4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see http://www.gnu.org/licenses
23 * Copyright (c) 2014 Bull SAS
25 * Copyright (c) 2015, 2016, Intel Corporation.
26 * Author: Sebastien Buisson sebastien.buisson@bull.net
30 * lustre/llite/xattr_security.c
31 * Handler for storing security labels as extended attributes.
34 #include <linux/types.h>
35 #include <linux/security.h>
36 #ifdef HAVE_LINUX_SELINUX_IS_ENABLED
37 #include <linux/selinux.h>
39 #include <linux/xattr.h>
40 #include "llite_internal.h"
42 #ifndef XATTR_SELINUX_SUFFIX
43 # define XATTR_SELINUX_SUFFIX "selinux"
46 #ifndef XATTR_NAME_SELINUX
47 # define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
50 #ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX
51 #define HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG 1
55 * Check for LL_SBI_FILE_SECCTX before calling.
57 int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
58 const char **secctx_name, __u32 *secctx_name_size,
59 void **secctx, __u32 *secctx_size, int *secctx_slot)
61 struct ll_sb_info *sbi = ll_s2sbi(dentry->d_sb);
62 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
63 const char *secctx_name_lsm = NULL;
65 #ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX
66 struct lsmcontext ctx = {};
71 * Before kernel 5.15-rc1-20-g15bf32398ad4,
72 * security_inode_init_security() does not return to us the name of the
73 * extended attribute to store the context under (for example
74 * "security.selinux"). So we only call it when we think we know what
75 * the name of the extended attribute will be. This is OK-ish since
76 * SELinux is the only module that implements
77 * security_dentry_init_security(). Note that the NFS client code just
78 * calls it and assumes that if anything is returned then it must come
82 *secctx_name_size = ll_secctx_name_get(sbi, secctx_name);
83 /* xattr name length == 0 means no LSM module manage file contexts */
84 if (*secctx_name_size == 0)
87 rc = security_dentry_init_security(dentry, mode, name,
88 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
91 #ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX
96 /* ignore error if the hook is not supported by the LSM module */
97 if (rc == -EOPNOTSUPP)
102 #ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX
103 *secctx = ctx.context;
104 *secctx_size = ctx.len;
105 #ifdef HAVE_LSMCONTEXT_HAS_ID
106 *secctx_slot = ctx.id;
108 *secctx_slot = ctx.slot;
109 #endif /* HAVE_LSMCONTEXT_HAS_ID */
110 #endif /* HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX */
112 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
113 if (strncmp(*secctx_name, secctx_name_lsm, *secctx_name_size) != 0) {
114 CERROR("%s: LSM secctx_name '%s' does not match the one stored by Lustre '%s'\n",
115 sbi->ll_fsname, secctx_name_lsm, *secctx_name);
124 * A helper function for security_inode_init_security()
125 * that takes care of setting xattrs
127 * Get the security context of @inode from @xattr_array,
128 * and store it in the 'security.xxx' xattr of the dentry
129 * passed in @fs_info.
132 * \retval -ENOMEM if no memory could be allocated for xattr name
133 * \retval < 0 failure to set xattr
136 ll_initxattrs(struct inode *inode, const struct xattr *xattr_array,
139 struct dentry *dentry = fs_info;
140 const struct xattr *xattr;
143 for (xattr = xattr_array; xattr->name; xattr++) {
146 full_name = kasprintf(GFP_KERNEL, "%s%s",
147 XATTR_SECURITY_PREFIX, xattr->name);
153 err = ll_vfs_setxattr(dentry, inode, full_name, xattr->value,
154 xattr->value_len, XATTR_CREATE);
163 * Initializes security context
165 * Get the security context of @inode in @dir,
166 * and store it in the 'security.xxx' xattr of @dentry.
168 * \retval 0 success, or SELinux is disabled
169 * \retval -ENOMEM if no memory could be allocated for xattr name
170 * \retval < 0 failure to get security context or set xattr
173 ll_inode_init_security(struct dentry *dentry, struct inode *inode,
178 if (!ll_security_xattr_wanted(dir))
181 rc = security_inode_init_security(inode, dir, NULL,
182 &ll_initxattrs, dentry);
183 if (rc == -EOPNOTSUPP)
190 * Pass a security context to the security layer
192 * Pass the security context @secctx of inode @inode to the security layer.
194 * \retval 0 success, or SELinux is disabled or not supported by the fs
195 * \retval < 0 failure to set the security context
197 int ll_inode_notifysecctx(struct inode *inode,
198 void *secctx, __u32 secctxlen)
200 struct ll_sb_info *sbi = ll_i2sbi(inode);
203 if (!test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags) ||
204 !ll_security_xattr_wanted(inode) ||
205 !secctx || !secctxlen)
208 /* no need to protect selinux_inode_setsecurity() by
209 * inode_lock. Taking it would lead to a client deadlock
212 rc = security_inode_notifysecctx(inode, secctx, secctxlen);
214 CWARN("%s: cannot set security context for "DFID": rc = %d\n",
215 sbi->ll_fsname, PFID(ll_inode2fid(inode)), rc);
221 * Free the security context xattr name used by policy
223 void ll_secctx_name_free(struct ll_sb_info *sbi)
225 OBD_FREE(sbi->ll_secctx_name, sbi->ll_secctx_name_size + 1);
226 sbi->ll_secctx_name = NULL;
227 sbi->ll_secctx_name_size = 0;
231 * Get security context xattr name used by policy and save it.
233 * \retval > 0 length of xattr name
234 * \retval == 0 no LSM module registered supporting security contexts
235 * \retval <= 0 failure to get xattr name or xattr is not supported
237 int ll_secctx_name_store(struct inode *in)
239 struct ll_sb_info *sbi = ll_i2sbi(in);
242 if (!ll_security_xattr_wanted(in))
245 /* get size of xattr name */
246 rc = security_inode_listsecurity(in, NULL, 0);
250 if (sbi->ll_secctx_name)
251 ll_secctx_name_free(sbi);
253 OBD_ALLOC(sbi->ll_secctx_name, rc + 1);
254 if (!sbi->ll_secctx_name)
257 /* save the xattr name */
258 sbi->ll_secctx_name_size = rc;
259 rc = security_inode_listsecurity(in, sbi->ll_secctx_name,
260 sbi->ll_secctx_name_size);
264 if (rc > sbi->ll_secctx_name_size) {
270 sbi->ll_secctx_name[rc] = '\0';
271 if (rc < sizeof(XATTR_SECURITY_PREFIX)) {
275 if (strncmp(sbi->ll_secctx_name, XATTR_SECURITY_PREFIX,
276 sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) {
284 ll_secctx_name_free(sbi);
289 * Retrieve the stored file security context xattr name.
291 * \retval size of the stored security context xattr name.
292 * \retval 0 no xattr name stored.
294 __u32 ll_secctx_name_get(struct ll_sb_info *sbi, const char **secctx_name)
296 if (!sbi->ll_secctx_name || !sbi->ll_secctx_name_size)
299 *secctx_name = sbi->ll_secctx_name;
301 return sbi->ll_secctx_name_size;
305 * Filter out xattr file security context if not managed by LSM
307 * This is done to improve performance for applications that blindly try to
308 * get the file context (like "ls -l" for security.selinux).
309 * See LU-549 for more information.
311 * \retval 0 xattr not filtered
312 * \retval -EOPNOTSUPP no enabled LSM security module supports the xattr
314 int ll_security_secctx_name_filter(struct ll_sb_info *sbi, int xattr_type,
317 const char *cached_suffix = NULL;
319 if (xattr_type != XATTR_SECURITY_T ||
320 !ll_xattr_suffix_is_seclabel(suffix))
323 /* is the xattr label used by lsm ? */
324 if (!ll_secctx_name_get(sbi, &cached_suffix))
327 cached_suffix += sizeof(XATTR_SECURITY_PREFIX) - 1;
328 if (strcmp(suffix, cached_suffix) != 0)