On Fri, Sep 24, 2021, at 3:24 PM, Vivek Goyal wrote:
> When a new inode is created, send its security context to server along
> with creation request (FUSE_CREAT, FUSE_MKNOD, FUSE_MKDIR and FUSE_SYMLINK).
> This gives server an opportunity to create new file and set security
> context (possibly atomically). In all the configurations it might not
> be possible to set context atomically.
>
> Like nfs and ceph, use security_dentry_init_security() to determine security
> context of inode and send it with create, mkdir, mknod, and symlink requests.
>
> Following is the information sent to server.
>
> - struct fuse_secctx.
>   This contains total size of security context which follows this structure.
>
> - xattr name string.
>   This string represents name of xattr which should be used while setting
>   security context. As of now it is hardcoded to "security.selinux".

Any reason not to just send all `security.*` xattrs found on the inode?

(I'm not super familiar with this code, it looks like we're going from the
LSM-cached version attached to the inode, but presumably since we're sending
bytes we can just ask the filesystem for the raw data instead)
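For reference, here is a small example (added to this page, not code from the patch series or from the FUSE project) of packing and parsing the payload layout the cover letter describes: a fuse_secctx header carrying the total size of what follows, then the NUL-terminated xattr name, then the raw context value. The field widths of the header, the function names, and the sample SELinux label are assumptions for illustration; the point is the server-side bounds checks, since the header's size and the name's terminator both come from the client and must be validated against the bytes actually received before either is trusted. The parser also refuses names outside the security.* namespace, which is the example's own check, not something the patch states.

```c
/* Added example: pack/parse the FUSE security-context payload described above.
 * Header layout and function names are assumptions, not the kernel ABI. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct fuse_secctx {
    uint32_t size;     /* bytes that follow this header: name + NUL + value */
    uint32_t padding;
};

/* Client side: header, then "name\0", then the raw context bytes.
 * Returns the total number of bytes written, or 0 if buf is too small. */
size_t secctx_pack(uint8_t *buf, size_t buflen, const char *name,
                   const void *value, size_t vlen)
{
    size_t nlen = strlen(name) + 1;          /* include the terminating NUL */
    size_t body = nlen + vlen;
    if (body > UINT32_MAX || sizeof(struct fuse_secctx) + body > buflen)
        return 0;
    struct fuse_secctx hdr = { .size = (uint32_t)body, .padding = 0 };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, name, nlen);
    memcpy(buf + sizeof hdr + nlen, value, vlen);
    return sizeof hdr + body;
}

struct secctx_view {
    const char *name;      /* points into the message, NUL-terminated */
    const uint8_t *value;  /* raw context bytes, not NUL-terminated */
    size_t vlen;
};

/* Server side: every length is checked against the bytes received, so a
 * buggy or hostile client cannot make the server read past the message.
 * Returns 0 on success, -1 on malformed input. */
int secctx_parse(const uint8_t *buf, size_t len, struct secctx_view *out)
{
    struct fuse_secctx hdr;
    if (len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.size > len - sizeof hdr)
        return -1;                            /* header claims more than was sent */
    const uint8_t *body = buf + sizeof hdr;
    const uint8_t *nul = memchr(body, '\0', hdr.size);
    if (!nul)
        return -1;                            /* name never terminated inside body */
    size_t nlen = (size_t)(nul - body) + 1;
    if (strncmp((const char *)body, "security.", 9) != 0)
        return -1;                            /* example's own check: security.* only */
    out->name = (const char *)body;
    out->value = body + nlen;
    out->vlen = hdr.size - nlen;
    return 0;
}

/* Round-trip a constructed SELinux label and confirm that truncated,
 * unterminated and out-of-namespace payloads are rejected.
 * Returns 1 if every check passes, 0 otherwise. */
int secctx_selftest(void)
{
    uint8_t buf[128];
    const char *label = "unconfined_u:object_r:user_home_t:s0"; /* constructed sample */
    struct secctx_view v;

    size_t n = secctx_pack(buf, sizeof buf, "security.selinux", label, strlen(label));
    if (n != sizeof(struct fuse_secctx) + strlen("security.selinux") + 1 + strlen(label))
        return 0;
    if (secctx_parse(buf, n, &v) != 0)
        return 0;
    if (strcmp(v.name, "security.selinux") != 0 || v.vlen != strlen(label) ||
        memcmp(v.value, label, v.vlen) != 0)
        return 0;
    if (secctx_parse(buf, n - 1, &v) != -1)          /* size field exceeds message */
        return 0;
    if (secctx_parse(buf, sizeof(struct fuse_secctx), &v) != -1) /* header only */
        return 0;

    uint8_t bad[sizeof(struct fuse_secctx) + 8];     /* name with no NUL at all */
    struct fuse_secctx h = { .size = 8, .padding = 0 };
    memcpy(bad, &h, sizeof h);
    memcpy(bad + sizeof h, "security", 8);
    if (secctx_parse(bad, sizeof bad, &v) != -1)
        return 0;

    n = secctx_pack(buf, sizeof buf, "user.foo", label, strlen(label));
    if (n == 0 || secctx_parse(buf, n, &v) != -1)    /* wrong xattr namespace */
        return 0;
    return 1;
}

int main(void)
{
    printf("secctx selftest: %s\n", secctx_selftest() ? "ok" : "FAILED");
    return secctx_selftest() ? 0 : 1;
}
```

The parser hands back pointers into the received message rather than copying, so the caller must keep the message alive while it uses the view; the value is deliberately not treated as a C string, because an SELinux label sent by a client may or may not carry a trailing NUL and the server should set the xattr with exactly the bytes it was given.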