From 0a773f04b28860c3748f9f1460818b8461c96ad1 Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Tue, 16 Aug 2016 17:17:40 +0900 Subject: [PATCH] LU-8955 ptlrpc: manage SELinux policy info for metadata ops Add SELinux policy info for following metedata operations: - create - open - unlink - rename - getxattr - setxattr - setattr - getattr - symlink - hardlink On server side, get SELinux policy info from nodemap and compare it with the one received from client. Test-Parameters: serverbuildno=62488 serverjob=lustre-reviews testlist=sanity,sanity-selinux clientselinux Test-Parameters: clientbuildno=4033 clientjob=lustre-reviews-patchless testlist=sanity,sanity-selinux clientselinux Signed-off-by: Sebastien Buisson Change-Id: I16493d7c5713180fb065623b735d7348fc3f9140 Reviewed-on: https://review.whamcloud.com/24424 Reviewed-by: Patrick Farrell Reviewed-by: Li Dongyang Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Oleg Drokin --- lustre/include/lustre_req_layout.h | 2 +- lustre/mdc/mdc_internal.h | 1 + lustre/mdc/mdc_lib.c | 31 +++++++++++++++++ lustre/mdc/mdc_locks.c | 23 +++++++++++++ lustre/mdc/mdc_reint.c | 40 ++++++++++++++++++++++ lustre/mdc/mdc_request.c | 31 +++++++++++------ lustre/mdt/mdt_handler.c | 19 +++++++---- lustre/mdt/mdt_lib.c | 32 +++++++++++++++-- lustre/mdt/mdt_xattr.c | 4 +++ lustre/ptlrpc/layout.c | 70 ++++++++++++++++++++++---------------- 10 files changed, 204 insertions(+), 49 deletions(-) diff --git a/lustre/include/lustre_req_layout.h b/lustre/include/lustre_req_layout.h index f11efa1..5dbfab9 100644 --- a/lustre/include/lustre_req_layout.h +++ b/lustre/include/lustre_req_layout.h @@ -59,7 +59,7 @@ enum req_location { }; /* Maximal number of fields (buffers) in a request message. */ -#define REQ_MAX_FIELD_NR 10 +#define REQ_MAX_FIELD_NR 11 struct req_capsule { struct ptlrpc_request *rc_req; diff --git a/lustre/mdc/mdc_internal.h b/lustre/mdc/mdc_internal.h index 553063e..81594bc 100644 --- a/lustre/mdc/mdc_internal.h +++ b/lustre/mdc/mdc_internal.h @@ -56,6 +56,7 @@ void mdc_open_pack(struct ptlrpc_request *req, struct md_op_data *op_data, void mdc_file_secctx_pack(struct ptlrpc_request *req, const char *secctx_name, const void *secctx, size_t secctx_size); +void mdc_file_sepol_pack(struct ptlrpc_request *req); void mdc_unlink_pack(struct ptlrpc_request *req, struct md_op_data *op_data); void mdc_getxattr_pack(struct ptlrpc_request *req, struct md_op_data *op_data); diff --git a/lustre/mdc/mdc_lib.c b/lustre/mdc/mdc_lib.c index 336761d..dcc4250 100644 --- a/lustre/mdc/mdc_lib.c +++ b/lustre/mdc/mdc_lib.c @@ -147,6 +147,22 @@ void mdc_file_secctx_pack(struct ptlrpc_request *req, const char *secctx_name, memcpy(buf, secctx, buf_size); } +void mdc_file_sepol_pack(struct ptlrpc_request *req) +{ + void *buf; + size_t buf_size; + + if (strlen(req->rq_sepol) == 0) + return; + + buf = req_capsule_client_get(&req->rq_pill, &RMF_SELINUX_POL); + buf_size = req_capsule_get_size(&req->rq_pill, &RMF_SELINUX_POL, + RCL_CLIENT); + + LASSERT(buf_size == strlen(req->rq_sepol) + 1); + snprintf(buf, strlen(req->rq_sepol) + 1, "%s", req->rq_sepol); +} + void mdc_readdir_pack(struct ptlrpc_request *req, __u64 pgoff, size_t size, const struct lu_fid *fid) { @@ -200,6 +216,9 @@ void mdc_create_pack(struct ptlrpc_request *req, struct md_op_data *op_data, mdc_file_secctx_pack(req, op_data->op_file_secctx_name, op_data->op_file_secctx, op_data->op_file_secctx_size); + + /* pack SELinux policy info if any */ + mdc_file_sepol_pack(req); } static inline __u64 mds_pack_open_flags(__u64 flags) @@ -276,6 +295,9 @@ void mdc_open_pack(struct ptlrpc_request *req, struct md_op_data *op_data, mdc_file_secctx_pack(req, op_data->op_file_secctx_name, op_data->op_file_secctx, op_data->op_file_secctx_size); + + /* pack SELinux policy info if any */ + mdc_file_sepol_pack(req); } if (lmm) { @@ -422,6 +444,9 @@ void mdc_unlink_pack(struct ptlrpc_request *req, struct md_op_data *op_data) rec->ul_bias = op_data->op_bias; mdc_pack_name(req, &RMF_NAME, op_data->op_name, op_data->op_namelen); + + /* pack SELinux policy info if any */ + mdc_file_sepol_pack(req); } void mdc_link_pack(struct ptlrpc_request *req, struct md_op_data *op_data) @@ -444,6 +469,9 @@ void mdc_link_pack(struct ptlrpc_request *req, struct md_op_data *op_data) rec->lk_bias = op_data->op_bias; mdc_pack_name(req, &RMF_NAME, op_data->op_name, op_data->op_namelen); + + /* pack SELinux policy info if any */ + mdc_file_sepol_pack(req); } static void mdc_close_intent_pack(struct ptlrpc_request *req, @@ -514,6 +542,9 @@ void mdc_rename_pack(struct ptlrpc_request *req, struct md_op_data *op_data, if (new != NULL) mdc_pack_name(req, &RMF_SYMTGT, new, newlen); + + /* pack SELinux policy info if any */ + mdc_file_sepol_pack(req); } void mdc_migrate_pack(struct ptlrpc_request *req, struct md_op_data *op_data, diff --git a/lustre/mdc/mdc_locks.c b/lustre/mdc/mdc_locks.c index 5a5496e..24cea59 100644 --- a/lustre/mdc/mdc_locks.c +++ b/lustre/mdc/mdc_locks.c @@ -319,6 +319,16 @@ mdc_intent_open_pack(struct obd_export *exp, struct lookup_intent *it, req_capsule_set_size(&req->rq_pill, &RMF_FILE_SECCTX, RCL_CLIENT, op_data->op_file_secctx_size); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(ERR_PTR(rc)); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = ldlm_prep_enqueue_req(exp, req, &cancels, count); if (rc < 0) { ptlrpc_request_free(req); @@ -428,6 +438,16 @@ mdc_intent_getxattr_pack(struct obd_export *exp, if (req == NULL) RETURN(ERR_PTR(-ENOMEM)); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(ERR_PTR(rc)); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = ldlm_prep_enqueue_req(exp, req, &cancels, count); if (rc) { ptlrpc_request_free(req); @@ -458,6 +478,9 @@ mdc_intent_getxattr_pack(struct obd_export *exp, mdc_pack_body(req, &op_data->op_fid1, op_data->op_valid, ea_vals_buf_size, -1, 0); + /* get SELinux policy info if any */ + mdc_file_sepol_pack(req); + req_capsule_set_size(&req->rq_pill, &RMF_EADATA, RCL_SERVER, GA_DEFAULT_EA_NAME_LEN * GA_DEFAULT_EA_NUM); diff --git a/lustre/mdc/mdc_reint.c b/lustre/mdc/mdc_reint.c index 8cce8c3..b8331e6 100644 --- a/lustre/mdc/mdc_reint.c +++ b/lustre/mdc/mdc_reint.c @@ -201,6 +201,16 @@ rebuild: req_capsule_set_size(&req->rq_pill, &RMF_FILE_SECCTX, RCL_CLIENT, op_data->op_file_secctx_size); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(rc); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = mdc_prep_elc_req(exp, req, MDS_REINT, &cancels, count); if (rc) { ptlrpc_request_free(req); @@ -289,6 +299,16 @@ int mdc_unlink(struct obd_export *exp, struct md_op_data *op_data, req_capsule_set_size(&req->rq_pill, &RMF_NAME, RCL_CLIENT, op_data->op_namelen + 1); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(rc); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = mdc_prep_elc_req(exp, req, MDS_REINT, &cancels, count); if (rc) { ptlrpc_request_free(req); @@ -337,6 +357,16 @@ int mdc_link(struct obd_export *exp, struct md_op_data *op_data, req_capsule_set_size(&req->rq_pill, &RMF_NAME, RCL_CLIENT, op_data->op_namelen + 1); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(rc); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = mdc_prep_elc_req(exp, req, MDS_REINT, &cancels, count); if (rc) { ptlrpc_request_free(req); @@ -400,6 +430,16 @@ int mdc_rename(struct obd_export *exp, struct md_op_data *op_data, req_capsule_set_size(&req->rq_pill, &RMF_EADATA, RCL_CLIENT, op_data->op_data_size); + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(rc); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); + rc = mdc_prep_elc_req(exp, req, MDS_REINT, &cancels, count); if (rc) { ptlrpc_request_free(req); diff --git a/lustre/mdc/mdc_request.c b/lustre/mdc/mdc_request.c index 9b62958..0805643 100644 --- a/lustre/mdc/mdc_request.c +++ b/lustre/mdc/mdc_request.c @@ -325,16 +325,25 @@ static int mdc_xattr_common(struct obd_export *exp,const struct req_format *fmt, if (req == NULL) RETURN(-ENOMEM); - if (xattr_name) { - xattr_namelen = strlen(xattr_name) + 1; - req_capsule_set_size(&req->rq_pill, &RMF_NAME, RCL_CLIENT, - xattr_namelen); - } - if (input_size) { - LASSERT(input); - req_capsule_set_size(&req->rq_pill, &RMF_EADATA, RCL_CLIENT, - input_size); - } + if (xattr_name) { + xattr_namelen = strlen(xattr_name) + 1; + req_capsule_set_size(&req->rq_pill, &RMF_NAME, RCL_CLIENT, + xattr_namelen); + } + if (input_size) + LASSERT(input); + req_capsule_set_size(&req->rq_pill, &RMF_EADATA, RCL_CLIENT, + input_size); + + /* get SELinux policy info if any */ + rc = sptlrpc_get_sepol(req); + if (rc < 0) { + ptlrpc_request_free(req); + RETURN(rc); + } + req_capsule_set_size(&req->rq_pill, &RMF_SELINUX_POL, RCL_CLIENT, + strlen(req->rq_sepol) ? + strlen(req->rq_sepol) + 1 : 0); /* Flush local XATTR locks to get rid of a possible cancel RPC */ if (opcode == MDS_REINT && fid_is_sane(fid) && @@ -394,6 +403,8 @@ static int mdc_xattr_common(struct obd_export *exp,const struct req_format *fmt, memcpy(tmp, input, input_size); } + mdc_file_sepol_pack(req); + if (req_capsule_has_field(&req->rq_pill, &RMF_EADATA, RCL_SERVER)) req_capsule_set_size(&req->rq_pill, &RMF_EADATA, RCL_SERVER, output_size); diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c index 923e42a..cf92911 100644 --- a/lustre/mdt/mdt_handler.c +++ b/lustre/mdt/mdt_handler.c @@ -3702,7 +3702,10 @@ static int mdt_intent_getxattr(enum ldlm_intent_flags it_opc, if (ldlm_rep == NULL || OBD_FAIL_CHECK(OBD_FAIL_MDS_XATTR_REP)) { mdt_object_unlock(info, info->mti_object, lhc, 1); - RETURN(err_serious(-EFAULT)); + if (is_serious(rc)) + RETURN(rc); + else + RETURN(err_serious(-EFAULT)); } ldlm_rep->lock_policy_res2 = clear_serious(rc); @@ -3965,11 +3968,15 @@ static int mdt_intent_open(enum ldlm_intent_flags it_opc, rc = mdt_reint_internal(info, lhc, opc); - /* Check whether the reply has been packed successfully. */ - if (mdt_info_req(info)->rq_repmsg != NULL) - rep = req_capsule_server_get(info->mti_pill, &RMF_DLM_REP); - if (rep == NULL) - RETURN(err_serious(-EFAULT)); + /* Check whether the reply has been packed successfully. */ + if (mdt_info_req(info)->rq_repmsg != NULL) + rep = req_capsule_server_get(info->mti_pill, &RMF_DLM_REP); + if (rep == NULL) { + if (is_serious(rc)) + RETURN(rc); + else + RETURN(err_serious(-EFAULT)); + } /* MDC expects this in any case */ if (rc != 0) diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c index 7d2a7c0..90123c4 100644 --- a/lustre/mdt/mdt_lib.c +++ b/lustre/mdt/mdt_lib.c @@ -1228,8 +1228,8 @@ static int mdt_create_unpack(struct mdt_thread_info *info) struct mdt_rec_create *rec; struct lu_attr *attr = &info->mti_attr.ma_attr; struct mdt_reint_record *rr = &info->mti_rr; - struct req_capsule *pill = info->mti_pill; - struct md_op_spec *sp = &info->mti_spec; + struct req_capsule *pill = info->mti_pill; + struct md_op_spec *sp = &info->mti_spec; int rc; ENTRY; @@ -1294,6 +1294,10 @@ static int mdt_create_unpack(struct mdt_thread_info *info) if (rc < 0) RETURN(rc); + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); + rc = mdt_dlmreq_unpack(info); RETURN(rc); } @@ -1333,6 +1337,10 @@ static int mdt_link_unpack(struct mdt_thread_info *info) if (rc < 0) RETURN(rc); + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); + rc = mdt_dlmreq_unpack(info); RETURN(rc); @@ -1344,7 +1352,7 @@ static int mdt_unlink_unpack(struct mdt_thread_info *info) struct mdt_rec_unlink *rec; struct lu_attr *attr = &info->mti_attr.ma_attr; struct mdt_reint_record *rr = &info->mti_rr; - struct req_capsule *pill = info->mti_pill; + struct req_capsule *pill = info->mti_pill; int rc; ENTRY; @@ -1376,6 +1384,10 @@ static int mdt_unlink_unpack(struct mdt_thread_info *info) info->mti_spec.no_create = !!req_is_replay(mdt_info_req(info)); + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); + rc = mdt_dlmreq_unpack(info); RETURN(rc); } @@ -1430,6 +1442,10 @@ static int mdt_rename_unpack(struct mdt_thread_info *info) spec->no_create = !!req_is_replay(mdt_info_req(info)); + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); + rc = mdt_dlmreq_unpack(info); RETURN(rc); @@ -1597,6 +1613,12 @@ static int mdt_open_unpack(struct mdt_thread_info *info) rc = mdt_file_secctx_unpack(pill, &sp->sp_cr_file_secctx_name, &sp->sp_cr_file_secctx, &sp->sp_cr_file_secctx_size); + if (rc < 0) + RETURN(rc); + + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); RETURN(rc); } @@ -1653,6 +1675,10 @@ static int mdt_setxattr_unpack(struct mdt_thread_info *info) RETURN(-EFAULT); } + rc = req_check_sepol(pill); + if (rc) + RETURN(rc); + if (mdt_dlmreq_unpack(info) < 0) RETURN(-EPROTO); diff --git a/lustre/mdt/mdt_xattr.c b/lustre/mdt/mdt_xattr.c index e5f70e3..06baab6 100644 --- a/lustre/mdt/mdt_xattr.c +++ b/lustre/mdt/mdt_xattr.c @@ -241,6 +241,10 @@ int mdt_getxattr(struct mdt_thread_info *info) CDEBUG(D_INODE, "getxattr "DFID"\n", PFID(&info->mti_body->mbo_fid1)); + rc = req_check_sepol(info->mti_pill); + if (rc) + RETURN(err_serious(rc)); + reqbody = req_capsule_client_get(info->mti_pill, &RMF_MDT_BODY); if (reqbody == NULL) RETURN(err_serious(-EFAULT)); diff --git a/lustre/ptlrpc/layout.c b/lustre/ptlrpc/layout.c index 8eddf55..b578ee8 100644 --- a/lustre/ptlrpc/layout.c +++ b/lustre/ptlrpc/layout.c @@ -212,7 +212,8 @@ static const struct req_msg_field *mds_reint_create_acl_client[] = { &RMF_EADATA, &RMF_DLM_REQ, &RMF_FILE_SECCTX_NAME, - &RMF_FILE_SECCTX + &RMF_FILE_SECCTX, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_create_sym_client[] = { @@ -223,7 +224,8 @@ static const struct req_msg_field *mds_reint_create_sym_client[] = { &RMF_SYMTGT, &RMF_DLM_REQ, &RMF_FILE_SECCTX_NAME, - &RMF_FILE_SECCTX + &RMF_FILE_SECCTX, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_open_client[] = { @@ -234,7 +236,8 @@ static const struct req_msg_field *mds_reint_open_client[] = { &RMF_NAME, &RMF_EADATA, &RMF_FILE_SECCTX_NAME, - &RMF_FILE_SECCTX + &RMF_FILE_SECCTX, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_open_server[] = { @@ -247,30 +250,33 @@ static const struct req_msg_field *mds_reint_open_server[] = { }; static const struct req_msg_field *mds_reint_unlink_client[] = { - &RMF_PTLRPC_BODY, - &RMF_REC_REINT, - &RMF_CAPA1, - &RMF_NAME, - &RMF_DLM_REQ + &RMF_PTLRPC_BODY, + &RMF_REC_REINT, + &RMF_CAPA1, + &RMF_NAME, + &RMF_DLM_REQ, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_link_client[] = { - &RMF_PTLRPC_BODY, - &RMF_REC_REINT, - &RMF_CAPA1, - &RMF_CAPA2, - &RMF_NAME, - &RMF_DLM_REQ + &RMF_PTLRPC_BODY, + &RMF_REC_REINT, + &RMF_CAPA1, + &RMF_CAPA2, + &RMF_NAME, + &RMF_DLM_REQ, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_rename_client[] = { - &RMF_PTLRPC_BODY, - &RMF_REC_REINT, - &RMF_CAPA1, - &RMF_CAPA2, - &RMF_NAME, - &RMF_SYMTGT, - &RMF_DLM_REQ + &RMF_PTLRPC_BODY, + &RMF_REC_REINT, + &RMF_CAPA1, + &RMF_CAPA2, + &RMF_NAME, + &RMF_SYMTGT, + &RMF_DLM_REQ, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_migrate_client[] = { @@ -281,6 +287,7 @@ static const struct req_msg_field *mds_reint_migrate_client[] = { &RMF_NAME, &RMF_SYMTGT, &RMF_DLM_REQ, + &RMF_SELINUX_POL, &RMF_MDT_EPOCH, &RMF_CLOSE_DATA, &RMF_EADATA @@ -311,7 +318,8 @@ static const struct req_msg_field *mds_reint_setxattr_client[] = { &RMF_CAPA1, &RMF_NAME, &RMF_EADATA, - &RMF_DLM_REQ + &RMF_DLM_REQ, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_reint_resync[] = { @@ -469,7 +477,8 @@ static const struct req_msg_field *ldlm_intent_create_client[] = { &RMF_NAME, &RMF_EADATA, &RMF_FILE_SECCTX_NAME, - &RMF_FILE_SECCTX + &RMF_FILE_SECCTX, + &RMF_SELINUX_POL }; static const struct req_msg_field *ldlm_intent_open_client[] = { @@ -482,7 +491,8 @@ static const struct req_msg_field *ldlm_intent_open_client[] = { &RMF_NAME, &RMF_EADATA, &RMF_FILE_SECCTX_NAME, - &RMF_FILE_SECCTX + &RMF_FILE_SECCTX, + &RMF_SELINUX_POL }; static const struct req_msg_field *ldlm_intent_getxattr_client[] = { @@ -491,6 +501,7 @@ static const struct req_msg_field *ldlm_intent_getxattr_client[] = { &RMF_LDLM_INTENT, &RMF_MDT_BODY, &RMF_CAPA1, + &RMF_SELINUX_POL }; static const struct req_msg_field *ldlm_intent_getxattr_server[] = { @@ -511,11 +522,12 @@ static const struct req_msg_field *mds_get_root_client[] = { }; static const struct req_msg_field *mds_getxattr_client[] = { - &RMF_PTLRPC_BODY, - &RMF_MDT_BODY, - &RMF_CAPA1, - &RMF_NAME, - &RMF_EADATA + &RMF_PTLRPC_BODY, + &RMF_MDT_BODY, + &RMF_CAPA1, + &RMF_NAME, + &RMF_EADATA, + &RMF_SELINUX_POL }; static const struct req_msg_field *mds_getxattr_server[] = { -- 1.8.3.1