]) # LC_INODE_TIMESPEC64
#
+# LC_HAS_LINUX_SELINUX_ENABLED
+#
+# kernel 5.1 commit 3d252529480c68bfd6a6774652df7c8968b28e41
+# SELinux: Remove unused selinux_is_enabled
+#
+AC_DEFUN([LC_HAS_LINUX_SELINUX_ENABLED], [
+tmp_flags="$EXTRA_KCFLAGS"
+EXTRA_KCFLAGS="-Werror"
+LB_CHECK_COMPILE([if linux/selinux.h exists],
+selinux_is_enabled, [
+ #include <linux/selinux.h>
+],[
+ bool has_selinux = selinux_is_enabled();
+ (void)has_selinux;
+],[
+ AC_DEFINE(HAVE_LINUX_SELINUX_IS_ENABLED, 1,
+ [if linux/selinux.h exists])
+])
+EXTRA_KCFLAGS="$tmp_flags"
+]) # LC_HAS_LINUX_SELINUX_ENABLED
+
+#
# LC_PROG_LINUX
#
# Lustre linux kernel checks
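Review bot: The check message and the AC_DEFINE description both say `if linux/selinux.h exists`, but the test body calls `selinux_is_enabled()`, so what is probed is whether that function is still declared. Both strings would be more accurate as `[if selinux_is_enabled() is available]`. The result selects which SELinux xattr path the client compiles in, so an accurate line in the configure output and config.h helps when a detection has to be diagnosed.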
# 5.0
LC_UAPI_LINUX_MOUNT_H
+ # 5.1
+ LC_HAS_LINUX_SELINUX_ENABLED
+
# kernel patch to extend integrity interface
LC_BIO_INTEGRITY_PREP_FN
kmem_cache_create(name, size, align, flags, ctor)
#endif
+#ifndef HAVE_LINUX_SELINUX_IS_ENABLED
+#define selinux_is_enabled() 1
+#endif
+
#endif /* _LUSTRE_COMPAT_H */
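Review bot: The fallback `#define selinux_is_enabled() 1` carries no comment, and it makes every `if (!selinux_is_enabled()) return 0;` guard dead code on kernels where the function is gone. A comment such as `/* selinux_is_enabled() removed in 5.1: assume enabled, callers must tolerate -EOPNOTSUPP from the LSM hooks */` would record that contract next to the stub. The rest of the header lies outside the hunk, so other users of the stub cannot be checked from here.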
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/xattr.h>
+#ifdef HAVE_LINUX_SELINUX_IS_ENABLED
#include <linux/selinux.h>
+#endif
#define DEBUG_SUBSYSTEM S_LLITE
}
#endif
+#ifdef HAVE_LINUX_SELINUX_IS_ENABLED
+# define test_xattr_is_selinux_disabled(handler, name) \
+ ((handler)->flags == XATTR_SECURITY_T && \
+ !selinux_is_enabled() && \
+ strcmp((name), "selinux") == 0)
+#else
+# define test_xattr_is_selinux_disabled(handler, name) \
+ ((handler)->flags == XATTR_SECURITY_T && \
+ strcmp((name), "selinux") == 0)
+#endif
+
const struct xattr_handler *get_xattr_type(const char *name)
{
int i;
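Review bot: In the `#else` branch `test_xattr_is_selinux_disabled()` no longer tests SELinux state at all, so it is true for every `security.selinux` request and both call sites return -EOPNOTSUPP even when SELinux is enforcing. That contradicts the macro name, the LU-549 comment at the call sites, and the compat stub that defines `selinux_is_enabled()` as 1 when the function is missing. If refusing the label xattr on such kernels is intended, state that in a comment above the `#else`; otherwise the branch should presumably evaluate to `0`, or use whatever runtime test the kernel still provides. The functions containing the two call sites start and end outside the visible hunks.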
RETURN(0);
/* LU-549: Disable security.selinux when selinux is disabled */
- if (handler->flags == XATTR_SECURITY_T && !selinux_is_enabled() &&
- strcmp(name, "selinux") == 0)
+ if (test_xattr_is_selinux_disabled(handler, name))
RETURN(-EOPNOTSUPP);
/*
RETURN(rc);
/* LU-549: Disable security.selinux when selinux is disabled */
- if (handler->flags == XATTR_SECURITY_T && !selinux_is_enabled() &&
- !strcmp(name, "selinux"))
+ if (test_xattr_is_selinux_disabled(handler, name))
RETURN(-EOPNOTSUPP);
#ifdef CONFIG_FS_POSIX_ACL
#include <linux/types.h>
#include <linux/security.h>
+#ifdef HAVE_LINUX_SELINUX_IS_ENABLED
#include <linux/selinux.h>
+#endif
#include <linux/xattr.h>
#include "llite_internal.h"
#ifdef HAVE_SECURITY_DENTRY_INIT_SECURITY
int rc;
- /* security_dentry_init_security() is strange. Like
+ /*
+ * security_dentry_init_security() is strange. Like
* security_inode_init_security() it may return a context (provided a
* Linux security module is enabled) but unlike
* security_inode_init_security() it does not return to us the name of
* SELinux is the only module that implements
* security_dentry_init_security(). Note that the NFS client code just
* calls it and assumes that if anything is returned then it must come
- * from SELinux. */
+ * from SELinux.
+ */
if (!selinux_is_enabled())
return 0;
rc = security_dentry_init_security(dentry, mode, name, secctx,
secctx_size);
+ if (rc == -EOPNOTSUPP)
+ return 0;
if (rc < 0)
return rc;
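Review bot: The new `if (rc == -EOPNOTSUPP) return 0;` reports success without establishing what the caller finds in `*secctx` and `*secctx_size`; whether they are initialised earlier is not visible because the function starts and ends outside the hunk. If nothing sets them, clear both before returning. A comment such as `/* no LSM provided a context: create the file unlabelled */` would also show that the downgrade from error to success is deliberate. The same mapping is added in `ll_inode_init_security()` in the next hunk and deserves the same comment.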
ll_inode_init_security(struct dentry *dentry, struct inode *inode,
struct inode *dir)
{
+ int rc;
+
if (!selinux_is_enabled())
return 0;
- return ll_security_inode_init_security(inode, dir, NULL, NULL, 0,
- &ll_initxattrs, dentry);
+ rc = ll_security_inode_init_security(inode, dir, NULL, NULL, 0,
+ &ll_initxattrs, dentry);
+ if (rc == -EOPNOTSUPP)
+ return 0;
+
+ return rc;
}
#else /* !HAVE_SECURITY_IINITSEC_CALLBACK */
/**
#define PRINT_MASK (D_SUPER | D_CONFIG)
#include <linux/types.h>
+#ifdef HAVE_LINUX_SELINUX_IS_ENABLED
#include <linux/selinux.h>
+#endif
#include <linux/statfs.h>
#include <linux/version.h>