Skip to content

bcachefs: initialize security xattrs on inode creation#651

Closed
Komzpa wants to merge 1 commit into
koverstreet:testingfrom
Komzpa:komzpa/security-xattr-init
Closed

bcachefs: initialize security xattrs on inode creation#651
Komzpa wants to merge 1 commit into
koverstreet:testingfrom
Komzpa:komzpa/security-xattr-init

Conversation

@Komzpa

@Komzpa Komzpa commented Jun 28, 2026

Copy link
Copy Markdown

Summary

  • Run security_inode_init_security() from the bcachefs inode creation path so LSMs can provide initial security.* xattrs.
  • Reuse the existing bcachefs xattr insert path for KEY_TYPE_XATTR_INDEX_SECURITY.
  • Carry Reagan Bohan's security-callback patch from stale/conflicting Initial support for security callbacks. bcachefs#664 to the current bcachefs-tools source tree, preserving the original commit author on this branch.

Issue

koverstreet/bcachefs#642 reports that chcon fails on bcachefs with:

Operation not supported

The missing piece is that new bcachefs inodes do not run the security initialization callback that asks the active LSM for initial labels.

This still needs matching distro SELinux policy support for bcachefs as a labeled filesystem, as noted on koverstreet/bcachefs#664.

Provenance

The implementation comes from Reagan Bohan's koverstreet/bcachefs#664 payload commit. This branch was rebuilt at head 1cf1a9dcaa7213b86cbe980391deffc631bcc781 so the carried commit is authored by Reagan Bohan, with the current bcachefs-tools adaptation kept in that ported commit rather than presented as a new Komzpa-authored squash.

Tests

Validation

  • git diff --check origin/testing...HEAD
  • BINDGEN=/home/kom/.cargo/bin/bindgen make -j32 fs/fs/xattr.o fs/vfs/fs.o bcachefs
  • GitHub CI: all 17 visible checks passed for attribution-repaired head 1cf1a9dcaa7213b86cbe980391deffc631bcc781; merge state is CLEAN.

@Komzpa Komzpa force-pushed the komzpa/security-xattr-init branch from d034646 to 1cf1a9d Compare June 30, 2026 19:27
@koverstreet koverstreet force-pushed the testing branch 2 times, most recently from def6d9f to 669ada1 Compare July 1, 2026 16:41
@koverstreet

Copy link
Copy Markdown
Owner

Merged to the testing branch — carried as vfs: initialize security xattrs on inode creation (809a76a), Reagan Bohan's authorship preserved, with rework on apply: minimal vfs-inode pre-init (the LSM only reads i_mode/uid/gid — no update_after_write or faked i_ino needed), NULL qstr for tmpfiles (ext4 parity), and the error path folded into the existing ?: chain. Followed by vfs: RAII for posix acls in __bch2_create (acaa983) cleaning up the surrounding error handling. Functionally verified in a Smack-enabled VM: every new inode gets security.SMACK64 at creation with no setxattr, labels persist across remount, fsck clean; manual security.* roundtrip also passes. Thanks Reagan for the original patch and Komzpa for carrying it forward!

@koverstreet koverstreet closed this Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants