On 10/01/2025 04:46, Paul Eggert wrote:
> On 2025-01-09 05:29, Pádraig Brady wrote:
>> over NFS with unreadable files
>> you can GET the security.selinux xattr, but you can't LIST any xattrs:
> Ouch again....
>> Also there was a change since coreutils v9.5 where we don't call the GET,
> Yes, that is for efficiency in the common case where the file has no
> attributes. In that case, ls (via file_has_aclinfo) needs only one
> llistxattr call and can skip the other syscalls.
>> So perhaps we should also always call lgetxattr("security.selinux"),
>> or at least fall back to that upon EACCES from listxattr() ?
> The latter sounds better, given the efficiency concerns. Also, come to
> think of it, E2BIG is in the same category as EACCES.
> I installed the attached into Gnulib and propagated it into coreutils;
> please give it a try.
Yes, with that gnulib patch it is now indicating the security context:
$ strace -e trace=/.*xattr.* src/ls -l /mnt/nfs/file
llistxattr("/mnt/nfs/file", 0x7ffd73a9694c, 152) = -1 EACCES (Permission denied)
lgetxattr("/mnt/nfs/file", "security.selinux", "system_u:object_r:nfs_t:s0", 255) = 27
ls: /mnt/nfs/file: Permission denied
--w-------. 1 padraig padraig 0 Jan 8 20:42 /mnt/nfs/file
+++ exited with 0 +++
With the previously discussed ls patch included, we also suppress the error
(while indicating the obtainable security context):
$ src/ls -l /mnt/nfs
total 0
--w-------. 1 padraig padraig 0 Jan 8 20:42 file
I'll push that ls patch now.
thanks!
Pádraig
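
The fallback discussed in this thread, as an added example that is not part of the message and is not the Gnulib or coreutils code: list first, and ask for security.selinux directly only when it is listed or when listing fails with EACCES or E2BIG. The names `probe_selinux`, `demo` and the stand-in syscall functions are hypothetical, the NFS behaviour is constructed from the strace above, and the larger-buffer retry needed for ERANGE is left out.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Same signatures as llistxattr(2)/lgetxattr(2), injected so the constructed
   NFS case below runs without an NFS mount. */
typedef ssize_t (*list_fn)(const char *, char *, size_t);
typedef ssize_t (*get_fn)(const char *, const char *, void *, size_t);
enum probe { NO_CONTEXT, HAS_CONTEXT, PROBE_ERROR };

/* Hypothetical helper: one list call in the common case; ask for
   security.selinux directly only if it is listed or listing is refused. */
enum probe probe_selinux(const char *path, list_fn list, get_fn get,
                         char *ctx, size_t ctxsize)
{
    char names[152];                       /* buffer size seen in the strace */
    ssize_t n = list(path, names, sizeof names);
    if (n >= 0) {
        int found = 0;                     /* names: NUL-terminated strings */
        for (ssize_t i = 0; i < n; i += (ssize_t) strlen(names + i) + 1)
            found |= strcmp(names + i, "security.selinux") == 0;
        if (!found)
            return NO_CONTEXT;             /* common case: no further syscall */
    } else if (errno != EACCES && errno != E2BIG) {
        return errno == ENOTSUP ? NO_CONTEXT : PROBE_ERROR;
    }
    ssize_t len = get(path, "security.selinux", ctx, ctxsize - 1);
    if (len < 0)
        return errno == ENODATA || errno == ENOTSUP ? NO_CONTEXT : PROBE_ERROR;
    ctx[len] = '\0';
    return HAS_CONTEXT;
}

/* Constructed stand-ins reproducing the NFS behaviour in the strace. */
static ssize_t nfs_list(const char *p, char *l, size_t s)
{ (void) p; (void) l; (void) s; errno = EACCES; return -1; }
static ssize_t nfs_get(const char *p, const char *name, void *v, size_t s)
{
    static const char c[] = "system_u:object_r:nfs_t:s0";
    (void) p; (void) name;
    if (s < sizeof c) { errno = ERANGE; return -1; }
    memcpy(v, c, sizeof c);
    return sizeof c;                       /* 27, trailing NUL included */
}
static ssize_t empty_list(const char *p, char *l, size_t s)
{ (void) p; (void) l; (void) s; return 0; }

/* Returns the context found for the constructed case, or "" if none. */
const char *demo(int nfs)
{ static char ctx[256]; ctx[0] = '\0';
  probe_selinux("/mnt/nfs/file", nfs ? nfs_list : empty_list, nfs_get, ctx, sizeof ctx);
  return ctx; }
int main(void) { return strcmp(demo(1), "system_u:object_r:nfs_t:s0") != 0; }
```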