if (is_root_inode(child_inode))
GOTO(out_iput, rc = -EINVAL);
+ if (IS_ENCRYPTED(child_inode)) {
+ rc = llcrypt_get_encryption_info(child_inode);
+ if (rc)
+ GOTO(out_iput, rc);
+ if (!llcrypt_has_encryption_key(child_inode)) {
+ CDEBUG(D_SEC, "no enc key for "DFID"\n",
+ PFID(ll_inode2fid(child_inode)));
+ GOTO(out_iput, rc = -ENOKEY);
+ }
+ }
+
op_data = ll_prep_md_op_data(NULL, parent, NULL, name, namelen,
child_inode->i_mode, LUSTRE_OPC_ANY, NULL);
if (IS_ERR(op_data))
RETURN(-EPERM);
}
+ /* Setting LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr is only allowed
+ * when defining an encryption policy on a directory, ie when it
+ * comes from ll_set_context().
+ * When new files/dirs are created in an encrypted dir, the xattr
+ * is set directly in the create request.
+ */
+ if (handler->flags == XATTR_SECURITY_T &&
+ !strcmp(name, "c") &&
+ !ll_file_test_and_clear_flag(ll_i2info(inode), LLIF_SET_ENC_CTX))
+ RETURN(-EPERM);
+
fullname = kasprintf(GFP_KERNEL, "%s%s", xattr_prefix(handler), name);
if (!fullname)
RETURN(-ENOMEM);
if (!mdd_object_exists(obj))
return -ENOENT;
+ /* If we are about to set the LL_XATTR_NAME_ENCRYPTION_CONTEXT
+ * xattr, it means the file/dir is encrypted. In that case we want
+ * to set the LUSTRE_ENCRYPT_FL flag as well: it will be stored
+ * into the LMA, making it more efficient to recognise we are
+ * dealing with an encrypted file/dir, as LMA info is cached upon
+ * object init.
+ * However, marking a dir as encrypted is only possible if it is
+ * being created or migrated (LU_XATTR_CREATE flag not set), or
+ * if it is empty.
+ */
if ((strcmp(name, LL_XATTR_NAME_ENCRYPTION_CONTEXT) == 0) &&
(!S_ISDIR(mdd_object_type(obj)) ||
+ !(fl & LU_XATTR_CREATE) ||
(rc = mdd_dir_is_empty(env, obj)) == 0)) {
struct lu_attr la = { 0 };
local cmd="$@"
local xattr_name="security.c"
- cancel_lru_locks osc ; cancel_lru_locks mdc
+ cancel_lru_locks
$LCTL set_param debug=+info
$LCTL clear
echo $cmd
eval $cmd
+ [ $? -eq 0 ] || error "$cmd failed"
$LCTL dk | grep -E "get xattr '${xattr_name}'|get xattrs"
[ $? -ne 0 ] || error "get xattr event was triggered"
trace_cmd $TRUNCATE $dirname/f1 10240
trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
- trace_cmd $LFS setdirstripe -i 1 $dirname/d2
- trace_cmd $LFS migrate -m 0 $dirname/d2
- $LFS setdirstripe -i 1 -c 1 $dirname/d3
- dirname=$dirname/d3/subdir
- mkdir $dirname
-
- trace_cmd stat $dirname
- trace_cmd touch $dirname/f1
- trace_cmd stat $dirname/f1
- trace_cmd cat $dirname/f1
- dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
- trace_cmd $TRUNCATE $dirname/f1 10240
- trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
- trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
+ if [[ $MDSCOUNT -gt 1 ]]; then
+ trace_cmd $LFS setdirstripe -i 1 $dirname/d2
+ trace_cmd $LFS migrate -m 0 $dirname/d2
+ touch $dirname/d2/subf
+ # migrate a non-empty encrypted dir
+ trace_cmd $LFS migrate -m 1 $dirname/d2
+
+ $LFS setdirstripe -i 1 -c 1 $dirname/d3
+ dirname=$dirname/d3/subdir
+ mkdir $dirname
+
+ trace_cmd stat $dirname
+ trace_cmd touch $dirname/f1
+ trace_cmd stat $dirname/f1
+ trace_cmd cat $dirname/f1
+ dd if=/dev/zero of=$dirname/f1 bs=1M count=10 conv=fsync
+ trace_cmd $TRUNCATE $dirname/f1 10240
+ trace_cmd $LFS setstripe -E -1 -S 4M $dirname/f2
+ trace_cmd $LFS migrate -E -1 -S 256K $dirname/f2
+ else
+ skip_noexit "2nd part needs >= 2 MDTs"
+ fi
}
run_test 49 "Avoid getxattr for encryption context"
}
run_test 56 "FIEMAP on encrypted file"
+test_57() {
+ local testdir=$DIR/$tdir/mytestdir
+ local testfile=$DIR/$tdir/$tfile
+
+ [[ $(facet_fstype ost1) == zfs ]] && skip "skip ZFS backend"
+
+ $LCTL get_param mdc.*.import | grep -q client_encryption ||
+ skip "client encryption not supported"
+
+ mount.lustre --help |& grep -q "test_dummy_encryption:" ||
+ skip "need dummy encryption support"
+
+ mkdir $DIR/$tdir
+ mkdir $testdir
+ setfattr -n security.c -v myval $testdir &&
+ error "setting xattr on $testdir should have failed (1)"
+ touch $testfile
+ setfattr -n security.c -v myval $testfile &&
+ error "setting xattr on $testfile should have failed (1)"
+
+ rm -rf $DIR/$tdir
+
+ stack_trap cleanup_for_enc_tests EXIT
+ setup_for_enc_tests
+
+ mkdir $testdir
+ setfattr -n security.c -v myval $testdir &&
+ error "setting xattr on $testdir should have failed (2)"
+ touch $testfile
+ setfattr -n security.c -v myval $testfile &&
+ error "setting xattr on $testfile should have failed (2)"
+ return 0
+}
+run_test 57 "security.c xattr protection"
+
log "cleanup: ======================================================"
sec_unsetup() {
git://git.whamcloud.com / fs / lustre-release.git / commitdiff