the system calls getxattr("security.capability") on every FUSE write()! #205

Open
jti-lanl opened this issue Jul 25, 2018 · 1 comment

@jti-lanl
Contributor

We could probably gain some FUSE write performance by short-circuiting this behavior.

See this discussion:
https://sourceforge.net/p/fuse/mailman/fuse-devel/thread/[email protected]/

Assuming we don't want (a) to prevent users from using xattrs, or (b) to do this:

> In other words, another option is to disable "File POSIX
> Capabilities" (under Security options in menuconfig) or
> CONFIG_SECURITY_FILE_CAPABILITIES in your kernel configuration.

... then the next-best option (assuming this xattr might be set on any file we manage) is to go ahead and let the query run, the first time it happens on a given filehandle, and cache the result/errno (per filehandle). All subsequent queries can just return the cached result/errno. [Don't forget to clear the cache in setxattr()]

Or (if we are willing to say we'll never have a file with this xattr) we could at least have getxattr test the key, and always return ENODATA for this case. [Don't forget to have setxattr() refuse to set this key.] Or we could provide a build-option to enable this behavior.
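A sketch of the per-filehandle cache proposed in the comment above, as an added example that is not part of the original comment or the project's code. `struct fh_state`, `backend_getxattr`, `cached_getxattr`, `invalidate_cap_cache` and `CAP_MAX` are hypothetical names, and how a FUSE callback locates the state for a given file is assumed; unlike the comment's "result/errno", only a value or ENODATA is cached here, so transient errors are retried.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#define CAP_KEY "security.capability"
#define CAP_MAX 64              /* assumption: enough for the capability blob */

/* Hypothetical per-filehandle state (not the project's own structure). */
struct fh_state {
    int     cached;             /* 0 until the first definitive answer */
    ssize_t result;             /* value length, or -ENODATA */
    char    value[CAP_MAX];
};

/* Hypothetical slow backend lookup; the counter makes the saving visible. */
static int backend_calls;
static ssize_t backend_getxattr(const char *key, char *buf, size_t size) {
    (void)key; (void)buf; (void)size;
    backend_calls++;
    return -ENODATA;            /* constructed: file has no capabilities */
}

ssize_t cached_getxattr(struct fh_state *fh, const char *key,
                        char *buf, size_t size) {
    if (strcmp(key, CAP_KEY) != 0)
        return backend_getxattr(key, buf, size);   /* other keys pass through */
    if (!fh->cached) {
        ssize_t r = backend_getxattr(key, fh->value, sizeof fh->value);
        if (r < 0 && r != -ENODATA)
            return r;           /* transient error or -ERANGE: do not cache */
        fh->result = r;
        fh->cached = 1;
    }
    if (fh->result < 0 || size == 0)
        return fh->result;      /* cached errno, or a size probe */
    if (size < (size_t)fh->result)
        return -ERANGE;
    memcpy(buf, fh->value, (size_t)fh->result);
    return fh->result;
}

/* Call from setxattr()/removexattr(): a stale answer would misreport capabilities. */
void invalidate_cap_cache(struct fh_state *fh, const char *key) {
    if (strcmp(key, CAP_KEY) == 0) fh->cached = 0;
}

int main(void) {
    struct fh_state fh = {0};
    for (int i = 0; i < 1000; i++) cached_getxattr(&fh, CAP_KEY, NULL, 0);
    return backend_calls == 1 ? 0 : 1;   /* 1000 queries, one backend lookup */
}
```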

@shanegoff
Contributor

We should reinvestigate these solutions for the future.
