On newer distros (e.g. RHEL 9.0), on which selinux_is_enabled() does
not exist anymore, the only way to find out if SELinux is enforced
when initializing the security context is to fetch the length of the
security attribute name. If it is 0, we conclude SELinux is disabled.
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Ifcdcb8ffbb7f9ad50d16d7d3317e94d0d212fa42
Reviewed-on: https://review.whamcloud.com/48049
Reviewed-by: Jian Yu <yujian@whamcloud.com>
Reviewed-by: Yingjin Qian <qian@ddn.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
/* selinux_dentry_init_security() uses dentry->d_parent and name
* to determine the security context for the file. So our fake
* dentry should be real enough for this purpose. */
/* selinux_dentry_init_security() uses dentry->d_parent and name
* to determine the security context for the file. So our fake
* dentry should be real enough for this purpose. */
- err = ll_dentry_init_security(&dentry, mode, &dentry.d_name,
+ err = ll_dentry_init_security(parent,
+ &dentry, mode, &dentry.d_name,
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
&op_data->op_file_secctx_size);
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
&op_data->op_file_secctx_size);
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+ int mode, struct qstr *name,
const char **secctx_name, void **secctx,
__u32 *secctx_size);
int ll_inode_init_security(struct dentry *dentry, struct inode *inode,
const char **secctx_name, void **secctx,
__u32 *secctx_size);
int ll_inode_init_security(struct dentry *dentry, struct inode *inode,
if (it->it_op & IT_CREAT &&
test_bit(LL_SBI_FILE_SECCTX, ll_i2sbi(parent)->ll_flags)) {
if (it->it_op & IT_CREAT &&
test_bit(LL_SBI_FILE_SECCTX, ll_i2sbi(parent)->ll_flags)) {
- rc = ll_dentry_init_security(dentry, it->it_create_mode,
+ rc = ll_dentry_init_security(parent,
+ dentry, it->it_create_mode,
&dentry->d_name,
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
&dentry->d_name,
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
ll_qos_mkdir_prep(op_data, dir);
if (test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags)) {
ll_qos_mkdir_prep(op_data, dir);
if (test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags)) {
- err = ll_dentry_init_security(dchild, mode, &dchild->d_name,
+ err = ll_dentry_init_security(dir,
+ dchild, mode, &dchild->d_name,
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
&op_data->op_file_secctx_size);
&op_data->op_file_secctx_name,
&op_data->op_file_secctx,
&op_data->op_file_secctx_size);
/*
* Check for LL_SBI_FILE_SECCTX before calling.
*/
/*
* Check for LL_SBI_FILE_SECCTX before calling.
*/
-int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
+int ll_dentry_init_security(struct inode *parent, struct dentry *dentry,
+ int mode, struct qstr *name,
const char **secctx_name, void **secctx,
__u32 *secctx_size)
{
const char **secctx_name, void **secctx,
__u32 *secctx_size)
{
if (!selinux_is_enabled())
return 0;
if (!selinux_is_enabled())
return 0;
+ /* fetch length of security xattr name */
+ rc = security_inode_listsecurity(parent, NULL, 0);
+ /* xattr name length == 0 means SELinux is disabled */
+ if (rc == 0)
+ return 0;
+ /* we support SELinux only */
+ if (rc != strlen(XATTR_NAME_SELINUX) + 1)
+ return -EOPNOTSUPP;
+
rc = security_dentry_init_security(dentry, mode, name, secctx,
secctx_size);
/* Usually, security_dentry_init_security() returns -EOPNOTSUPP when
rc = security_dentry_init_security(dentry, mode, name, secctx,
secctx_size);
/* Usually, security_dentry_init_security() returns -EOPNOTSUPP when
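Review bot: A negative return from security_inode_listsecurity() in the new probe is not distinguished from a length mismatch: `rc` is an `int` compared against the `size_t` result of `strlen()`, so an error code is promoted to a large unsigned value, fails the equality test and reaches the caller as -EOPNOTSUPP instead of the real error. Add `if (rc < 0)` / `return rc;` between the listsecurity call and the `rc == 0` test, and write the comparison as `if ((size_t)rc != strlen(XATTR_NAME_SELINUX) + 1)` so the signed/unsigned mismatch no longer warns. The comment on the `rc == 0` branch could also say that a zero length only shows that no LSM reported a security xattr name for this inode, which is what the code then treats as "SELinux disabled". The definition's body continues past the hunk, and the comment block above it could document the new `parent` argument as the directory inode the LSM probe is run on.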