Whamcloud - gitweb
LU-6455 mdt: disable IMA support 28/14928/3
author: Hongchao Zhang <hongchao.zhang@intel.com>
Thu, 23 Apr 2015 21:04:04 +0000 (05:04 +0800)
committer: Oleg Drokin <oleg.drokin@intel.com>
Tue, 18 Aug 2015 11:08:57 +0000 (11:08 +0000)
In IMA (Integrity Measurement Architecture), there are two xattrs,
"security.ima" and "security.evm", to protect the file from being modified
accidentally or maliciously. The two xattrs are not compatible with
VBR, so disable it to work around the problem for now and enable
it when the conditions are ready.

Change-Id: Ie3e30dcb0d4d605a17d301c6cda14818af40d7b0
Signed-off-by: Hongchao Zhang <hongchao.zhang@intel.com>
Reviewed-on: http://review.whamcloud.com/14928
Tested-by: Jenkins
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Mike Pershin <mike.pershin@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
lustre/llite/xattr.c

index 9cb21b8..8a365b4 100644 (file)
@@ -102,6 +102,12 @@ int xattr_type_filter(struct ll_sb_info *sbi, int xattr_type)
         return 0;
 }
 
+/* xattr related to IMA(Integrity Measurement Architecture) */
+#ifndef XATTR_NAME_IMA
+#define XATTR_NAME_IMA         "security.ima"
+#define XATTR_NAME_EVM         "security.evm"
+#endif
+
 static
 int ll_setxattr_common(struct inode *inode, const char *name,
                       const void *value, size_t size,
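Review bot: The single `#ifndef XATTR_NAME_IMA` guard also controls whether `XATTR_NAME_EVM` is defined, so a build whose headers provide only `XATTR_NAME_IMA` leaves `XATTR_NAME_EVM` undefined, and one that provides only `XATTR_NAME_EVM` gets it defined a second time here. Give each macro its own `#ifndef`/`#endif` pair. The block comment could also state that these two names are the ones rejected in ll_setxattr_common and why, since the reason (incompatibility with VBR) is recorded only in the commit message.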
@@ -116,6 +122,13 @@ int ll_setxattr_common(struct inode *inode, const char *name,
         const char *pv = value;
         ENTRY;
 
+       /*FIXME: enable IMA when the conditions are ready */
+       if (strncmp(name, XATTR_NAME_IMA,
+                   sizeof(XATTR_NAME_IMA)) == 0 ||
+           strncmp(name, XATTR_NAME_EVM,
+                   sizeof(XATTR_NAME_EVM)) == 0)
+               return -EOPNOTSUPP;
+
         xattr_type = get_xattr_type(name);
         rc = xattr_type_filter(sbi, xattr_type);
         if (rc)
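Review bot: The early exit `return -EOPNOTSUPP;` in the added check comes after `ENTRY;`, so the function entry is traced with no matching exit on this path; use `RETURN(-EOPNOTSUPP);` as is conventional in Lustre code after `ENTRY`. Because the length passed to `strncmp` is `sizeof(...)`, which includes the terminating NUL, each comparison is an exact match and a plain `strcmp` would say that more directly. The `FIXME` comment should name the condition it is waiting for (VBR compatibility, per the commit message) and reference LU-6455, so a caller who sees EOPNOTSUPP when setting "security.ima" or "security.evm" can find out why.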