#include <uapi/linux/lnet/nidstr.h>
#include <lustre_net.h>
#include <lustre_acl.h>
-#include <lustre_eacl.h>
#include <obd_class.h>
#include "nodemap_internal.h"
*/
struct lu_nodemap *nodemap_classify_nid(lnet_nid_t nid)
{
- struct lu_nid_range *range;
- struct lu_nodemap *nodemap;
+ struct lu_nid_range *range;
+ struct lu_nodemap *nodemap;
int rc;
ENTRY;
/* don't use 0@lo, use the first non-lo local NID instead */
- if (LNET_NETTYP(LNET_NIDNET(nid)) == LOLND) {
- struct lnet_process_id id;
+ if (nid == LNET_NID_LO_0) {
+ struct lnet_processid id;
int i = 0;
do {
rc = LNetGetId(i++, &id);
if (rc < 0)
RETURN(ERR_PTR(-EINVAL));
- } while (LNET_NETTYP(LNET_NIDNET(id.nid)) == LOLND);
+ } while (nid_is_lo0(&id.nid));
- nid = id.nid;
+ nid = lnet_nid_to_nid4(&id.nid);
CDEBUG(D_INFO, "found nid %s\n", libcfs_nid2str(nid));
}
* mapping function for nodemap idmaps
*
* \param nodemap lu_nodemap structure defining nodemap
- * \param node_type NODEMAP_UID or NODEMAP_GID
+ * \param node_type NODEMAP_UID or NODEMAP_GID or NODEMAP_PROJID
* \param tree_type NODEMAP_CLIENT_TO_FS or
* NODEMAP_FS_TO_CLIENT
* \param id id to map
if (unlikely(nodemap == NULL))
goto out;
- if (nodemap->nmf_map_uid_only && id_type == NODEMAP_GID)
- goto out;
-
- if (nodemap->nmf_map_gid_only && id_type == NODEMAP_UID)
- goto out;
-
if (id == 0) {
if (nodemap->nmf_allow_root_access)
goto out;
- else
- goto squash;
+ goto squash;
}
+ if (id_type == NODEMAP_UID &&
+ !(nodemap->nmf_map_mode & NODEMAP_MAP_UID))
+ goto out;
+
+ if (id_type == NODEMAP_GID &&
+ !(nodemap->nmf_map_mode & NODEMAP_MAP_GID))
+ goto out;
+
+ if (id_type == NODEMAP_PROJID &&
+ !(nodemap->nmf_map_mode & NODEMAP_MAP_PROJID))
+ goto out;
+
if (nodemap->nmf_trust_client_ids)
goto out;
squash:
if (id_type == NODEMAP_UID)
RETURN(nodemap->nm_squash_uid);
- else
+ if (id_type == NODEMAP_GID)
RETURN(nodemap->nm_squash_gid);
+ if (id_type == NODEMAP_PROJID)
+ RETURN(nodemap->nm_squash_projid);
out:
RETURN(id);
}
if (count < 0)
RETURN(-EINVAL);
if (count == 0)
- RETURN(0);
+ /* if not proper ACL, do nothing and return initial size */
+ RETURN(size);
for (end = entry + count; entry != end; entry++) {
__u16 tag = le16_to_cpu(entry->e_tag);
}
rc = range_insert(&config->nmc_range_tree, range);
- if (rc != 0) {
- CERROR("cannot insert nodemap range into '%s': rc = %d\n",
- nodemap->nm_name, rc);
+ if (rc) {
+ CDEBUG_LIMIT(rc == -EEXIST ? D_INFO : D_ERROR,
+ "cannot insert nodemap range into '%s': rc = %d\n",
+ nodemap->nm_name, rc);
up_write(&config->nmc_range_tree_lock);
list_del(&range->rn_list);
range_destroy(range);
- GOTO(out, rc = -ENOMEM);
+ GOTO(out, rc);
}
list_add(&range->rn_list, &nodemap->nm_ranges);
out:
return rc;
}
+
int nodemap_add_range(const char *name, const lnet_nid_t nid[2])
{
struct lu_nodemap *nodemap = NULL;
}
EXPORT_SYMBOL(nodemap_get_fileset);
+static int nodemap_validate_sepol(const char *sepol)
+{
+ char buf[LUSTRE_NODEMAP_SEPOL_LENGTH + 1];
+ char *p = (char *)sepol;
+ char *q = buf;
+ char polname[NAME_MAX + 1] = "";
+ char hash[SELINUX_POLICY_HASH_LEN + 1] = "";
+ unsigned char mode;
+ unsigned short ver;
+
+ BUILD_BUG_ON(sizeof(buf) != sizeof(((struct lu_nodemap *)0)->nm_sepol));
+
+ if (sepol == NULL)
+ return -EINVAL;
+
+ /* we allow sepol = "" which means clear SELinux policy info */
+ if (sepol[0] == '\0')
+ return 0;
+
+ /* make a copy of sepol, by replacing ':' with space
+ * so that we can use sscanf over the string
+ */
+ while (p-sepol < sizeof(buf)) {
+ if (*p == ':')
+ *q = ' ';
+ else
+ *q = *p;
+ if (*p == '\0')
+ break;
+ p++;
+ q++;
+ }
+ if (p-sepol == sizeof(buf))
+ return -ENAMETOOLONG;
+
+ if (sscanf(buf, "%1hhu %s %hu %s", &mode, polname, &ver, hash) != 4)
+ return -EINVAL;
+
+ if (mode != 0 && mode != 1)
+ return -EINVAL;
+
+ return 0;
+}
+
+/**
+ * set SELinux policy on nodemap
+ * \param name nodemap to set SELinux policy info on
+ * \param sepol string containing SELinux policy info
+ * \retval 0 on success
+ *
+ * set SELinux policy info on the named nodemap
+ */
+int nodemap_set_sepol(const char *name, const char *sepol)
+{
+ struct lu_nodemap *nodemap = NULL;
+ int rc;
+
+ rc = nodemap_validate_sepol(sepol);
+ if (rc < 0)
+ GOTO(out, rc);
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ if (IS_ERR(nodemap)) {
+ mutex_unlock(&active_config_lock);
+ GOTO(out, rc = PTR_ERR(nodemap));
+ }
+
+ if (is_default_nodemap(nodemap)) {
+ /* We do not want nodes in the default nodemap to have
+ * SELinux restrictions. Sec admin should create dedicated
+ * nodemap entries for this.
+ */
+ GOTO(out_putref, rc = -EINVAL);
+ }
+
+ /* truncation cannot happen, as string length was checked in
+ * nodemap_validate_sepol()
+ */
+ strlcpy(nodemap->nm_sepol, sepol, sizeof(nodemap->nm_sepol));
+
+out_putref:
+ mutex_unlock(&active_config_lock);
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_sepol);
+
+/**
+ * get SELinux policy info defined on nodemap
+ * \param nodemap nodemap to get SELinux policy info from
+ * \retval SELinux policy info, or NULL if not defined or not activated
+ *
+ * get the SELinux policy info defined on the nodemap
+ */
+const char *nodemap_get_sepol(const struct lu_nodemap *nodemap)
+{
+ if (is_default_nodemap(nodemap))
+ return NULL;
+ else
+ return (char *)nodemap->nm_sepol;
+}
+EXPORT_SYMBOL(nodemap_get_sepol);
+
/**
* Nodemap constructor
*
OBD_ALLOC_PTR(nodemap);
if (nodemap == NULL) {
- CERROR("cannot allocate memory (%zu bytes)"
- "for nodemap '%s'\n", sizeof(*nodemap),
- name);
+ CERROR("cannot allocate memory (%zu bytes) for nodemap '%s'\n",
+ sizeof(*nodemap), name);
GOTO(out, rc = -ENOMEM);
}
nodemap->nm_client_to_fs_uidmap = RB_ROOT;
nodemap->nm_fs_to_client_gidmap = RB_ROOT;
nodemap->nm_client_to_fs_gidmap = RB_ROOT;
+ nodemap->nm_fs_to_client_projidmap = RB_ROOT;
+ nodemap->nm_client_to_fs_projidmap = RB_ROOT;
if (is_default) {
nodemap->nm_id = LUSTRE_NODEMAP_DEFAULT_ID;
nodemap->nmf_trust_client_ids = 0;
nodemap->nmf_allow_root_access = 0;
nodemap->nmf_deny_unknown = 0;
- nodemap->nmf_map_uid_only = 0;
- nodemap->nmf_map_gid_only = 0;
+ nodemap->nmf_map_mode = NODEMAP_MAP_ALL;
nodemap->nmf_enable_audit = 1;
+ nodemap->nmf_forbid_encryption = 0;
+ nodemap->nmf_readonly_mount = 0;
+ nodemap->nmf_rbac = NODEMAP_RBAC_ALL;
nodemap->nm_squash_uid = NODEMAP_NOBODY_UID;
nodemap->nm_squash_gid = NODEMAP_NOBODY_GID;
+ nodemap->nm_squash_projid = NODEMAP_NOBODY_PROJID;
nodemap->nm_fileset[0] = '\0';
+ nodemap->nm_sepol[0] = '\0';
if (!is_default)
CWARN("adding nodemap '%s' to config without"
" default nodemap\n", nodemap->nm_name);
default_nodemap->nmf_trust_client_ids;
nodemap->nmf_allow_root_access =
default_nodemap->nmf_allow_root_access;
- nodemap->nmf_deny_unknown =
- default_nodemap->nmf_deny_unknown;
- nodemap->nmf_map_uid_only =
- default_nodemap->nmf_map_uid_only;
- nodemap->nmf_map_gid_only =
- default_nodemap->nmf_map_gid_only;
- nodemap->nmf_enable_audit =
- default_nodemap->nmf_enable_audit;
+ nodemap->nmf_deny_unknown = default_nodemap->nmf_deny_unknown;
+ nodemap->nmf_map_mode = default_nodemap->nmf_map_mode;
+ nodemap->nmf_enable_audit = default_nodemap->nmf_enable_audit;
+ nodemap->nmf_forbid_encryption =
+ default_nodemap->nmf_forbid_encryption;
+ nodemap->nmf_readonly_mount =
+ default_nodemap->nmf_readonly_mount;
+ nodemap->nmf_rbac = default_nodemap->nmf_rbac;
nodemap->nm_squash_uid = default_nodemap->nm_squash_uid;
nodemap->nm_squash_gid = default_nodemap->nm_squash_gid;
+ nodemap->nm_squash_projid = default_nodemap->nm_squash_projid;
nodemap->nm_fileset[0] = '\0';
+ nodemap->nm_sepol[0] = '\0';
}
RETURN(nodemap);
}
EXPORT_SYMBOL(nodemap_set_trust_client_ids);
-int nodemap_set_mapping_mode(const char *name, enum nodemap_mapping_modes mode)
+int nodemap_set_mapping_mode(const char *name,
+ enum nodemap_mapping_modes map_mode)
{
struct lu_nodemap *nodemap = NULL;
int rc = 0;
if (IS_ERR(nodemap))
GOTO(out, rc = PTR_ERR(nodemap));
- switch (mode) {
- case NODEMAP_MAP_BOTH:
- nodemap->nmf_map_uid_only = 0;
- nodemap->nmf_map_gid_only = 0;
- break;
- case NODEMAP_MAP_UID_ONLY:
- nodemap->nmf_map_uid_only = 1;
- nodemap->nmf_map_gid_only = 0;
- break;
- case NODEMAP_MAP_GID_ONLY:
- nodemap->nmf_map_uid_only = 0;
- nodemap->nmf_map_gid_only = 1;
- break;
- default:
- CWARN("cannot set unknown mapping mode, mode = %d\n", mode);
- }
+ nodemap->nmf_map_mode = map_mode;
rc = nodemap_idx_nodemap_update(nodemap);
nm_member_revoke_locks(nodemap);
}
EXPORT_SYMBOL(nodemap_set_mapping_mode);
+int nodemap_set_rbac(const char *name, enum nodemap_rbac_roles rbac)
+{
+ struct lu_nodemap *nodemap = NULL;
+ enum nodemap_rbac_roles old_rbac;
+ int rc = 0;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap))
+ GOTO(out, rc = PTR_ERR(nodemap));
+
+ if (is_default_nodemap(nodemap))
+ GOTO(put, rc = -EINVAL);
+
+ old_rbac = nodemap->nmf_rbac;
+ /* if value does not change, do nothing */
+ if (rbac == old_rbac)
+ GOTO(put, rc = 0);
+
+ nodemap->nmf_rbac = rbac;
+ if (rbac == NODEMAP_RBAC_ALL)
+ /* if new value is ALL (default), just delete
+ * NODEMAP_CLUSTER_ROLES idx
+ */
+ rc = nodemap_idx_cluster_roles_del(nodemap);
+ else if (old_rbac == NODEMAP_RBAC_ALL)
+ /* if old value is ALL (default), need to insert
+ * NODEMAP_CLUSTER_ROLES idx
+ */
+ rc = nodemap_idx_cluster_roles_add(nodemap);
+ else
+ /* otherwise just update existing NODEMAP_CLUSTER_ROLES idx */
+ rc = nodemap_idx_cluster_roles_update(nodemap);
+
+ nm_member_revoke_locks(nodemap);
+put:
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_rbac);
+
/**
* Update the squash_uid for a nodemap.
*
* \param gid the new gid to squash unknown gids to
* \retval 0 on success
*
- * Update the squash_gid for a nodemap. The squash_uid is the gid
+ * Update the squash_gid for a nodemap. The squash_gid is the gid
* that the all client gids are mapped to if nodemap is active,
* the trust_client_ids flag is not set, and the gid is not in
* the idmap tree.
EXPORT_SYMBOL(nodemap_set_squash_gid);
/**
- * Returns true if this nodemap has root user access. Always returns true if
- * nodemaps are not active.
+ * Update the squash_projid for a nodemap.
+ *
+ * \param name nodemap name
+ * \param gid the new projid to squash unknown projids to
+ * \retval 0 on success
+ *
+ * Update the squash_projid for a nodemap. The squash_projid is the projid
+ * that the all client projids are mapped to if nodemap is active,
+ * the trust_client_ids flag is not set, and the projid is not in
+ * the idmap tree.
+ */
+int nodemap_set_squash_projid(const char *name, projid_t projid)
+{
+ struct lu_nodemap *nodemap = NULL;
+ int rc = 0;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap))
+ GOTO(out, rc = PTR_ERR(nodemap));
+
+ nodemap->nm_squash_projid = projid;
+ rc = nodemap_idx_nodemap_update(nodemap);
+
+ nm_member_revoke_locks(nodemap);
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_squash_projid);
+
+/**
+ * Check if nodemap allows setting quota.
+ *
+ * If nodemap is not active, always allow.
+ * For user and group quota, allow if the nodemap allows root access.
+ * For project quota, allow if project id is not squashed or deny_unknown
+ * is not set.
*
* \param nodemap nodemap to check access for
+ * \param qc_type quota type
+ * \param id client id to map
+ * \retval true is setquota is allowed, false otherwise
*/
-bool nodemap_can_setquota(const struct lu_nodemap *nodemap)
+bool nodemap_can_setquota(struct lu_nodemap *nodemap, __u32 qc_type, __u32 id)
{
- return !nodemap_active || (nodemap && nodemap->nmf_allow_root_access);
+ if (!nodemap_active)
+ return true;
+
+ if (!nodemap || !nodemap->nmf_allow_root_access ||
+ !(nodemap->nmf_rbac & NODEMAP_RBAC_QUOTA_OPS))
+ return false;
+
+ if (qc_type == PRJQUOTA) {
+ id = nodemap_map_id(nodemap, NODEMAP_PROJID,
+ NODEMAP_CLIENT_TO_FS, id);
+
+ if (id == nodemap->nm_squash_projid &&
+ nodemap->nmf_deny_unknown)
+ return false;
+ }
+
+ return true;
}
EXPORT_SYMBOL(nodemap_can_setquota);
}
EXPORT_SYMBOL(nodemap_set_audit_mode);
+/**
+ * Set the nmf_forbid_encryption flag to true or false.
+ * \param name nodemap name
+ * \param forbid_encryption if true, forbid encryption
+ * \retval 0 on success
+ *
+ */
+int nodemap_set_forbid_encryption(const char *name, bool forbid_encryption)
+{
+ struct lu_nodemap *nodemap = NULL;
+ int rc = 0;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap))
+ GOTO(out, rc = PTR_ERR(nodemap));
+
+ nodemap->nmf_forbid_encryption = forbid_encryption;
+ rc = nodemap_idx_nodemap_update(nodemap);
+
+ nm_member_revoke_locks(nodemap);
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_forbid_encryption);
+
+/**
+ * Set the nmf_readonly_mount flag to true or false.
+ * \param name nodemap name
+ * \param readonly_mount if true, forbid rw mount
+ * \retval 0 on success
+ *
+ */
+int nodemap_set_readonly_mount(const char *name, bool readonly_mount)
+{
+ struct lu_nodemap *nodemap = NULL;
+ int rc = 0;
+
+ mutex_lock(&active_config_lock);
+ nodemap = nodemap_lookup(name);
+ mutex_unlock(&active_config_lock);
+ if (IS_ERR(nodemap))
+ GOTO(out, rc = PTR_ERR(nodemap));
+
+ nodemap->nmf_readonly_mount = readonly_mount;
+ rc = nodemap_idx_nodemap_update(nodemap);
+
+ nm_member_revoke_locks(nodemap);
+ nodemap_putref(nodemap);
+out:
+ return rc;
+}
+EXPORT_SYMBOL(nodemap_set_readonly_mount);
/**
* Add a nodemap
init_rwsem(&config->nmc_range_tree_lock);
+ config->nmc_range_tree.nmrt_range_interval_root = INTERVAL_TREE_ROOT;
+
return config;
}
EXPORT_SYMBOL(nodemap_config_alloc);