[22/24] lustre: sec: fix detection of SELinux enforcement

Message ID	1662429337-18737-23-git-send-email-jsimmons@infradead.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <lustre-devel-bounces@lists.lustre.org> From: James Simmons <jsimmons@infradead.org> To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.de> Date: Mon, 5 Sep 2022 21:55:35 -0400 Message-Id: <1662429337-18737-23-git-send-email-jsimmons@infradead.org> In-Reply-To: <1662429337-18737-1-git-send-email-jsimmons@infradead.org> References: <1662429337-18737-1-git-send-email-jsimmons@infradead.org> Subject: [lustre-devel] [PATCH 22/24] lustre: sec: fix detection of SELinux enforcement Precedence: list Cc: Lustre Development List <lustre-devel@lists.lustre.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: lustre-devel-bounces@lists.lustre.org Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>
Series	lustre: update to OpenSFS tree Sept 5, 2022 \| expand [00/24] lustre: update to OpenSFS tree Sept 5, 2022 [01/24] lustre: sec: new connect flag for name encryption [02/24] lustre: lmv: always space-balance r-r directories [03/24] lustre: ldlm: rid of obsolete param of ldlm_resource_get() [04/24] lustre: llite: fully disable readahead in kernel I/O path [05/24] lustre: llite: use fatal_signal_pending in range_lock [06/24] lustre: update version to 2.15.51 [07/24] lustre: llite: simplify callback handling for async getattr [08/24] lustre: statahead: add total hit/miss count stats [09/24] lnet: o2iblnd: Salt comp_vector [10/24] lnet: selftest: use preallocate bulk for server [11/24] lnet: change ni_status in lnet_ni to u32* [12/24] lustre: llite: Rework upper/lower DIO/AIO [13/24] lustre: sec: use enc pool for bounce pages [14/24] lustre: llite: Unify range unlock [15/24] lustre: llite: Refactor DIO/AIO free code [16/24] lnet: Use fatal NI if none other available [17/24] lnet: LNet peer aliveness broken [18/24] lnet: Correct net selection for router ping [19/24] lnet: Remove duplicate checks for peer sensitivity [20/24] lustre: obdclass: use consistent stats units [21/24] lnet: Memory leak on adding existing interface [22/24] lustre: sec: fix detection of SELinux enforcement [23/24] lustre: idl: add checks for OBD_CONNECT flags [24/24] lustre: llite: fix stat attributes_mask

Message ID

1662429337-18737-23-git-send-email-jsimmons@infradead.org (mailing list archive)

State

New, archived

Headers

From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>,
 NeilBrown <neilb@suse.de>
Date: Mon,  5 Sep 2022 21:55:35 -0400
Message-Id: <1662429337-18737-23-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1662429337-18737-1-git-send-email-jsimmons@infradead.org>
References: <1662429337-18737-1-git-send-email-jsimmons@infradead.org>
Subject: [lustre-devel] [PATCH 22/24] lustre: sec: fix detection of SELinux
 enforcement
Precedence: list
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: lustre-devel-bounces@lists.lustre.org
Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>

Series

lustre: update to OpenSFS tree Sept 5, 2022 | expand

Commit Message

James Simmons Sept. 6, 2022, 1:55 a.m. UTC

From: Sebastien Buisson <sbuisson@ddn.com>

For newer kernels, for which selinux_is_enabled() does not exist
anymore, the only way to find out if SELinux is enforced when
initializing the security context is to fetch the length of the
security attribute name. If it is 0, we conclude SELinux is disabled.

WC-bug-id: https://jira.whamcloud.com/browse/LU-16012
Lustre-commit: 155cbc22ba4f758cf ("LU-16012 sec: fix detection of SELinux enforcement")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/48049
Reviewed-by: Jian Yu <yujian@whamcloud.com>
Reviewed-by: Yingjin Qian <qian@ddn.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/dir.c            |  3 ++-
 fs/lustre/llite/llite_internal.h |  3 ++-
 fs/lustre/llite/namei.c          |  6 ++++--
 fs/lustre/llite/xattr_security.c | 12 +++++++++++-
 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/fs/lustre/llite/dir.c b/fs/lustre/llite/dir.c
index bffd34c..9e7812d 100644
--- a/fs/lustre/llite/dir.c
+++ b/fs/lustre/llite/dir.c
@@ -513,7 +513,8 @@  static int ll_dir_setdirstripe(struct dentry *dparent, struct lmv_user_md *lump,
 		 * to determine the security context for the file. So our fake
 		 * dentry should be real enough for this purpose.
 		 */
-		err = ll_dentry_init_security(&dentry, mode, &dentry.d_name,
+		err = ll_dentry_init_security(parent,
+					      &dentry, mode, &dentry.d_name,
 					      &op_data->op_file_secctx_name,
 					      &op_data->op_file_secctx,
 					      &op_data->op_file_secctx_size);
diff --git a/fs/lustre/llite/llite_internal.h b/fs/lustre/llite/llite_internal.h
index 227b944..6d85b96 100644
--- a/fs/lustre/llite/llite_internal.h
+++ b/fs/lustre/llite/llite_internal.h
@@ -447,7 +447,8 @@  static inline void obd_connect_set_secctx(struct obd_connect_data *data)
 #endif
 }
 
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+			    int mode, struct qstr *name,
 			    const char **secctx_name, void **secctx,
 			    u32 *secctx_size);
 int ll_inode_init_security(struct dentry *dentry, struct inode *inode,
diff --git a/fs/lustre/llite/namei.c b/fs/lustre/llite/namei.c
index a08b1c1..d382554 100644
--- a/fs/lustre/llite/namei.c
+++ b/fs/lustre/llite/namei.c
@@ -891,7 +891,8 @@  static struct dentry *ll_lookup_it(struct inode *parent, struct dentry *dentry,
 
 	if (it->it_op & IT_CREAT &&
 	    test_bit(LL_SBI_FILE_SECCTX, ll_i2sbi(parent)->ll_flags)) {
-		rc = ll_dentry_init_security(dentry, it->it_create_mode,
+		rc = ll_dentry_init_security(parent,
+					     dentry, it->it_create_mode,
 					     &dentry->d_name,
 					     &op_data->op_file_secctx_name,
 					     &op_data->op_file_secctx,
@@ -1570,7 +1571,8 @@  static int ll_new_node(struct inode *dir, struct dentry *dchild,
 		ll_qos_mkdir_prep(op_data, dir);
 
 	if (test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags)) {
-		err = ll_dentry_init_security(dchild, mode, &dchild->d_name,
+		err = ll_dentry_init_security(dir,
+					      dchild, mode, &dchild->d_name,
 					      &op_data->op_file_secctx_name,
 					      &op_data->op_file_secctx,
 					      &op_data->op_file_secctx_size);
diff --git a/fs/lustre/llite/xattr_security.c b/fs/lustre/llite/xattr_security.c
index f14021d..39229d3 100644
--- a/fs/lustre/llite/xattr_security.c
+++ b/fs/lustre/llite/xattr_security.c
@@ -38,7 +38,8 @@ 
 /*
  * Check for LL_SBI_FILE_SECCTX before calling.
  */
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+			    int mode, struct qstr *name,
 			    const char **secctx_name, void **secctx,
 			    u32 *secctx_size)
 {
@@ -58,6 +59,15 @@  int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
 	 * from SELinux.
 	 */
 
+	/* fetch length of security xattr name */
+	rc = security_inode_listsecurity(parent, NULL, 0);
+	/* xattr name length == 0 means SELinux is disabled */
+	if (rc == 0)
+		return 0;
+	/* we support SELinux only */
+	if (rc != strlen(XATTR_NAME_SELINUX) + 1)
+		return -EOPNOTSUPP;
+
 	rc = security_dentry_init_security(dentry, mode, name, secctx,
 					   secctx_size);
 	/* Usually, security_dentry_init_security() returns -EOPNOTSUPP when

[22/24] lustre: sec: fix detection of SELinux enforcement

Commit Message

Patch