From 304b486fa310381733bc1fdbcd2b98a2f4077e2e Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Wed, 27 Jul 2022 12:39:26 +0000 Subject: [PATCH] LU-16012 sec: fix detection of SELinux enforcement On newer distros (e.g. RHEL 9.0), on which selinux_is_enabled() does not exist anymore, the only way to find out if SELinux is enforced when initializing the security context is to fetch the length of the security attribute name. If it is 0, we conclude SELinux is disabled. Lustre-change: https://review.whamcloud.com/48049 Lustre-commit: 155cbc22ba4f758cf9eec415f36f940ca2b23de9 Signed-off-by: Sebastien Buisson Change-Id: Ifcdcb8ffbb7f9ad50d16d7d3317e94d0d212fa42 Reviewed-by: Andreas Dilger Reviewed-by: Yingjin Qian Reviewed-by: Jian Yu Reviewed-on: https://review.whamcloud.com/48193 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Oleg Drokin --- lustre/llite/dir.c | 3 ++- lustre/llite/llite_internal.h | 3 ++- lustre/llite/namei.c | 6 ++++-- lustre/llite/xattr_security.c | 12 +++++++++++- 4 files changed, 19 insertions(+), 5 deletions(-) diff --git a/lustre/llite/dir.c b/lustre/llite/dir.c index c3fb0c5..de18ee4 100644 --- a/lustre/llite/dir.c +++ b/lustre/llite/dir.c @@ -534,7 +534,8 @@ static int ll_dir_setdirstripe(struct dentry *dparent, struct lmv_user_md *lump, /* selinux_dentry_init_security() uses dentry->d_parent and name * to determine the security context for the file. So our fake * dentry should be real enough for this purpose. */ - err = ll_dentry_init_security(&dentry, mode, &dentry.d_name, + err = ll_dentry_init_security(parent, + &dentry, mode, &dentry.d_name, &op_data->op_file_secctx_name, &op_data->op_file_secctx, &op_data->op_file_secctx_size); diff --git a/lustre/llite/llite_internal.h b/lustre/llite/llite_internal.h index 1792bf0..2d4bf1c 100644 --- a/lustre/llite/llite_internal.h +++ b/lustre/llite/llite_internal.h 
@@ -463,7 +463,8 @@ static inline void obd_connect_set_secctx(struct obd_connect_data *data) #endif } -int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, +int ll_dentry_init_security(struct inode *parent, struct dentry *dentry, + int mode, struct qstr *name, const char **secctx_name, void **secctx, __u32 *secctx_size); int ll_inode_init_security(struct dentry *dentry, struct inode *inode, diff --git a/lustre/llite/namei.c b/lustre/llite/namei.c index 3c288a0..4630aec 100644 --- a/lustre/llite/namei.c +++ b/lustre/llite/namei.c @@ -902,7 +902,8 @@ static struct dentry *ll_lookup_it(struct inode *parent, struct dentry *dentry, if (it->it_op & IT_CREAT && test_bit(LL_SBI_FILE_SECCTX, ll_i2sbi(parent)->ll_flags)) { - rc = ll_dentry_init_security(dentry, it->it_create_mode, + rc = ll_dentry_init_security(parent, + dentry, it->it_create_mode, &dentry->d_name, &op_data->op_file_secctx_name, &op_data->op_file_secctx, @@ -1583,7 +1584,8 @@ again: ll_qos_mkdir_prep(op_data, dir); if (test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags)) { - err = ll_dentry_init_security(dchild, mode, &dchild->d_name, + err = ll_dentry_init_security(dir, + dchild, mode, &dchild->d_name, &op_data->op_file_secctx_name, &op_data->op_file_secctx, &op_data->op_file_secctx_size); diff --git a/lustre/llite/xattr_security.c b/lustre/llite/xattr_security.c index 3993700..caf89be 100644 --- a/lustre/llite/xattr_security.c +++ b/lustre/llite/xattr_security.c @@ -50,7 +50,8 @@ /* * Check for LL_SBI_FILE_SECCTX before calling. */ -int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, +int ll_dentry_init_security(struct inode *parent, struct dentry *dentry, + int mode, struct qstr *name, const char **secctx_name, void **secctx, __u32 *secctx_size) { 
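Review bot: The new `parent` parameter of ll_dentry_init_security() is left undocumented: the header comment above the definition in xattr_security.c still reads only `Check for LL_SBI_FILE_SECCTX before calling.` and says nothing about what the caller must pass. Add a line such as ` * @parent: inode of the directory the entry is created in; queried for the xattr names the active LSM reports.` The callers updated in this patch all pass a directory inode (`parent`, `dir`) and the value is handed straight to a kernel hook, so a NULL is presumably not tolerated — worth stating in the comment once confirmed. The body of ll_dentry_init_security() continues past this hunk.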
@@ -73,6 +74,15 @@ int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name, if (!selinux_is_enabled()) return 0; + /* fetch length of security xattr name */ + rc = security_inode_listsecurity(parent, NULL, 0); + /* xattr name length == 0 means SELinux is disabled */ + if (rc == 0) + return 0; + /* we support SELinux only */ + if (rc != strlen(XATTR_NAME_SELINUX) + 1) + return -EOPNOTSUPP; + rc = security_dentry_init_security(dentry, mode, name, secctx, secctx_size); /* Usually, security_dentry_init_security() returns -EOPNOTSUPP when -- 1.8.3.1
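Review bot: A negative return from `security_inode_listsecurity()` is never propagated: `rc` falls through to `rc != strlen(XATTR_NAME_SELINUX) + 1`, a signed-vs-size_t comparison that is true for any error, so the real errno is replaced by -EOPNOTSUPP; add `if (rc < 0) return rc;` directly after the call. The early `return -EOPNOTSUPP` for a non-SELinux LSM also bypasses the existing handling below, where -EOPNOTSUPP from security_dentry_init_security() is treated as "no context" — if the callers treat a negative return as fatal (not visible here), a client running another LSM that implements inode_listsecurity would fail every create instead of proceeding without a client-supplied context, so either `return 0` here or confirm the callers tolerate it. The length test presumably also assumes SELinux is the only LSM reporting xattr names; with LSM stacking the hook returns the combined length, so a comment such as `/* combined length of all LSM xattr names; only SELinux alone is supported */` would make the limitation explicit, and `sizeof(XATTR_NAME_SELINUX)` reads more directly than `strlen(XATTR_NAME_SELINUX) + 1`. ll_dentry_init_security() begins before this hunk and continues after it.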