On Mon, May 25, 2020 at 1:14 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> I might be missing something, but couldn't you achieve the same by
> simply adding something like this in here:
>
>     if (!selinux_initialized(&selinux_state))
>         return -EOPNOTSUPP;
>
> (Or by adding it to the condition above.)
>
> Then you should hit this condition here and be all set:
> https://elixir.bootlin.com/linux/v5.7-rc7/source/fs/xattr.c#L337

Hi Ondrej,

Yes, that looks promising. Two questions with that approach:

1. Is there a concern here with transiently returning -EOPNOTSUPP even if
   the SELinux LSM does technically support the inode_getsecurity hook?
   I'm thinking of potential corner cases down the road where somehow
   this knowledge is cached.

2. The selinux_inode_getsecurity hook today does somewhat handle the
   uninitialized case. It ends up here:
   https://elixir.bootlin.com/linux/v5.7-rc7/source/security/selinux/ss/services.c#L1322
   Specifically, it has support for initial SIDs. The patch I wrote
   purposely tries to allow falling back to that logic. Is there a
   concern with short-circuiting this logic even if the inode SID somehow
   isn't SECINITSID_UNLABELED?