X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Finclude%2Flustre_sec.h;h=664c234845b04308cb610013e956626c6b2ff72b;hb=2a32eaa35dd7b96bb29f6a17991f48fe07fa833e;hp=d6fbd2fc36eae0716a465732d67a3130166ec97e;hpb=08aa217ce49aba1ded52e0f7adb8a607035123fd;p=fs%2Flustre-release.git
diff --git a/lustre/include/lustre_sec.h b/lustre/include/lustre_sec.h
index d6fbd2f..664c234 100644
--- a/lustre/include/lustre_sec.h
+++ b/lustre/include/lustre_sec.h
@@ -15,11 +15,7 @@
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
+ * http://www.gnu.org/licenses/gpl-2.0.html
  *
  * GPL HEADER END
  */
@@ -27,7 +23,7 @@
  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
- * Copyright (c) 2012, Intel Corporation.
+ * Copyright (c) 2012, 2017, Intel Corporation.
  */
 /*
  * This file is part of Lustre, http://www.lustre.org/
@@ -51,9 +47,11 @@ struct ptlrpc_request;
 struct ptlrpc_reply_state;
 struct ptlrpc_bulk_desc;
 struct brw_page;
+struct lu_env;
 /* Linux specific */
 struct key;
 struct seq_file;
+struct lustre_cfg;
 
 /*
  * forward declaration
@@ -65,6 +63,7 @@ struct ptlrpc_sec;
 struct ptlrpc_svc_ctx;
 struct ptlrpc_cli_ctx;
 struct ptlrpc_ctx_ops;
+struct req_msg_field;
 
 /**
  * \addtogroup flavor flavor
@@ -103,6 +102,7 @@ enum sptlrpc_mech_plain {
 enum sptlrpc_mech_gss {
 	SPTLRPC_MECH_GSS_NULL = 0,
 	SPTLRPC_MECH_GSS_KRB5 = 1,
+	SPTLRPC_MECH_GSS_SK = 2,
 	SPTLRPC_MECH_GSS_MAX,
 };
 
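Review bot: `SPTLRPC_MECH_GSS_SK = 2` in the `@@ -103` hunk is added to `enum sptlrpc_mech_gss` without a comment, and because the mechanism number is packed into the flavour word by `MAKE_BASE_SUBFLVR` (next hunk) it becomes part of the configuration and wire encoding, so it must never be renumbered or reused. A one-line comment would record both points, e.g. `SPTLRPC_MECH_GSS_SK = 2, /* shared-key mechanism; value is encoded into flavours, do not renumber */`. The "shared-key" expansion is my reading of the SK abbreviation and should be confirmed against the mechanism's implementation.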
@@ -170,6 +170,8 @@ enum sptlrpc_bulk_service {
 	((__u32)(mech) |						\
 	 ((__u32)(svc) << (FLVR_SVC_OFFSET - FLVR_MECH_OFFSET)))
 
+#define SPTLRPC_SUBFLVR_GSSNULL						\
+	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_NULL, SPTLRPC_SVC_NULL)
 #define SPTLRPC_SUBFLVR_KRB5N						\
 	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_NULL)
 #define SPTLRPC_SUBFLVR_KRB5A						\
@@ -178,6 +180,14 @@ enum sptlrpc_bulk_service {
 	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_INTG)
 #define SPTLRPC_SUBFLVR_KRB5P						\
 	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_PRIV)
+#define SPTLRPC_SUBFLVR_SKN						\
+	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_NULL)
+#define SPTLRPC_SUBFLVR_SKA						\
+	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_AUTH)
+#define SPTLRPC_SUBFLVR_SKI						\
+	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_INTG)
+#define SPTLRPC_SUBFLVR_SKPI						\
+	MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_PRIV)
 
 /*
  * "end user" flavors
@@ -194,6 +204,12 @@ enum sptlrpc_bulk_service {
 		  SPTLRPC_SVC_NULL,					\
 		  SPTLRPC_BULK_HASH,					\
 		  SPTLRPC_BULK_SVC_INTG)
+#define SPTLRPC_FLVR_GSSNULL						\
+	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
+		  SPTLRPC_MECH_GSS_NULL,				\
+		  SPTLRPC_SVC_NULL,					\
+		  SPTLRPC_BULK_DEFAULT,					\
+		  SPTLRPC_BULK_SVC_NULL)
 #define SPTLRPC_FLVR_KRB5N						\
 	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
 		  SPTLRPC_MECH_GSS_KRB5,				\
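Review bot: `SPTLRPC_FLVR_GSSNULL` in the `@@ -194` hunk pairs `SPTLRPC_SVC_NULL` with `SPTLRPC_BULK_SVC_NULL`, so neither RPC messages nor bulk data receive integrity or privacy protection under this flavour, and nothing in the header says so. Placed between the plain and KRB5 flavours a reader may take it for a hardened option; a comment above the define such as `/* GSS policy with the null mechanism: no message or bulk protection */` would prevent that. The same note applies to `SPTLRPC_SUBFLVR_GSSNULL` in the `@@ -170` hunk.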
@@ -218,6 +234,30 @@ enum sptlrpc_bulk_service {
 		  SPTLRPC_SVC_PRIV,					\
 		  SPTLRPC_BULK_DEFAULT,					\
 		  SPTLRPC_BULK_SVC_PRIV)
+#define SPTLRPC_FLVR_SKN						\
+	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
+		  SPTLRPC_MECH_GSS_SK,					\
+		  SPTLRPC_SVC_NULL,					\
+		  SPTLRPC_BULK_DEFAULT,					\
+		  SPTLRPC_BULK_SVC_NULL)
+#define SPTLRPC_FLVR_SKA						\
+	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
+		  SPTLRPC_MECH_GSS_SK,					\
+		  SPTLRPC_SVC_AUTH,					\
+		  SPTLRPC_BULK_DEFAULT,					\
+		  SPTLRPC_BULK_SVC_NULL)
+#define SPTLRPC_FLVR_SKI						\
+	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
+		  SPTLRPC_MECH_GSS_SK,					\
+		  SPTLRPC_SVC_INTG,					\
+		  SPTLRPC_BULK_DEFAULT,					\
+		  SPTLRPC_BULK_SVC_INTG)
+#define SPTLRPC_FLVR_SKPI						\
+	MAKE_FLVR(SPTLRPC_POLICY_GSS,					\
+		  SPTLRPC_MECH_GSS_SK,					\
+		  SPTLRPC_SVC_PRIV,					\
+		  SPTLRPC_BULK_DEFAULT,					\
+		  SPTLRPC_BULK_SVC_PRIV)
 
 #define SPTLRPC_FLVR_DEFAULT		SPTLRPC_FLVR_NULL
 
@@ -348,8 +388,7 @@ void sptlrpc_conf_log_update_begin(const char *logname);
 void sptlrpc_conf_log_update_end(const char *logname);
 void sptlrpc_conf_client_adapt(struct obd_device *obd);
 int sptlrpc_conf_target_get_rules(struct obd_device *obd,
-				  struct sptlrpc_rule_set *rset,
-				  int initial);
+				  struct sptlrpc_rule_set *rset);
 void sptlrpc_target_choose_flavor(struct sptlrpc_rule_set *rset,
				  enum lustre_sec_part from,
				  lnet_nid_t nid,
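Review bot: `SPTLRPC_FLVR_SKA` in the `@@ -218` hunk combines `SPTLRPC_SVC_AUTH` with `SPTLRPC_BULK_DEFAULT`/`SPTLRPC_BULK_SVC_NULL`, so under the "A" flavour the RPC is authenticated but bulk I/O carries no integrity check, while `SKI` and `SKPI` raise bulk to INTG and PRIV. If that deliberately mirrors `SPTLRPC_FLVR_KRB5A` (defined outside the hunk), a short comment on the SK block saying the bulk policy follows the KRB5 flavours saves the next reader the cross-check; if it is not deliberate, `SPTLRPC_BULK_SVC_INTG` is the safer pairing. The `SKPI` name also breaks the N/A/I/P suffix pattern the KRB5 flavours use, which the same comment could explain.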
@@ -493,12 +532,12 @@ struct ptlrpc_ctx_ops {
 #define PTLRPC_CTX_CACHED_BIT		(8)  /* in ctx cache (hash etc.) */
 #define PTLRPC_CTX_ETERNAL_BIT		(9)  /* always valid */
 
-#define PTLRPC_CTX_NEW			(1 << PTLRPC_CTX_NEW_BIT)
-#define PTLRPC_CTX_UPTODATE		(1 << PTLRPC_CTX_UPTODATE_BIT)
-#define PTLRPC_CTX_DEAD			(1 << PTLRPC_CTX_DEAD_BIT)
-#define PTLRPC_CTX_ERROR		(1 << PTLRPC_CTX_ERROR_BIT)
-#define PTLRPC_CTX_CACHED		(1 << PTLRPC_CTX_CACHED_BIT)
-#define PTLRPC_CTX_ETERNAL		(1 << PTLRPC_CTX_ETERNAL_BIT)
+#define PTLRPC_CTX_NEW			BIT(PTLRPC_CTX_NEW_BIT)
+#define PTLRPC_CTX_UPTODATE		BIT(PTLRPC_CTX_UPTODATE_BIT)
+#define PTLRPC_CTX_DEAD			BIT(PTLRPC_CTX_DEAD_BIT)
+#define PTLRPC_CTX_ERROR		BIT(PTLRPC_CTX_ERROR_BIT)
+#define PTLRPC_CTX_CACHED		BIT(PTLRPC_CTX_CACHED_BIT)
+#define PTLRPC_CTX_ETERNAL		BIT(PTLRPC_CTX_ETERNAL_BIT)
 
 #define PTLRPC_CTX_STATUS_MASK		(PTLRPC_CTX_NEW_BIT	|	\
					 PTLRPC_CTX_UPTODATE	|	\
@@ -506,17 +545,17 @@ struct ptlrpc_ctx_ops {
					 PTLRPC_CTX_ERROR)
 
 struct ptlrpc_cli_ctx {
-	cfs_hlist_node_t	cc_cache;	/* linked into ctx cache */
-	cfs_atomic_t		cc_refcount;
-	struct ptlrpc_sec	*cc_sec;
-	struct ptlrpc_ctx_ops	*cc_ops;
-	cfs_time_t		cc_expire;	/* in seconds */
-	unsigned int		cc_early_expire:1;
-	unsigned long		cc_flags;
-	struct vfs_cred		cc_vcred;
+	struct hlist_node	cc_cache;	/* linked into ctx cache */
+	atomic_t		cc_refcount;
+	struct ptlrpc_sec	*cc_sec;
+	struct ptlrpc_ctx_ops	*cc_ops;
+	time64_t		cc_expire;	/* in seconds */
+	unsigned int		cc_early_expire:1;
+	unsigned long		cc_flags;
+	struct vfs_cred		cc_vcred;
 	spinlock_t		cc_lock;
-	cfs_list_t		cc_req_list;	/* waiting reqs linked here */
-	cfs_list_t		cc_gc_chain;	/* linked to gc chain */
+	struct list_head	cc_req_list;	/* waiting reqs linked here */
+	struct list_head	cc_gc_chain;	/* linked to gc chain */
 };
 
 /**
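Review bot: `PTLRPC_CTX_STATUS_MASK` in the `@@ -493` hunk is built from `PTLRPC_CTX_NEW_BIT` while its other members are the `PTLRPC_CTX_*` masks, so it ORs a bit index into a bit mask; if `PTLRPC_CTX_NEW_BIT` is 0 (its definition is outside the hunk, the visible neighbours are 8 and 9) the NEW state is silently missing from the status mask. The line is untouched context, but it sits directly under the `BIT()` conversion and is the natural place to fix it: `#define PTLRPC_CTX_STATUS_MASK (PTLRPC_CTX_NEW | \`. The remaining lines of the mask continue past the end of the hunk.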
@@ -796,11 +835,11 @@ struct ptlrpc_sec_sops {
 };
 
 struct ptlrpc_sec_policy {
-	cfs_module_t			*sp_owner;
-	char				*sp_name;
-	__u16				sp_policy; /* policy number */
-	struct ptlrpc_sec_cops		*sp_cops;   /* client ops */
-	struct ptlrpc_sec_sops		*sp_sops;   /* server ops */
+	struct module			*sp_owner;
+	char				*sp_name;
+	__u16				sp_policy; /* policy number */
+	struct ptlrpc_sec_cops		*sp_cops;   /* client ops */
+	struct ptlrpc_sec_sops		*sp_sops;   /* server ops */
 };
 
 #define PTLRPC_SEC_FL_REVERSE		0x0001 /* reverse sec */
@@ -817,12 +856,12 @@ struct ptlrpc_sec_policy {
  * \see sptlrpc_import_sec_adapt().
  */
 struct ptlrpc_sec {
-	struct ptlrpc_sec_policy	*ps_policy;
-	cfs_atomic_t			ps_refcount;
-	/** statistic only */
-	cfs_atomic_t			ps_nctx;
-	/** unique identifier */
-	int				ps_id;
+	struct ptlrpc_sec_policy	*ps_policy;
+	atomic_t			ps_refcount;
+	/** statistic only */
+	atomic_t			ps_nctx;
+	/** unique identifier */
+	int				ps_id;
 	struct sptlrpc_flavor		ps_flvr;
 	enum lustre_sec_part		ps_part;
 	/** after set, no more new context will be created */
@@ -830,15 +869,40 @@ struct ptlrpc_sec {
 	/** owning import */
 	struct obd_import		*ps_import;
 	spinlock_t			ps_lock;
-
-	/*
-	 * garbage collection
-	 */
-	cfs_list_t			ps_gc_list;
-	cfs_time_t			ps_gc_interval; /* in seconds */
-	cfs_time_t			ps_gc_next;     /* in seconds */
+	/** mtime of SELinux policy file */
+	ktime_t				ps_sepol_mtime;
+	/** next check time of SELinux policy file */
+	ktime_t				ps_sepol_checknext;
+	/**
+	 * SELinux policy info
+	 * sepol string format is:
+	 * :::
+	 */
+	char				ps_sepol[LUSTRE_NODEMAP_SEPOL_LENGTH +
+						 1];
+
+	/*
+	 * garbage collection
+	 */
+	struct list_head		ps_gc_list;
+	time64_t			ps_gc_interval; /* in seconds */
+	time64_t			ps_gc_next;     /* in seconds */
 };
 
+static inline int flvr_is_rootonly(__u32 flavor)
+{
+	return (SPTLRPC_FLVR_POLICY(flavor) == SPTLRPC_POLICY_GSS &&
+		(SPTLRPC_FLVR_MECH(flavor) == SPTLRPC_MECH_GSS_NULL ||
+		 SPTLRPC_FLVR_MECH(flavor) == SPTLRPC_MECH_GSS_SK));
+}
+
+static inline int flvr_allows_user_desc(__u32 flavor)
+{
+	return (SPTLRPC_FLVR_POLICY(flavor) == SPTLRPC_POLICY_GSS &&
+		(SPTLRPC_FLVR_MECH(flavor) == SPTLRPC_MECH_GSS_NULL ||
+		 SPTLRPC_FLVR_MECH(flavor) == SPTLRPC_MECH_GSS_SK));
+}
+
 static inline int sec_is_reverse(struct ptlrpc_sec *sec)
 {
 	return (sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_REVERSE);
@@ -851,8 +915,8 @@ static inline int sec_is_rootonly(struct ptlrpc_sec *sec)
 
 
 struct ptlrpc_svc_ctx {
-	cfs_atomic_t			sc_refcount;
-	struct ptlrpc_sec_policy	*sc_policy;
+	atomic_t			sc_refcount;
+	struct ptlrpc_sec_policy	*sc_policy;
 };
 
 /*
@@ -901,12 +965,8 @@ struct ptlrpc_bulk_sec_desc {
 	__u8		bsd_data[0];    /* policy-specific token */
 };
 
-
-/*
- * lprocfs
- */
-struct proc_dir_entry;
-extern struct proc_dir_entry *sptlrpc_proc_root;
+extern struct dentry *sptlrpc_debugfs_dir;
+extern struct proc_dir_entry *sptlrpc_lprocfs_dir;
 
 /*
  * round size up to next power of 2, for slab allocation.
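Review bot: `flvr_is_rootonly()` and `flvr_allows_user_desc()` in the `@@ -830` hunk have byte-identical bodies, and nothing records whether that is a property (root-only flavours authenticate as root, so the real caller identity has to travel in the user descriptor) or a coincidence; the next edit to one will silently desynchronise the other. If it is deliberate, express it once, e.g. `static inline int flvr_allows_user_desc(__u32 flavor) { return flvr_is_rootonly(flavor); }` with a comment giving that reason; if it is not, the two conditions need a second look. Separately, the `ps_sepol` format comment reads `:::` here, which looks like the field names were lost (possibly in rendering) — if the header really says that, name the four fields so the string's consumers can be checked against it.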
@@ -943,17 +1003,17 @@ char *sptlrpc_flavor2name_bulk(struct sptlrpc_flavor *sf,
 char *sptlrpc_flavor2name(struct sptlrpc_flavor *sf, char *buf, int bufsize);
 char *sptlrpc_secflags2str(__u32 flags, char *buf, int bufsize);
 
-static inline
-struct ptlrpc_sec_policy *sptlrpc_policy_get(struct ptlrpc_sec_policy *policy)
+static inline struct ptlrpc_sec_policy *
+sptlrpc_policy_get(struct ptlrpc_sec_policy *policy)
 {
-	__cfs_module_get(policy->sp_owner);
-	return policy;
+	__module_get(policy->sp_owner);
+	return policy;
 }
 
-static inline
-void sptlrpc_policy_put(struct ptlrpc_sec_policy *policy)
+static inline void
+sptlrpc_policy_put(struct ptlrpc_sec_policy *policy)
 {
-	cfs_module_put(policy->sp_owner);
+	module_put(policy->sp_owner);
 }
 
 /*
@@ -1032,12 +1092,14 @@ void sptlrpc_cli_free_reqbuf(struct ptlrpc_request *req);
 int  sptlrpc_cli_alloc_repbuf(struct ptlrpc_request *req, int msgsize);
 void sptlrpc_cli_free_repbuf(struct ptlrpc_request *req);
 int  sptlrpc_cli_enlarge_reqbuf(struct ptlrpc_request *req,
-				int segment, int newsize);
+				const struct req_msg_field *field,
+				int newsize);
 int  sptlrpc_cli_unwrap_early_reply(struct ptlrpc_request *req,
				    struct ptlrpc_request **req_ret);
 void sptlrpc_cli_finish_early_reply(struct ptlrpc_request *early_req);
 
 void sptlrpc_request_out_callback(struct ptlrpc_request *req);
+int sptlrpc_get_sepol(struct ptlrpc_request *req);
 
 /*
  * exported higher interface of import & request
@@ -1055,6 +1117,7 @@ void sptlrpc_import_flush_all_ctx(struct obd_import *imp);
 int  sptlrpc_req_get_ctx(struct ptlrpc_request *req);
 void sptlrpc_req_put_ctx(struct ptlrpc_request *req, int sync);
 int  sptlrpc_req_refresh_ctx(struct ptlrpc_request *req, long timeout);
+int sptlrpc_export_update_ctx(struct obd_export *exp);
 int  sptlrpc_req_replace_dead_ctx(struct ptlrpc_request *req);
 void sptlrpc_req_set_flavor(struct ptlrpc_request *req, int opcode);
 
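Review bot: `sptlrpc_policy_get()` in the `@@ -943` hunk pins the policy module with `__module_get()`, which increments unconditionally and is only correct when the caller already knows the module cannot be mid-unload; `try_module_get()` is the variant that reports that case. The commit only renames the cfs wrapper, so the behaviour is pre-existing, but whether policy registration guarantees the precondition is not visible here, and either a comment on the function stating that guarantee or a switch to `try_module_get()` with a NULL return on failure would settle it. The new `sptlrpc_get_sepol()` prototype in the `@@ -1032` hunk and `sptlrpc_export_update_ctx()` in the `@@ -1055` hunk would also benefit from a one-line comment on their return convention, as neither says whether 0 or a negative errno is the failure signal.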
@@ -1067,7 +1130,7 @@ void sptlrpc_gc_add_ctx(struct ptlrpc_cli_ctx *ctx);
 
 /* misc */
 const char * sec2target_str(struct ptlrpc_sec *sec);
-int sptlrpc_lprocfs_cliobd_attach(struct obd_device *dev);
+int sptlrpc_lprocfs_cliobd_attach(struct obd_device *obd);
 
 /*
  * server side
@@ -1104,6 +1167,8 @@ int sptlrpc_enc_pool_add_user(void);
 int sptlrpc_enc_pool_del_user(void);
 int  sptlrpc_enc_pool_get_pages(struct ptlrpc_bulk_desc *desc);
 void sptlrpc_enc_pool_put_pages(struct ptlrpc_bulk_desc *desc);
+int get_free_pages_in_pool(void);
+int pool_is_at_full_capacity(void);
 
 int sptlrpc_cli_wrap_bulk(struct ptlrpc_request *req,
			  struct ptlrpc_bulk_desc *desc);
@@ -1137,17 +1202,6 @@ int sptlrpc_current_user_desc_size(void);
 int sptlrpc_pack_user_desc(struct lustre_msg *msg, int offset);
 int sptlrpc_unpack_user_desc(struct lustre_msg *req, int offset, int swabbed);
 
-
-#define CFS_CAP_CHOWN_MASK (1 << CFS_CAP_CHOWN)
-#define CFS_CAP_SYS_RESOURCE_MASK (1 << CFS_CAP_SYS_RESOURCE)
-
-enum {
-	LUSTRE_SEC_NONE   = 0,
-	LUSTRE_SEC_REMOTE = 1,
-	LUSTRE_SEC_SPECIFY = 2,
-	LUSTRE_SEC_ALL    = 3
-};
-
 /** @} sptlrpc */
 
 #endif /* _LUSTRE_SEC_H_ */
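Review bot: `get_free_pages_in_pool()` and `pool_is_at_full_capacity()` in the `@@ -1104` hunk are the only prototypes in this header without the `sptlrpc_` prefix, so they enter the kernel's global symbol namespace under generic names that say nothing about the encryption page pool and can collide with other modules. Renaming them in line with their neighbours, e.g. `int sptlrpc_enc_pool_get_free_pages(void);` and `int sptlrpc_enc_pool_is_full(void);`, keeps the namespace consistent; if they are only called from within the sptlrpc code they belong as `static` helpers in the .c file rather than in this header.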