On Mon, Dec 7, 2020 at 3:52 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Mon, Dec 07, 2020 at 10:03:24AM -0500, Paul Moore wrote:
> > On Mon, Dec 7, 2020 at 9:43 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > >
> > > Hi everyone,
> > >
> > > In [1] we ran into a problem with the current handling of filesystem
> > > labeling rules. Basically, it is only possible to specify either
> > > genfscon or fs_use_xattr for a given filesystem, but in the case of
> > > virtiofs, certain mounts may support security xattrs, while other ones
> > > may not.
> >
> > [ cc virtio-fs list and miklos ]
> >
> > Quickly skimming the linked GH issue, it appears that the problem
> > really lies in the fact that virtiofs allows one to enable/disable
> > xattrs at mount time. What isn't clear to me is why one would need to
> > disable xattrs, can you explain that use case? Why does enabling
> > xattrs in virtiofs cause problems?
>
> It's not exactly a mount time option. It's a virtiofs file server option.
>
> xattr support by default is disabled because it has performance
> penalty. Users can enable it if they want to.

Oh the number of sins against security that have been committed under
the banner of performance! ;)

Regardless, thanks for the explanation, that helps.

-- 
paul moore
www.paul-moore.com