Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names

From: Christoph Hellwig
Date: Thu Oct 31 2024 - 02:57:15 EST


On Wed, Oct 30, 2024 at 08:44:26PM +0000, Song Liu wrote:
> Given bpf kfuncs can read user.* xattrs for almost a year now, I think we
> cannot simply revert it. We already have some users using it.
>
> Instead, we can work on a plan to deprecate it. How about we add a
> WARN_ON_ONCE as part of this patchset, and then remove user.* support
> after some time?

As Christian mentioned, having bpf access to user xattrs is probably
not a big issue. OTOH anything that makes security decisions based
on it is probably pretty broken. Not sure how you want to best
handle that.