From: Steve Dickson <SteveD@redhat.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>,
"J. Bruce Fields" <bfields@redhat.com>,
"David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: Linux NFS list <linux-nfs@vger.kernel.org>,
Linux FS devel list <linux-fsdevel@vger.kernel.org>,
Linux Security List <linux-security-module@vger.kernel.org>,
SELinux List <selinux@tycho.nsa.gov>
Subject: [PATCH 17/19] NFSv4.2: Only set the label attribute on v4.2 mounts
Date: Tue, 2 Apr 2013 17:45:58 -0400 [thread overview]
Message-ID: <1364939160-20874-18-git-send-email-SteveD@redhat.com> (raw)
In-Reply-To: <1364939160-20874-1-git-send-email-SteveD@redhat.com>
From: Steve Dickson <steved@redhat.com>
Make sure the FATTR4_WORD2_SECURITY_LABEL bit is
only set in bitmasks and bitmaps when Labeled NFS
is configured, and only on v4.2 mounts.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
fs/nfs/nfs4proc.c | 52 ++++++++++++++++++++++++++++++++++++--------------
fs/nfs/pnfs.c | 2 +-
include/linux/nfs_fs.h | 10 ++++++++++
3 files changed, 49 insertions(+), 15 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 3e18d39..0bdc865 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -113,6 +113,24 @@ nfs4_label_release_security(struct nfs4_label *label)
if (label)
security_release_secctx(label->label, label->len);
}
+static inline u32 *nfs4_bitmap(struct nfs4_label *label, u32 *bitmap)
+{
+ bitmap[0] = nfs4_fattr_bitmap[0];
+ bitmap[1] = nfs4_fattr_bitmap[1];
+ bitmap[2] = nfs4_fattr_bitmap[2];
+
+ if (!label)
+ bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
+ return bitmap;
+}
+static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
+{
+ if (label)
+ return server->attr_bitmask;
+
+ return server->attr_bitmask_nl;
+}
#else
static inline struct nfs4_label *
nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
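Review bot: Neither `nfs4_bitmap()` nor `nfs4_bitmask()` checks the mount's minor version; both key only on whether `label` is NULL, so the "only on v4.2 mounts" guarantee in the subject presumably rests on labels being allocated only for v4.2 mounts (patch 16/19 of this series). A short comment on each helper would record that invariant, for example `/* label != NULL implies a v4.2 mount with labeled NFS; otherwise the security-label bit must not be requested */`. The same applies to `nfs4_cache_bitmask()` in include/linux/nfs_fs.h. `nfs4_bitmap()` also writes three words into a caller-supplied buffer and returns that buffer, so its comment should state that `bitmap` must hold at least three `u32`s and must stay valid for as long as the returned pointer is used.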
@@ -122,6 +140,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
static inline void
nfs4_label_release_security(struct nfs4_label *label)
{ return; }
+static inline u32 *
+nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
+{ return server->attr_bitmask; }
+static inline const u32 *
+nfs4_bitmap(struct nfs4_label *label, u32 *bitmap)
+{ return &nfs4_fattr_bitmap[0]; }
#endif
/* Prevent leaks of NFSv4 errors into userland */
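Review bot: The stub `nfs4_bitmap()` in the `#else` branch returns `const u32 *` and ignores its `bitmap` argument, while the CONFIG_NFS_V4_SECURITY_LABEL version returns a non-const `u32 *` into the caller's buffer, so the two builds hand callers pointers with different constness and lifetime. Giving both variants the same prototype, `static inline const u32 *nfs4_bitmap(struct nfs4_label *label, u32 *bitmap)`, would make both configurations type-check identically; this assumes the `open_bitmap` field accepts a `const u32 *`, which the stub already implies.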
@@ -824,6 +848,7 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
struct inode *dir = parent->d_inode;
struct nfs_server *server = NFS_SERVER(dir);
struct nfs4_opendata *p;
+ u32 bitmap[3];
p = kzalloc(sizeof(*p), gfp_mask);
if (p == NULL)
@@ -857,8 +882,8 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry,
p->o_arg.id.uniquifier = sp->so_seqid.owner_id;
p->o_arg.name = &dentry->d_name;
p->o_arg.server = server;
- p->o_arg.bitmask = server->attr_bitmask;
- p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0];
+ p->o_arg.open_bitmap = nfs4_bitmap(label, bitmap);
+ p->o_arg.bitmask = nfs4_bitmask(server, label);
p->o_arg.claim = NFS4_OPEN_CLAIM_NULL;
p->o_arg.label = label;
if (attrs != NULL && attrs->ia_valid != 0) {
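Review bot: `p->o_arg.open_bitmap` is set to the value returned by `nfs4_bitmap(label, bitmap)`, which with CONFIG_NFS_V4_SECURITY_LABEL is the `u32 bitmap[3]` local declared in the previous hunk, so the stored pointer refers to this function's stack frame. `p` is allocated with `kzalloc()` and the function returns a `struct nfs4_opendata *`, so the open arguments appear to outlive `nfs4_opendata_alloc()`; any later read of `open_bitmap` would then see stale stack contents and could encode arbitrary attribute bits into the request. The three words should live as long as `p` does, for instance in an array embedded in the opendata itself, or the helper should return one of two static bitmaps (with and without the label bit), the way `nfs4_bitmask()` selects between the two server masks. The function body starts and ends outside this hunk.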
@@ -2126,8 +2151,9 @@ static int _nfs4_do_setattr(struct inode *inode, struct rpc_cred *cred,
unsigned long timestamp = jiffies;
int status;
- if (ilabel == NULL || olabel == NULL)
- arg.bitmask = server->attr_bitmask_nl;
+ arg.bitmask = nfs4_bitmask(server, ilabel);
+ if (ilabel)
+ arg.bitmask = nfs4_bitmask(server, olabel);
nfs_fattr_init(fattr);
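Review bot: The two consecutive assignments to `arg.bitmask` are hard to read: the first result is discarded whenever `ilabel` is non-NULL, and the intent (request the label only when both `ilabel` and `olabel` are present) has to be reconstructed by the reader. A single expression states it directly: `arg.bitmask = nfs4_bitmask(server, ilabel ? olabel : NULL);`. In builds without CONFIG_NFS_V4_SECURITY_LABEL the stub always returns `server->attr_bitmask`, whereas the removed lines selected `attr_bitmask_nl` for NULL labels; whether that difference matters depends on how `attr_bitmask_nl` is initialised, which is not visible here. The body of `_nfs4_do_setattr` continues outside the hunk.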
@@ -2708,8 +2734,7 @@ static int _nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle,
.rpc_resp = &res,
};
- if (!label)
- args.bitmask = server->attr_bitmask_nl;
+ args.bitmask = nfs4_bitmask(server, label);
nfs_fattr_init(fattr);
return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
@@ -2814,8 +2839,7 @@ static int _nfs4_proc_lookup(struct rpc_clnt *clnt, struct inode *dir,
.rpc_resp = &res,
};
- if (label == NULL)
- args.bitmask = server->attr_bitmask_nl;
+ args.bitmask = nfs4_bitmask(server, label);
nfs_fattr_init(fattr);
@@ -2952,6 +2976,8 @@ static int _nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry
goto out;
}
+ args.bitmask = nfs4_cache_bitmask(server, res.label);
+
status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
if (!status) {
nfs_access_set_mask(entry, res.access);
@@ -3263,6 +3289,7 @@ static int _nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *
status = PTR_ERR(res.label);
goto out;
}
+ arg.bitmask = nfs4_bitmask(server, res.label);
status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
if (!status) {
@@ -3320,7 +3347,7 @@ static struct nfs4_createdata *nfs4_alloc_createdata(struct inode *dir,
data->arg.name = name;
data->arg.attrs = sattr;
data->arg.ftype = ftype;
- data->arg.bitmask = server->attr_bitmask;
+ data->arg.bitmask = nfs4_bitmask(server, data->label);
data->res.server = server;
data->res.fh = &data->fh;
data->res.fattr = &data->fattr;
@@ -3758,11 +3785,8 @@ static void nfs4_proc_write_setup(struct nfs_write_data *data, struct rpc_messag
data->args.bitmask = NULL;
data->res.fattr = NULL;
} else
-#ifdef CONFIG_NFS_V4_SECURITY_LABEL
- data->args.bitmask = server->cache_consistency_bitmask_nl;
-#else
- data->args.bitmask = server->cache_consistency_bitmask;
-#endif
+
+ data->args.bitmask = nfs4_cache_bitmask(server, NULL);
if (!data->write_done_cb)
data->write_done_cb = nfs4_write_done_cb;
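Review bot: After this change the `else` is followed by a blank line and then an unbraced statement, so `data->args.bitmask = nfs4_cache_bitmask(server, NULL);` reads as unconditional although it is still the `else` body. Since the `if` branch is braced, brace the `else` as well and drop the blank line: `} else {`, then `data->args.bitmask = nfs4_cache_bitmask(server, NULL);`, then `}`. The opening of the `if` is outside the hunk.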
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 4bdffe0..0ead05b 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1922,7 +1922,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
data->args.inode = inode;
data->cred = get_rpccred(nfsi->layout->plh_lc_cred);
nfs_fattr_init(&data->fattr);
- data->args.bitmask = NFS_SERVER(inode)->cache_consistency_bitmask;
+ data->args.bitmask = nfs4_cache_bitmask(NFS_SERVER(inode), NULL);
data->res.fattr = &data->fattr;
data->args.lastbytewritten = end_pos - 1;
data->res.server = NFS_SERVER(inode);
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 6de5336..1510f4f 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -505,9 +505,19 @@ static inline void nfs4_label_free(struct nfs4_label *label)
}
return;
}
+static inline u32 *nfs4_cache_bitmask(struct nfs_server *server, struct nfs4_label *label)
+{
+ if (label)
+ return server->cache_consistency_bitmask;
+
+ return server->cache_consistency_bitmask_nl;
+}
#else
static inline struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags) { return NULL; }
static inline void nfs4_label_free(void *label) {}
+static inline u32 *
+nfs4_cache_bitmask(struct nfs_server *server, struct nfs4_label *label)
+{ return server->cache_consistency_bitmask; }
#endif
/*
--
1.8.1.4
2013-04-02 21:45 [PATCH 00/19] lnfs: 3.9-rc5 release Steve Dickson
2013-04-02 21:45 ` [PATCH 01/19] Security: Add hook to calculate context based on a negative dentry Steve Dickson
2013-04-02 23:35 ` Myklebust, Trond
[not found] ` <1364945729.3026.7.camel-5lNtUQgoD8Pfa3cDbr2K10B+6BGkLq7r@public.gmane.org>
2013-04-03 19:57 ` David Quigley
2013-04-02 21:45 ` [PATCH 03/19] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data Steve Dickson
2013-04-02 21:45 ` [PATCH 04/19] SELinux: Add new labeling type native labels Steve Dickson
2013-04-02 21:45 ` [PATCH 05/19] NFSv4: Add label recommended attribute and NFSv4 flags Steve Dickson
2013-04-02 21:45 ` [PATCH 06/19] NFSv4: Introduce new label structure Steve Dickson
2013-04-02 21:45 ` [PATCH 07/19] NFSv4: Extend fattr bitmaps to support all 3 words Steve Dickson
2013-04-02 21:45 ` [PATCH 09/19] NFS: Add label lifecycle management Steve Dickson
2013-04-02 21:45 ` [PATCH 10/19] NFS: Client implementation of Labeled-NFS Steve Dickson
2013-04-02 21:45 ` [PATCH 11/19] NFS: Extend NFS xattr handlers to accept the security namespace Steve Dickson
2013-04-02 21:45 ` [PATCH 14/19] Kconfig: Add Kconfig entry for Labeled NFS V4 server Steve Dickson
2013-04-02 21:45 ` [PATCH 15/19] NFSv4.2: Added NFS v4.2 support to the NFS client Steve Dickson
2013-04-02 21:45 ` [PATCH 16/19] NFSv4.2: Only allocate labels on v4.2 mounts Steve Dickson
2013-04-02 21:45 ` Steve Dickson [this message]
2013-04-02 21:45 ` [PATCH 18/19] NFSv4.2: Added v4.2 error codes Steve Dickson
[not found] ` <1364939160-20874-1-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-04-02 21:45 ` [PATCH 02/19] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-04-02 21:45 ` [PATCH 08/19] NFS:Add labels to client function prototypes Steve Dickson
2013-04-02 21:45 ` [PATCH 12/19] Kconfig: Add Kconfig entry for Labeled NFS V4 client Steve Dickson
2013-04-02 21:45 ` [PATCH 13/19] NFSD: Server implementation of MAC Labeling Steve Dickson
[not found] ` <1364939160-20874-14-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-04-10 15:19 ` J. Bruce Fields
[not found] ` <20130410151953.GC24404-spRCxval1Z7TsXDwO4sDpg@public.gmane.org>
2013-04-23 19:40 ` Steve Dickson
2013-04-23 19:44 ` J. Bruce Fields
2013-04-23 19:51 ` Steve Dickson
2013-04-02 21:46 ` [PATCH 19/19] NFSDv4.2: Added NFS v4.2 support to the NFS server Steve Dickson
2013-04-10 15:25 ` J. Bruce Fields
2013-04-10 15:58 ` Steve Dickson
2013-04-10 20:12 ` J. Bruce Fields
2013-04-11 16:58 ` Steve Dickson
2013-04-10 15:09 ` [PATCH 00/19] lnfs: 3.9-rc5 release J. Bruce Fields
[not found] ` <20130410150940.GB24404-spRCxval1Z7TsXDwO4sDpg@public.gmane.org>
2013-04-10 15:48 ` Steve Dickson
2013-04-12 15:03 ` J. Bruce Fields
2013-04-23 15:46 ` Steve Dickson
2013-04-23 16:05 ` J. Bruce Fields
2013-04-23 17:22 ` J. Bruce Fields
[not found] ` <20130423172227.GF20622-spRCxval1Z7TsXDwO4sDpg@public.gmane.org>
2013-04-23 18:04 ` Steve Dickson
[not found] ` <5176CD42.4080405-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-04-23 18:15 ` J. Bruce Fields
2013-04-23 18:40 ` Mimi Zohar
2013-04-23 18:57 ` Steve Dickson