Whamcloud - gitweb
LU-15787 sec: block enc unaware clients on enc files 56/47156/5
author Sebastien Buisson <sbuisson@ddn.com>
Wed, 27 Apr 2022 15:33:57 +0000 (17:33 +0200)
committer Oleg Drokin <green@whamcloud.com>
Thu, 5 May 2022 18:47:27 +0000 (18:47 +0000)
commit a31db2ec062ccc995527d37f0330edbca9d486a9
tree 1fc07154ec6aeb93606e8ebe9ec0dc60a338edc6
parent abe5c93175c331493f204985e630b7d28eb27327
LU-15787 sec: block enc unaware clients on enc files

Prevent encryption unaware clients from manipulating encrypted files
and directories. Those can be old clients, or clients built without
encryption support (intentionally or because they run on an old
kernel).
In the mdt layer, check that clients have the OBD_CONNECT2_ENCRYPT
connection flag, and if not, block access if they try to manipulate
a file or directory that has the LUSTRE_ENCRYPT_FL flag.
The forbidden operations from encryption unaware clients are:
- open
- create
- link
- rename
- migrate
Improve sanity-sec test_54 to test this use case.

Test-Parameters: testlist=sanity-sec mdscount=2 mdtcount=4 osscount=1 ostcount=8 clientcount=2 serverdistro=el7.9
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ief0639e49c0a8e1a1a0cb19cb13c006edfdff6c4
Reviewed-on: https://review.whamcloud.com/47156
Tested-by: jenkins <devops@whamcloud.com>
Reviewed-by: John L. Hammond <jhammond@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
lustre/mdt/mdt_internal.h
lustre/mdt/mdt_open.c
lustre/mdt/mdt_reint.c
lustre/tests/sanity-sec.sh