, > + &res.seq_res, 0); > if (status >= 0) { > memcpy(NFS_I(dir)->cookieverf, res.verifier.data, > NFS4_VERIFIER_SIZE); > status += args.pgbase; That version looks good to me. Thanks Olga! -- Trond Myklebust Linux NFS client maintainer, Hammerspace trond.myklebust@xxxxxxxxxxxxxxx