
Commit 51cfb8c4 authored by Sebastien Buisson's avatar Sebastien Buisson Committed by Greg Kroah-Hartman

staging: lustre: llite: basic support of SELinux in CLIO



Bring the ability to properly initiate security context
on SELinux-enabled client and store it on server side via
extended attribute.

Security context initialization is not atomic, but that would
require a wire protocol change to send security label in the
creation request.

Filter out security.selinux from xattr cache as it is
already cached in system slab.

Signed-off-by: default avatarSebastien Buisson <sebastien.buisson@bull.net>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5560
Reviewed-on: http://review.whamcloud.com/11648


Reviewed-by: default avatarDmitry Eremin <dmitry.eremin@intel.com>
Reviewed-by: default avatarAndreas Dilger <andreas.dilger@intel.com>
Reviewed-by: default avatarOleg Drokin <oleg.drokin@intel.com>
Signed-off-by: default avatarJames Simmons <jsimmons@infradead.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 96049bd1
+3 −3
obj-$(CONFIG_LUSTRE_FS) += lustre.o
lustre-y := dcache.o dir.o file.o llite_lib.o llite_nfs.o \
	    rw.o namei.o symlink.o llite_mmap.o range_lock.o \
	    xattr.o xattr_cache.o rw26.o super25.o statahead.o \
	    glimpse.o lcommon_cl.o lcommon_misc.o \
	    rw.o rw26.o namei.o symlink.o llite_mmap.o range_lock.o \
	    xattr.o xattr_cache.o xattr_security.o \
	    super25.o statahead.o glimpse.o lcommon_cl.o lcommon_misc.o \
	    vvp_dev.o vvp_page.o vvp_lock.o vvp_io.o vvp_object.o vvp_req.o \
	    lproc_llite.o
+11 −0
@@ -410,6 +410,8 @@ static int ll_dir_setdirstripe(struct inode *parent, struct lmv_user_md *lump,
	struct ptlrpc_request *request = NULL;
	struct md_op_data *op_data;
	struct ll_sb_info *sbi = ll_i2sbi(parent);
	struct inode *inode = NULL;
	struct dentry dentry;
	int err;

	if (unlikely(lump->lum_magic != LMV_USER_MAGIC))
@@ -443,8 +445,17 @@ static int ll_dir_setdirstripe(struct inode *parent, struct lmv_user_md *lump,
			from_kgid(&init_user_ns, current_fsgid()),
			cfs_curproc_cap_pack(), 0, &request);
	ll_finish_md_op_data(op_data);

	err = ll_prep_inode(&inode, request, parent->i_sb, NULL);
	if (err)
		goto err_exit;

	memset(&dentry, 0, sizeof(dentry));
	dentry.d_inode = inode;

	err = ll_init_security(&dentry, inode, parent);
	iput(inode);

err_exit:
	ptlrpc_req_finished(request);
	return err;
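Review bot: The result of the md_create() call that ends on L61 is never examined before `err` is overwritten by ll_prep_inode() on L64, so a failed directory create is reported as whatever ll_prep_inode() makes of the error reply rather than as the server's errno (the call's first lines lie outside the hunk, so the assignment to `err` is inferred from the declaration on L56). Adding `if (err) goto err_exit;` directly after `ll_finish_md_op_data(op_data);` on L62 keeps the original error and skips the security setup for an inode that was never created. The `struct dentry` zeroed on the stack at L68-L69 carries only d_inode; if any LSM hook reached through ll_init_security() reads other fields such as d_name or d_parent it will see zeros, which deserves a comment at L68 once that has been verified safe. ll_dir_setdirstripe() begins outside the hunk.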
+4 −0
@@ -261,6 +261,9 @@ int ll_xattr_cache_destroy(struct inode *inode);
int ll_xattr_cache_get(struct inode *inode, const char *name,
		       char *buffer, size_t size, __u64 valid);

int ll_init_security(struct dentry *dentry, struct inode *inode,
		     struct inode *dir);

/*
 * Locking to guarantee consistency of non-atomic updates to long long i_size,
 * consistency between file size and KMS.
@@ -998,6 +1001,7 @@ extern const struct xattr_handler *ll_xattr_handlers[];
ssize_t ll_listxattr(struct dentry *dentry, char *buffer, size_t size);
int ll_xattr_list(struct inode *inode, const char *name, int type,
		  void *buffer, size_t size, __u64 valid);
const struct xattr_handler *get_xattr_type(const char *name);

/**
 * Common IO arguments for various VFS I/O interfaces.
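Review bot: ll_init_security() on L83-L84 joins the llite-internal interface without a comment stating its contract, and the callers added in this commit pass its return straight back as the result of the create. A kernel-doc comment above the prototype should say what `dentry`, `inode` and `dir` are (the new object and its parent, as the call sites suggest), that the return is 0 or a negative errno, and what happens when the LSM supplies no context; its definition is not on this page, so that last point has to be confirmed against xattr_security.c. get_xattr_type() on L93 is likewise newly exported and now returns a handler pointer or NULL, which the prototype alone does not convey.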
+4 −1
@@ -790,7 +790,8 @@ static int ll_create_it(struct inode *dir, struct dentry *dentry,
		return PTR_ERR(inode);

	d_instantiate(dentry, inode);
	return 0;

	return ll_init_security(dentry, inode, dir);
}

void ll_update_times(struct ptlrpc_request *request, struct inode *inode)
@@ -885,6 +886,8 @@ static int ll_new_node(struct inode *dir, struct dentry *dentry,
		goto err_exit;

	d_instantiate(dentry, inode);

	err = ll_init_security(dentry, inode, dir);
err_exit:
	if (request)
		ptlrpc_req_finished(request);
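Review bot: In ll_create_it (L105) and ll_new_node (L114) ll_init_security() runs after d_instantiate(), so a failure to store the label is returned to the caller as a failed create even though the dentry is already instantiated and, presumably, the object already exists on the MDS. The commit message accepts this non-atomicity, but nothing at the call sites records it; a one-line comment such as `/* not atomic with the create: on failure the new inode stays unlabelled */` above each call would stop a later reader from "fixing" the ordering. ll_new_node's body starts outside the hunk.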
+26 −34
@@ -44,48 +44,39 @@

#include "llite_internal.h"

static
int get_xattr_type(const char *name)
const struct xattr_handler *get_xattr_type(const char *name)
{
	if (!strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS))
		return XATTR_ACL_ACCESS_T;
	int i = 0;

	if (!strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT))
		return XATTR_ACL_DEFAULT_T;
	while (ll_xattr_handlers[i]) {
		size_t len = strlen(ll_xattr_handlers[i]->prefix);

	if (!strncmp(name, XATTR_USER_PREFIX,
		     sizeof(XATTR_USER_PREFIX) - 1))
		return XATTR_USER_T;

	if (!strncmp(name, XATTR_TRUSTED_PREFIX,
		     sizeof(XATTR_TRUSTED_PREFIX) - 1))
		return XATTR_TRUSTED_T;

	if (!strncmp(name, XATTR_SECURITY_PREFIX,
		     sizeof(XATTR_SECURITY_PREFIX) - 1))
		return XATTR_SECURITY_T;

	if (!strncmp(name, XATTR_LUSTRE_PREFIX,
		     sizeof(XATTR_LUSTRE_PREFIX) - 1))
		return XATTR_LUSTRE_T;

	return XATTR_OTHER_T;
		if (!strncmp(ll_xattr_handlers[i]->prefix, name, len))
			return ll_xattr_handlers[i];
		i++;
	}
	return NULL;
}

static
int xattr_type_filter(struct ll_sb_info *sbi, int xattr_type)
static int xattr_type_filter(struct ll_sb_info *sbi,
			     const struct xattr_handler *handler)
{
	if ((xattr_type == XATTR_ACL_ACCESS_T ||
	     xattr_type == XATTR_ACL_DEFAULT_T) &&
	/* No handler means XATTR_OTHER_T */
	if (!handler)
		return -EOPNOTSUPP;

	if ((handler->flags == XATTR_ACL_ACCESS_T ||
	     handler->flags == XATTR_ACL_DEFAULT_T) &&
	   !(sbi->ll_flags & LL_SBI_ACL))
		return -EOPNOTSUPP;

	if (xattr_type == XATTR_USER_T && !(sbi->ll_flags & LL_SBI_USER_XATTR))
	if (handler->flags == XATTR_USER_T &&
	    !(sbi->ll_flags & LL_SBI_USER_XATTR))
		return -EOPNOTSUPP;
	if (xattr_type == XATTR_TRUSTED_T && !capable(CFS_CAP_SYS_ADMIN))

	if (handler->flags == XATTR_TRUSTED_T &&
	    !capable(CFS_CAP_SYS_ADMIN))
		return -EPERM;
	if (xattr_type == XATTR_OTHER_T)
		return -EOPNOTSUPP;

	return 0;
}
@@ -111,7 +102,7 @@ ll_xattr_set_common(const struct xattr_handler *handler,
		valid = OBD_MD_FLXATTR;
	}

	rc = xattr_type_filter(sbi, handler->flags);
	rc = xattr_type_filter(sbi, handler);
	if (rc)
		return rc;

@@ -225,7 +216,8 @@ ll_xattr_list(struct inode *inode, const char *name, int type, void *buffer,
	void *xdata;
	int rc;

	if (sbi->ll_xattr_cache_enabled && type != XATTR_ACL_ACCESS_T) {
	if (sbi->ll_xattr_cache_enabled && type != XATTR_ACL_ACCESS_T &&
	    (type != XATTR_SECURITY_T || strcmp(name, "security.selinux"))) {
		rc = ll_xattr_cache_get(inode, name, buffer, size, valid);
		if (rc == -EAGAIN)
			goto getxattr_nocache;
@@ -313,7 +305,7 @@ static int ll_xattr_get_common(const struct xattr_handler *handler,

	ll_stats_ops_tally(ll_i2sbi(inode), LPROC_LL_GETXATTR, 1);

	rc = xattr_type_filter(sbi, handler->flags);
	rc = xattr_type_filter(sbi, handler);
	if (rc)
		return rc;
