From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>,
	Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.de>
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
Subject: [lustre-devel] [PATCH 22/24] lustre: sec: fix detection of SELinux enforcement
Date: Mon,  5 Sep 2022 21:55:35 -0400
Message-ID: <1662429337-18737-23-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1662429337-18737-1-git-send-email-jsimmons@infradead.org>

From: Sebastien Buisson <sbuisson@ddn.com>

For newer kernels, for which selinux_is_enabled() does not exist
anymore, the only way to find out if SELinux is enforced when
initializing the security context is to fetch the length of the
security attribute name. If it is 0, we conclude SELinux is disabled.

WC-bug-id: https://jira.whamcloud.com/browse/LU-16012
Lustre-commit: 155cbc22ba4f758cf ("LU-16012 sec: fix detection of SELinux enforcement")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/48049
Reviewed-by: Jian Yu <yujian@whamcloud.com>
Reviewed-by: Yingjin Qian <qian@ddn.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/dir.c            |  3 ++-
 fs/lustre/llite/llite_internal.h |  3 ++-
 fs/lustre/llite/namei.c          |  6 ++++--
 fs/lustre/llite/xattr_security.c | 12 +++++++++++-
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/fs/lustre/llite/dir.c b/fs/lustre/llite/dir.c
index bffd34c..9e7812d 100644
--- a/fs/lustre/llite/dir.c
+++ b/fs/lustre/llite/dir.c
@@ -513,7 +513,8 @@ static int ll_dir_setdirstripe(struct dentry *dparent, struct lmv_user_md *lump,
 		 * to determine the security context for the file. So our fake
 		 * dentry should be real enough for this purpose.
 		 */
-		err = ll_dentry_init_security(&dentry, mode, &dentry.d_name,
+		err = ll_dentry_init_security(parent,
+					      &dentry, mode, &dentry.d_name,
 					      &op_data->op_file_secctx_name,
 					      &op_data->op_file_secctx,
 					      &op_data->op_file_secctx_size);
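Review bot: the callee now dereferences its first argument in security_inode_listsecurity(parent, NULL, 0), so `parent` passed here must be a valid, non-NULL `struct inode *`; the hunk header only shows this function taking `struct dentry *dparent`, so please confirm `parent` is the directory inode (dparent's inode) and not something derived from the fake `dentry` the surrounding comment describes.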
diff --git a/fs/lustre/llite/llite_internal.h b/fs/lustre/llite/llite_internal.h
index 227b944..6d85b96 100644
--- a/fs/lustre/llite/llite_internal.h
+++ b/fs/lustre/llite/llite_internal.h
@@ -447,7 +447,8 @@ static inline void obd_connect_set_secctx(struct obd_connect_data *data)
 #endif
 }
 
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+			    int mode, struct qstr *name,
 			    const char **secctx_name, void **secctx,
 			    u32 *secctx_size);
 int ll_inode_init_security(struct dentry *dentry, struct inode *inode,
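Review bot: the new `parent` parameter is undocumented in the header; a one-line comment above the prototype saying it is the parent directory inode, used only to ask the LSM for its security xattr name and required to be non-NULL, would save future callers from having to read xattr_security.c to learn what to pass.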
diff --git a/fs/lustre/llite/namei.c b/fs/lustre/llite/namei.c
index a08b1c1..d382554 100644
--- a/fs/lustre/llite/namei.c
+++ b/fs/lustre/llite/namei.c
@@ -891,7 +891,8 @@ static struct dentry *ll_lookup_it(struct inode *parent, struct dentry *dentry,
 
 	if (it->it_op & IT_CREAT &&
 	    test_bit(LL_SBI_FILE_SECCTX, ll_i2sbi(parent)->ll_flags)) {
-		rc = ll_dentry_init_security(dentry, it->it_create_mode,
+		rc = ll_dentry_init_security(parent,
+					     dentry, it->it_create_mode,
 					     &dentry->d_name,
 					     &op_data->op_file_secctx_name,
 					     &op_data->op_file_secctx,
@@ -1570,7 +1571,8 @@ static int ll_new_node(struct inode *dir, struct dentry *dchild,
 		ll_qos_mkdir_prep(op_data, dir);
 
 	if (test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags)) {
-		err = ll_dentry_init_security(dchild, mode, &dchild->d_name,
+		err = ll_dentry_init_security(dir,
+					      dchild, mode, &dchild->d_name,
 					      &op_data->op_file_secctx_name,
 					      &op_data->op_file_secctx,
 					      &op_data->op_file_secctx_size);
diff --git a/fs/lustre/llite/xattr_security.c b/fs/lustre/llite/xattr_security.c
index f14021d..39229d3 100644
--- a/fs/lustre/llite/xattr_security.c
+++ b/fs/lustre/llite/xattr_security.c
@@ -38,7 +38,8 @@
 /*
  * Check for LL_SBI_FILE_SECCTX before calling.
  */
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+			    int mode, struct qstr *name,
 			    const char **secctx_name, void **secctx,
 			    u32 *secctx_size)
 {
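Review bot: the function comment "Check for LL_SBI_FILE_SECCTX before calling." should be extended to describe `parent` and the new early-return behaviour (returns 0 without touching the output parameters when the LSM reports no security xattr). Also worth aligning terminology: the code comments in the next hunk talk about SELinux being "disabled", which is what the xattr-name-length probe actually distinguishes, whereas the subject says "enforcement"; permissive SELinux still registers the hook, so the probe does not tell enforcing from permissive.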
@@ -58,6 +59,15 @@ int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
 	 * from SELinux.
 	 */
 
+	/* fetch length of security xattr name */
+	rc = security_inode_listsecurity(parent, NULL, 0);
+	/* xattr name length == 0 means SELinux is disabled */
+	if (rc == 0)
+		return 0;
+	/* we support SELinux only */
+	if (rc != strlen(XATTR_NAME_SELINUX) + 1)
+		return -EOPNOTSUPP;
+
 	rc = security_dentry_init_security(dentry, mode, name, secctx,
 					   secctx_size);
 	/* Usually, security_dentry_init_security() returns -EOPNOTSUPP when
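Review bot: a negative return from security_inode_listsecurity() is not handled: `rc == 0` catches the disabled case, but any error would fall through to `rc != strlen(XATTR_NAME_SELINUX) + 1`, where the int/size_t comparison converts the negative value to a large unsigned number and the function returns -EOPNOTSUPP, masking the real error. Suggest `if (rc < 0) return rc;` before the `rc == 0` test. Separately, the early `return 0` leaves `*secctx_name`, `*secctx` and `*secctx_size` untouched, so callers depend on op_data having been zeroed beforehand; stating that in the comment (or explicitly clearing the outputs) would make the contract clear.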
-- 
1.8.3.1
