On Mon 16-02-26 14:32:07, Christian Brauner wrote:
> Allow user.* extended attributes on sockets by adding S_IFSOCK to the
> xattr_permission() switch statement. Previously user.* xattrs were only
> permitted on regular files and directories. Symlinks and special files
> including sockets were rejected with -EPERM.
>
> Path-based AF_UNIX sockets have their inodes on the underlying
> filesystem (e.g. tmpfs) which already supports user.* xattrs through
> simple_xattrs. So for these the permission check was the only thing
> missing.
>
> For sockets in sockfs - everything created via socket() including
> abstract namespace AF_UNIX sockets - the preceding patch added
> simple_xattr storage with per-inode limits. With the permission check
> lifted here these sockets can now store user.* xattrs as well.
>
> This enables services to associate metadata with their sockets. For
> example, a service using Varlink for IPC can label its socket with
> user.varlink=1 allowing eBPF programs to selectively capture traffic
> and tools to discover IPC entrypoints by enumerating bound sockets via
> netlink. Similarly, protocol negotiation can be performed through xattrs
> such as indicating RFC 5424 structured syslog support on /dev/log.
>
> Signed-off-by: Christian Brauner <brauner@kernel.org>
OK. Feel free to add:
Reviewed-by: Jan Kara <jack@suse.cz>
Honza
> ---
> fs/xattr.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 5e559b1c651f..09ecbaaa1660 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -163,6 +163,8 @@ xattr_permission(struct mnt_idmap *idmap, struct inode *inode,
> if (inode_owner_or_capable(idmap, inode))
> break;
> return -EPERM;
> + case S_IFSOCK:
> + break;
> default:
> return xattr_permission_error(mask);
> }
>
> --
> 2.47.3
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR