From 0e6648940171c60cbaa295f54af1093232e66430 Mon Sep 17 00:00:00 2001 From: Shaun Tancheff Date: Tue, 2 May 2023 00:34:39 -0500 Subject: [PATCH] LU-16619 build: Ubuntu jammy 5.19 client support Ubuntu 5.19 kernel removed lsmcontext_init() and changed security_dentry_init_security to require struct context * Linux kernel linux-hwe-5.19 LSM: Removed scaffolding function lsmcontext_init Linux kernel linux-hwe-5.19 LSM: security_dentry_init_security with struct lsmcontext Signed-off-by: Shaun Tancheff Change-Id: Ib6479a2cd20df5e565ae6203e05df2afa3f3de31 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/50210 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Sebastien Buisson Reviewed-by: James Simmons Reviewed-by: Oleg Drokin --- lustre/autoconf/lustre-core.m4 | 58 +++++++++++++++++++++++++++++++++++++++++- lustre/include/lustre_compat.h | 18 +++++++++++-- lustre/include/obd.h | 1 + lustre/llite/dir.c | 3 ++- lustre/llite/llite_internal.h | 4 ++- lustre/llite/llite_lib.c | 3 ++- lustre/llite/namei.c | 21 ++++++++++----- lustre/llite/xattr_security.c | 19 +++++++++++++- 8 files changed, 114 insertions(+), 13 deletions(-) diff --git a/lustre/autoconf/lustre-core.m4 b/lustre/autoconf/lustre-core.m4 index 2c766c1..8603884 100644 --- a/lustre/autoconf/lustre-core.m4 +++ b/lustre/autoconf/lustre-core.m4 @@ -2349,7 +2349,7 @@ AC_DEFUN([LC_CURRENT_TIME], [ AC_DEFINE(HAVE_CURRENT_TIME, 1, [current_time() has replaced CURRENT_TIME]) ]) -]) # LIBCFS_CURRENT_TIME +]) # LC_CURRENT_TIME # # LC_HAVE_GET_INODE_USAGE 
@@ -3416,6 +3416,58 @@ AC_DEFUN([LC_HAVE_ADDRESS_SPACE_OPERATIONS_RELEASE_FOLIO], [ ]) # LC_HAVE_ADDRESS_SPACE_OPERATIONS_RELEASE_FOLIO # +# LC_HAVE_LSMCONTEXT_INIT +# +# repo: git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy +# kernel linux-hwe-5.19 commit fef1deb99dad87dd700afae76b35c5b5750e33a8 +# LSM: Removed scaffolding function lsmcontext_init +# +AC_DEFUN([LC_SRC_HAVE_LSMCONTEXT_INIT], [ + LB2_LINUX_TEST_SRC([lsmcontext_init], [ + #include + ],[ + struct lsmcontext ctx = {}; + + lsmcontext_init(&ctx, "", 0, 0); + ],[]) +]) +AC_DEFUN([LC_HAVE_LSMCONTEXT_INIT], [ + AC_MSG_CHECKING([if lsmcontext_init is available]) + LB2_LINUX_TEST_RESULT([lsmcontext_init], [ + AC_DEFINE(HAVE_LSMCONTEXT_INIT, 1, + [lsmcontext_init is available]) + ]) +]) # LC_HAVE_LSMCONTEXT_INIT + +# +# LC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX +# +# repo: git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy +# kernel linux-hwe-5.19 commit 57d0004bc811254916be30f94c86d9607867deb0 +# LSM: Use lsmcontext in security_dentry_init_security +# +AC_DEFUN([LC_SRC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX], [ + LB2_LINUX_TEST_SRC([security_dentry_init_security_with_ctx], [ + #include + ],[ + struct dentry *dentry = NULL; + const struct qstr *name = NULL; + struct lsmcontext *ctx = NULL; + const char *xattr_name = ""; + + (void)security_dentry_init_security(dentry, 0, name, + &xattr_name, ctx); + ],[-Werror]) +]) +AC_DEFUN([LC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX], [ + AC_MSG_CHECKING([if security_dentry_init_security needs lsmcontext]) + LB2_LINUX_TEST_RESULT([security_dentry_init_security_with_ctx], [ + AC_DEFINE(HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX, 1, + [security_dentry_init_security needs lsmcontext]) + ]) +]) # LC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX + +# # LC_HAVE_NO_LLSEEK # # Linux commit v5.19-rc2-6-g868941b14441 
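Review bot: The new probe and its define are spelled `SECURTY` (`LC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX`, `HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX`), and the define is tested by name in lustre/llite/xattr_security.c. The spelling is consistent across the patch, so the build works today, but a later correction made in only one of the two files would leave the `#ifdef` permanently false with no configure-time diagnostic. Renaming to `..._INIT_SECURITY_WITH_CTX` in the m4 macros, the two call lists and the C file within this change avoids that. The two probes also differ in strictness: this one passes `-Werror` while the `lsmcontext_init` probe passes no extra flags, which deserves a one-line comment if it is intentional.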
@@ -3888,6 +3940,8 @@ AC_DEFUN([LC_PROG_LINUX_SRC], [ LC_SRC_HAVE_ADDRESS_SPACE_OPERATIONS_READ_FOLIO LC_SRC_HAVE_READ_CACHE_PAGE_FILLER_WITH_FILE LC_SRC_HAVE_ADDRESS_SPACE_OPERATIONS_RELEASE_FOLIO + LC_SRC_HAVE_LSMCONTEXT_INIT + LC_SRC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX # 6.0 LC_SRC_HAVE_NO_LLSEEK @@ -4143,6 +4197,8 @@ AC_DEFUN([LC_PROG_LINUX_RESULTS], [ LC_HAVE_ADDRESS_SPACE_OPERATIONS_READ_FOLIO LC_HAVE_READ_CACHE_PAGE_FILLER_WITH_FILE LC_HAVE_ADDRESS_SPACE_OPERATIONS_RELEASE_FOLIO + LC_HAVE_LSMCONTEXT_INIT + LC_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX # 6.0 LC_HAVE_NO_LLSEEK diff --git a/lustre/include/lustre_compat.h b/lustre/include/lustre_compat.h index 8234332..06e674d 100644 --- a/lustre/include/lustre_compat.h +++ b/lustre/include/lustre_compat.h @@ -597,12 +597,26 @@ static inline bool is_root_inode(struct inode *inode) #define ll_access_ok(ptr, len) access_ok(ptr, len) #endif -static inline void ll_security_release_secctx(char *secdata, u32 seclen) +#ifdef HAVE_SEC_RELEASE_SECCTX_1ARG +#ifndef HAVE_LSMCONTEXT_INIT +/* Ubuntu 5.19 */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} +#endif +#endif + +static inline void ll_security_release_secctx(char *secdata, u32 seclen, + int slot) { #ifdef HAVE_SEC_RELEASE_SECCTX_1ARG struct lsmcontext context = { }; - lsmcontext_init(&context, secdata, seclen, 0); + lsmcontext_init(&context, secdata, seclen, slot); return security_release_secctx(&context); #else return security_release_secctx(secdata, seclen); diff --git a/lustre/include/obd.h b/lustre/include/obd.h index efda050..2496e69 100644 --- a/lustre/include/obd.h +++ b/lustre/include/obd.h @@ -931,6 +931,7 @@ struct md_op_data { __u32 op_file_secctx_name_size; void *op_file_secctx; __u32 op_file_secctx_size; + int op_file_secctx_slot; /* File encryption context, for creates/metadata ops */ void *op_file_encctx; 
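Review bot: In the lustre_compat.h hunk, `ll_security_release_secctx()` gains a `slot` argument with no comment saying where the value must come from. From the rest of the patch, the slot is the `ctx.slot` filled in by `security_dentry_init_security()` and carried in `op_file_secctx_slot`. Presumably it identifies the LSM that allocated the context, so a mismatched value could route the release to the wrong module; confirm this against the Ubuntu LSM stacking patches. I would add above the function `/* slot: lsmcontext slot returned together with secdata, 0 if none was reported; unused with the two-argument security_release_secctx() */` and a matching one-line comment on `int op_file_secctx_slot;` in lustre/include/obd.h. The nested `#ifdef HAVE_SEC_RELEASE_SECCTX_1ARG` / `#ifndef HAVE_LSMCONTEXT_INIT` around the fallback would also read better as a single `#if defined(HAVE_SEC_RELEASE_SECCTX_1ARG) && !defined(HAVE_LSMCONTEXT_INIT)`.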
diff --git a/lustre/llite/dir.c b/lustre/llite/dir.c index 8037785..1377697 100644 --- a/lustre/llite/dir.c +++ b/lustre/llite/dir.c @@ -546,7 +546,8 @@ static int ll_dir_setdirstripe(struct dentry *dparent, struct lmv_user_md *lump, &op_data->op_file_secctx_name, &op_data->op_file_secctx_name_size, &op_data->op_file_secctx, - &op_data->op_file_secctx_size); + &op_data->op_file_secctx_size, + &op_data->op_file_secctx_slot); if (err < 0) GOTO(out_op_data, err); } diff --git a/lustre/llite/llite_internal.h b/lustre/llite/llite_internal.h index dde54b2..a709728 100644 --- a/lustre/llite/llite_internal.h +++ b/lustre/llite/llite_internal.h @@ -493,7 +493,9 @@ static inline bool ll_xattr_suffix_is_seclabel(const char *suffix) int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, const char **secctx_name, __u32 *secctx_name_size, - void **secctx, __u32 *secctx_size); + void **secctx, __u32 *secctx_size, + int *secctx_slot); + int ll_inode_init_security(struct dentry *dentry, struct inode *inode, struct inode *dir); diff --git a/lustre/llite/llite_lib.c b/lustre/llite/llite_lib.c index a0f1003..fab2ee7 100644 --- a/lustre/llite/llite_lib.c +++ b/lustre/llite/llite_lib.c @@ -3679,7 +3679,8 @@ void ll_finish_md_op_data(struct md_op_data *op_data) { ll_unlock_md_op_lsm(op_data); ll_security_release_secctx(op_data->op_file_secctx, - op_data->op_file_secctx_size); + op_data->op_file_secctx_size, + op_data->op_file_secctx_slot); if (op_data->op_flags & MF_OPNAME_KMALLOCED) /* allocated via ll_setup_filename called * from ll_prep_md_op_data diff --git a/lustre/llite/namei.c b/lustre/llite/namei.c index dc4b135..15f6cea 100644 --- a/lustre/llite/namei.c +++ b/lustre/llite/namei.c @@ -810,6 +810,7 @@ out: static struct dentry *ll_lookup_it(struct inode *parent, struct dentry *dentry, struct lookup_intent *it, void **secctx, __u32 *secctxlen, + int *secctxslot, struct pcc_create_attach *pca, bool encrypt, void **encctx, __u32 *encctxlen) 
@@ -882,18 +883,23 @@ static struct dentry *ll_lookup_it(struct inode *parent, struct dentry *dentry, &op_data->op_file_secctx_name, &op_data->op_file_secctx_name_size, &op_data->op_file_secctx, - &op_data->op_file_secctx_size); + &op_data->op_file_secctx_size, + &op_data->op_file_secctx_slot); if (rc < 0) GOTO(out, retval = ERR_PTR(rc)); if (secctx != NULL) *secctx = op_data->op_file_secctx; if (secctxlen != NULL) *secctxlen = op_data->op_file_secctx_size; + if (secctxslot != NULL) + *secctxslot = op_data->op_file_secctx_slot; } else { if (secctx != NULL) *secctx = NULL; if (secctxlen != NULL) *secctxlen = 0; + if (secctxslot != NULL) + *secctxslot = 0; } if (it->it_op & IT_CREAT && encrypt) { if (unlikely(filename_is_volatile(dentry->d_name.name, @@ -1107,7 +1113,7 @@ static struct dentry *ll_lookup_nd(struct inode *parent, struct dentry *dentry, itp = NULL; else itp = ⁢ - de = ll_lookup_it(parent, dentry, itp, NULL, NULL, NULL, false, + de = ll_lookup_it(parent, dentry, itp, NULL, NULL, NULL, NULL, false, NULL, NULL); if (itp != NULL) @@ -1149,6 +1155,7 @@ static int ll_atomic_open(struct inode *dir, struct dentry *dentry, long long lookup_flags = LOOKUP_OPEN; void *secctx = NULL; __u32 secctxlen = 0; + int secctxslot = 0; void *encctx = NULL; __u32 encctxlen = 0; struct ll_sb_info *sbi = NULL; @@ -1247,8 +1254,8 @@ static int ll_atomic_open(struct inode *dir, struct dentry *dentry, it->it_flags |= MDS_OPEN_LOCK; /* Dentry added to dcache tree in ll_lookup_it */ - de = ll_lookup_it(dir, dentry, it, &secctx, &secctxlen, &pca, encrypt, - &encctx, &encctxlen); + de = ll_lookup_it(dir, dentry, it, &secctx, &secctxlen, &secctxslot, + &pca, encrypt, &encctx, &encctxlen); if (IS_ERR(de)) rc = PTR_ERR(de); else if (de != NULL) 
@@ -1262,7 +1269,8 @@ static int ll_atomic_open(struct inode *dir, struct dentry *dentry, rc = ll_create_it(dir, dentry, it, secctx, secctxlen, encrypt, encctx, encctxlen, open_flags); - ll_security_release_secctx(secctx, secctxlen); + ll_security_release_secctx(secctx, secctxlen, + secctxslot); llcrypt_free_ctx(encctx, encctxlen); if (rc) { /* We dget in ll_splice_alias. */ @@ -1559,7 +1567,8 @@ again: &op_data->op_file_secctx_name, &op_data->op_file_secctx_name_size, &op_data->op_file_secctx, - &op_data->op_file_secctx_size); + &op_data->op_file_secctx_size, + &op_data->op_file_secctx_slot); if (err < 0) GOTO(err_exit, err); } diff --git a/lustre/llite/xattr_security.c b/lustre/llite/xattr_security.c index 57e1d7a..df34ab3 100644 --- a/lustre/llite/xattr_security.c +++ b/lustre/llite/xattr_security.c @@ -47,17 +47,24 @@ # define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX #endif +#ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX +#define HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG 1 +#endif + /* * Check for LL_SBI_FILE_SECCTX before calling. */ int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, const char **secctx_name, __u32 *secctx_name_size, - void **secctx, __u32 *secctx_size) + void **secctx, __u32 *secctx_size, int *secctx_slot) { struct ll_sb_info *sbi = ll_s2sbi(dentry->d_sb); #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG const char *secctx_name_lsm = NULL; #endif +#ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX + struct lsmcontext ctx = {}; +#endif int rc; /* 
@@ -81,13 +88,23 @@ int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG &secctx_name_lsm, #endif +#ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX + &ctx); +#else secctx, secctx_size); +#endif /* ignore error if the hook is not supported by the LSM module */ if (rc == -EOPNOTSUPP) return 0; if (rc < 0) return rc; +#ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX + *secctx = ctx.context; + *secctx_size = ctx.len; + *secctx_slot = ctx.slot; +#endif + #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG if (strncmp(*secctx_name, secctx_name_lsm, *secctx_name_size) != 0) { CERROR("%s: LSM secctx_name '%s' does not match the one stored by Lustre '%s'\n", -- 1.8.3.1
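Review bot: `*secctx_slot` is written only inside `#ifdef HAVE_SECURITY_DENTRY_INIT_SECURTY_WITH_CTX`, so on every other kernel, and on the `-EOPNOTSUPP` early return, the new out parameter is left untouched. ll_lookup_it() then copies `op_data->op_file_secctx_slot` to its caller and ll_finish_md_op_data() passes it to `ll_security_release_secctx()`, so the released slot is only well defined if md_op_data is zero-initialised, which this patch does not show. Setting `*secctx_slot = 0;` at function entry makes the contract independent of how the caller allocated the structure; the function body between the two xattr_security.c hunks is outside the diff, so the exact placement needs checking there. The header comment `Check for LL_SBI_FILE_SECCTX before calling.` should also mention the new parameter and that it must be passed back unchanged when the context is released.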