X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Ftests%2Fsanity-selinux.sh;h=90b5b9ce05da8f50e5aa346394ccab41f3d83037;hb=f238540c879dc668e18cf99cba62f117ccae64d6;hp=8ddc402cd4944271a9a1bb33a1f8c213b306f323;hpb=1796539799e2798caa80799e957faa03ef6af1a5;p=fs%2Flustre-release.git diff --git a/lustre/tests/sanity-selinux.sh b/lustre/tests/sanity-selinux.sh index 8ddc402..90b5b9c 100755 --- a/lustre/tests/sanity-selinux.sh +++ b/lustre/tests/sanity-selinux.sh @@ -15,23 +15,20 @@ set -e ONLY=${ONLY:-"$*"} -# bug number for skipped test: -ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_SELINUX_EXCEPT"} -# UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT! - -SRCDIR=$(dirname $0) -SAVE_PWD=$PWD LUSTRE=${LUSTRE:-$(dirname $0)/..} . $LUSTRE/tests/test-framework.sh init_test_env $@ -. ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh} init_logging -require_dsh_mds || exit 0 +ALWAYS_EXCEPT="$SANITY_SELINUX_EXCEPT" [ "$SLOW" = "no" ] && EXCEPT_SLOW="xxx" +build_test_filter + +require_dsh_mds || exit 0 + RUNAS_CMD=${RUNAS_CMD:-runas} # $RUNAS_ID may get set incorrectly somewhere else [ $UID -eq 0 -a $RUNAS_ID -eq 0 ] && @@ -69,8 +66,6 @@ rm -rf $DIR/[df][0-9]* check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS -build_test_filter - umask 077 check_selinux_xattr() { @@ -93,6 +88,13 @@ check_selinux_xattr() { echo $xattrval } +get_sel_ctx() { + local file=$1 + + [ -n "$file" ] || return; + [ -f $file ] || return; + stat $file | awk '$1 == "Context:" {print $2}' +} test_1() { local devname=$(mdsdevname 1) @@ -118,7 +120,7 @@ test_2a() { mds_path=${mds_path#/} - $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed" + mkdir_on_mdt0 ${DIR}/$tdir || error "create dir failed" mkdir $dirname || error "cannot mkdir $dirname" local xattrval=$(check_selinux_xattr "mds1" $mds_path) 
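Review bot: The new `get_sel_ctx` leaves `$file` unquoted in both `[ -f $file ]` and `stat $file`, so a path with whitespace is word-split and a path starting with `-` is taken as a stat option; quote and terminate option parsing: `[ -f "$file" ] || return` and `stat -- "$file" | awk '$1 == "Context:" {print $2}'`. The stray `;` after each `return` is harmless but inconsistent with the rest of the file. Because the function prints nothing (and returns the failed test's non-zero status) for an empty or non-regular path, a short header comment saying so would tell callers such as test_20a (`secinfo1=$(get_sel_ctx $filename1)`) that an empty result means "no file", not an empty context.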
@@ -230,7 +232,7 @@ test_5() { # get sec context ls -lZ $filename - local secctxseen=$(ls -lZ $filename | awk '{print $4}' | cut -d: -f3) + local secctxseen=$(get_sel_ctx $filename | cut -d: -f3) [ "$newsecctx" == "$secctxseen" ] || error "sec context seen from 1st mount point is not correct" @@ -254,7 +256,7 @@ test_10() { # get sec context from 1st mount point ls -lZ $filename1 - local secctxseen=$(ls -lZ $filename1 | awk '{print $4}' | cut -d: -f3) + local secctxseen=$(get_sel_ctx $filename1 | cut -d: -f3) [ "$newsecctx" == "$secctxseen" ] || error_ignore LU-6784 \ @@ -288,12 +290,12 @@ test_20a() { # get sec info on second mount point if [ -e "$filename2" ]; then - secinfo2=$(ls -lZ $filename2 | awk '{print $4}') + secinfo2=$(get_sel_ctx $filename2) fi # get sec info on first mount point wait $touchpid - secinfo1=$(ls -lZ $filename1 | awk '{print $4}') + secinfo1=$(get_sel_ctx $filename1) # compare sec contexts [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] || @@ -422,8 +424,8 @@ trace_cmd() { } test_20d() { - if [ $MDS1_VERSION -lt $(version_code 2.12.50) ] || - [ $CLIENT_VERSION -lt $(version_code 2.12.50) ]; then + if [ "$MDS1_VERSION" -lt $(version_code 2.12.50) ] || + [ "$CLIENT_VERSION" -lt $(version_code 2.12.50) ]; then skip "Need version >= 2.12.50" fi [ $MDSCOUNT -lt 2 ] && skip "needs >= 2 MDTs" 
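Review bot: In the test_20a hunk the unchanged comparison `[ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ]` still passes when both contexts are empty, and with `get_sel_ctx` printing nothing for a missing or non-regular file (or for a `stat` output that has no `Context:` line) an empty `secinfo1` is now a realistic outcome rather than the `ls -lZ` field it replaced. Add a sanity check before the compare, `[ -n "$secinfo1" ] || error "no security context for $filename1"`, so the test cannot succeed vacuously. test_20a's body starts outside the hunk.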
@@ -461,10 +463,41 @@ test_20d() { } run_test 20d "[atomicity] avoid getxattr for security context" +test_20e() { + [ "$CLIENT_VERSION" -lt $(version_code 2.13.54) ] && + skip "Need client version >= 2.13.54" + local filename1=$DIR/$tdir/df20e + local delay=5 + local evict + local unconctx="-u unconfined_u -r unconfined_r -t unconfined_t -l s0" + + mkdir -p $DIR/$tdir + chmod 777 $DIR/$tdir + #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE2 0x1416 + do_facet client "$LCTL set_param fail_val=$delay fail_loc=0x80001416" + + # create file on first mount point + $RUNAS_CMD -u $RUNAS_ID runcon $unconctx touch $filename1 & + local touchpid=$! + sleep 1 + cancel_lru_locks mdc + sysctl -w vm.drop_caches=2 + $RUNAS_CMD -u $RUNAS_ID runcon $unconctx stat $DIR/$tdir & + + wait $touchpid + + evict=$($LCTL get_param mdc.$FSNAME-MDT*.state | + awk -F"[ [,]" '/EVICTED ]$/ { if (mx<$5) {mx=$5;} } END { print mx }') + + [ -z "$evict" ] || [[ $evict -le $before ]] || error "eviction happened" +} +run_test 20e "client deadlock and eviction form MDS" + check_nodemap() { local nm=$1 local key=$2 local val=$3 + local facets="" local i if [ "$nm" == "active" ]; then @@ -472,17 +505,23 @@ check_nodemap() { else proc_param="$nm.$key" fi - is_sync=false - for i in $(seq 1 20); do - out=$(do_facet mds1 $LCTL get_param -n \ + # check all MDS nodes, in reverse order to privilege remote ones first + for i in $(seq $MDSCOUNT); do + facets="mds$i $facets" + done + for facet in $facets; do + is_sync=false + for i in {1..20}; do + out=$(do_facet $facet $LCTL get_param -n \ nodemap.$proc_param 2>/dev/null) - echo "On mds1, ${proc_param} = $out" - [ "$val" == "$out" ] && is_sync=true && break - sleep 1 + echo "On $facet, ${proc_param} = $out" + [ "$val" == "$out" ] && is_sync=true && break + sleep 1 + done + if ! $is_sync; then + error "$proc_param not updated on $facet after 20 secs" + fi done - if ! $is_sync; then - error "$proc_param not updated on mds1 after 20 secs" - fi } create_nodemap() { 
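Review bot: test_20e compares the eviction counter against `$before`, but nothing in the function assigns `before` (the `local before` in test_21b is a different scope), so unless it is set somewhere outside this file, `[[ $evict -le $before ]]` evaluates the empty value as 0 and any non-empty `$evict` reports "eviction happened" regardless of whether the count changed during the test. Capture the baseline with the same `$LCTL get_param mdc.$FSNAME-MDT*.state | awk ...` pipeline into `local before=...` before the `fail_loc` is set, so the comparison measures evictions caused by this test only. The backgrounded `$RUNAS_CMD ... runcon $unconctx stat $DIR/$tdir &` is never waited for, so it may still be running when the test returns; a bare `wait` after `wait $touchpid` keeps the tear-down deterministic. The run_test description also has a typo: `run_test 20e "client deadlock and eviction from MDS"`.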
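Review bot: The new outer loop variable `facet` in check_nodemap is not declared `local` (unlike `i` and the added `facets`), so it leaks into the caller's scope; add `local facet` next to `local facets=""`. The comment `# check all MDS nodes, in reverse order to privilege remote ones first` describes what the prepend in `facets="mds$i $facets"` does but not why remote MDSes should be polled before mds1; a one-line reason would save the next reader from guessing, and I cannot tell it from the hunk. check_nodemap's header is in the previous hunk and its body ends here.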
@@ -504,8 +543,10 @@ create_nodemap() { check_nodemap $nm admin_nodemap 1 check_nodemap $nm trusted_nodemap 1 + sleep 10 + l_getsepol || error "cannot get sepol" sepol=$(l_getsepol | cut -d':' -f2- | xargs) - do_facet mgs $LCTL set_param nodemap.$nm.sepol="$sepol" + [ -n "$sepol" ] || error "sepol is empty" do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol" check_nodemap $nm sepol $sepol @@ -516,17 +557,22 @@ remove_nodemap() { do_facet mgs $LCTL nodemap_del $nm + wait_update_facet --verbose mds1 \ + "$LCTL get_param nodemap.$nm.id 2>/dev/null | \ + grep -c $nm || true" 0 30 || + error "nodemap $nm could not be removed" + do_facet mgs $LCTL nodemap_activate 0 check_nodemap active x 0 } test_21a() { - local sepol - - [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] && + [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] && skip "Need MDS >= 2.11.56" + local sepol + # umount client if [ "$MOUNT_2" ] && $(grep -q $MOUNT2' ' /proc/mounts); then umount_client $MOUNT2 || error "umount $MOUNT2 failed" @@ -536,7 +582,24 @@ test_21a() { fi # create nodemap entry with sepol - create_nodemap nm1 + create_nodemap c0 + + if $GSS_SK; then + # update mount option with skpath + MOUNT_OPTS=$(add_sk_mntflag $MOUNT_OPTS) + export SK_UNIQUE_NM=true + + # load specific key on servers + do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \ + -l $SK_PATH/nodemap/c0.key" + + # set perms for per-nodemap keys else permission denied + do_nodes $(comma_list $(all_server_nodes)) \ + "keyctl show | grep lustre | cut -c1-11 | + sed -e 's/ //g;' | + xargs -IX keyctl setperm X 0x3f3f3f3f" + + fi # mount client without sending sepol mount_client $MOUNT $MOUNT_OPTS && 
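Review bot: The new `sleep 10` in create_nodemap comes right after `check_nodemap $nm trusted_nodemap 1` has already confirmed propagation, and it carries no comment saying what it waits for; a fixed delay like this is what makes a suite slow or flaky, so either document the condition it covers (`# wait for ... before setting sepol`) or, better, wait on that condition with `wait_update_facet` as remove_nodemap in this commit now does. `l_getsepol` is also invoked twice (once as a guard, once for the value, with the guard's output going to the log); capturing once keeps the guard under the file's plain `set -e` without pipefail: `sepol=$(l_getsepol) || error "cannot get sepol"` then `sepol=$(cut -d':' -f2- <<<"$sepol" | xargs)`. The same double call appears in the reset-sepol hunk of test_21b.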
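Review bot: The GSS_SK branch in test_21a grants `0x3f3f3f3f`, i.e. every permission bit for possessor, user, group and other, to every key whose `keyctl show` line contains `lustre`, and it identifies those keys with `cut -c1-11 | sed -e 's/ //g;'` on the human-readable tree listing, which depends on the column layout staying fixed. For a test harness the broad mask is tolerable, but the comment `# set perms for per-nodemap keys else permission denied` should name which permission the server-side nodemap key actually lacks so a narrower mask can be used later, and extracting the id as the first all-digit field of the matching line would not depend on column width. The same block is duplicated verbatim in test_21b (next hunks); moving it into one helper, e.g. `setup_sk_nodemap_keys`, keeps the two copies from drifting. test_21a's body continues outside the hunk.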
@@ -552,16 +615,19 @@ test_21a() { # store wrong sepol in nodemap sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000" - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol # mount client with sepol mount_client $MOUNT $MOUNT_OPTS && error "client mount without matching sepol should be refused" # remove nodemap - remove_nodemap nm1 + remove_nodemap c0 + + if $GSS_SK; then + export SK_UNIQUE_NM=false + fi # remount client normally echo 0 > /sys/module/ptlrpc/parameters/send_sepol @@ -570,12 +636,15 @@ test_21a() { run_test 21a "Send sepol at connect" test_21b() { - local sepol - - [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.56) ] && + [ "$MDS1_VERSION" -lt $(version_code 2.11.56) ] && skip "Need MDS >= 2.11.56" - mkdir -p $DIR/$tdir || error "failed to create $DIR/$tdir" + stack_trap "restore_opencache" EXIT + disable_opencache + + local sepol + + mkdir_on_mdt0 $DIR/$tdir || error "failed to create $DIR/$tdir" echo test > $DIR/$tdir/toopen || error "failed to write to $DIR/$tdir/toopen" touch $DIR/$tdir/ftoremove || @@ -603,7 +672,22 @@ test_21b() { echo 3 > /proc/sys/vm/drop_caches # create nodemap entry with sepol - create_nodemap nm1 + create_nodemap c0 + + if $GSS_SK; then + export SK_UNIQUE_NM=true + + # load specific key on servers + do_nodes $(comma_list $(all_server_nodes)) "lgss_sk -t server \ + -l $SK_PATH/nodemap/c0.key" + + # set perms for per-nodemap keys else permission denied + do_nodes $(comma_list $(all_server_nodes)) \ + "keyctl show | grep lustre | cut -c1-11 | + sed -e 's/ //g;' | + xargs -IX keyctl setperm X 0x3f3f3f3f" + + fi # metadata ops without sending sepol touch $DIR/$tdir/f0 && error "touch (1)" 
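Review bot: `export SK_UNIQUE_NM=false` at the end of test_21a runs only on the success path: any `error` between `create_nodemap c0` and here (the two mount-refusal checks) leaves `SK_UNIQUE_NM=true`, the `add_sk_mntflag`-modified `MOUNT_OPTS` and the per-nodemap server keys in place for the tests that follow. test_21b already registers cleanup with `stack_trap "restore_opencache" EXIT`, so do the same where the variable is set: `stack_trap "export SK_UNIQUE_NM=false" EXIT`, and likewise for the `MOUNT_OPTS` change. The same applies to the closing hunk of test_21b. test_21a starts outside the hunk.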
@@ -647,9 +731,8 @@ test_21b() { # store wrong sepol in nodemap sepol="0:policy:0:0000000000000000000000000000000000000000000000000000000000000000" - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol # metadata ops with sepol touch $DIR/$tdir/f4 && error "touch (3)" @@ -671,13 +754,15 @@ test_21b() { ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)" # reset correct sepol + l_getsepol || error "cannot get sepol" sepol=$(l_getsepol | cut -d':' -f2- | xargs) - do_facet mgs $LCTL set_param nodemap.nm1.sepol="$sepol" - do_facet mgs $LCTL set_param -P nodemap.nm1.sepol="$sepol" - check_nodemap nm1 sepol $sepol + [ -n "$sepol" ] || error "sepol is empty" + do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol" + check_nodemap c0 sepol $sepol - # metadata ops with sepol every 10 seconds only - echo 10 > /sys/module/ptlrpc/parameters/send_sepol + # metadata ops with sepol every 1000 seconds only + echo 1000 > /sys/module/ptlrpc/parameters/send_sepol + local before=$(date +%s) touch $DIR/$tdir/f6 || error "touch (4)" lfs setstripe -c1 $DIR/$tdir/f7 || error "lfs setstripe (4)" mkdir $DIR/$tdir/d6 || error "mkdir (4)" @@ -726,7 +811,9 @@ test_21b() { ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl5 || error "hardlink (5)" echo 3 > /proc/sys/vm/drop_caches - sleep 10 + local after=$(date +%s) + # change send_sepol to a smaller, already expired, value + echo $((after-before-1)) > /sys/module/ptlrpc/parameters/send_sepol # metadata ops without matching sepol: should fail now touch $DIR/$tdir/f10 && error "touch (6)" lfs setstripe -c1 $DIR/$tdir/f11 && error "lfs setstripe (6)" 
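Review bot: `echo $((after-before-1)) > /sys/module/ptlrpc/parameters/send_sepol` assumes the metadata ops between `before` and `after` took at least two seconds; if they finish within a second the value written is 0 or -1, and 0 is what this test uses to turn sepol sending off (`echo 0 > ... send_sepol` further down), so the "should fail now" assertions would then exercise a different condition, and a negative value may be rejected by the parameter outright. Guard the computation: after `local after=$(date +%s)` add `(( after - before >= 2 )) || { sleep 2; after=$(date +%s); }` before writing the expired value. Splitting `local after` from the assignment (`local after; after=$(date +%s)`) also stops `local` from masking a failed `date`. test_21b continues outside the hunk.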
@@ -754,8 +841,12 @@ test_21b() { fi # remove nodemap - remove_nodemap nm1 + remove_nodemap c0 echo 0 > /sys/module/ptlrpc/parameters/send_sepol + + if $GSS_SK; then + export SK_UNIQUE_NM=false + fi } run_test 21b "Send sepol for metadata ops"