4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see http://www.gnu.org/licenses
23 * Copyright (c) 2014 Bull SAS
24 * Author: Sebastien Buisson sebastien.buisson@bull.net
28 * lustre/llite/xattr_security.c
29 * Handler for storing security labels as extended attributes.
32 #include <linux/types.h>
33 #include <linux/security.h>
34 #include <linux/selinux.h>
35 #include <linux/xattr.h>
36 #include "llite_internal.h"
38 #ifndef XATTR_SELINUX_SUFFIX
39 # define XATTR_SELINUX_SUFFIX "selinux"
42 #ifndef XATTR_NAME_SELINUX
43 # define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
47 * Check for LL_SBI_FILE_SECCTX before calling.
/*
 * Ask the LSM for the security context of a dentry that is about to be
 * created, and report the xattr name the context must be stored under.
 *
 * @dentry, @mode and @name are passed straight through to
 * security_dentry_init_security(); @secctx receives the context it
 * returns and @secctx_name the xattr name.  The remaining parameters,
 * the return value and the error path are on lines not shown here.
 *
 * Only SELinux implements the hook (see the comment below), so the
 * context is always reported as XATTR_NAME_SELINUX; the
 * selinux_is_enabled() gate is what keeps a context produced by some
 * other LSM from being stored under the SELinux name.
 */
49 int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
50 const char **secctx_name, void **secctx,
53 #ifdef HAVE_SECURITY_DENTRY_INIT_SECURITY
56 /* security_dentry_init_security() is strange. Like
57 * security_inode_init_security() it may return a context (provided a
58 * Linux security module is enabled) but unlike
59 * security_inode_init_security() it does not return to us the name of
60 * the extended attribute to store the context under (for example
61 * "security.selinux"). So we only call it when we think we know what
62 * the name of the extended attribute will be. This is OK-ish since
63 * SELinux is the only module that implements
64 * security_dentry_init_security(). Note that the NFS client code just
65 * calls it and assumes that if anything is returned then it must come
/* Without SELinux the xattr name would be unknown, so no context is
 * requested at all (the value returned here is on an omitted line). */
68 if (!selinux_is_enabled())
71 rc = security_dentry_init_security(dentry, mode, name, secctx,
/* Presumably reached only when rc == 0 -- the rc check itself is on an
 * omitted line.  The name is fixed because SELinux is the only provider. */
76 *secctx_name = XATTR_NAME_SELINUX;
77 #endif /* HAVE_SECURITY_DENTRY_INIT_SECURITY */
82 #ifdef HAVE_SECURITY_IINITSEC_CALLBACK
84 * A helper function for ll_security_inode_init_security()
85 * that takes care of setting xattrs
87 * Get security context of @inode from @xattr_array,
88 * and put it in 'security.xxx' xattr of the dentry passed as @fs_info
92 * \retval -ENOMEM if no memory could be allocated for xattr name
93 * \retval < 0 failure to set xattr
/*
 * initxattrs callback handed to ll_security_inode_init_security(): walks
 * the NULL-terminated @xattr_array and stores each entry on the dentry
 * that was passed as @fs_info, under "security." + entry name.
 * The remaining parameters, the loop's error exits and the return
 * statement are on lines not shown here.
 */
96 ll_initxattrs(struct inode *inode, const struct xattr *xattr_array,
99 const struct xattr *xattr;
/* fs_info is the dentry the caller registered this callback with */
100 struct dentry *dentry = fs_info;
/* The array is terminated by an entry whose name is NULL */
105 for (xattr = xattr_array; xattr->name != NULL; xattr++) {
/* Buffer size for "security." + name.  The continuation of this
 * expression is not visible here; the sibling ll_inode_init_security()
 * adds + 1 for the terminating NUL -- confirm this one does too, since
 * strlcpy/strlcat below trust name_len as the buffer size. */
106 name_len = strlen(XATTR_SECURITY_PREFIX) + strlen(xattr->name)
108 OBD_ALLOC(full_name, name_len);
/* Allocation failure: the exit taken is on an omitted line, documented
 * above as -ENOMEM */
109 if (full_name == NULL)
/* Both copies are bounded by name_len and always NUL-terminate */
111 strlcpy(full_name, XATTR_SECURITY_PREFIX, name_len);
112 strlcat(full_name, xattr->name, name_len);
/* Last argument is the xattr flags; 0 presumably requests neither
 * create-only nor replace-only semantics */
114 err = ll_setxattr(dentry, full_name, xattr->value,
115 xattr->value_len, 0);
/* OBD_FREE needs the size the buffer was allocated with */
117 OBD_FREE(full_name, name_len);
126 * Initializes security context
128 * Get security context of @inode in @dir,
129 * and put it in 'security.xxx' xattr of @dentry.
131 * \retval 0 success, or SELinux is disabled
132 * \retval -ENOMEM if no memory could be allocated for xattr name
133 * \retval < 0 failure to get security context or set xattr
/*
 * Create the security xattr(s) for a freshly created @inode in directory
 * @dir and store them on @dentry.  This variant leaves the actual xattr
 * writes to ll_initxattrs(), registered as the initxattrs callback with
 * @dentry as its fs_info cookie.  The remaining parameters and the
 * opening of the function are on omitted lines.
 */
136 ll_inode_init_security(struct dentry *dentry, struct inode *inode,
/* Nothing to label without SELinux; the return value is on an omitted
 * line (documented above as 0) */
139 if (!selinux_is_enabled())
/* Whatever the LSM (or the callback, e.g. -ENOMEM) returns is passed
 * back to the caller unchanged */
142 return ll_security_inode_init_security(inode, dir, NULL, NULL, 0,
143 &ll_initxattrs, dentry);
145 #else /* !HAVE_SECURITY_IINITSEC_CALLBACK */
147 * Initializes security context
149 * Get security context of @inode in @dir,
150 * and put it in 'security.xxx' xattr of @dentry.
152 * \retval 0 success, or SELinux is disabled
153 * \retval -ENOMEM if no memory could be allocated for xattr name
154 * \retval < 0 failure to get security context or set xattr
/*
 * Create the security xattr for a freshly created @inode in directory
 * @dir and store it on @dentry.  Without an initxattrs callback the LSM
 * hands back the xattr suffix, value and length directly, and this
 * function builds the full "security.<name>" key itself.
 * The remaining parameters, the declaration of @value, the
 * -EOPNOTSUPP and error exits and the out_free cleanup are on lines not
 * shown here.
 */
157 ll_inode_init_security(struct dentry *dentry, struct inode *inode,
161 size_t len, name_len;
/* name: suffix returned by the LSM; full_name: "security." + name */
163 char *name, *full_name;
/* Nothing to label without SELinux; the return value is on an omitted
 * line (documented above as 0) */
165 if (!selinux_is_enabled())
/* The LSM fills in name, value and len; they are presumably released at
 * out_free, which is not visible here -- confirm */
168 err = ll_security_inode_init_security(inode, dir, &name, &value, &len,
/* -EOPNOTSUPP is handled on the following (omitted) line, separately
 * from real errors -- presumably the "no context to store" case */
171 if (err == -EOPNOTSUPP)
/* + 1 for the terminating NUL; strlcpy/strlcat below are bounded by
 * this size and always terminate */
176 name_len = strlen(XATTR_SECURITY_PREFIX) + strlen(name) + 1;
177 OBD_ALLOC(full_name, name_len);
178 if (full_name == NULL)
/* Sets err and jumps to the common cleanup label */
179 GOTO(out_free, err = -ENOMEM);
180 strlcpy(full_name, XATTR_SECURITY_PREFIX, name_len);
181 strlcat(full_name, name, name_len);
/* Last argument is the xattr flags; 0 presumably requests neither
 * create-only nor replace-only semantics */
183 err = ll_setxattr(dentry, full_name, value, len, 0);
/* OBD_FREE needs the size the buffer was allocated with */
184 OBD_FREE(full_name, name_len);
192 #endif /* HAVE_SECURITY_IINITSEC_CALLBACK */