]) # LC_EXPORT_TRUNCATE_COMPLETE_PAGE
#
-# LC_CONFIG_RMTCLIENT
-#
-dnl FIXME
-dnl the AES symbol usually tied with arch, e.g. CRYPTO_AES_586
-dnl FIXME
-AC_DEFUN([LC_CONFIG_RMTCLIENT], [
-LB_CHECK_CONFIG_IM([CRYPTO_AES], [],
- [AC_MSG_WARN([
-
-Lustre remote client require that CONFIG_CRYPTO_AES is enabled in your kernel.
-])])
-]) # LC_CONFIG_RMTCLIENT
-
-#
# LC_CONFIG_GSS_KEYRING
#
# default 'auto', tests for dependencies, if found, enables;
LC_LLITE_LLOOP_MODULE
LC_GLIBC_SUPPORT_FHANDLES
- LC_CONFIG_RMTCLIENT
LC_CONFIG_GSS
LC_HAVE_VOID_OPENSSL_HMAC_FUNCS
offset=lustre_dissect_struct_mdt_rec_create(tvb, offset, pinfo, tree, hf_lustre_mdt_rec_create);
offset=lustre_dissect_struct_capa(tvb, offset, pinfo, tree, hf_lustre_capa, LUSTRE_REQ_REC_OFF+1);
offset=lustre_dissect_element_string(tvb, offset, pinfo, tree, hf_lustre_reint_name, LUSTRE_REQ_REC_OFF+2);
- /* REINT_CREATE_SLAVE / SYM / RMT_ACL */
+ /* REINT_CREATE_SLAVE / SYM */
if (LUSTRE_BUFCOUNT > 4) {
/* for CREATE_SYM this is actually name of target - encoded in mdt_rec_create.cr_mode */
offset=lustre_dissect_element_data(tvb, offset, pinfo, tree, hf_lustre_reint_name, LUSTRE_REQ_REC_OFF+3);
return (rc < 0 && -rc & ESERIOUS);
}
-/**
- * Do not return server-side uid/gid to remote client
- */
-static inline void tgt_drop_id(struct obd_export *exp, struct obdo *oa)
-{
- if (unlikely(exp_connect_rmtclient(exp))) {
- oa->o_uid = -1;
- oa->o_gid = -1;
- oa->o_valid &= ~(OBD_MD_FLUID | OBD_MD_FLGID);
- }
-}
-
/*
* Unified target generic handers macros and generic functions.
*/
*to be reused.*/
#define OBD_CONNECT_ATTRFID 0x4000ULL /*Server can GetAttr By Fid*/
#define OBD_CONNECT_NODEVOH 0x8000ULL /*No open hndl on specl nodes*/
-#define OBD_CONNECT_RMT_CLIENT 0x10000ULL /*Remote client */
-#define OBD_CONNECT_RMT_CLIENT_FORCE 0x20000ULL /*Remote client by force */
+#define OBD_CONNECT_RMT_CLIENT 0x10000ULL /* Remote client, never used
+ * in production. Removed in
+ * 2.9. Keep this flag to
+ * avoid reusing.
+ */
+#define OBD_CONNECT_RMT_CLIENT_FORCE 0x20000ULL /* Remote client by force,
+ * never used in production.
+ * Removed in 2.9. Keep this
+ * flag to avoid reusing.
+ */
#define OBD_CONNECT_BRW_SIZE 0x40000ULL /*Max bytes per rpc */
#define OBD_CONNECT_QUOTA64 0x80000ULL /*Not used since 2.4 */
#define OBD_CONNECT_MDS_CAPA 0x100000ULL /*MDS capability */
#endif
#define MDT_CONNECT_SUPPORTED (OBD_CONNECT_RDONLY | OBD_CONNECT_VERSION | \
- OBD_CONNECT_ACL | OBD_CONNECT_XATTR | \
- OBD_CONNECT_IBITS | \
- OBD_CONNECT_NODEVOH | OBD_CONNECT_ATTRFID | \
- OBD_CONNECT_CANCELSET | OBD_CONNECT_AT | \
- OBD_CONNECT_RMT_CLIENT | \
- OBD_CONNECT_RMT_CLIENT_FORCE | \
- OBD_CONNECT_BRW_SIZE | OBD_CONNECT_MDS_MDS | \
- OBD_CONNECT_FID | LRU_RESIZE_CONNECT_FLAG | \
- OBD_CONNECT_VBR | OBD_CONNECT_LOV_V3 | \
- OBD_CONNECT_FULL20 | \
+ OBD_CONNECT_ACL | OBD_CONNECT_XATTR | \
+ OBD_CONNECT_IBITS | OBD_CONNECT_NODEVOH | \
+ OBD_CONNECT_ATTRFID | OBD_CONNECT_CANCELSET | \
+ OBD_CONNECT_AT | OBD_CONNECT_BRW_SIZE | \
+ OBD_CONNECT_MDS_MDS | OBD_CONNECT_FID | \
+ LRU_RESIZE_CONNECT_FLAG | OBD_CONNECT_VBR | \
+ OBD_CONNECT_LOV_V3 | OBD_CONNECT_FULL20 | \
OBD_CONNECT_64BITHASH | OBD_CONNECT_JOBSTATS | \
OBD_CONNECT_EINPROGRESS | \
OBD_CONNECT_LIGHTWEIGHT | OBD_CONNECT_UMASK | \
#define MDT_CONNECT_SUPPORTED2 OBD_CONNECT2_FILE_SECCTX
#define OST_CONNECT_SUPPORTED (OBD_CONNECT_SRVLOCK | OBD_CONNECT_GRANT | \
- OBD_CONNECT_REQPORTAL | OBD_CONNECT_VERSION | \
- OBD_CONNECT_TRUNCLOCK | OBD_CONNECT_INDEX | \
- OBD_CONNECT_BRW_SIZE | \
- OBD_CONNECT_CANCELSET | OBD_CONNECT_AT | \
- LRU_RESIZE_CONNECT_FLAG | OBD_CONNECT_CKSUM | \
- OBD_CONNECT_RMT_CLIENT | \
- OBD_CONNECT_RMT_CLIENT_FORCE | OBD_CONNECT_VBR | \
- OBD_CONNECT_MDS | OBD_CONNECT_SKIP_ORPHAN | \
- OBD_CONNECT_GRANT_SHRINK | OBD_CONNECT_FULL20 | \
- OBD_CONNECT_64BITHASH | OBD_CONNECT_MAXBYTES | \
- OBD_CONNECT_MAX_EASIZE | \
+ OBD_CONNECT_REQPORTAL | OBD_CONNECT_VERSION | \
+ OBD_CONNECT_TRUNCLOCK | OBD_CONNECT_INDEX | \
+ OBD_CONNECT_BRW_SIZE | OBD_CONNECT_CANCELSET | \
+ OBD_CONNECT_AT | LRU_RESIZE_CONNECT_FLAG | \
+ OBD_CONNECT_CKSUM | OBD_CONNECT_VBR | \
+ OBD_CONNECT_MDS | OBD_CONNECT_SKIP_ORPHAN | \
+ OBD_CONNECT_GRANT_SHRINK | OBD_CONNECT_FULL20 |\
+ OBD_CONNECT_64BITHASH | OBD_CONNECT_MAXBYTES | \
+ OBD_CONNECT_MAX_EASIZE | \
OBD_CONNECT_EINPROGRESS | \
OBD_CONNECT_JOBSTATS | \
OBD_CONNECT_LIGHTWEIGHT | OBD_CONNECT_LVB_TYPE|\
#define OBD_MD_FLXATTRLS (0x0000002000000000ULL) /* xattr list */
#define OBD_MD_FLXATTRRM (0x0000004000000000ULL) /* xattr remove */
#define OBD_MD_FLACL (0x0000008000000000ULL) /* ACL */
-#define OBD_MD_FLRMTPERM (0x0000010000000000ULL) /* remote permission */
+/* OBD_MD_FLRMTPERM (0x0000010000000000ULL) remote perm, obsolete */
#define OBD_MD_FLMDSCAPA (0x0000020000000000ULL) /* MDS capability */
#define OBD_MD_FLOSSCAPA (0x0000040000000000ULL) /* OSS capability */
#define OBD_MD_FLCKSPLIT (0x0000080000000000ULL) /* Check split on server */
* client holds the lock */
#define OBD_MD_FLOBJCOUNT (0x0000400000000000ULL) /* for multiple destroy */
-#define OBD_MD_FLRMTLSETFACL (0x0001000000000000ULL) /* lfs lsetfacl case */
-#define OBD_MD_FLRMTLGETFACL (0x0002000000000000ULL) /* lfs lgetfacl case */
-#define OBD_MD_FLRMTRSETFACL (0x0004000000000000ULL) /* lfs rsetfacl case */
-#define OBD_MD_FLRMTRGETFACL (0x0008000000000000ULL) /* lfs rgetfacl case */
+/* OBD_MD_FLRMTLSETFACL (0x0001000000000000ULL) lfs lsetfacl, obsolete */
+/* OBD_MD_FLRMTLGETFACL (0x0002000000000000ULL) lfs lgetfacl, obsolete */
+/* OBD_MD_FLRMTRSETFACL (0x0004000000000000ULL) lfs rsetfacl, obsolete */
+/* OBD_MD_FLRMTRGETFACL (0x0008000000000000ULL) lfs rgetfacl, obsolete */
#define OBD_MD_FLDATAVERSION (0x0010000000000000ULL) /* iversion sum */
#define OBD_MD_CLOSE_INTENT_EXECED (0x0020000000000000ULL) /* close intent
CFS_SETUID_PERM = 0x01,
CFS_SETGID_PERM = 0x02,
CFS_SETGRP_PERM = 0x04,
- CFS_RMTACL_PERM = 0x08,
- CFS_RMTOWN_PERM = 0x10
-};
-
-/* inode access permission for remote user, the inode info are omitted,
- * for client knows them. */
-struct mdt_remote_perm {
- __u32 rp_uid;
- __u32 rp_gid;
- __u32 rp_fsuid;
- __u32 rp_fsuid_h;
- __u32 rp_fsgid;
- __u32 rp_fsgid_h;
- __u32 rp_access_perm; /* MAY_READ/WRITE/EXEC */
- __u32 rp_padding;
};
struct mdt_rec_setattr {
#define IOC_OBD_STATFS _IOWR('f', 164, struct obd_statfs *)
/* IOC_LOV_GETINFO 165 obsolete */
#define LL_IOC_FLUSHCTX _IOW ('f', 166, long)
-#define LL_IOC_RMTACL _IOW ('f', 167, long)
+/* LL_IOC_RMTACL 167 obsolete */
#define LL_IOC_GETOBDCOUNT _IOR ('f', 168, long)
#define LL_IOC_LLOOP_ATTACH _IOWR('f', 169, long)
#define LL_IOC_LLOOP_DETACH _IOWR('f', 170, long)
#define LL_FILE_READAHEA 0x00000004
#define LL_FILE_LOCKED_DIRECTIO 0x00000008 /* client-side locks with dio */
#define LL_FILE_LOCKLESS_IO 0x00000010 /* server-side locks with cio */
-#define LL_FILE_RMTACL 0x00000020
#define LOV_USER_MAGIC_V1 0x0BD10BD0
#define LOV_USER_MAGIC LOV_USER_MAGIC_V1
__u32 idd_groups[0];
};
-/* for non-mapped uid/gid */
-#define NOBODY_UID 99
-#define NOBODY_GID 99
-
-#define INVALID_ID (-1)
-
-enum {
- RMT_LSETFACL = 1,
- RMT_LGETFACL = 2,
- RMT_RSETFACL = 3,
- RMT_RGETFACL = 4
-};
-
#ifdef NEED_QUOTA_DEFS
#ifndef QIF_BLIMITS
#define QIF_BLIMITS 1
__u32 *pmode, int count);
extern int lustre_posix_acl_equiv_mode(posix_acl_xattr_entry *entry, mode_t *mode_p,
int count);
-
-extern int
-lustre_posix_acl_xattr_id2client(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- posix_acl_xattr_header *header,
- int size, int flags);
-
-extern int
-lustre_ext_acl_xattr_id2server(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- ext_acl_xattr_header *header);
#endif /* HAVE_SERVER_SUPPORT */
-
-extern ext_acl_xattr_header *
-lustre_posix_acl_xattr_2ext(posix_acl_xattr_header *header, int size);
-extern int
-lustre_posix_acl_xattr_filter(posix_acl_xattr_header *header, int size,
- posix_acl_xattr_header **out);
-extern void
-lustre_posix_acl_xattr_free(posix_acl_xattr_header *header, int size);
-extern void
-lustre_ext_acl_xattr_free(ext_acl_xattr_header *header);
-extern int
-lustre_acl_xattr_merge2posix(posix_acl_xattr_header *posix_header, int size,
- ext_acl_xattr_header *ext_header,
- posix_acl_xattr_header **out);
-extern ext_acl_xattr_header *
-lustre_acl_xattr_merge2ext(posix_acl_xattr_header *posix_header, int size,
- ext_acl_xattr_header *ext_header);
-
#endif /* CONFIG_FS_POSIX_ACL */
/** @} eacl */
/** List of all files opened by client on this MDT */
struct list_head med_open_head;
spinlock_t med_open_lock; /* med_open_head, mfd_list */
- struct mutex med_idmap_mutex;
- struct lustre_idmap_table *med_idmap;
};
struct ec_export_data { /* echo client */
return !!(exp_connect_flags(exp) & OBD_CONNECT_LRU_RESIZE);
}
-static inline int exp_connect_rmtclient(struct obd_export *exp)
-{
- LASSERT(exp != NULL);
- return !!(exp_connect_flags(exp) & OBD_CONNECT_RMT_CLIENT);
-}
-
-static inline int client_is_remote(struct obd_export *exp)
-{
- struct obd_import *imp = class_exp2cliimp(exp);
-
- return !!(imp->imp_connect_data.ocd_connect_flags &
- OBD_CONNECT_RMT_CLIENT);
-}
-
static inline int exp_connect_vbr(struct obd_export *exp)
{
LASSERT(exp != NULL);
#define CFS_GROUP_AT(gi, i) \
((gi)->blocks[(i) / CFS_NGROUPS_PER_BLOCK][(i) % CFS_NGROUPS_PER_BLOCK])
-enum {
- CFS_IC_NOTHING = 0, /* convert nothing */
- CFS_IC_ALL = 1, /* convert all items */
- CFS_IC_MAPPED = 2, /* convert mapped uid/gid */
- CFS_IC_UNMAPPED = 3 /* convert unmapped uid/gid */
-};
-
-#define CFS_IDMAP_NOTFOUND (-1)
-
-#define CFS_IDMAP_HASHSIZE 32
-
-enum lustre_idmap_idx {
- RMT_UIDMAP_IDX,
- LCL_UIDMAP_IDX,
- RMT_GIDMAP_IDX,
- LCL_GIDMAP_IDX,
- CFS_IDMAP_N_HASHES
-};
-
-struct lustre_idmap_table {
- spinlock_t lit_lock;
- struct list_head lit_idmaps[CFS_IDMAP_N_HASHES][CFS_IDMAP_HASHSIZE];
-};
struct lu_ucred;
extern void lustre_groups_sort(struct group_info *group_info);
extern int lustre_in_group_p(struct lu_ucred *mu, gid_t grp);
-extern int lustre_idmap_add(struct lustre_idmap_table *t,
- uid_t ruid, uid_t luid,
- gid_t rgid, gid_t lgid);
-extern int lustre_idmap_del(struct lustre_idmap_table *t,
- uid_t ruid, uid_t luid,
- gid_t rgid, gid_t lgid);
-extern int lustre_idmap_lookup_uid(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- int reverse, uid_t uid);
-extern int lustre_idmap_lookup_gid(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- int reverse, gid_t gid);
-extern struct lustre_idmap_table *lustre_idmap_init(void);
-extern void lustre_idmap_fini(struct lustre_idmap_table *t);
-
/** @} idmap */
#endif
rq_bulk_write:1, /* request bulk write */
/* server authentication flags */
rq_auth_gss:1, /* authenticated by gss */
- rq_auth_remote:1, /* authed as remote user */
rq_auth_usr_root:1, /* authed as root */
rq_auth_usr_mdt:1, /* authed as mdt */
rq_auth_usr_ost:1, /* authed as ost */
extern struct req_format RQF_MDS_READPAGE;
extern struct req_format RQF_MDS_REINT;
extern struct req_format RQF_MDS_REINT_CREATE;
-extern struct req_format RQF_MDS_REINT_CREATE_RMT_ACL;
+extern struct req_format RQF_MDS_REINT_CREATE_ACL;
extern struct req_format RQF_MDS_REINT_CREATE_SLAVE;
extern struct req_format RQF_MDS_REINT_CREATE_SYM;
extern struct req_format RQF_MDS_REINT_OPEN;
void lustre_swab_generic_32s(__u32 *val);
void lustre_swab_mdt_body(struct mdt_body *b);
void lustre_swab_mdt_ioepoch(struct mdt_ioepoch *b);
-void lustre_swab_mdt_remote_perm(struct mdt_remote_perm *p);
void lustre_swab_mdt_rec_setattr(struct mdt_rec_setattr *sa);
void lustre_swab_mdt_rec_reint(struct mdt_rec_reint *rr);
void lustre_swab_lmv_desc(struct lmv_desc *ld);
#ifdef CONFIG_FS_POSIX_ACL
struct posix_acl *posix_acl;
#endif
- struct mdt_remote_perm *remote_perm;
};
struct md_open_data {
union ldlm_policy_data *, enum ldlm_mode,
enum ldlm_cancel_flags flags, void *opaque);
- int (*m_get_remote_perm)(struct obd_export *, const struct lu_fid *,
- u32, struct ptlrpc_request **);
-
int (*m_get_fid_from_lsm)(struct obd_export *,
const struct lmv_stripe_md *,
const char *name, int namelen,
RETURN(MDP(exp->exp_obd, init_ea_size)(exp, ea_size, def_ea_size));
}
-static inline int md_get_remote_perm(struct obd_export *exp,
- const struct lu_fid *fid, u32 suppgid,
- struct ptlrpc_request **request)
-{
- ENTRY;
- EXP_CHECK_MD_OP(exp, get_remote_perm);
- EXP_MD_COUNTER_INCREMENT(exp, get_remote_perm);
-
- RETURN(MDP(exp->exp_obd, get_remote_perm)(exp, fid, suppgid, request));
-}
-
static inline int md_intent_getattr_async(struct obd_export *exp,
struct md_enqueue_info *minfo)
{
@LLITE_LLOOP_TRUE@MODULES += llite_lloop
lustre-objs := dcache.o dir.o file.o llite_lib.o llite_nfs.o
lustre-objs += rw.o lproc_llite.o namei.o symlink.o llite_mmap.o
-lustre-objs += xattr.o xattr_cache.o remote_perm.o llite_rmtacl.o
+lustre-objs += xattr.o xattr_cache.o
lustre-objs += rw26.o super25.o statahead.o xattr_security.o
lustre-objs += glimpse.o
lustre-objs += lcommon_cl.o
switch (cmd) {
case Q_SETQUOTA:
case Q_SETINFO:
- if (!cfs_capable(CFS_CAP_SYS_ADMIN) ||
- sbi->ll_flags & LL_SBI_RMT_CLIENT)
- RETURN(-EPERM);
- break;
+ if (!cfs_capable(CFS_CAP_SYS_ADMIN))
+ RETURN(-EPERM);
+ break;
case Q_GETQUOTA:
if (((type == USRQUOTA &&
!uid_eq(current_euid(), make_kuid(&init_user_ns, id))) ||
(type == GRPQUOTA &&
!in_egroup_p(make_kgid(&init_user_ns, id)))) &&
- (!cfs_capable(CFS_CAP_SYS_ADMIN) ||
- sbi->ll_flags & LL_SBI_RMT_CLIENT))
+ (!cfs_capable(CFS_CAP_SYS_ADMIN)))
RETURN(-EPERM);
break;
case Q_GETINFO:
}
if (valid != QC_GENERAL) {
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- RETURN(-EOPNOTSUPP);
-
if (cmd == Q_GETINFO)
qctl->qc_cmd = Q_GETOINFO;
else if (cmd == Q_GETQUOTA)
RETURN(ll_get_obd_name(inode, cmd, arg));
case LL_IOC_FLUSHCTX:
RETURN(ll_flush_ctx(inode));
-#ifdef CONFIG_FS_POSIX_ACL
- case LL_IOC_RMTACL: {
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT &&
- inode == inode->i_sb->s_root->d_inode) {
- struct ll_file_data *fd = LUSTRE_FPRIVATE(file);
-
- LASSERT(fd != NULL);
- rc = rct_add(&sbi->ll_rct, current_pid(), arg);
- if (!rc)
- fd->fd_flags |= LL_FILE_RMTACL;
- RETURN(rc);
- } else
- RETURN(0);
- }
-#endif
case LL_IOC_GETOBDCOUNT: {
u32 count, vallen;
struct obd_export *exp;
CDEBUG(D_VFSTRACE, "VFS Op:inode="DFID"(%p)\n",
PFID(ll_inode2fid(inode)), inode);
-#ifdef CONFIG_FS_POSIX_ACL
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT &&
- inode == inode->i_sb->s_root->d_inode) {
- struct ll_file_data *fd = LUSTRE_FPRIVATE(file);
-
- LASSERT(fd != NULL);
- if (unlikely(fd->fd_flags & LL_FILE_RMTACL)) {
- fd->fd_flags &= ~LL_FILE_RMTACL;
- rct_del(&sbi->ll_rct, current_pid());
- et_search_free(&sbi->ll_et, current_pid());
- }
- }
-#endif
-
if (inode->i_sb->s_root != file->f_path.dentry)
ll_stats_ops_tally(sbi, LPROC_LL_RELEASE, 1);
fd = LUSTRE_FPRIVATE(file);
}
ll_stats_ops_tally(sbi, LPROC_LL_INODE_PERM, 1);
-
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- rc = lustre_check_remote_perm(inode, mask);
- else
- rc = ll_generic_permission(inode, mask, flags, ll_check_acl);
-
+ rc = ll_generic_permission(inode, mask, flags, ll_check_acl);
/* restore current process's credentials and FS capability */
if (squash_id) {
revert_creds(old_cred);
#define LLI_INODE_MAGIC 0x111d0de5
#define LLI_INODE_DEAD 0xdeadd00d
-/* remote client permission cache */
-#define REMOTE_PERM_HASHSIZE 16
-
struct ll_getname_data {
#ifdef HAVE_DIR_CONTEXT
struct dir_context ctx;
int lgd_found; /* inode matched? */
};
-/* llite setxid/access permission for user on remote client */
-struct ll_remote_perm {
- struct hlist_node lrp_list;
- uid_t lrp_uid;
- gid_t lrp_gid;
- uid_t lrp_fsuid;
- gid_t lrp_fsgid;
- int lrp_access_perm; /* MAY_READ/WRITE/EXEC, this
- is access permission with
- lrp_fsuid/lrp_fsgid. */
-};
-
struct ll_grouplock {
struct lu_env *lg_env;
struct cl_io *lg_io;
volatile unsigned long lli_flags;
struct posix_acl *lli_posix_acl;
- struct hlist_head *lli_remote_perms;
- struct mutex lli_rmtperm_mutex;
-
/* identifying fields for both metadata and data stacks. */
struct lu_fid lli_fid;
/* master inode fid for stripe directory */
/* open count currently used by capability only, indicate whether
* capability needs renewal */
atomic_t lli_open_count;
- cfs_time_t lli_rmtperm_time;
/* We need all three because every inode may be opened in different
* modes */
#define LL_SBI_FLOCK 0x04
#define LL_SBI_USER_XATTR 0x08 /* support user xattr */
#define LL_SBI_ACL 0x10 /* support ACL */
-#define LL_SBI_RMT_CLIENT 0x40 /* remote client */
+/* LL_SBI_RMT_CLIENT 0x40 remote client */
#define LL_SBI_MDS_CAPA 0x80 /* support mds capa, obsolete */
#define LL_SBI_OSS_CAPA 0x100 /* support oss capa, obsolete */
#define LL_SBI_LOCALFLOCK 0x200 /* Local flocks support by kernel */
"user_xattr", \
"acl", \
"???", \
- "rmt_client", \
+ "???", \
"mds_capa", \
"oss_capa", \
"flock", \
"fast_read", \
}
-#define RCE_HASHES 32
-
-struct rmtacl_ctl_entry {
- struct list_head rce_list;
- pid_t rce_key; /* hash key */
- int rce_ops; /* acl operation type */
-};
-
-struct rmtacl_ctl_table {
- spinlock_t rct_lock;
- struct list_head rct_entries[RCE_HASHES];
-};
-
-#define EE_HASHES 32
-
-struct eacl_entry {
- struct list_head ee_list;
- pid_t ee_key; /* hash key */
- struct lu_fid ee_fid;
- int ee_type; /* ACL type for ACCESS or DEFAULT */
- ext_acl_xattr_header *ee_acl;
-};
-
-struct eacl_table {
- spinlock_t et_lock;
- struct list_head et_entries[EE_HASHES];
-};
-
-
/* This is embedded into llite super-blocks to keep track of connect
* flags (capabilities) supported by all imports given mount is
* connected to. */
dev_t ll_sdev_orig; /* save s_dev before assign for
* clustred nfs */
- struct rmtacl_ctl_table ll_rct;
- struct eacl_table ll_et;
-
/* root squash */
struct root_squash_info ll_squash;
};
ssize_t ll_listxattr(struct dentry *dentry, char *buffer, size_t size);
int ll_removexattr(struct dentry *dentry, const char *name);
-/* llite/remote_perm.c */
-extern struct kmem_cache *ll_remote_perm_cachep;
-extern struct kmem_cache *ll_rmtperm_hash_cachep;
-
-void free_rmtperm_hash(struct hlist_head *hash);
-int ll_update_remote_perm(struct inode *inode, struct mdt_remote_perm *perm);
-int lustre_check_remote_perm(struct inode *inode, int mask);
-
/**
* Common IO arguments for various VFS I/O interfaces.
*/
void ll_ra_count_put(struct ll_sb_info *sbi, unsigned long len);
void ll_ra_stats_inc(struct inode *inode, enum ra_stat which);
-/* llite/llite_rmtacl.c */
-#ifdef CONFIG_FS_POSIX_ACL
-u64 rce_ops2valid(int ops);
-struct rmtacl_ctl_entry *rct_search(struct rmtacl_ctl_table *rct, pid_t key);
-int rct_add(struct rmtacl_ctl_table *rct, pid_t key, int ops);
-int rct_del(struct rmtacl_ctl_table *rct, pid_t key);
-void rct_init(struct rmtacl_ctl_table *rct);
-void rct_fini(struct rmtacl_ctl_table *rct);
-
-void ee_free(struct eacl_entry *ee);
-int ee_add(struct eacl_table *et, pid_t key, struct lu_fid *fid, int type,
- ext_acl_xattr_header *header);
-struct eacl_entry *et_search_del(struct eacl_table *et, pid_t key,
- struct lu_fid *fid, int type);
-void et_search_free(struct eacl_table *et, pid_t key);
-void et_init(struct eacl_table *et);
-void et_fini(struct eacl_table *et);
-#endif
-
/* statahead.c */
#define LL_SA_RPC_MIN 2
OBD_CONNECT_MDS_CAPA | OBD_CONNECT_OSS_CAPA |
OBD_CONNECT_CANCELSET | OBD_CONNECT_FID |
OBD_CONNECT_AT | OBD_CONNECT_LOV_V3 |
- OBD_CONNECT_RMT_CLIENT | OBD_CONNECT_VBR |
- OBD_CONNECT_FULL20 | OBD_CONNECT_64BITHASH|
+ OBD_CONNECT_VBR | OBD_CONNECT_FULL20 |
+ OBD_CONNECT_64BITHASH |
OBD_CONNECT_EINPROGRESS |
OBD_CONNECT_JOBSTATS | OBD_CONNECT_LVB_TYPE |
- OBD_CONNECT_LAYOUTLOCK | OBD_CONNECT_PINGLESS |
+ OBD_CONNECT_LAYOUTLOCK | OBD_CONNECT_PINGLESS|
OBD_CONNECT_MAX_EASIZE |
OBD_CONNECT_FLOCK_DEAD |
OBD_CONNECT_DISP_STRIPE | OBD_CONNECT_LFSCK |
/* real client */
data->ocd_connect_flags |= OBD_CONNECT_REAL;
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- data->ocd_connect_flags |= OBD_CONNECT_RMT_CLIENT_FORCE;
/* always ping even if server suppress_pings */
if (sbi->ll_flags & LL_SBI_ALWAYS_PING)
sbi->ll_flags &= ~LL_SBI_ACL;
}
- if (data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT) {
- if (!(sbi->ll_flags & LL_SBI_RMT_CLIENT)) {
- sbi->ll_flags |= LL_SBI_RMT_CLIENT;
- LCONSOLE_INFO("client is set as remote by default.\n");
- }
- } else {
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT) {
- sbi->ll_flags &= ~LL_SBI_RMT_CLIENT;
- LCONSOLE_INFO("client claims to be remote, but server "
- "rejected, forced to be local.\n");
- }
- }
-
if (data->ocd_connect_flags & OBD_CONNECT_64BITHASH)
sbi->ll_flags |= LL_SBI_64BIT_HASH;
* back its backend blocksize for grant calculation purpose */
data->ocd_grant_blkbits = PAGE_SHIFT;
- data->ocd_connect_flags = OBD_CONNECT_GRANT | OBD_CONNECT_VERSION |
+ data->ocd_connect_flags = OBD_CONNECT_GRANT | OBD_CONNECT_VERSION |
OBD_CONNECT_REQPORTAL | OBD_CONNECT_BRW_SIZE |
- OBD_CONNECT_CANCELSET | OBD_CONNECT_FID |
- OBD_CONNECT_SRVLOCK | OBD_CONNECT_TRUNCLOCK|
- OBD_CONNECT_AT | OBD_CONNECT_RMT_CLIENT |
- OBD_CONNECT_OSS_CAPA | OBD_CONNECT_VBR|
- OBD_CONNECT_FULL20 | OBD_CONNECT_64BITHASH |
- OBD_CONNECT_MAXBYTES |
+ OBD_CONNECT_CANCELSET | OBD_CONNECT_FID |
+ OBD_CONNECT_SRVLOCK | OBD_CONNECT_TRUNCLOCK|
+ OBD_CONNECT_AT | OBD_CONNECT_OSS_CAPA |
+ OBD_CONNECT_VBR | OBD_CONNECT_FULL20 |
+ OBD_CONNECT_64BITHASH | OBD_CONNECT_MAXBYTES |
OBD_CONNECT_EINPROGRESS |
OBD_CONNECT_JOBSTATS | OBD_CONNECT_LVB_TYPE |
OBD_CONNECT_LAYOUTLOCK |
#ifdef HAVE_LRU_RESIZE_SUPPORT
data->ocd_connect_flags |= OBD_CONNECT_LRU_RESIZE;
#endif
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- data->ocd_connect_flags |= OBD_CONNECT_RMT_CLIENT_FORCE;
-
/* always ping even if server suppress_pings */
if (sbi->ll_flags & LL_SBI_ALWAYS_PING)
data->ocd_connect_flags &= ~OBD_CONNECT_PINGLESS;
/* make root inode
* XXX: move this to after cbd setup? */
valid = OBD_MD_FLGETATTR | OBD_MD_FLBLOCKS | OBD_MD_FLMODEASIZE;
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- valid |= OBD_MD_FLRMTPERM;
- else if (sbi->ll_flags & LL_SBI_ACL)
+ if (sbi->ll_flags & LL_SBI_ACL)
valid |= OBD_MD_FLACL;
OBD_ALLOC_PTR(op_data);
GOTO(out_root, err);
}
-#ifdef CONFIG_FS_POSIX_ACL
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT) {
- rct_init(&sbi->ll_rct);
- et_init(&sbi->ll_et);
- }
-#endif
-
checksum = sbi->ll_flags & LL_SBI_CHECKSUM;
err = obd_set_info_async(NULL, sbi->ll_dt_exp, sizeof(KEY_CHECKSUM),
KEY_CHECKSUM, sizeof(checksum), &checksum,
struct ll_sb_info *sbi = ll_s2sbi(sb);
ENTRY;
-#ifdef CONFIG_FS_POSIX_ACL
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT) {
- et_fini(&sbi->ll_et);
- rct_fini(&sbi->ll_rct);
- }
-#endif
-
cl_sb_fini(sb);
obd_fid_fini(sbi->ll_dt_exp->exp_obd);
tmp = ll_set_opt("rootcontext", s1, 1);
if (tmp)
goto next;
- tmp = ll_set_opt("remote_client", s1, LL_SBI_RMT_CLIENT);
- if (tmp) {
- *flags |= tmp;
- goto next;
- }
tmp = ll_set_opt("user_fid2path", s1, LL_SBI_USER_FID2PATH);
if (tmp) {
*flags |= tmp;
lli->lli_flags = 0;
spin_lock_init(&lli->lli_lock);
lli->lli_posix_acl = NULL;
- lli->lli_remote_perms = NULL;
- mutex_init(&lli->lli_rmtperm_mutex);
/* Do not set lli_fid, it has been initialized already. */
fid_zero(&lli->lli_pfid);
atomic_set(&lli->lli_open_count, 0);
- lli->lli_rmtperm_time = 0;
lli->lli_mds_read_och = NULL;
lli->lli_mds_write_och = NULL;
lli->lli_mds_exec_och = NULL;
ll_xattr_cache_destroy(inode);
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT) {
- LASSERT(lli->lli_posix_acl == NULL);
- if (lli->lli_remote_perms) {
- free_rmtperm_hash(lli->lli_remote_perms);
- lli->lli_remote_perms = NULL;
- }
- }
#ifdef CONFIG_FS_POSIX_ACL
- else if (lli->lli_posix_acl) {
+ if (lli->lli_posix_acl) {
LASSERT(atomic_read(&lli->lli_posix_acl->a_refcount) == 1);
- LASSERT(lli->lli_remote_perms == NULL);
posix_acl_release(lli->lli_posix_acl);
lli->lli_posix_acl = NULL;
}
return rc;
}
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT) {
- if (body->mbo_valid & OBD_MD_FLRMTPERM)
- ll_update_remote_perm(inode, md->remote_perm);
- }
#ifdef CONFIG_FS_POSIX_ACL
- else if (body->mbo_valid & OBD_MD_FLACL) {
+ if (body->mbo_valid & OBD_MD_FLACL) {
spin_lock(&lli->lli_lock);
if (lli->lli_posix_acl)
posix_acl_release(lli->lli_posix_acl);
+++ /dev/null
-/*
- * GPL HEADER START
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 only,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License version 2 for more details (a copy is included
- * in the LICENSE file that accompanied this code).
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- *
- * GPL HEADER END
- */
-/*
- * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
- * Use is subject to license terms.
- *
- * Copyright (c) 2012, 2014, Intel Corporation.
- */
-/*
- * This file is part of Lustre, http://www.lustre.org/
- * Lustre is a trademark of Sun Microsystems, Inc.
- *
- * lustre/llite/llite_rmtacl.c
- *
- * Lustre Remote User Access Control List.
- *
- * Author: Fan Yong <fanyong@clusterfs.com>
- */
-
-#define DEBUG_SUBSYSTEM S_LLITE
-
-#ifdef CONFIG_FS_POSIX_ACL
-
-#include <lustre_eacl.h>
-#include "llite_internal.h"
-
-static inline __u32 rce_hashfunc(uid_t id)
-{
- return id & (RCE_HASHES - 1);
-}
-
-static inline __u32 ee_hashfunc(uid_t id)
-{
- return id & (EE_HASHES - 1);
-}
-
-u64 rce_ops2valid(int ops)
-{
- switch (ops) {
- case RMT_LSETFACL:
- return OBD_MD_FLRMTLSETFACL;
- case RMT_LGETFACL:
- return OBD_MD_FLRMTLGETFACL;
- case RMT_RSETFACL:
- return OBD_MD_FLRMTRSETFACL;
- case RMT_RGETFACL:
- return OBD_MD_FLRMTRGETFACL;
- default:
- return 0;
- }
-}
-
-static struct rmtacl_ctl_entry *rce_alloc(pid_t key, int ops)
-{
- struct rmtacl_ctl_entry *rce;
-
- OBD_ALLOC_PTR(rce);
- if (!rce)
- return NULL;
-
- INIT_LIST_HEAD(&rce->rce_list);
- rce->rce_key = key;
- rce->rce_ops = ops;
-
- return rce;
-}
-
-static void rce_free(struct rmtacl_ctl_entry *rce)
-{
- if (!list_empty(&rce->rce_list))
- list_del(&rce->rce_list);
-
- OBD_FREE_PTR(rce);
-}
-
-static struct rmtacl_ctl_entry *__rct_search(struct rmtacl_ctl_table *rct,
- pid_t key)
-{
- struct rmtacl_ctl_entry *rce;
- struct list_head *head = &rct->rct_entries[rce_hashfunc(key)];
-
- list_for_each_entry(rce, head, rce_list)
- if (rce->rce_key == key)
- return rce;
-
- return NULL;
-}
-
-struct rmtacl_ctl_entry *rct_search(struct rmtacl_ctl_table *rct, pid_t key)
-{
- struct rmtacl_ctl_entry *rce;
-
- spin_lock(&rct->rct_lock);
- rce = __rct_search(rct, key);
- spin_unlock(&rct->rct_lock);
- return rce;
-}
-
-int rct_add(struct rmtacl_ctl_table *rct, pid_t key, int ops)
-{
- struct rmtacl_ctl_entry *rce, *e;
-
- rce = rce_alloc(key, ops);
- if (rce == NULL)
- return -ENOMEM;
-
- spin_lock(&rct->rct_lock);
- e = __rct_search(rct, key);
- if (unlikely(e != NULL)) {
- CWARN("Unexpected stale rmtacl_entry found: "
- "[key: %d] [ops: %d]\n", (int)key, ops);
- rce_free(e);
- }
- list_add_tail(&rce->rce_list, &rct->rct_entries[rce_hashfunc(key)]);
- spin_unlock(&rct->rct_lock);
-
- return 0;
-}
-
-int rct_del(struct rmtacl_ctl_table *rct, pid_t key)
-{
- struct rmtacl_ctl_entry *rce;
-
- spin_lock(&rct->rct_lock);
- rce = __rct_search(rct, key);
- if (rce)
- rce_free(rce);
- spin_unlock(&rct->rct_lock);
-
- return rce ? 0 : -ENOENT;
-}
-
-void rct_init(struct rmtacl_ctl_table *rct)
-{
- int i;
-
- spin_lock_init(&rct->rct_lock);
- for (i = 0; i < RCE_HASHES; i++)
- INIT_LIST_HEAD(&rct->rct_entries[i]);
-}
-
-void rct_fini(struct rmtacl_ctl_table *rct)
-{
- struct rmtacl_ctl_entry *rce;
- int i;
-
- spin_lock(&rct->rct_lock);
- for (i = 0; i < RCE_HASHES; i++)
- while (!list_empty(&rct->rct_entries[i])) {
- rce = list_entry(rct->rct_entries[i].next,
- struct rmtacl_ctl_entry, rce_list);
- rce_free(rce);
- }
- spin_unlock(&rct->rct_lock);
-}
-
-
-static struct eacl_entry *ee_alloc(pid_t key, struct lu_fid *fid, int type,
- ext_acl_xattr_header *header)
-{
- struct eacl_entry *ee;
-
- OBD_ALLOC_PTR(ee);
- if (!ee)
- return NULL;
-
- INIT_LIST_HEAD(&ee->ee_list);
- ee->ee_key = key;
- ee->ee_fid = *fid;
- ee->ee_type = type;
- ee->ee_acl = header;
-
- return ee;
-}
-
-void ee_free(struct eacl_entry *ee)
-{
- if (!list_empty(&ee->ee_list))
- list_del(&ee->ee_list);
-
- if (ee->ee_acl)
- lustre_ext_acl_xattr_free(ee->ee_acl);
-
- OBD_FREE_PTR(ee);
-}
-
-static struct eacl_entry *__et_search_del(struct eacl_table *et, pid_t key,
- struct lu_fid *fid, int type)
-{
- struct eacl_entry *ee;
- struct list_head *head = &et->et_entries[ee_hashfunc(key)];
-
- LASSERT(fid != NULL);
- list_for_each_entry(ee, head, ee_list)
- if (ee->ee_key == key) {
- if (lu_fid_eq(&ee->ee_fid, fid) &&
- ee->ee_type == type) {
- list_del_init(&ee->ee_list);
- return ee;
- }
- }
-
- return NULL;
-}
-
-struct eacl_entry *et_search_del(struct eacl_table *et, pid_t key,
- struct lu_fid *fid, int type)
-{
- struct eacl_entry *ee;
-
- spin_lock(&et->et_lock);
- ee = __et_search_del(et, key, fid, type);
- spin_unlock(&et->et_lock);
- return ee;
-}
-
-void et_search_free(struct eacl_table *et, pid_t key)
-{
- struct eacl_entry *ee, *next;
- struct list_head *head = &et->et_entries[ee_hashfunc(key)];
-
- spin_lock(&et->et_lock);
- list_for_each_entry_safe(ee, next, head, ee_list)
- if (ee->ee_key == key)
- ee_free(ee);
-
- spin_unlock(&et->et_lock);
-}
-
-int ee_add(struct eacl_table *et, pid_t key, struct lu_fid *fid, int type,
- ext_acl_xattr_header *header)
-{
- struct eacl_entry *ee, *e;
-
- ee = ee_alloc(key, fid, type, header);
- if (ee == NULL)
- return -ENOMEM;
-
- spin_lock(&et->et_lock);
- e = __et_search_del(et, key, fid, type);
- if (unlikely(e != NULL)) {
- CWARN("Unexpected stale eacl_entry found: "
- "[key: %d] [fid: "DFID"] [type: %d]\n",
- (int)key, PFID(fid), type);
- ee_free(e);
- }
- list_add_tail(&ee->ee_list, &et->et_entries[ee_hashfunc(key)]);
- spin_unlock(&et->et_lock);
-
- return 0;
-}
-
-void et_init(struct eacl_table *et)
-{
- int i;
-
- spin_lock_init(&et->et_lock);
- for (i = 0; i < EE_HASHES; i++)
- INIT_LIST_HEAD(&et->et_entries[i]);
-}
-
-void et_fini(struct eacl_table *et)
-{
- struct eacl_entry *ee;
- int i;
-
- spin_lock(&et->et_lock);
- for (i = 0; i < EE_HASHES; i++)
- while (!list_empty(&et->et_entries[i])) {
- ee = list_entry(et->et_entries[i].next,
- struct eacl_entry, ee_list);
- ee_free(ee);
- }
- spin_unlock(&et->et_lock);
-}
-
-#endif
LASSERT(sbi != NULL);
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT)
- seq_puts(m, "remote client\n");
- else
- seq_puts(m, "local client\n");
+ seq_puts(m, "local client\n");
return 0;
}
LPROC_SEQ_FOPS_RO(ll_client_type);
+++ /dev/null
-/*
- * GPL HEADER START
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 only,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License version 2 for more details (a copy is included
- * in the LICENSE file that accompanied this code).
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- *
- * GPL HEADER END
- */
-/*
- * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Use is subject to license terms.
- *
- * Copyright (c) 2012, 2014, Intel Corporation.
- */
-/*
- * This file is part of Lustre, http://www.lustre.org/
- * Lustre is a trademark of Sun Microsystems, Inc.
- *
- * lustre/llite/remote_perm.c
- *
- * Lustre Permission Cache for Remote Client
- *
- * Author: Lai Siyao <lsy@clusterfs.com>
- * Author: Fan Yong <fanyong@clusterfs.com>
- */
-
-#define DEBUG_SUBSYSTEM S_LLITE
-
-#include <linux/module.h>
-#include <linux/types.h>
-#include <linux/version.h>
-#include <linux/user_namespace.h>
-#ifdef HAVE_UIDGID_HEADER
-# include <linux/uidgid.h>
-#endif
-
-#include <lustre_dlm.h>
-#include <lustre_ha.h>
-#include <lustre_param.h>
-#include <lustre_swab.h>
-#include <lprocfs_status.h>
-#include <lustre_disk.h>
-
-#include "llite_internal.h"
-
-struct kmem_cache *ll_remote_perm_cachep;
-struct kmem_cache *ll_rmtperm_hash_cachep;
-
-static inline struct ll_remote_perm *alloc_ll_remote_perm(void)
-{
- struct ll_remote_perm *lrp;
-
- OBD_SLAB_ALLOC_PTR_GFP(lrp, ll_remote_perm_cachep, GFP_KERNEL);
- if (lrp)
- INIT_HLIST_NODE(&lrp->lrp_list);
- return lrp;
-}
-
-static inline void free_ll_remote_perm(struct ll_remote_perm *lrp)
-{
- if (!lrp)
- return;
-
- if (!hlist_unhashed(&lrp->lrp_list))
- hlist_del(&lrp->lrp_list);
- OBD_SLAB_FREE(lrp, ll_remote_perm_cachep, sizeof(*lrp));
-}
-
-static struct hlist_head *alloc_rmtperm_hash(void)
-{
- struct hlist_head *hash;
- int i;
-
- OBD_SLAB_ALLOC_GFP(hash, ll_rmtperm_hash_cachep,
- REMOTE_PERM_HASHSIZE * sizeof(*hash),
- GFP_NOFS);
- if (!hash)
- return NULL;
-
- for (i = 0; i < REMOTE_PERM_HASHSIZE; i++)
- INIT_HLIST_HEAD(hash + i);
-
- return hash;
-}
-
-void free_rmtperm_hash(struct hlist_head *hash)
-{
- int i;
- struct ll_remote_perm *lrp;
- struct hlist_node __maybe_unused *node;
- struct hlist_node *next;
-
- if(!hash)
- return;
-
- for (i = 0; i < REMOTE_PERM_HASHSIZE; i++)
- cfs_hlist_for_each_entry_safe(lrp, node, next, hash + i,
- lrp_list)
- free_ll_remote_perm(lrp);
- OBD_SLAB_FREE(hash, ll_rmtperm_hash_cachep,
- REMOTE_PERM_HASHSIZE * sizeof(*hash));
-}
-
-static inline int remote_perm_hashfunc(uid_t uid)
-{
- return uid & (REMOTE_PERM_HASHSIZE - 1);
-}
-
-/* NB: setxid permission is not checked here, instead it's done on
- * MDT when client get remote permission. */
-static int do_check_remote_perm(struct ll_inode_info *lli, int mask)
-{
- struct hlist_head *head;
- struct ll_remote_perm *lrp;
- struct hlist_node __maybe_unused *node;
- int found = 0, rc;
- ENTRY;
-
- if (!lli->lli_remote_perms)
- RETURN(-ENOENT);
-
- head = lli->lli_remote_perms +
- remote_perm_hashfunc(from_kuid(&init_user_ns, current_uid()));
-
- spin_lock(&lli->lli_lock);
- cfs_hlist_for_each_entry(lrp, node, head, lrp_list) {
- if (lrp->lrp_uid != from_kuid(&init_user_ns, current_uid()))
- continue;
- if (lrp->lrp_gid != from_kgid(&init_user_ns, current_gid()))
- continue;
- if (lrp->lrp_fsuid != from_kuid(&init_user_ns, current_fsuid()))
- continue;
- if (lrp->lrp_fsgid != from_kgid(&init_user_ns, current_fsgid()))
- continue;
- found = 1;
- break;
- }
-
- if (!found)
- GOTO(out, rc = -ENOENT);
-
- CDEBUG(D_SEC, "found remote perm: %u/%u/%u/%u - %#x\n",
- lrp->lrp_uid, lrp->lrp_gid, lrp->lrp_fsuid, lrp->lrp_fsgid,
- lrp->lrp_access_perm);
- rc = ((lrp->lrp_access_perm & mask) == mask) ? 0 : -EACCES;
-
-out:
- spin_unlock(&lli->lli_lock);
- return rc;
-}
-
-int ll_update_remote_perm(struct inode *inode, struct mdt_remote_perm *perm)
-{
- struct ll_inode_info *lli = ll_i2info(inode);
- struct ll_remote_perm *lrp = NULL, *tmp = NULL;
- struct hlist_head *head, *perm_hash = NULL;
- struct hlist_node __maybe_unused *node;
- ENTRY;
-
- LASSERT(ll_i2sbi(inode)->ll_flags & LL_SBI_RMT_CLIENT);
-
-#if 0
- if (perm->rp_uid != current->uid ||
- perm->rp_gid != current->gid ||
- perm->rp_fsuid != current->fsuid ||
- perm->rp_fsgid != current->fsgid) {
- /* user might setxid in this small period */
- CDEBUG(D_SEC,
- "remote perm user %u/%u/%u/%u != current %u/%u/%u/%u\n",
- perm->rp_uid, perm->rp_gid, perm->rp_fsuid,
- perm->rp_fsgid, current->uid, current->gid,
- current->fsuid, current->fsgid);
- RETURN(-EAGAIN);
- }
-#endif
-
- if (!lli->lli_remote_perms) {
- perm_hash = alloc_rmtperm_hash();
- if (perm_hash == NULL) {
- CERROR("alloc lli_remote_perms failed!\n");
- RETURN(-ENOMEM);
- }
- }
-
- spin_lock(&lli->lli_lock);
-
- if (!lli->lli_remote_perms)
- lli->lli_remote_perms = perm_hash;
- else if (perm_hash)
- free_rmtperm_hash(perm_hash);
-
- head = lli->lli_remote_perms + remote_perm_hashfunc(perm->rp_uid);
-
-again:
- cfs_hlist_for_each_entry(tmp, node, head, lrp_list) {
- if (tmp->lrp_uid != perm->rp_uid)
- continue;
- if (tmp->lrp_gid != perm->rp_gid)
- continue;
- if (tmp->lrp_fsuid != perm->rp_fsuid)
- continue;
- if (tmp->lrp_fsgid != perm->rp_fsgid)
- continue;
- if (lrp)
- free_ll_remote_perm(lrp);
- lrp = tmp;
- break;
- }
-
- if (!lrp) {
- spin_unlock(&lli->lli_lock);
- lrp = alloc_ll_remote_perm();
- if (!lrp) {
- CERROR("alloc memory for ll_remote_perm failed!\n");
- RETURN(-ENOMEM);
- }
- spin_lock(&lli->lli_lock);
- goto again;
- }
-
- lrp->lrp_access_perm = perm->rp_access_perm;
- if (lrp != tmp) {
- lrp->lrp_uid = perm->rp_uid;
- lrp->lrp_gid = perm->rp_gid;
- lrp->lrp_fsuid = perm->rp_fsuid;
- lrp->lrp_fsgid = perm->rp_fsgid;
- hlist_add_head(&lrp->lrp_list, head);
- }
- lli->lli_rmtperm_time = cfs_time_current();
- spin_unlock(&lli->lli_lock);
-
- CDEBUG(D_SEC, "new remote perm@%p: %u/%u/%u/%u - %#x\n",
- lrp, lrp->lrp_uid, lrp->lrp_gid, lrp->lrp_fsuid, lrp->lrp_fsgid,
- lrp->lrp_access_perm);
-
- RETURN(0);
-}
-
-int lustre_check_remote_perm(struct inode *inode, int mask)
-{
- struct ll_inode_info *lli = ll_i2info(inode);
- struct ll_sb_info *sbi = ll_i2sbi(inode);
- struct ptlrpc_request *req = NULL;
- struct mdt_remote_perm *perm;
- cfs_time_t save;
- int i = 0, rc;
- ENTRY;
-
- do {
- save = lli->lli_rmtperm_time;
- rc = do_check_remote_perm(lli, mask);
- if (!rc || (rc != -ENOENT && i))
- break;
-
- might_sleep();
-
- mutex_lock(&lli->lli_rmtperm_mutex);
- /* check again */
- if (save != lli->lli_rmtperm_time) {
- rc = do_check_remote_perm(lli, mask);
- if (!rc || (rc != -ENOENT && i)) {
- mutex_unlock(&lli->lli_rmtperm_mutex);
- break;
- }
- }
-
- if (i++ > 5) {
- CERROR("check remote perm falls in dead loop!\n");
- LBUG();
- }
-
- rc = md_get_remote_perm(sbi->ll_md_exp, ll_inode2fid(inode),
- ll_i2suppgid(inode), &req);
- if (rc) {
- mutex_unlock(&lli->lli_rmtperm_mutex);
- break;
- }
-
- perm = req_capsule_server_swab_get(&req->rq_pill, &RMF_ACL,
- lustre_swab_mdt_remote_perm);
- if (unlikely(perm == NULL)) {
- mutex_unlock(&lli->lli_rmtperm_mutex);
- rc = -EPROTO;
- break;
- }
-
- rc = ll_update_remote_perm(inode, perm);
- mutex_unlock(&lli->lli_rmtperm_mutex);
- if (rc == -ENOMEM)
- break;
-
- ptlrpc_req_finished(req);
- req = NULL;
- } while (1);
- ptlrpc_req_finished(req);
- RETURN(rc);
-}
if (ll_file_data_slab == NULL)
GOTO(out_cache, rc = -ENOMEM);
- ll_remote_perm_cachep = kmem_cache_create("ll_remote_perm_cache",
- sizeof(struct ll_remote_perm),
- 0, 0, NULL);
- if (ll_remote_perm_cachep == NULL)
- GOTO(out_cache, rc = -ENOMEM);
-
- ll_rmtperm_hash_cachep = kmem_cache_create("ll_rmtperm_hash_cache",
- REMOTE_PERM_HASHSIZE *
- sizeof(struct hlist_head),
- 0, 0, NULL);
- if (ll_rmtperm_hash_cachep == NULL)
- GOTO(out_cache, rc = -ENOMEM);
-
entry = lprocfs_register("llite", proc_lustre_root, NULL, NULL);
if (IS_ERR(entry)) {
rc = PTR_ERR(entry);
if (ll_file_data_slab != NULL)
kmem_cache_destroy(ll_file_data_slab);
- if (ll_remote_perm_cachep != NULL)
- kmem_cache_destroy(ll_remote_perm_cachep);
-
- if (ll_rmtperm_hash_cachep != NULL)
- kmem_cache_destroy(ll_rmtperm_hash_cachep);
-
return rc;
}
vvp_global_fini();
kmem_cache_destroy(ll_inode_cachep);
- kmem_cache_destroy(ll_rmtperm_hash_cachep);
- kmem_cache_destroy(ll_remote_perm_cachep);
kmem_cache_destroy(ll_file_data_slab);
}
struct ll_sb_info *sbi = ll_i2sbi(inode);
struct ptlrpc_request *req = NULL;
int xattr_type, rc;
- posix_acl_xattr_header *new_value = NULL;
- struct rmtacl_ctl_entry *rce = NULL;
- ext_acl_xattr_header *acl = NULL;
const char *pv = value;
ENTRY;
#endif
return -EPERM;
- /* b10667: ignore lustre special xattr for now */
+ /* b10667: ignore lustre special xattr for now */
if (strcmp(name, XATTR_NAME_HSM) == 0 ||
(xattr_type == XATTR_TRUSTED_T &&
strcmp(name, XATTR_NAME_LOV) == 0) ||
strcmp(name, "security.selinux") == 0)
RETURN(-EOPNOTSUPP);
-#ifdef CONFIG_FS_POSIX_ACL
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT &&
- (xattr_type == XATTR_ACL_ACCESS_T ||
- xattr_type == XATTR_ACL_DEFAULT_T)) {
- rce = rct_search(&sbi->ll_rct, current_pid());
- if (rce == NULL ||
- (rce->rce_ops != RMT_LSETFACL &&
- rce->rce_ops != RMT_RSETFACL))
- RETURN(-EOPNOTSUPP);
-
- if (rce->rce_ops == RMT_LSETFACL) {
- struct eacl_entry *ee;
-
- ee = et_search_del(&sbi->ll_et, current_pid(),
- ll_inode2fid(inode), xattr_type);
- LASSERT(ee != NULL);
- if (valid & OBD_MD_FLXATTR) {
- acl = lustre_acl_xattr_merge2ext(
- (posix_acl_xattr_header *)value,
- size, ee->ee_acl);
- if (IS_ERR(acl)) {
- ee_free(ee);
- RETURN(PTR_ERR(acl));
- }
- size = CFS_ACL_XATTR_SIZE(\
- le32_to_cpu(acl->a_count), \
- ext_acl_xattr);
- pv = (const char *)acl;
- }
- ee_free(ee);
- } else if (rce->rce_ops == RMT_RSETFACL) {
- int acl_size = lustre_posix_acl_xattr_filter(
- (posix_acl_xattr_header *)value,
- size, &new_value);
- if (unlikely(acl_size < 0))
- RETURN(acl_size);
- size = acl_size;
-
- pv = (const char *)new_value;
- } else
- RETURN(-EOPNOTSUPP);
-
- valid |= rce_ops2valid(rce->rce_ops);
- }
-#endif
rc = md_setxattr(sbi->ll_md_exp, ll_inode2fid(inode), valid, name, pv,
size, 0, flags, ll_i2suppgid(inode), &req);
-
-#ifdef CONFIG_FS_POSIX_ACL
- if (new_value != NULL)
- lustre_posix_acl_xattr_free(new_value, size);
- if (acl != NULL)
- lustre_ext_acl_xattr_free(acl);
-#endif
if (rc) {
if (rc == -EOPNOTSUPP && xattr_type == XATTR_USER_T) {
LCONSOLE_INFO("Disabling user_xattr feature because "
struct mdt_body *body;
int xattr_type, rc;
void *xdata;
- struct rmtacl_ctl_entry *rce = NULL;
struct ll_inode_info *lli = ll_i2info(inode);
ENTRY;
RETURN(-EOPNOTSUPP);
#ifdef CONFIG_FS_POSIX_ACL
- if (sbi->ll_flags & LL_SBI_RMT_CLIENT &&
- (xattr_type == XATTR_ACL_ACCESS_T ||
- xattr_type == XATTR_ACL_DEFAULT_T)) {
- rce = rct_search(&sbi->ll_rct, current_pid());
- if (rce == NULL ||
- (rce->rce_ops != RMT_LSETFACL &&
- rce->rce_ops != RMT_LGETFACL &&
- rce->rce_ops != RMT_RSETFACL &&
- rce->rce_ops != RMT_RGETFACL))
- RETURN(-EOPNOTSUPP);
- }
-
/* posix acl is under protection of LOOKUP lock. when calling to this,
* we just have path resolution to the target inode, so we have great
* chance that cached ACL is uptodate.
*/
- if (xattr_type == XATTR_ACL_ACCESS_T &&
- !(sbi->ll_flags & LL_SBI_RMT_CLIENT)) {
-
- struct posix_acl *acl;
+ if (xattr_type == XATTR_ACL_ACCESS_T) {
+ struct posix_acl *acl;
spin_lock(&lli->lli_lock);
acl = posix_acl_dup(lli->lli_posix_acl);
} else {
getxattr_nocache:
rc = md_getxattr(sbi->ll_md_exp, ll_inode2fid(inode),
- valid | (rce ? rce_ops2valid(rce->rce_ops) : 0),
- name, NULL, 0, size, 0, &req);
+ valid, name, NULL, 0, size, 0, &req);
if (rc < 0)
GOTO(out_xattr, rc);
rc = body->mbo_eadatasize;
}
-#ifdef CONFIG_FS_POSIX_ACL
- if (rce != NULL && rce->rce_ops == RMT_LSETFACL) {
- ext_acl_xattr_header *acl;
-
- acl = lustre_posix_acl_xattr_2ext(buffer, rc);
- if (IS_ERR(acl))
- GOTO(out, rc = PTR_ERR(acl));
-
- rc = ee_add(&sbi->ll_et, current_pid(), ll_inode2fid(inode),
- xattr_type, acl);
- if (unlikely(rc < 0)) {
- lustre_ext_acl_xattr_free(acl);
- GOTO(out, rc);
- }
- }
-#endif
EXIT;
out_xattr:
RETURN(md_clear_open_replay_data(tgt->ltd_exp, och));
}
-static int lmv_get_remote_perm(struct obd_export *exp, const struct lu_fid *fid,
- u32 suppgid, struct ptlrpc_request **request)
-{
- struct obd_device *obd = exp->exp_obd;
- struct lmv_obd *lmv = &obd->u.lmv;
- struct lmv_tgt_desc *tgt;
- int rc;
- ENTRY;
-
- rc = lmv_check_connect(obd);
- if (rc)
- RETURN(rc);
-
- tgt = lmv_find_target(lmv, fid);
- if (IS_ERR(tgt))
- RETURN(PTR_ERR(tgt));
-
- rc = md_get_remote_perm(tgt->ltd_exp, fid, suppgid, request);
- RETURN(rc);
-}
-
int lmv_intent_getattr_async(struct obd_export *exp,
struct md_enqueue_info *minfo)
{
.m_merge_attr = lmv_merge_attr,
.m_set_open_replay_data = lmv_set_open_replay_data,
.m_clear_open_replay_data = lmv_clear_open_replay_data,
- .m_get_remote_perm = lmv_get_remote_perm,
.m_intent_getattr_async = lmv_intent_getattr_async,
.m_revalidate_lock = lmv_revalidate_lock,
.m_get_fid_from_lsm = lmv_get_fid_from_lsm,
req_capsule_set_size(&req->rq_pill, &RMF_MDT_MD, RCL_SERVER,
obddev->u.cli.cl_max_mds_easize);
-
- /* for remote client, fetch remote perm for current user */
- if (client_is_remote(exp))
- req_capsule_set_size(&req->rq_pill, &RMF_ACL, RCL_SERVER,
- sizeof(struct mdt_remote_perm));
ptlrpc_request_set_replen(req);
return req;
}
struct obd_device *obddev = class_exp2obd(exp);
u64 valid = OBD_MD_FLGETATTR | OBD_MD_FLEASIZE |
OBD_MD_FLMODEASIZE | OBD_MD_FLDIREA |
- OBD_MD_MEA |
- (client_is_remote(exp) ?
- OBD_MD_FLRMTPERM : OBD_MD_FLACL);
+ OBD_MD_MEA | OBD_MD_FLACL;
struct ldlm_intent *lit;
int rc;
__u32 easize;
mdc_getattr_pack(req, valid, it->it_flags, op_data, easize);
req_capsule_set_size(&req->rq_pill, &RMF_MDT_MD, RCL_SERVER, easize);
- if (client_is_remote(exp))
- req_capsule_set_size(&req->rq_pill, &RMF_ACL, RCL_SERVER,
- sizeof(struct mdt_remote_perm));
ptlrpc_request_set_replen(req);
RETURN(req);
}
body->mbo_eadatasize);
}
}
-
- if (body->mbo_valid & OBD_MD_FLRMTPERM) {
- struct mdt_remote_perm *perm;
-
- LASSERT(client_is_remote(exp));
- perm = req_capsule_server_swab_get(pill, &RMF_ACL,
- lustre_swab_mdt_remote_perm);
- if (perm == NULL)
- RETURN(-EPROTO);
- }
} else if (it->it_op & IT_LAYOUT) {
/* maybe the lock was granted right away and layout
* is packed into RMF_DLM_LVB of req */
MDS_INODELOCK_UPDATE);
req = ptlrpc_request_alloc(class_exp2cliimp(exp),
- &RQF_MDS_REINT_CREATE_RMT_ACL);
+ &RQF_MDS_REINT_CREATE_ACL);
if (req == NULL) {
ldlm_lock_list_put(&cancels, l_bl_ast, count);
RETURN(-ENOMEM);
RETURN(-EPROTO);
}
- if (body->mbo_valid & OBD_MD_FLRMTPERM) {
- struct mdt_remote_perm *perm;
-
- LASSERT(client_is_remote(exp));
- perm = req_capsule_server_swab_get(pill, &RMF_ACL,
- lustre_swab_mdt_remote_perm);
- if (perm == NULL)
- RETURN(-EPROTO);
- }
-
RETURN(0);
}
req_capsule_set_size(&req->rq_pill, &RMF_MDT_MD, RCL_SERVER,
op_data->op_mode);
- if (op_data->op_valid & OBD_MD_FLRMTPERM) {
- LASSERT(client_is_remote(exp));
- req_capsule_set_size(&req->rq_pill, &RMF_ACL, RCL_SERVER,
- sizeof(struct mdt_remote_perm));
- }
ptlrpc_request_set_replen(req);
rc = mdc_getattr_common(exp, req);
}
rc = 0;
- if (md->body->mbo_valid & OBD_MD_FLRMTPERM) {
- /* remote permission */
- LASSERT(client_is_remote(exp));
- md->remote_perm = req_capsule_server_swab_get(pill, &RMF_ACL,
- lustre_swab_mdt_remote_perm);
- if (!md->remote_perm)
- GOTO(out, rc = -EPROTO);
- } else if (md->body->mbo_valid & OBD_MD_FLACL) {
+ if (md->body->mbo_valid & OBD_MD_FLACL) {
/* for ACL, it's possible that FLACL is set but aclsize is zero.
* only when aclsize != 0 there's an actual segment for ACL
* in reply buffer.
if (req == NULL)
GOTO(out, rc = -ENOMEM);
- mdc_pack_body(req, NULL, OBD_MD_FLRMTPERM, 0, -1, 0);
+ mdc_pack_body(req, NULL, 0, 0, -1, 0);
/* Copy hsm_progress struct */
req_hpk = req_capsule_client_get(&req->rq_pill, &RMF_MDS_HSM_PROGRESS);
if (req == NULL)
GOTO(out, rc = -ENOMEM);
- mdc_pack_body(req, NULL, OBD_MD_FLRMTPERM, 0, -1, 0);
+ mdc_pack_body(req, NULL, 0, 0, -1, 0);
/* Copy hsm_progress struct */
archive_mask = req_capsule_client_get(&req->rq_pill,
RETURN(rc);
}
- mdc_pack_body(req, &op_data->op_fid1, OBD_MD_FLRMTPERM, 0,
+ mdc_pack_body(req, &op_data->op_fid1, 0, 0,
op_data->op_suppgids[0], 0);
ptlrpc_request_set_replen(req);
if (req == NULL)
GOTO(out, rc = -ENOMEM);
- mdc_pack_body(req, NULL, OBD_MD_FLRMTPERM, 0, -1, 0);
+ mdc_pack_body(req, NULL, 0, 0, -1, 0);
ptlrpc_request_set_replen(req);
RETURN(rc);
}
- mdc_pack_body(req, &op_data->op_fid1, OBD_MD_FLRMTPERM, 0,
+ mdc_pack_body(req, &op_data->op_fid1, 0, 0,
op_data->op_suppgids[0], 0);
ptlrpc_request_set_replen(req);
RETURN(rc);
}
- mdc_pack_body(req, &op_data->op_fid1, OBD_MD_FLRMTPERM, 0,
+ mdc_pack_body(req, &op_data->op_fid1, 0, 0,
op_data->op_suppgids[0], 0);
/* Copy states */
RETURN(rc);
}
- mdc_pack_body(req, NULL, OBD_MD_FLRMTPERM, 0, -1, 0);
+ mdc_pack_body(req, NULL, 0, 0, -1, 0);
/* Copy hsm_request struct */
req_hr = req_capsule_client_get(&req->rq_pill, &RMF_MDS_HSM_REQUEST);
return (rc > 0 ? 0: rc);
}
-
-/* get remote permission for current user on fid */
-static int mdc_get_remote_perm(struct obd_export *exp, const struct lu_fid *fid,
- u32 suppgid, struct ptlrpc_request **request)
-{
- struct ptlrpc_request *req;
- int rc;
- ENTRY;
-
- LASSERT(client_is_remote(exp));
-
- *request = NULL;
- req = ptlrpc_request_alloc(class_exp2cliimp(exp), &RQF_MDS_GETATTR);
- if (req == NULL)
- RETURN(-ENOMEM);
-
- rc = ptlrpc_request_pack(req, LUSTRE_MDS_VERSION, MDS_GETATTR);
- if (rc) {
- ptlrpc_request_free(req);
- RETURN(rc);
- }
-
- mdc_pack_body(req, fid, OBD_MD_FLRMTPERM, 0, suppgid, 0);
-
- req_capsule_set_size(&req->rq_pill, &RMF_ACL, RCL_SERVER,
- sizeof(struct mdt_remote_perm));
-
- ptlrpc_request_set_replen(req);
-
- rc = ptlrpc_queue_wait(req);
- if (rc)
- ptlrpc_req_finished(req);
- else
- *request = req;
- RETURN(rc);
-}
-
static struct obd_ops mdc_obd_ops = {
.o_owner = THIS_MODULE,
.o_setup = mdc_setup,
.m_free_lustre_md = mdc_free_lustre_md,
.m_set_open_replay_data = mdc_set_open_replay_data,
.m_clear_open_replay_data = mdc_clear_open_replay_data,
- .m_get_remote_perm = mdc_get_remote_perm,
.m_intent_getattr_async = mdc_intent_getattr_async,
.m_revalidate_lock = mdc_revalidate_lock
};
MODULES := mdt
mdt-objs := mdt_handler.o mdt_lib.o mdt_reint.o mdt_xattr.o mdt_recovery.o
-mdt-objs += mdt_open.o mdt_idmap.o mdt_identity.o mdt_lproc.o mdt_fs.o
+mdt-objs += mdt_open.o mdt_identity.o mdt_lproc.o mdt_fs.o
mdt-objs += mdt_lvb.o mdt_hsm.o mdt_mds.o
mdt-objs += mdt_hsm_cdt_actions.o
mdt-objs += mdt_hsm_cdt_requests.o
PFID(fid), b->mbo_nlink, b->mbo_mode, b->mbo_valid);
}
- if (info != NULL)
- mdt_body_reverse_idmap(info, b);
-
if (!(attr->la_valid & LA_TYPE))
return;
repbody->mbo_max_mdsize);
}
- if (exp_connect_rmtclient(info->mti_exp) &&
- reqbody->mbo_valid & OBD_MD_FLRMTPERM) {
- void *buf = req_capsule_server_get(pill, &RMF_ACL);
-
- /* mdt_getattr_lock only */
- rc = mdt_pack_remote_perm(info, o, buf);
- if (rc) {
- repbody->mbo_valid &= ~OBD_MD_FLRMTPERM;
- repbody->mbo_aclsize = 0;
- RETURN(rc);
- } else {
- repbody->mbo_valid |= OBD_MD_FLRMTPERM;
- repbody->mbo_aclsize = sizeof(struct mdt_remote_perm);
- }
- }
#ifdef CONFIG_FS_POSIX_ACL
- else if ((exp_connect_flags(req->rq_export) & OBD_CONNECT_ACL) &&
+ if ((exp_connect_flags(req->rq_export) & OBD_CONNECT_ACL) &&
(reqbody->mbo_valid & OBD_MD_FLACL)) {
struct lu_nodemap *nodemap = nodemap_get_from_exp(exp);
if (IS_ERR(nodemap))
repbody->mbo_eadatasize = 0;
repbody->mbo_aclsize = 0;
- if (reqbody->mbo_valid & OBD_MD_FLRMTPERM)
- rc = mdt_init_ucred(info, reqbody);
- else
- rc = mdt_check_ucred(info);
+ rc = mdt_check_ucred(info);
if (unlikely(rc))
GOTO(out_shrink, rc);
info->mti_cross_ref = !!(reqbody->mbo_valid & OBD_MD_FLCROSSREF);
rc = mdt_getattr_internal(info, obj, 0);
- if (reqbody->mbo_valid & OBD_MD_FLRMTPERM)
- mdt_exit_ucred(info);
EXIT;
out_shrink:
mdt_client_compatibility(info);
return rc;
}
+static int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
+{
+ struct lu_ucred *uc = mdt_ucred_check(info);
+ struct lu_attr *attr = &info->mti_attr.ma_attr;
+
+ if (uc == NULL)
+ return -EINVAL;
+
+ if (op != REINT_SETATTR) {
+ if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
+ attr->la_uid = uc->uc_fsuid;
+ /* for S_ISGID, inherit gid from his parent, such work will be
+ * done in cmm/mdd layer, here set all cases as uc->uc_fsgid. */
+ if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
+ attr->la_gid = uc->uc_fsgid;
+ }
+
+ return 0;
+}
+
static int mdt_reint_internal(struct mdt_thread_info *info,
struct mdt_lock_handle *lhc,
__u32 op)
GOTO(out_nodemap, rc = -EFAULT);
}
- /* map uid/gid for remote client */
id = oqctl->qc_id;
- if (exp_connect_rmtclient(exp)) {
- struct lustre_idmap_table *idmap;
-
- idmap = exp->exp_mdt_data.med_idmap;
-
- if (unlikely(oqctl->qc_cmd != Q_GETQUOTA &&
- oqctl->qc_cmd != Q_GETINFO))
- GOTO(out_nodemap, rc = -EPERM);
-
- if (oqctl->qc_type == USRQUOTA)
- id = lustre_idmap_lookup_uid(NULL, idmap, 0,
- oqctl->qc_id);
- else if (oqctl->qc_type == GRPQUOTA)
- id = lustre_idmap_lookup_gid(NULL, idmap, 0,
- oqctl->qc_id);
- else
- GOTO(out_nodemap, rc = -EINVAL);
-
- if (id == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_QUOTA, "no mapping for id %u\n", oqctl->qc_id);
- GOTO(out_nodemap, rc = -EACCES);
- }
- }
-
if (oqctl->qc_type == USRQUOTA)
id = nodemap_map_id(nodemap, NODEMAP_UID,
NODEMAP_CLIENT_TO_FS, id);
*/
static int mdt_sec_ctx_handle(struct tgt_session_info *tsi)
{
- int rc;
-
- rc = mdt_handle_idmap(tsi);
- if (unlikely(rc)) {
- struct ptlrpc_request *req = tgt_ses_req(tsi);
- __u32 opc;
-
- opc = lustre_msg_get_opc(req->rq_reqmsg);
- if (opc == SEC_CTX_INIT || opc == SEC_CTX_INIT_CONT)
- sptlrpc_svc_ctx_invalidate(req);
- }
-
CFS_FAIL_TIMEOUT(OBD_FAIL_SEC_CTX_HDL_PAUSE, cfs_fail_val);
- return rc;
+ return 0;
}
/*
static int mdt_tgt_connect(struct tgt_session_info *tsi)
{
- struct ptlrpc_request *req = tgt_ses_req(tsi);
- int rc;
-
- ENTRY;
-
if (OBD_FAIL_CHECK(OBD_FAIL_TGT_DELAY_CONDITIONAL) &&
cfs_fail_val ==
tsi2mdt_info(tsi)->mti_mdt->mdt_seq_site.ss_node_id) {
schedule_timeout(msecs_to_jiffies(3 * MSEC_PER_SEC));
}
- rc = tgt_connect(tsi);
- if (rc != 0)
- RETURN(rc);
-
- rc = mdt_init_idmap(tsi);
- if (rc != 0)
- GOTO(err, rc);
- RETURN(0);
-err:
- obd_disconnect(class_export_get(req->rq_export));
- return rc;
+ return tgt_connect(tsi);
}
enum mdt_it_code {
INIT_LIST_HEAD(&med->med_open_head);
spin_lock_init(&med->med_open_lock);
- mutex_init(&med->med_idmap_mutex);
- med->med_idmap = NULL;
spin_lock(&exp->exp_lock);
exp->exp_connecting = 1;
spin_unlock(&exp->exp_lock);
{
ENTRY;
- if (exp_connect_rmtclient(exp))
- mdt_cleanup_idmap(&exp->exp_mdt_data);
-
target_destroy_export(exp);
/* destroy can be called from failed obd_setup, so
* checking uuid is safer than obd_self_export */
* If there is LNET_NID_ANY in perm[i].mp_nid,
* it must be perm[0].mp_nid, and act as default perm.
*/
-__u32 mdt_identity_get_perm(struct md_identity *identity,
- __u32 is_rmtclient, lnet_nid_t nid)
+__u32 mdt_identity_get_perm(struct md_identity *identity, lnet_nid_t nid)
{
- struct md_perm *perm;
- int i;
- if (!identity) {
- LASSERT(is_rmtclient == 0);
- return CFS_SETGRP_PERM;
- }
+ struct md_perm *perm;
+ int i;
+
+ if (!identity)
+ return CFS_SETGRP_PERM;
perm = identity->mi_perms;
/* check exactly matched nid first */
return perm[0].mp_perm;
/* return default last */
- return is_rmtclient ? 0 : CFS_SETGRP_PERM;
-}
-
-int mdt_pack_remote_perm(struct mdt_thread_info *info, struct mdt_object *o,
- void *buf)
-{
- struct lu_ucred *uc = mdt_ucred_check(info);
- struct md_object *next = mdt_object_child(o);
- struct mdt_remote_perm *perm = buf;
-
- ENTRY;
-
- /* remote client request always pack ptlrpc_user_desc! */
- LASSERT(perm);
-
- if (!exp_connect_rmtclient(info->mti_exp))
- RETURN(-EBADE);
-
- if (uc == NULL)
- RETURN(-EINVAL);
-
- perm->rp_uid = uc->uc_o_uid;
- perm->rp_gid = uc->uc_o_gid;
- perm->rp_fsuid = uc->uc_o_fsuid;
- perm->rp_fsgid = uc->uc_o_fsgid;
-
- perm->rp_access_perm = 0;
- if (mo_permission(info->mti_env, NULL, next, NULL, MAY_READ) == 0)
- perm->rp_access_perm |= MAY_READ;
- if (mo_permission(info->mti_env, NULL, next, NULL, MAY_WRITE) == 0)
- perm->rp_access_perm |= MAY_WRITE;
- if (mo_permission(info->mti_env, NULL, next, NULL, MAY_EXEC) == 0)
- perm->rp_access_perm |= MAY_EXEC;
-
- RETURN(0);
+ return CFS_SETGRP_PERM;
}
+++ /dev/null
-/*
- * GPL HEADER START
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 only,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License version 2 for more details (a copy is included
- * in the LICENSE file that accompanied this code).
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; If not, see
- * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- *
- * GPL HEADER END
- */
-/*
- * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Use is subject to license terms.
- *
- * Copyright (c) 2012, 2013, Intel Corporation.
- */
-/*
- * This file is part of Lustre, http://www.lustre.org/
- * Lustre is a trademark of Sun Microsystems, Inc.
- *
- * lustre/mdt/mdt_idmap.c
- *
- * Author: Lai Siyao <lsy@clusterfs.com>
- * Author: Fan Yong <fanyong@clusterfs.com>
- */
-
-#define DEBUG_SUBSYSTEM S_MDS
-
-#include <linux/module.h>
-#include <linux/kernel.h>
-#include <linux/mm.h>
-#include <linux/kmod.h>
-#include <linux/user_namespace.h>
-#ifdef HAVE_UIDGID_HEADER
-# include <linux/uidgid.h>
-#endif
-#include <linux/string.h>
-#include <linux/stat.h>
-#include <linux/errno.h>
-#include <linux/version.h>
-#include <linux/unistd.h>
-#include <asm/uaccess.h>
-#include <linux/fs.h>
-#include <linux/stat.h>
-#include <asm/uaccess.h>
-#include <linux/slab.h>
-
-#include <libcfs/libcfs.h>
-#include <obd.h>
-#include <obd_class.h>
-#include <obd_support.h>
-#include <lustre_net.h>
-#include <lustre_import.h>
-#include <lustre_dlm.h>
-#include <lustre_sec.h>
-#include <lustre_lib.h>
-
-#include "mdt_internal.h"
-
-int mdt_init_idmap(struct tgt_session_info *tsi)
-{
- struct ptlrpc_request *req = tgt_ses_req(tsi);
- struct mdt_export_data *med = mdt_req2med(req);
- struct obd_export *exp = req->rq_export;
- char *client = libcfs_nid2str(req->rq_peer.nid);
- int rc = 0;
- ENTRY;
-
- if (exp_connect_rmtclient(exp)) {
- mutex_lock(&med->med_idmap_mutex);
- if (!med->med_idmap)
- med->med_idmap = lustre_idmap_init();
- mutex_unlock(&med->med_idmap_mutex);
-
- if (IS_ERR(med->med_idmap)) {
- long err = PTR_ERR(med->med_idmap);
-
- med->med_idmap = NULL;
- CERROR("%s: client %s -> target %s "
- "failed to init idmap [%ld]!\n",
- tgt_name(tsi->tsi_tgt), client,
- tgt_name(tsi->tsi_tgt), err);
- RETURN(err);
- } else if (!med->med_idmap) {
- CERROR("%s: client %s -> target %s "
- "failed to init(2) idmap!\n",
- tgt_name(tsi->tsi_tgt), client,
- tgt_name(tsi->tsi_tgt));
- RETURN(-ENOMEM);
- }
-
- CDEBUG(D_SEC, "%s: client %s -> target %s is remote.\n",
- tgt_name(tsi->tsi_tgt), client,
- tgt_name(tsi->tsi_tgt));
- /* NB, MDS_CONNECT establish root idmap too! */
- rc = mdt_handle_idmap(tsi);
- }
- RETURN(rc);
-}
-
-void mdt_cleanup_idmap(struct mdt_export_data *med)
-{
- mutex_lock(&med->med_idmap_mutex);
- if (med->med_idmap != NULL) {
- lustre_idmap_fini(med->med_idmap);
- med->med_idmap = NULL;
- }
- mutex_unlock(&med->med_idmap_mutex);
-}
-
-static inline void mdt_revoke_export_locks(struct obd_export *exp)
-{
- /* don't revoke locks during recovery */
- if (exp->exp_obd->obd_recovering)
- return;
-
- ldlm_revoke_export_locks(exp);
-}
-
-int mdt_handle_idmap(struct tgt_session_info *tsi)
-{
- struct ptlrpc_request *req = tgt_ses_req(tsi);
- struct mdt_device *mdt = mdt_exp2dev(req->rq_export);
- struct mdt_export_data *med;
- struct ptlrpc_user_desc *pud = req->rq_user_desc;
- struct md_identity *identity;
- __u32 opc;
- int rc = 0;
- ENTRY;
-
- if (!req->rq_export)
- RETURN(0);
-
- med = mdt_req2med(req);
- if (!exp_connect_rmtclient(req->rq_export))
- RETURN(0);
-
- opc = lustre_msg_get_opc(req->rq_reqmsg);
- /* Bypass other opc */
- if ((opc != SEC_CTX_INIT) && (opc != SEC_CTX_INIT_CONT) &&
- (opc != SEC_CTX_FINI) && (opc != MDS_CONNECT))
- RETURN(0);
-
- LASSERT(med->med_idmap);
-
- if (unlikely(!pud)) {
- CDEBUG(D_SEC, "remote client must run with rq_user_desc "
- "present\n");
- RETURN(-EACCES);
- }
-
- if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_mapped_uid))) {
- CDEBUG(D_SEC, "invalid authorized mapped uid, please check "
- "/etc/lustre/idmap.conf!\n");
- RETURN(-EACCES);
- }
-
- if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- CDEBUG(D_SEC, "remote client must run with identity_get "
- "enabled!\n");
- RETURN(-EACCES);
- }
-
- identity = mdt_identity_get(mdt->mdt_identity_cache,
- req->rq_auth_mapped_uid);
- if (IS_ERR(identity)) {
- CDEBUG(D_SEC, "can't get mdt identity(%u), no mapping added\n",
- req->rq_auth_mapped_uid);
- RETURN(-EACCES);
- }
-
- switch (opc) {
- case SEC_CTX_INIT:
- case SEC_CTX_INIT_CONT:
- case MDS_CONNECT:
- rc = lustre_idmap_add(med->med_idmap,
- pud->pud_uid, identity->mi_uid,
- pud->pud_gid, identity->mi_gid);
- break;
- case SEC_CTX_FINI:
- rc = lustre_idmap_del(med->med_idmap,
- pud->pud_uid, identity->mi_uid,
- pud->pud_gid, identity->mi_gid);
- break;
- }
-
- mdt_identity_put(mdt->mdt_identity_cache, identity);
-
- if (rc)
- RETURN(rc);
-
- switch (opc) {
- case SEC_CTX_INIT:
- case SEC_CTX_INIT_CONT:
- case SEC_CTX_FINI:
- mdt_revoke_export_locks(req->rq_export);
- break;
- }
-
- RETURN(0);
-}
-
-int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *req,
- struct ptlrpc_user_desc *pud)
-{
- struct mdt_export_data *med = mdt_req2med(req);
- struct lustre_idmap_table *idmap = med->med_idmap;
- uid_t uid, fsuid;
- gid_t gid, fsgid;
-
- /* Only remote client need desc_to_idmap. */
- if (!exp_connect_rmtclient(req->rq_export))
- return 0;
-
- uid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_uid);
- if (uid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "no mapping for uid %u\n", pud->pud_uid);
- return -EACCES;
- }
-
- if (pud->pud_uid == pud->pud_fsuid) {
- fsuid = uid;
- } else {
- fsuid = lustre_idmap_lookup_uid(NULL, idmap, 0, pud->pud_fsuid);
- if (fsuid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "no mapping for fsuid %u\n",
- pud->pud_fsuid);
- return -EACCES;
- }
- }
-
- gid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_gid);
- if (gid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "no mapping for gid %u\n", pud->pud_gid);
- return -EACCES;
- }
-
- if (pud->pud_gid == pud->pud_fsgid) {
- fsgid = gid;
- } else {
- fsgid = lustre_idmap_lookup_gid(NULL, idmap, 0, pud->pud_fsgid);
- if (fsgid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "no mapping for fsgid %u\n",
- pud->pud_fsgid);
- return -EACCES;
- }
- }
-
- pud->pud_uid = uid;
- pud->pud_gid = gid;
- pud->pud_fsuid = fsuid;
- pud->pud_fsgid = fsgid;
-
- return 0;
-}
-
-/*
- * Reverse mapping
- */
-void mdt_body_reverse_idmap(struct mdt_thread_info *info, struct mdt_body *body)
-{
- struct ptlrpc_request *req = mdt_info_req(info);
- struct lu_ucred *uc = mdt_ucred(info);
- struct mdt_export_data *med = mdt_req2med(req);
- struct lustre_idmap_table *idmap = med->med_idmap;
-
- if (!exp_connect_rmtclient(info->mti_exp))
- return;
-
- if (body->mbo_valid & OBD_MD_FLUID) {
- uid_t uid;
-
- uid = lustre_idmap_lookup_uid(uc, idmap, 1, body->mbo_uid);
-
- if (uid == CFS_IDMAP_NOTFOUND) {
- uid = NOBODY_UID;
- if (body->mbo_valid & OBD_MD_FLMODE)
- body->mbo_mode = (body->mbo_mode & ~S_IRWXU) |
- ((body->mbo_mode & S_IRWXO) << 6);
- }
-
- body->mbo_uid = uid;
- }
-
- if (body->mbo_valid & OBD_MD_FLGID) {
- gid_t gid;
-
- gid = lustre_idmap_lookup_gid(uc, idmap, 1, body->mbo_gid);
-
- if (gid == CFS_IDMAP_NOTFOUND) {
- gid = NOBODY_GID;
- if (body->mbo_valid & OBD_MD_FLMODE)
- body->mbo_mode = (body->mbo_mode & ~S_IRWXG) |
- ((body->mbo_mode & S_IRWXO) << 3);
- }
-
- body->mbo_gid = gid;
- }
-}
-
-/* Do not ignore root_squash for non-setattr case. */
-int mdt_fix_attr_ucred(struct mdt_thread_info *info, __u32 op)
-{
- struct ptlrpc_request *req = mdt_info_req(info);
- struct lu_ucred *uc = mdt_ucred_check(info);
- struct lu_attr *attr = &info->mti_attr.ma_attr;
- struct mdt_export_data *med = mdt_req2med(req);
- struct lustre_idmap_table *idmap = med->med_idmap;
-
- if (uc == NULL)
- return -EINVAL;
-
- if (op != REINT_SETATTR) {
- if ((attr->la_valid & LA_UID) && (attr->la_uid != -1))
- attr->la_uid = uc->uc_fsuid;
- /* for S_ISGID, inherit gid from his parent, such work will be
- * done in cmm/mdd layer, here set all cases as uc->uc_fsgid. */
- if ((attr->la_valid & LA_GID) && (attr->la_gid != -1))
- attr->la_gid = uc->uc_fsgid;
- } else if (exp_connect_rmtclient(info->mti_exp)) {
- /* NB: -1 case will be handled by mdt_fix_attr() later. */
- if ((attr->la_valid & LA_UID) && (attr->la_uid != -1)) {
- uid_t uid = lustre_idmap_lookup_uid(uc, idmap, 0,
- attr->la_uid);
-
- if (uid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "Deny chown to uid %u\n",
- attr->la_uid);
- return -EPERM;
- }
-
- attr->la_uid = uid;
- }
- if ((attr->la_valid & LA_GID) && (attr->la_gid != -1)) {
- gid_t gid = lustre_idmap_lookup_gid(uc, idmap, 0,
- attr->la_gid);
-
- if (gid == CFS_IDMAP_NOTFOUND) {
- CDEBUG(D_SEC, "Deny chown to gid %u\n",
- attr->la_gid);
- return -EPERM;
- }
-
- attr->la_gid = gid;
- }
- }
-
- return 0;
-}
struct linkea_data *ldata);
int mdt_close_internal(struct mdt_thread_info *info, struct ptlrpc_request *req,
struct mdt_body *repbody);
-/* mdt_idmap.c */
-int mdt_init_idmap(struct tgt_session_info *tsi);
-void mdt_cleanup_idmap(struct mdt_export_data *);
-int mdt_handle_idmap(struct tgt_session_info *tsi);
-int ptlrpc_user_desc_do_idmap(struct ptlrpc_request *,
- struct ptlrpc_user_desc *);
-void mdt_body_reverse_idmap(struct mdt_thread_info *,
- struct mdt_body *);
-int mdt_remote_perm_reverse_idmap(struct ptlrpc_request *,
- struct mdt_remote_perm *);
-int mdt_fix_attr_ucred(struct mdt_thread_info *, __u32);
static inline struct mdt_device *mdt_dev(struct lu_device *d)
{
void mdt_flush_identity(struct upcall_cache *, int);
-__u32 mdt_identity_get_perm(struct md_identity *, __u32, lnet_nid_t);
-
-int mdt_pack_remote_perm(struct mdt_thread_info *, struct mdt_object *, void *);
+__u32 mdt_identity_get_perm(struct md_identity *, lnet_nid_t);
/* mdt/mdt_recovery.c */
__u64 mdt_req_from_lrd(struct ptlrpc_request *req, struct tg_reply_data *trd);
struct lu_ucred *ucred = mdt_ucred(info);
lnet_nid_t peernid = req->rq_peer.nid;
__u32 perm = 0;
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
int setuid;
int setgid;
int rc = 0;
ucred->uc_suppgids[1] = -1;
}
- /* sanity check: we expect the uid which client claimed is true */
- if (remote) {
- if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_mapped_uid))) {
- CDEBUG(D_SEC, "remote user not mapped, deny access!\n");
- RETURN(-EACCES);
- }
-
- if (ptlrpc_user_desc_do_idmap(req, pud))
- RETURN(-EACCES);
-
- if (req->rq_auth_mapped_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "remote client %s: auth/mapped uid %u/%u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- req->rq_auth_mapped_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- } else {
- if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
- req->rq_auth_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "local client %s: auth uid %u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- }
+ if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
+ req->rq_auth_uid != pud->pud_uid) {
+ CDEBUG(D_SEC, "local client %s: auth uid %u "
+ "while client claims %u:%u/%u:%u\n",
+ libcfs_nid2str(peernid), req->rq_auth_uid,
+ pud->pud_uid, pud->pud_gid,
+ pud->pud_fsuid, pud->pud_fsgid);
+ RETURN(-EACCES);
+ }
- if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- if (remote) {
- CDEBUG(D_SEC, "remote client must run with identity_get "
- "enabled!\n");
- RETURN(-EACCES);
- } else {
- ucred->uc_identity = NULL;
- perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
- CFS_SETGRP_PERM;
- }
- } else {
- struct md_identity *identity;
+ if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
+ ucred->uc_identity = NULL;
+ perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM;
+ } else {
+ struct md_identity *identity;
- identity = mdt_identity_get(mdt->mdt_identity_cache,
- pud->pud_uid);
- if (IS_ERR(identity)) {
- if (unlikely(PTR_ERR(identity) == -EREMCHG &&
- !remote)) {
+ identity = mdt_identity_get(mdt->mdt_identity_cache,
+ pud->pud_uid);
+ if (IS_ERR(identity)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
ucred->uc_identity = NULL;
- perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
- CFS_SETGRP_PERM;
- } else {
- CDEBUG(D_SEC, "Deny access without identity: uid %u\n",
- pud->pud_uid);
- RETURN(-EACCES);
- }
- } else {
+ perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
+ CFS_SETGRP_PERM;
+ } else {
+ CDEBUG(D_SEC,
+ "Deny access without identity: uid %u\n",
+ pud->pud_uid);
+ RETURN(-EACCES);
+ }
+ } else {
ucred->uc_identity = identity;
perm = mdt_identity_get_perm(ucred->uc_identity,
- remote, peernid);
- }
- }
+ peernid);
+ }
+ }
- /* find out the setuid/setgid attempt */
- setuid = (pud->pud_uid != pud->pud_fsuid);
+ /* find out the setuid/setgid attempt */
+ setuid = (pud->pud_uid != pud->pud_fsuid);
setgid = ((pud->pud_gid != pud->pud_fsgid) ||
(ucred->uc_identity &&
(pud->pud_gid != ucred->uc_identity->mi_gid)));
GOTO(out, rc = -EACCES);
}
- /*
- * NB: remote client not allowed to setgroups anyway.
- */
- if (!remote && perm & CFS_SETGRP_PERM) {
+ if (perm & CFS_SETGRP_PERM) {
if (pud->pud_ngroups) {
/* setgroups for local client */
ucred->uc_ginfo = groups_alloc(pud->pud_ngroups);
ucred->uc_cap = pud->pud_cap & ~CFS_CAP_FS_MASK;
else
ucred->uc_cap = pud->pud_cap;
- if (remote && !(perm & CFS_RMTOWN_PERM))
- ucred->uc_cap &= ~(CFS_CAP_SYS_RESOURCE_MASK |
- CFS_CAP_CHOWN_MASK);
ucred->uc_valid = UCRED_NEW;
ucred_set_jobid(info, ucred);
*/
bool allow_client_chgrp(struct mdt_thread_info *info, struct lu_ucred *uc)
{
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
__u32 perm;
- /* 1. If identity_upcall is disabled, then forbid remote client to set
- * supplementary group IDs, but permit local client to do that. */
- if (is_identity_get_disabled(info->mti_mdt->mdt_identity_cache)) {
- if (remote)
- return false;
-
+ /* 1. If identity_upcall is disabled,
+ * permit local client to do anything. */
+ if (is_identity_get_disabled(info->mti_mdt->mdt_identity_cache))
return true;
- }
/* 2. If fail to get related identities, then forbid any client to
* set supplementary group IDs. */
return false;
/* 3. Check the permission in the identities. */
- perm = mdt_identity_get_perm(uc->uc_identity, remote,
+ perm = mdt_identity_get_perm(uc->uc_identity,
mdt_info_req(info)->rq_peer.nid);
if (perm & CFS_SETGRP_PERM)
return true;
struct md_identity *identity = NULL;
lnet_nid_t peernid = req->rq_peer.nid;
__u32 perm = 0;
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
int setuid;
int setgid;
int rc = 0;
if ((ucred->uc_valid == UCRED_OLD) || (ucred->uc_valid == UCRED_NEW))
RETURN(0);
- if (!req->rq_auth_gss || req->rq_auth_usr_mdt || !req->rq_user_desc)
- RETURN(0);
-
- /* sanity check: if we use strong authentication, we expect the
- * uid which client claimed is true */
- if (remote) {
- if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_mapped_uid))) {
- CDEBUG(D_SEC, "remote user not mapped, deny access!\n");
- RETURN(-EACCES);
- }
+ if (!req->rq_auth_gss || req->rq_auth_usr_mdt || !req->rq_user_desc)
+ RETURN(0);
- if (ptlrpc_user_desc_do_idmap(req, pud))
- RETURN(-EACCES);
-
- if (req->rq_auth_mapped_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "remote client %s: auth/mapped uid %u/%u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- req->rq_auth_mapped_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- } else {
- if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
- req->rq_auth_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "local client %s: auth uid %u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- }
+ /* sanity check: if we use strong authentication, we expect the
+ * uid which client claimed is true */
+ if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
+ req->rq_auth_uid != pud->pud_uid) {
+ CDEBUG(D_SEC, "local client %s: auth uid %u "
+ "while client claims %u:%u/%u:%u\n",
+ libcfs_nid2str(peernid), req->rq_auth_uid,
+ pud->pud_uid, pud->pud_gid,
+ pud->pud_fsuid, pud->pud_fsgid);
+ RETURN(-EACCES);
+ }
- if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- if (remote) {
- CDEBUG(D_SEC, "remote client must run with identity_get "
- "enabled!\n");
- RETURN(-EACCES);
- }
- RETURN(0);
- }
+ if (is_identity_get_disabled(mdt->mdt_identity_cache))
+ RETURN(0);
- identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
- if (IS_ERR(identity)) {
- if (unlikely(PTR_ERR(identity) == -EREMCHG &&
- !remote)) {
- RETURN(0);
- } else {
- CDEBUG(D_SEC, "Deny access without identity: uid %u\n",
- pud->pud_uid);
- RETURN(-EACCES);
- }
- }
+ identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
+ if (IS_ERR(identity)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
+ RETURN(0);
+ } else {
+ CDEBUG(D_SEC, "Deny access without identity: uid %u\n",
+ pud->pud_uid);
+ RETURN(-EACCES);
+ }
+ }
- perm = mdt_identity_get_perm(identity, remote, peernid);
+ perm = mdt_identity_get_perm(identity, peernid);
/* find out the setuid/setgid attempt */
setuid = (pud->pud_uid != pud->pud_fsuid);
setgid = (pud->pud_gid != pud->pud_fsgid ||
if (tgt == NULL)
RETURN(-EFAULT);
} else {
- req_capsule_extend(pill, &RQF_MDS_REINT_CREATE_RMT_ACL);
+ req_capsule_extend(pill, &RQF_MDS_REINT_CREATE_ACL);
if (S_ISDIR(attr->la_mode) &&
req_capsule_get_size(pill, &RMF_EADATA, RCL_CLIENT) > 0) {
sp->u.sp_ea.eadata =
RETURN(-ENOENT);
}
- if (exp_connect_rmtclient(exp)) {
- void *buf = req_capsule_server_get(info->mti_pill, &RMF_ACL);
-
- rc = mdt_pack_remote_perm(info, o, buf);
- if (rc) {
- repbody->mbo_valid &= ~OBD_MD_FLRMTPERM;
- repbody->mbo_aclsize = 0;
- } else {
- repbody->mbo_valid |= OBD_MD_FLRMTPERM;
- repbody->mbo_aclsize = sizeof(struct mdt_remote_perm);
- }
- }
#ifdef CONFIG_FS_POSIX_ACL
- else if (exp_connect_flags(exp) & OBD_CONNECT_ACL) {
+ if (exp_connect_flags(exp) & OBD_CONNECT_ACL) {
struct lu_nodemap *nodemap = nodemap_get_from_exp(exp);
if (IS_ERR(nodemap))
RETURN(PTR_ERR(nodemap));
RETURN(size);
}
-static int
-mdt_getxattr_one(struct mdt_thread_info *info,
- char *xattr_name, struct md_object *next,
- struct lu_buf *buf, struct mdt_export_data *med,
- struct lu_ucred *uc)
-{
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
- int flags = CFS_IC_NOTHING, rc;
-
- ENTRY;
-
- CDEBUG(D_INODE, "getxattr %s\n", xattr_name);
-
- rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
- if (rc < 0)
- GOTO(out, rc);
-
- if (info->mti_body->mbo_valid &
- (OBD_MD_FLRMTLSETFACL | OBD_MD_FLRMTLGETFACL))
- flags = CFS_IC_ALL;
- else if (info->mti_body->mbo_valid & OBD_MD_FLRMTRGETFACL)
- flags = CFS_IC_MAPPED;
-
- if (rc > 0 && flags != CFS_IC_NOTHING) {
- int rc1;
-
- if (unlikely(!remote))
- GOTO(out, rc = -EINVAL);
-
- rc1 = lustre_posix_acl_xattr_id2client(uc,
- med->med_idmap,
- (posix_acl_xattr_header *)(buf->lb_buf),
- rc, flags);
- if (unlikely(rc1 < 0))
- rc = rc1;
- }
-
-out:
- return rc;
-}
-
static int mdt_getxattr_all(struct mdt_thread_info *info,
struct mdt_body *reqbody, struct mdt_body *repbody,
struct lu_buf *buf, struct md_object *next)
{
const struct lu_env *env = info->mti_env;
- struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_export_data *med = mdt_req2med(req);
- struct lu_ucred *uc = mdt_ucred(info);
char *v, *b, *eadatahead, *eadatatail;
__u32 *sizes;
int eadatasize, eavallen = 0, eavallens = 0, rc;
for (b = eadatahead; b < eadatatail; b += strlen(b) + 1, v += rc) {
buf->lb_buf = v;
buf->lb_len = reqbody->mbo_eadatasize - eavallen;
- rc = mdt_getxattr_one(info, b, next, buf, med, uc);
+ rc = mo_xattr_get(env, next, buf, b);
if (rc < 0)
GOTO(out_shrink, rc);
int mdt_getxattr(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_export_data *med = mdt_req2med(req);
- struct lu_ucred *uc = lu_ucred(info->mti_env);
struct mdt_body *reqbody;
struct mdt_body *repbody = NULL;
struct md_object *next;
struct lu_buf *buf;
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
- __u32 perm;
int easize, rc;
u64 valid;
ENTRY;
RETURN(err_serious(rc));
next = mdt_object_child(info->mti_object);
-
- if (info->mti_body->mbo_valid & OBD_MD_FLRMTRGETFACL) {
- if (unlikely(!remote))
- GOTO(out, rc = err_serious(-EINVAL));
-
- perm = mdt_identity_get_perm(uc->uc_identity, remote,
- req->rq_peer.nid);
- if (!(perm & CFS_RMTACL_PERM))
- GOTO(out, rc = err_serious(-EPERM));
-
- rc = mo_permission(info->mti_env, NULL, next, NULL,
- MAY_RGETFACL);
- if (rc)
- GOTO(out, rc = err_serious(rc));
- }
-
easize = mdt_getxattr_pack_reply(info);
if (easize < 0)
GOTO(out, rc = err_serious(easize));
if (valid == OBD_MD_FLXATTR) {
char *xattr_name = req_capsule_client_get(info->mti_pill,
&RMF_NAME);
- rc = mdt_getxattr_one(info, xattr_name, next, buf, med, uc);
+ rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
} else if (valid == OBD_MD_FLXATTRLS) {
CDEBUG(D_INODE, "listxattr\n");
return rc;
}
-static int mdt_rmtlsetfacl(struct mdt_thread_info *info,
- struct md_object *next,
- const char *xattr_name,
- ext_acl_xattr_header *header,
- posix_acl_xattr_header **out)
-{
- struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_export_data *med = mdt_req2med(req);
- struct lu_ucred *uc = mdt_ucred(info);
- struct lu_buf *buf = &info->mti_buf;
- int rc;
- ENTRY;
-
- rc = lustre_ext_acl_xattr_id2server(uc, med->med_idmap, header);
- if (rc)
- RETURN(rc);
-
- rc = mo_xattr_get(info->mti_env, next, &LU_BUF_NULL, xattr_name);
- if (rc == -ENODATA)
- rc = 0;
- else if (rc < 0)
- RETURN(rc);
-
- buf->lb_len = rc;
- if (buf->lb_len > 0) {
- OBD_ALLOC_LARGE(buf->lb_buf, buf->lb_len);
- if (unlikely(buf->lb_buf == NULL))
- RETURN(-ENOMEM);
-
- rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
- if (rc < 0) {
- CERROR("getxattr failed: %d\n", rc);
- GOTO(_out, rc);
- }
- } else
- buf->lb_buf = NULL;
-
- rc = lustre_acl_xattr_merge2posix((posix_acl_xattr_header *)(buf->lb_buf),
- buf->lb_len, header, out);
- EXIT;
-
-_out:
- if (rc <= 0 && buf->lb_buf != NULL)
- OBD_FREE_LARGE(buf->lb_buf, buf->lb_len);
- return rc;
-}
-
int mdt_reint_setxattr(struct mdt_thread_info *info,
struct mdt_lock_handle *unused)
{
struct ptlrpc_request *req = mdt_info_req(info);
- struct lu_ucred *uc = lu_ucred(info->mti_env);
struct mdt_lock_handle *lh;
const struct lu_env *env = info->mti_env;
struct lu_buf *buf = &info->mti_buf;
int xattr_len = rr->rr_eadatalen;
__u64 lockpart;
int rc;
- posix_acl_xattr_header *new_xattr = NULL;
- __u32 remote = exp_connect_rmtclient(info->mti_exp);
- __u32 perm;
ENTRY;
CDEBUG(D_INODE, "setxattr for "DFID": %s %s\n", PFID(rr->rr_fid1),
if (rc != 0)
RETURN(rc);
- if (valid & OBD_MD_FLRMTRSETFACL) {
- if (unlikely(!remote))
- GOTO(out, rc = err_serious(-EINVAL));
-
- perm = mdt_identity_get_perm(uc->uc_identity, remote,
- req->rq_peer.nid);
- if (!(perm & CFS_RMTACL_PERM))
- GOTO(out, rc = err_serious(-EPERM));
- }
-
if (strncmp(xattr_name, XATTR_USER_PREFIX,
sizeof(XATTR_USER_PREFIX) - 1) == 0) {
if (!(exp_connect_flags(req->rq_export) & OBD_CONNECT_XATTR))
attr->la_valid = LA_CTIME;
child = mdt_object_child(obj);
if (valid & OBD_MD_FLXATTR) {
- void *xattr = rr->rr_eadata;
int flags = 0;
- if (valid & OBD_MD_FLRMTLSETFACL) {
- if (unlikely(!remote))
- GOTO(out_unlock, rc = -EINVAL);
-
- xattr_len = mdt_rmtlsetfacl(info, child, xattr_name,
- xattr, &new_xattr);
- if (xattr_len < 0)
- GOTO(out_unlock, rc = xattr_len);
-
- xattr = new_xattr;
- }
-
if (attr->la_flags & XATTR_REPLACE)
flags |= LU_XATTR_REPLACE;
mdt_fail_write(env, info->mti_mdt->mdt_bottom,
OBD_FAIL_MDS_SETXATTR_WRITE);
- buf->lb_buf = xattr;
+ buf->lb_buf = rr->rr_eadata;
buf->lb_len = xattr_len;
rc = mo_xattr_set(env, child, buf, xattr_name, flags);
/* update ctime after xattr changed */
EXIT;
out_unlock:
mdt_object_unlock_put(info, obj, lh, rc);
- if (unlikely(new_xattr != NULL))
- lustre_posix_acl_xattr_free(new_xattr, xattr_len);
out:
mdt_exit_ucred(info);
return rc;
obdclass-all-objs += statfs_pack.o obdo.o obd_config.o obd_mount.o
obdclass-all-objs += lu_object.o dt_object.o
obdclass-all-objs += cl_object.o cl_page.o cl_lock.o cl_io.o lu_ref.o
-obdclass-all-objs += acl.o
obdclass-all-objs += linkea.o
obdclass-all-objs += kernelcomm.o
+@SERVER_TRUE@obdclass-all-objs += acl.o
@SERVER_TRUE@obdclass-all-objs += idmap.o
@SERVER_TRUE@obdclass-all-objs += upcall_cache.o
@SERVER_TRUE@obdclass-all-objs += lprocfs_jobstats.o
EXTRA_DIST = $(obdclass-all-objs:.o=.c) llog_test.c llog_internal.h
EXTRA_DIST += cl_internal.h local_storage.h
+@SERVER_FALSE@EXTRA_DIST += acl.c
@SERVER_FALSE@EXTRA_DIST += idmap.c
@SERVER_FALSE@EXTRA_DIST += upcall_cache.c
@SERVER_FALSE@EXTRA_DIST += lprocfs_jobstats.c
#ifdef CONFIG_FS_POSIX_ACL
-#define CFS_ACL_XATTR_VERSION POSIX_ACL_XATTR_VERSION
-
-enum {
- ES_UNK = 0, /* unknown stat */
- ES_UNC = 1, /* ACL entry is not changed */
- ES_MOD = 2, /* ACL entry is modified */
- ES_ADD = 3, /* ACL entry is added */
- ES_DEL = 4 /* ACL entry is deleted */
-};
-
-static inline void lustre_ext_acl_le_to_cpu(ext_acl_xattr_entry *d,
- ext_acl_xattr_entry *s)
-{
- d->e_tag = le16_to_cpu(s->e_tag);
- d->e_perm = le16_to_cpu(s->e_perm);
- d->e_id = le32_to_cpu(s->e_id);
- d->e_stat = le32_to_cpu(s->e_stat);
-}
-
-static inline void lustre_ext_acl_cpu_to_le(ext_acl_xattr_entry *d,
- ext_acl_xattr_entry *s)
-{
- d->e_tag = cpu_to_le16(s->e_tag);
- d->e_perm = cpu_to_le16(s->e_perm);
- d->e_id = cpu_to_le32(s->e_id);
- d->e_stat = cpu_to_le32(s->e_stat);
-}
-
static inline void lustre_posix_acl_le_to_cpu(posix_acl_xattr_entry *d,
posix_acl_xattr_entry *s)
{
d->e_id = le32_to_cpu(s->e_id);
}
-static inline void lustre_posix_acl_cpu_to_le(posix_acl_xattr_entry *d,
+/*static inline void lustre_posix_acl_cpu_to_le(posix_acl_xattr_entry *d,
posix_acl_xattr_entry *s)
{
d->e_tag = cpu_to_le16(s->e_tag);
d->e_perm = cpu_to_le16(s->e_perm);
d->e_id = cpu_to_le32(s->e_id);
-}
+}*/
-#ifdef HAVE_SERVER_SUPPORT
/*
* Check permission based on POSIX ACL.
*/
* Returns 0 if the acl can be exactly represented in the traditional
* file mode permission bits, or else 1. Returns -E... on error.
*/
- int
+int
lustre_posix_acl_equiv_mode(posix_acl_xattr_entry *entry, mode_t *mode_p,
- int count)
+ int count)
{
posix_acl_xattr_entry *pa, *pe;
mode_t mode = 0;
return not_equiv;
}
EXPORT_SYMBOL(lustre_posix_acl_create_masq);
-
-/*
- * Convert server-side uid/gid in the posix ACL items to the client-side ones.
- * convert rule:
- * @CFS_IC_NOTHING
- * nothing to be converted.
- * @CFS_IC_ALL
- * mapped ids are converted to client-side ones,
- * unmapped ones are converted to "nobody".
- * @CFS_IC_MAPPED
- * only mapped ids are converted to "nobody".
- * @CFS_IC_UNMAPPED
- * only unmapped ids are converted to "nobody".
- */
-int lustre_posix_acl_xattr_id2client(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- posix_acl_xattr_header *header,
- int size, int flags)
-{
- int count, i;
- __u32 id;
- ENTRY;
-
- if (unlikely(size < 0))
- RETURN(-EINVAL);
- else if (!size)
- RETURN(0);
-
- if (unlikely(flags == CFS_IC_NOTHING))
- RETURN(0);
-
- count = CFS_ACL_XATTR_COUNT(size, posix_acl_xattr);
- for (i = 0; i < count; i++) {
- id = le32_to_cpu(header->a_entries[i].e_id);
- switch (le16_to_cpu(header->a_entries[i].e_tag)) {
- case ACL_USER_OBJ:
- case ACL_GROUP_OBJ:
- case ACL_MASK:
- case ACL_OTHER:
- if (id != ACL_UNDEFINED_ID)
- RETURN(-EIO);
- break;
- case ACL_USER:
- id = lustre_idmap_lookup_uid(mu, t, 1, id);
- if (flags == CFS_IC_ALL) {
- if (id == CFS_IDMAP_NOTFOUND)
- id = NOBODY_UID;
- header->a_entries[i].e_id = cpu_to_le32(id);
- } else if (flags == CFS_IC_MAPPED) {
- if (id != CFS_IDMAP_NOTFOUND)
- header->a_entries[i].e_id =
- cpu_to_le32(NOBODY_UID);
- } else if (flags == CFS_IC_UNMAPPED) {
- if (id == CFS_IDMAP_NOTFOUND)
- header->a_entries[i].e_id =
- cpu_to_le32(NOBODY_UID);
- }
- break;
- case ACL_GROUP:
- id = lustre_idmap_lookup_gid(mu, t, 1, id);
- if (flags == CFS_IC_ALL) {
- if (id == CFS_IDMAP_NOTFOUND)
- id = NOBODY_GID;
- header->a_entries[i].e_id = cpu_to_le32(id);
- } else if (flags == CFS_IC_MAPPED) {
- if (id != CFS_IDMAP_NOTFOUND)
- header->a_entries[i].e_id =
- cpu_to_le32(NOBODY_GID);
- } else if (flags == CFS_IC_UNMAPPED) {
- if (id == CFS_IDMAP_NOTFOUND)
- header->a_entries[i].e_id =
- cpu_to_le32(NOBODY_GID);
- }
- break;
- default:
- RETURN(-EIO);
- }
- }
-
- RETURN(0);
-}
-EXPORT_SYMBOL(lustre_posix_acl_xattr_id2client);
-
-/*
- * Converts client-side uid/gid in the extended ACL items to server-side ones.
- * convert rule:
- * mapped ids are converted to server-side ones,
- * unmapped ones cause "EPERM" error.
- */
-int lustre_ext_acl_xattr_id2server(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- ext_acl_xattr_header *header)
-{
- int i, count = le32_to_cpu(header->a_count);
- __u32 id;
- ENTRY;
-
- for (i = 0; i < count; i++) {
- id = le32_to_cpu(header->a_entries[i].e_id);
- switch (le16_to_cpu(header->a_entries[i].e_tag)) {
- case ACL_USER_OBJ:
- case ACL_GROUP_OBJ:
- case ACL_MASK:
- case ACL_OTHER:
- if (id != ACL_UNDEFINED_ID)
- RETURN(-EIO);
- break;
- case ACL_USER:
- id = lustre_idmap_lookup_uid(mu, t, 0, id);
- if (id == CFS_IDMAP_NOTFOUND)
- RETURN(-EPERM);
- else
- header->a_entries[i].e_id = cpu_to_le32(id);
- break;
- case ACL_GROUP:
- id = lustre_idmap_lookup_gid(mu, t, 0, id);
- if (id == CFS_IDMAP_NOTFOUND)
- RETURN(-EPERM);
- else
- header->a_entries[i].e_id = cpu_to_le32(id);
- break;
- default:
- RETURN(-EIO);
- }
- }
-
- RETURN(0);
-}
-EXPORT_SYMBOL(lustre_ext_acl_xattr_id2server);
-#endif /* HAVE_SERVER_SUPPORT */
-
-/* if "new_count == 0", then "new = {a_version, NULL}", NOT NULL. */
-static int lustre_posix_acl_xattr_reduce_space(posix_acl_xattr_header **header,
- int old_count, int new_count)
-{
- int old_size = CFS_ACL_XATTR_SIZE(old_count, posix_acl_xattr);
- int new_size = CFS_ACL_XATTR_SIZE(new_count, posix_acl_xattr);
- posix_acl_xattr_header *new;
-
- if (unlikely(old_count <= new_count))
- return old_size;
-
- OBD_ALLOC(new, new_size);
- if (unlikely(new == NULL))
- return -ENOMEM;
-
- memcpy(new, *header, new_size);
- OBD_FREE(*header, old_size);
- *header = new;
- return new_size;
-}
-
-/* if "new_count == 0", then "new = {0, NULL}", NOT NULL. */
-static int lustre_ext_acl_xattr_reduce_space(ext_acl_xattr_header **header,
- int old_count)
-{
- int ext_count = le32_to_cpu((*header)->a_count);
- int ext_size = CFS_ACL_XATTR_SIZE(ext_count, ext_acl_xattr);
- int old_size = CFS_ACL_XATTR_SIZE(old_count, ext_acl_xattr);
- ext_acl_xattr_header *new;
-
- if (unlikely(old_count <= ext_count))
- return 0;
-
- OBD_ALLOC(new, ext_size);
- if (unlikely(new == NULL))
- return -ENOMEM;
-
- memcpy(new, *header, ext_size);
- OBD_FREE(*header, old_size);
- *header = new;
- return 0;
-}
-
-/*
- * Generate new extended ACL based on the posix ACL.
- */
-ext_acl_xattr_header *
-lustre_posix_acl_xattr_2ext(posix_acl_xattr_header *header, int size)
-{
- int count, i, esize;
- ext_acl_xattr_header *new;
- ENTRY;
-
- if (unlikely(size < 0))
- RETURN(ERR_PTR(-EINVAL));
- else if (!size)
- count = 0;
- else
- count = CFS_ACL_XATTR_COUNT(size, posix_acl_xattr);
- esize = CFS_ACL_XATTR_SIZE(count, ext_acl_xattr);
- OBD_ALLOC(new, esize);
- if (unlikely(new == NULL))
- RETURN(ERR_PTR(-ENOMEM));
-
- new->a_count = cpu_to_le32(count);
- for (i = 0; i < count; i++) {
- new->a_entries[i].e_tag = header->a_entries[i].e_tag;
- new->a_entries[i].e_perm = header->a_entries[i].e_perm;
- new->a_entries[i].e_id = header->a_entries[i].e_id;
- new->a_entries[i].e_stat = cpu_to_le32(ES_UNK);
- }
-
- RETURN(new);
-}
-EXPORT_SYMBOL(lustre_posix_acl_xattr_2ext);
-
-/*
- * Filter out the "nobody" entries in the posix ACL.
- */
-int lustre_posix_acl_xattr_filter(posix_acl_xattr_header *header, int size,
- posix_acl_xattr_header **out)
-{
- int count, i, j, rc = 0;
- __u32 id;
- posix_acl_xattr_header *new;
- ENTRY;
-
- if (unlikely(size < 0))
- RETURN(-EINVAL);
- else if (!size)
- RETURN(0);
-
- OBD_ALLOC(new, size);
- if (unlikely(new == NULL))
- RETURN(-ENOMEM);
-
- new->a_version = cpu_to_le32(CFS_ACL_XATTR_VERSION);
- count = CFS_ACL_XATTR_COUNT(size, posix_acl_xattr);
- for (i = 0, j = 0; i < count; i++) {
- id = le32_to_cpu(header->a_entries[i].e_id);
- switch (le16_to_cpu(header->a_entries[i].e_tag)) {
- case ACL_USER_OBJ:
- case ACL_GROUP_OBJ:
- case ACL_MASK:
- case ACL_OTHER:
- if (id != ACL_UNDEFINED_ID)
- GOTO(_out, rc = -EIO);
-
- memcpy(&new->a_entries[j++], &header->a_entries[i],
- sizeof(posix_acl_xattr_entry));
- break;
- case ACL_USER:
- if (id != NOBODY_UID)
- memcpy(&new->a_entries[j++],
- &header->a_entries[i],
- sizeof(posix_acl_xattr_entry));
- break;
- case ACL_GROUP:
- if (id != NOBODY_GID)
- memcpy(&new->a_entries[j++],
- &header->a_entries[i],
- sizeof(posix_acl_xattr_entry));
- break;
- default:
- GOTO(_out, rc = -EIO);
- }
- }
-
- /* free unused space. */
- rc = lustre_posix_acl_xattr_reduce_space(&new, count, j);
- if (rc >= 0) {
- size = rc;
- *out = new;
- rc = 0;
- }
- EXIT;
-
-_out:
- if (rc) {
- OBD_FREE(new, size);
- size = rc;
- }
- return size;
-}
-EXPORT_SYMBOL(lustre_posix_acl_xattr_filter);
-
-/*
- * Release the posix ACL space.
- */
-void lustre_posix_acl_xattr_free(posix_acl_xattr_header *header, int size)
-{
- OBD_FREE(header, size);
-}
-EXPORT_SYMBOL(lustre_posix_acl_xattr_free);
-
-/*
- * Release the extended ACL space.
- */
-void lustre_ext_acl_xattr_free(ext_acl_xattr_header *header)
-{
- OBD_FREE(header, CFS_ACL_XATTR_SIZE(le32_to_cpu(header->a_count), \
- ext_acl_xattr));
-}
-EXPORT_SYMBOL(lustre_ext_acl_xattr_free);
-
-static ext_acl_xattr_entry *
-lustre_ext_acl_xattr_search(ext_acl_xattr_header *header,
- posix_acl_xattr_entry *entry, int *pos)
-{
- int once, start, end, i, j, count = le32_to_cpu(header->a_count);
-
- once = 0;
- start = *pos;
- end = count;
-
-again:
- for (i = start; i < end; i++) {
- if (header->a_entries[i].e_tag == entry->e_tag &&
- header->a_entries[i].e_id == entry->e_id) {
- j = i;
- if (++i >= count)
- i = 0;
- *pos = i;
- return &header->a_entries[j];
- }
- }
-
- if (!once) {
- once = 1;
- start = 0;
- end = *pos;
- goto again;
- }
-
- return NULL;
-}
-
-/*
- * Merge the posix ACL and the extended ACL into new posix ACL.
- */
-int lustre_acl_xattr_merge2posix(posix_acl_xattr_header *posix_header, int size,
- ext_acl_xattr_header *ext_header,
- posix_acl_xattr_header **out)
-{
- int posix_count, posix_size, i, j;
- int ext_count = le32_to_cpu(ext_header->a_count), pos = 0, rc = 0;
- posix_acl_xattr_entry pe = {ACL_MASK, 0, ACL_UNDEFINED_ID};
- posix_acl_xattr_header *new;
- ext_acl_xattr_entry *ee, ae;
- ENTRY;
-
- lustre_posix_acl_cpu_to_le(&pe, &pe);
- ee = lustre_ext_acl_xattr_search(ext_header, &pe, &pos);
- if (ee == NULL || le32_to_cpu(ee->e_stat) == ES_DEL) {
- /* there are only base ACL entries at most. */
- posix_count = 3;
- posix_size = CFS_ACL_XATTR_SIZE(posix_count, posix_acl_xattr);
- OBD_ALLOC(new, posix_size);
- if (unlikely(new == NULL))
- RETURN(-ENOMEM);
-
- new->a_version = cpu_to_le32(CFS_ACL_XATTR_VERSION);
- for (i = 0, j = 0; i < ext_count; i++) {
- lustre_ext_acl_le_to_cpu(&ae,
- &ext_header->a_entries[i]);
- switch (ae.e_tag) {
- case ACL_USER_OBJ:
- case ACL_GROUP_OBJ:
- case ACL_OTHER:
- if (ae.e_id != ACL_UNDEFINED_ID)
- GOTO(_out, rc = -EIO);
-
- if (ae.e_stat != ES_DEL) {
- new->a_entries[j].e_tag =
- ext_header->a_entries[i].e_tag;
- new->a_entries[j].e_perm =
- ext_header->a_entries[i].e_perm;
- new->a_entries[j++].e_id =
- ext_header->a_entries[i].e_id;
- }
- break;
- case ACL_MASK:
- case ACL_USER:
- case ACL_GROUP:
- if (ae.e_stat == ES_DEL)
- break;
- default:
- GOTO(_out, rc = -EIO);
- }
- }
- } else {
- /* maybe there are valid ACL_USER or ACL_GROUP entries in the
- * original server-side ACL, they are regarded as ES_UNC stat.*/
- int ori_posix_count;
-
- if (unlikely(size < 0))
- RETURN(-EINVAL);
- else if (!size)
- ori_posix_count = 0;
- else
- ori_posix_count =
- CFS_ACL_XATTR_COUNT(size, posix_acl_xattr);
- posix_count = ori_posix_count + ext_count;
- posix_size =
- CFS_ACL_XATTR_SIZE(posix_count, posix_acl_xattr);
- OBD_ALLOC(new, posix_size);
- if (unlikely(new == NULL))
- RETURN(-ENOMEM);
-
- new->a_version = cpu_to_le32(CFS_ACL_XATTR_VERSION);
- /* 1. process the unchanged ACL entries
- * in the original server-side ACL. */
- pos = 0;
- for (i = 0, j = 0; i < ori_posix_count; i++) {
- ee = lustre_ext_acl_xattr_search(ext_header,
- &posix_header->a_entries[i], &pos);
- if (ee == NULL)
- memcpy(&new->a_entries[j++],
- &posix_header->a_entries[i],
- sizeof(posix_acl_xattr_entry));
- }
-
- /* 2. process the non-deleted entries
- * from client-side extended ACL. */
- for (i = 0; i < ext_count; i++) {
- if (le16_to_cpu(ext_header->a_entries[i].e_stat) !=
- ES_DEL) {
- new->a_entries[j].e_tag =
- ext_header->a_entries[i].e_tag;
- new->a_entries[j].e_perm =
- ext_header->a_entries[i].e_perm;
- new->a_entries[j++].e_id =
- ext_header->a_entries[i].e_id;
- }
- }
- }
-
- /* free unused space. */
- rc = lustre_posix_acl_xattr_reduce_space(&new, posix_count, j);
- if (rc >= 0) {
- posix_size = rc;
- *out = new;
- rc = 0;
- }
- EXIT;
-
-_out:
- if (rc) {
- OBD_FREE(new, posix_size);
- posix_size = rc;
- }
- return posix_size;
-}
-EXPORT_SYMBOL(lustre_acl_xattr_merge2posix);
-
-/*
- * Merge the posix ACL and the extended ACL into new extended ACL.
- */
-ext_acl_xattr_header *
-lustre_acl_xattr_merge2ext(posix_acl_xattr_header *posix_header, int size,
- ext_acl_xattr_header *ext_header)
-{
- int ori_ext_count, posix_count, ext_count, ext_size;
- int i, j, pos = 0, rc = 0;
- posix_acl_xattr_entry pae;
- ext_acl_xattr_header *new;
- ext_acl_xattr_entry *ee, eae;
- ENTRY;
-
- if (unlikely(size < 0))
- RETURN(ERR_PTR(-EINVAL));
- else if (!size)
- posix_count = 0;
- else
- posix_count = CFS_ACL_XATTR_COUNT(size, posix_acl_xattr);
- ori_ext_count = le32_to_cpu(ext_header->a_count);
- ext_count = posix_count + ori_ext_count;
- ext_size = CFS_ACL_XATTR_SIZE(ext_count, ext_acl_xattr);
-
- OBD_ALLOC(new, ext_size);
- if (unlikely(new == NULL))
- RETURN(ERR_PTR(-ENOMEM));
-
- for (i = 0, j = 0; i < posix_count; i++) {
- lustre_posix_acl_le_to_cpu(&pae, &posix_header->a_entries[i]);
- switch (pae.e_tag) {
- case ACL_USER_OBJ:
- case ACL_GROUP_OBJ:
- case ACL_MASK:
- case ACL_OTHER:
- if (pae.e_id != ACL_UNDEFINED_ID)
- GOTO(out, rc = -EIO);
- case ACL_USER:
- /* ignore "nobody" entry. */
- if (pae.e_id == NOBODY_UID)
- break;
-
- new->a_entries[j].e_tag =
- posix_header->a_entries[i].e_tag;
- new->a_entries[j].e_perm =
- posix_header->a_entries[i].e_perm;
- new->a_entries[j].e_id =
- posix_header->a_entries[i].e_id;
- ee = lustre_ext_acl_xattr_search(ext_header,
- &posix_header->a_entries[i], &pos);
- if (ee) {
- if (posix_header->a_entries[i].e_perm !=
- ee->e_perm)
- /* entry modified. */
- ee->e_stat =
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_MOD);
- else
- /* entry unchanged. */
- ee->e_stat =
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_UNC);
- } else {
- /* new entry. */
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_ADD);
- }
- break;
- case ACL_GROUP:
- /* ignore "nobody" entry. */
- if (pae.e_id == NOBODY_GID)
- break;
- new->a_entries[j].e_tag =
- posix_header->a_entries[i].e_tag;
- new->a_entries[j].e_perm =
- posix_header->a_entries[i].e_perm;
- new->a_entries[j].e_id =
- posix_header->a_entries[i].e_id;
- ee = lustre_ext_acl_xattr_search(ext_header,
- &posix_header->a_entries[i], &pos);
- if (ee) {
- if (posix_header->a_entries[i].e_perm !=
- ee->e_perm)
- /* entry modified. */
- ee->e_stat =
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_MOD);
- else
- /* entry unchanged. */
- ee->e_stat =
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_UNC);
- } else {
- /* new entry. */
- new->a_entries[j++].e_stat =
- cpu_to_le32(ES_ADD);
- }
- break;
- default:
- GOTO(out, rc = -EIO);
- }
- }
-
- /* process deleted entries. */
- for (i = 0; i < ori_ext_count; i++) {
- lustre_ext_acl_le_to_cpu(&eae, &ext_header->a_entries[i]);
- if (eae.e_stat == ES_UNK) {
- /* ignore "nobody" entry. */
- if ((eae.e_tag == ACL_USER && eae.e_id == NOBODY_UID) ||
- (eae.e_tag == ACL_GROUP && eae.e_id == NOBODY_GID))
- continue;
-
- new->a_entries[j].e_tag =
- ext_header->a_entries[i].e_tag;
- new->a_entries[j].e_perm =
- ext_header->a_entries[i].e_perm;
- new->a_entries[j].e_id = ext_header->a_entries[i].e_id;
- new->a_entries[j++].e_stat = cpu_to_le32(ES_DEL);
- }
- }
-
- new->a_count = cpu_to_le32(j);
- /* free unused space. */
- rc = lustre_ext_acl_xattr_reduce_space(&new, ext_count);
- EXIT;
-
-out:
- if (rc) {
- OBD_FREE(new, ext_size);
- new = ERR_PTR(rc);
- }
- return new;
-}
-EXPORT_SYMBOL(lustre_acl_xattr_merge2ext);
-
#endif
return rc;
}
EXPORT_SYMBOL(lustre_in_group_p);
-
-struct lustre_idmap_entry {
- struct list_head lie_rmt_uid_hash; /* hashed as lie_rmt_uid; */
- struct list_head lie_lcl_uid_hash; /* hashed as lie_lcl_uid; */
- struct list_head lie_rmt_gid_hash; /* hashed as lie_rmt_gid; */
- struct list_head lie_lcl_gid_hash; /* hashed as lie_lcl_gid; */
- uid_t lie_rmt_uid; /* remote uid */
- uid_t lie_lcl_uid; /* local uid */
- gid_t lie_rmt_gid; /* remote gid */
- gid_t lie_lcl_gid; /* local gid */
-};
-
-static inline __u32 lustre_idmap_hashfunc(__u32 id)
-{
- return id & (CFS_IDMAP_HASHSIZE - 1);
-}
-
-static
-struct lustre_idmap_entry *idmap_entry_alloc(uid_t rmt_uid, uid_t lcl_uid,
- gid_t rmt_gid, gid_t lcl_gid)
-{
- struct lustre_idmap_entry *e;
-
- OBD_ALLOC_PTR(e);
- if (e == NULL)
- return NULL;
-
- INIT_LIST_HEAD(&e->lie_rmt_uid_hash);
- INIT_LIST_HEAD(&e->lie_lcl_uid_hash);
- INIT_LIST_HEAD(&e->lie_rmt_gid_hash);
- INIT_LIST_HEAD(&e->lie_lcl_gid_hash);
- e->lie_rmt_uid = rmt_uid;
- e->lie_lcl_uid = lcl_uid;
- e->lie_rmt_gid = rmt_gid;
- e->lie_lcl_gid = lcl_gid;
-
- return e;
-}
-
-static void idmap_entry_free(struct lustre_idmap_entry *e)
-{
- list_del(&e->lie_rmt_uid_hash);
- list_del(&e->lie_lcl_uid_hash);
- list_del(&e->lie_rmt_gid_hash);
- list_del(&e->lie_lcl_gid_hash);
- OBD_FREE_PTR(e);
-}
-
-/*
- * return value
- * NULL: not found entry
- * ERR_PTR(-EACCES): found 1(remote):N(local) mapped entry
- * others: found normal entry
- */
-static
-struct lustre_idmap_entry *idmap_search_entry(struct lustre_idmap_table *t,
- uid_t rmt_uid, uid_t lcl_uid,
- gid_t rmt_gid, gid_t lcl_gid)
-{
- struct list_head *head;
- struct lustre_idmap_entry *e;
-
- head = &t->lit_idmaps[RMT_UIDMAP_IDX][lustre_idmap_hashfunc(rmt_uid)];
- list_for_each_entry(e, head, lie_rmt_uid_hash)
- if (e->lie_rmt_uid == rmt_uid) {
- if (e->lie_lcl_uid == lcl_uid) {
- if (e->lie_rmt_gid == rmt_gid &&
- e->lie_lcl_gid == lcl_gid)
- /* must be quaternion match */
- return e;
- } else {
- /* 1:N uid mapping */
- CERROR("rmt uid %u already be mapped to %u"
- " (new %u)\n", e->lie_rmt_uid,
- e->lie_lcl_uid, lcl_uid);
- return ERR_PTR(-EACCES);
- }
- }
-
- head = &t->lit_idmaps[RMT_GIDMAP_IDX][lustre_idmap_hashfunc(rmt_gid)];
- list_for_each_entry(e, head, lie_rmt_gid_hash)
- if (e->lie_rmt_gid == rmt_gid) {
- if (e->lie_lcl_gid == lcl_gid) {
- if (unlikely(e->lie_rmt_uid == rmt_uid &&
- e->lie_lcl_uid == lcl_uid))
- /* after uid mapping search above,
- * we should never come here */
- LBUG();
- } else {
- /* 1:N gid mapping */
- CERROR("rmt gid %u already be mapped to %u"
- " (new %u)\n", e->lie_rmt_gid,
- e->lie_lcl_gid, lcl_gid);
- return ERR_PTR(-EACCES);
- }
- }
-
- return NULL;
-}
-
-static __u32 idmap_lookup_uid(struct list_head *hash, int reverse,
- __u32 uid)
-{
- struct list_head *head = &hash[lustre_idmap_hashfunc(uid)];
- struct lustre_idmap_entry *e;
-
- if (!reverse) {
- list_for_each_entry(e, head, lie_rmt_uid_hash)
- if (e->lie_rmt_uid == uid)
- return e->lie_lcl_uid;
- } else {
- list_for_each_entry(e, head, lie_lcl_uid_hash)
- if (e->lie_lcl_uid == uid)
- return e->lie_rmt_uid;
- }
-
- return CFS_IDMAP_NOTFOUND;
-}
-
-static __u32 idmap_lookup_gid(struct list_head *hash, int reverse, __u32 gid)
-{
- struct list_head *head = &hash[lustre_idmap_hashfunc(gid)];
- struct lustre_idmap_entry *e;
-
- if (!reverse) {
- list_for_each_entry(e, head, lie_rmt_gid_hash)
- if (e->lie_rmt_gid == gid)
- return e->lie_lcl_gid;
- } else {
- list_for_each_entry(e, head, lie_lcl_gid_hash)
- if (e->lie_lcl_gid == gid)
- return e->lie_rmt_gid;
- }
-
- return CFS_IDMAP_NOTFOUND;
-}
-
-int lustre_idmap_add(struct lustre_idmap_table *t,
- uid_t ruid, uid_t luid,
- gid_t rgid, gid_t lgid)
-{
- struct lustre_idmap_entry *e0, *e1;
-
- LASSERT(t);
-
- spin_lock(&t->lit_lock);
- e0 = idmap_search_entry(t, ruid, luid, rgid, lgid);
- spin_unlock(&t->lit_lock);
- if (!e0) {
- e0 = idmap_entry_alloc(ruid, luid, rgid, lgid);
- if (!e0)
- return -ENOMEM;
-
- spin_lock(&t->lit_lock);
- e1 = idmap_search_entry(t, ruid, luid, rgid, lgid);
- if (e1 == NULL) {
- list_add_tail(&e0->lie_rmt_uid_hash,
- &t->lit_idmaps[RMT_UIDMAP_IDX]
- [lustre_idmap_hashfunc(ruid)]);
- list_add_tail(&e0->lie_lcl_uid_hash,
- &t->lit_idmaps[LCL_UIDMAP_IDX]
- [lustre_idmap_hashfunc(luid)]);
- list_add_tail(&e0->lie_rmt_gid_hash,
- &t->lit_idmaps[RMT_GIDMAP_IDX]
- [lustre_idmap_hashfunc(rgid)]);
- list_add_tail(&e0->lie_lcl_gid_hash,
- &t->lit_idmaps[LCL_GIDMAP_IDX]
- [lustre_idmap_hashfunc(lgid)]);
- }
- spin_unlock(&t->lit_lock);
- if (e1 != NULL) {
- idmap_entry_free(e0);
- if (IS_ERR(e1))
- return PTR_ERR(e1);
- }
- } else if (IS_ERR(e0)) {
- return PTR_ERR(e0);
- }
-
- return 0;
-}
-EXPORT_SYMBOL(lustre_idmap_add);
-
-int lustre_idmap_del(struct lustre_idmap_table *t,
- uid_t ruid, uid_t luid,
- gid_t rgid, gid_t lgid)
-{
- struct lustre_idmap_entry *e;
- int rc = 0;
-
- LASSERT(t);
-
- spin_lock(&t->lit_lock);
- e = idmap_search_entry(t, ruid, luid, rgid, lgid);
- if (IS_ERR(e))
- rc = PTR_ERR(e);
- else if (e)
- idmap_entry_free(e);
- spin_unlock(&t->lit_lock);
-
- return rc;
-}
-EXPORT_SYMBOL(lustre_idmap_del);
-
-int lustre_idmap_lookup_uid(struct lu_ucred *mu,
- struct lustre_idmap_table *t,
- int reverse, uid_t uid)
-{
- struct list_head *hash;
-
- if (mu && (mu->uc_valid == UCRED_OLD || mu->uc_valid == UCRED_NEW)) {
- if (!reverse) {
- if (uid == mu->uc_o_uid)
- return mu->uc_uid;
- else if (uid == mu->uc_o_fsuid)
- return mu->uc_fsuid;
- } else {
- if (uid == mu->uc_uid)
- return mu->uc_o_uid;
- else if (uid == mu->uc_fsuid)
- return mu->uc_o_fsuid;
- }
- }
-
- if (t == NULL)
- return CFS_IDMAP_NOTFOUND;
-
- hash = t->lit_idmaps[reverse ? LCL_UIDMAP_IDX : RMT_UIDMAP_IDX];
-
- spin_lock(&t->lit_lock);
- uid = idmap_lookup_uid(hash, reverse, uid);
- spin_unlock(&t->lit_lock);
-
- return uid;
-}
-EXPORT_SYMBOL(lustre_idmap_lookup_uid);
-
-int lustre_idmap_lookup_gid(struct lu_ucred *mu, struct lustre_idmap_table *t,
- int reverse, gid_t gid)
-{
- struct list_head *hash;
-
- if (mu && (mu->uc_valid == UCRED_OLD || mu->uc_valid == UCRED_NEW)) {
- if (!reverse) {
- if (gid == mu->uc_o_gid)
- return mu->uc_gid;
- else if (gid == mu->uc_o_fsgid)
- return mu->uc_fsgid;
- } else {
- if (gid == mu->uc_gid)
- return mu->uc_o_gid;
- else if (gid == mu->uc_fsgid)
- return mu->uc_o_fsgid;
- }
- }
-
- if (t == NULL)
- return CFS_IDMAP_NOTFOUND;
-
- hash = t->lit_idmaps[reverse ? LCL_GIDMAP_IDX : RMT_GIDMAP_IDX];
-
- spin_lock(&t->lit_lock);
- gid = idmap_lookup_gid(hash, reverse, gid);
- spin_unlock(&t->lit_lock);
-
- return gid;
-}
-EXPORT_SYMBOL(lustre_idmap_lookup_gid);
-
-struct lustre_idmap_table *lustre_idmap_init(void)
-{
- struct lustre_idmap_table *t;
- int i, j;
-
- OBD_ALLOC_PTR(t);
- if(unlikely(t == NULL))
- return (ERR_PTR(-ENOMEM));
-
- spin_lock_init(&t->lit_lock);
- for (i = 0; i < ARRAY_SIZE(t->lit_idmaps); i++)
- for (j = 0; j < ARRAY_SIZE(t->lit_idmaps[i]); j++)
- INIT_LIST_HEAD(&t->lit_idmaps[i][j]);
-
- return t;
-}
-EXPORT_SYMBOL(lustre_idmap_init);
-
-void lustre_idmap_fini(struct lustre_idmap_table *t)
-{
- struct list_head *list;
- struct lustre_idmap_entry *e;
- int i;
- LASSERT(t);
-
- list = t->lit_idmaps[RMT_UIDMAP_IDX];
- spin_lock(&t->lit_lock);
- for (i = 0; i < CFS_IDMAP_HASHSIZE; i++)
- while (!list_empty(&list[i])) {
- e = list_entry(list[i].next,
- struct lustre_idmap_entry,
- lie_rmt_uid_hash);
- idmap_entry_free(e);
- }
- spin_unlock(&t->lit_lock);
-
- OBD_FREE_PTR(t);
-}
-EXPORT_SYMBOL(lustre_idmap_fini);
LPROCFS_MD_OP_INIT(num_private_stats, stats, set_lock_data);
LPROCFS_MD_OP_INIT(num_private_stats, stats, lock_match);
LPROCFS_MD_OP_INIT(num_private_stats, stats, cancel_unused);
- LPROCFS_MD_OP_INIT(num_private_stats, stats, get_remote_perm);
LPROCFS_MD_OP_INIT(num_private_stats, stats, intent_getattr_async);
LPROCFS_MD_OP_INIT(num_private_stats, stats, revalidate_lock);
}
obdo_from_la(&repbody->oa, &fti->fti_attr,
OFD_VALID_FLAGS | LA_UID | LA_GID);
- tgt_drop_id(tsi->tsi_exp, &repbody->oa);
/* Store object version in reply */
curr_version = dt_version_get(tsi->tsi_env,
obdo_from_la(&repbody->oa, &fti->fti_attr,
OFD_VALID_FLAGS | LA_UID | LA_GID);
- tgt_drop_id(tsi->tsi_exp, &repbody->oa);
ofd_counter_incr(tsi->tsi_exp, LPROC_OFD_STATS_SETATTR,
tsi->tsi_jobid, 1);
lnb[j+k].lnb_flags = rnb[i].rnb_flags;
if (!(rnb[i].rnb_flags & OBD_BRW_GRANTED))
lnb[j+k].lnb_rc = -ENOSPC;
-
- /* remote client can't break through quota */
- if (exp_connect_rmtclient(exp))
- lnb[j+k].lnb_flags &= ~OBD_BRW_NOQUOTA;
}
j += rc;
*nr_local += rc;
oap->oap_obj_off = offset;
LASSERT(!(offset & ~PAGE_MASK));
- if (!client_is_remote(exp) && cfs_capable(CFS_CAP_SYS_RESOURCE))
+ if (cfs_capable(CFS_CAP_SYS_RESOURCE))
oap->oap_brw_flags = OBD_BRW_NOQUOTA;
INIT_LIST_HEAD(&oap->oap_pending_item);
/* Set the OBD_BRW_SRVLOCK before the page is queued. */
brw_flags |= ops->ops_srvlock ? OBD_BRW_SRVLOCK : 0;
- if (!client_is_remote(osc_export(osc)) &&
- cfs_capable(CFS_CAP_SYS_RESOURCE)) {
+ if (cfs_capable(CFS_CAP_SYS_RESOURCE)) {
brw_flags |= OBD_BRW_NOQUOTA;
cmd |= OBD_BRW_NOQUOTA;
}
enum cl_req_type crt, int brw_flags)
{
struct osc_async_page *oap = &opg->ops_oap;
- struct osc_object *obj = oap->oap_obj;
LINVRNT(osc_page_protected(env, opg,
crt == CRT_WRITE ? CLM_WRITE : CLM_READ, 1));
oap->oap_count = opg->ops_to - opg->ops_from;
oap->oap_brw_flags = OBD_BRW_SYNC | brw_flags;
- if (!client_is_remote(osc_export(obj)) &&
- cfs_capable(CFS_CAP_SYS_RESOURCE)) {
+ if (cfs_capable(CFS_CAP_SYS_RESOURCE)) {
oap->oap_brw_flags |= OBD_BRW_NOQUOTA;
oap->oap_cmd |= OBD_BRW_NOQUOTA;
}
LASSERT (grctx->src_ctx);
req->rq_auth_gss = 1;
- req->rq_auth_remote = grctx->src_ctx->gsc_remote;
req->rq_auth_usr_mdt = grctx->src_ctx->gsc_usr_mds;
req->rq_auth_usr_ost = grctx->src_ctx->gsc_usr_oss;
req->rq_auth_usr_root = grctx->src_ctx->gsc_usr_root;
&RMF_DLM_REQ
};
-static const struct req_msg_field *mds_reint_create_rmt_acl_client[] = {
+static const struct req_msg_field *mds_reint_create_acl_client[] = {
&RMF_PTLRPC_BODY,
&RMF_REC_REINT,
&RMF_CAPA1,
&RQF_MDS_SYNC,
&RQF_MDS_CLOSE,
&RQF_MDS_INTENT_CLOSE,
- &RQF_MDS_READPAGE,
- &RQF_MDS_REINT,
- &RQF_MDS_REINT_CREATE,
- &RQF_MDS_REINT_CREATE_RMT_ACL,
+ &RQF_MDS_READPAGE,
+ &RQF_MDS_REINT,
+ &RQF_MDS_REINT_CREATE,
+ &RQF_MDS_REINT_CREATE_ACL,
&RQF_MDS_REINT_CREATE_SLAVE,
&RQF_MDS_REINT_CREATE_SYM,
&RQF_MDS_REINT_OPEN,
mds_reint_create_client, mdt_body_capa);
EXPORT_SYMBOL(RQF_MDS_REINT_CREATE);
-struct req_format RQF_MDS_REINT_CREATE_RMT_ACL =
- DEFINE_REQ_FMT0("MDS_REINT_CREATE_RMT_ACL",
- mds_reint_create_rmt_acl_client, mdt_body_capa);
-EXPORT_SYMBOL(RQF_MDS_REINT_CREATE_RMT_ACL);
+struct req_format RQF_MDS_REINT_CREATE_ACL =
+ DEFINE_REQ_FMT0("MDS_REINT_CREATE_ACL",
+ mds_reint_create_acl_client, mdt_body_capa);
+EXPORT_SYMBOL(RQF_MDS_REINT_CREATE_ACL);
struct req_format RQF_MDS_REINT_CREATE_SLAVE =
DEFINE_REQ_FMT0("MDS_REINT_CREATE_EA",
lustre_swab_obd_dqblk (&q->qc_dqblk);
}
-void lustre_swab_mdt_remote_perm (struct mdt_remote_perm *p)
-{
- __swab32s (&p->rp_uid);
- __swab32s (&p->rp_gid);
- __swab32s (&p->rp_fsuid);
- __swab32s (&p->rp_fsuid_h);
- __swab32s (&p->rp_fsgid);
- __swab32s (&p->rp_fsgid_h);
- __swab32s (&p->rp_access_perm);
- __swab32s (&p->rp_padding);
-};
-EXPORT_SYMBOL(lustre_swab_mdt_remote_perm);
-
void lustre_swab_fid2path(struct getinfo_fid2path *gf)
{
lustre_swab_lu_fid(&gf->gf_fid);
OBD_MD_FLXATTRRM);
LASSERTF(OBD_MD_FLACL == (0x0000008000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLACL);
- LASSERTF(OBD_MD_FLRMTPERM == (0x0000010000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTPERM);
LASSERTF(OBD_MD_FLMDSCAPA == (0x0000020000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLMDSCAPA);
LASSERTF(OBD_MD_FLOSSCAPA == (0x0000040000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLCROSSREF);
LASSERTF(OBD_MD_FLGETATTRLOCK == (0x0000200000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLGETATTRLOCK);
- LASSERTF(OBD_MD_FLRMTLSETFACL == (0x0001000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTLSETFACL);
- LASSERTF(OBD_MD_FLRMTLGETFACL == (0x0002000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTLGETFACL);
- LASSERTF(OBD_MD_FLRMTRSETFACL == (0x0004000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTRSETFACL);
- LASSERTF(OBD_MD_FLRMTRGETFACL == (0x0008000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTRGETFACL);
LASSERTF(OBD_MD_FLDATAVERSION == (0x0010000000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLDATAVERSION);
CLASSERT(OBD_FL_INLINEDATA == 0x00000001);
LASSERTF((int)sizeof(((struct mdt_ioepoch *)0)->mio_padding) == 4, "found %lld\n",
(long long)(int)sizeof(((struct mdt_ioepoch *)0)->mio_padding));
- /* Checks for struct mdt_remote_perm */
- LASSERTF((int)sizeof(struct mdt_remote_perm) == 32, "found %lld\n",
- (long long)(int)sizeof(struct mdt_remote_perm));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_uid) == 0, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_uid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_uid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_uid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_gid) == 4, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_gid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_gid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_gid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_fsuid) == 8, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_fsuid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_fsuid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_fsuid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_fsgid) == 16, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_fsgid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_fsgid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_fsgid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_access_perm) == 24, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_access_perm));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_access_perm) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_access_perm));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_padding) == 28, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_padding));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_padding) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_padding));
- LASSERTF(CFS_SETUID_PERM == 0x00000001UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETUID_PERM);
- LASSERTF(CFS_SETGID_PERM == 0x00000002UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETGID_PERM);
- LASSERTF(CFS_SETGRP_PERM == 0x00000004UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETGRP_PERM);
- LASSERTF(CFS_RMTACL_PERM == 0x00000008UL, "found 0x%.8xUL\n",
- (unsigned)CFS_RMTACL_PERM);
- LASSERTF(CFS_RMTOWN_PERM == 0x00000010UL, "found 0x%.8xUL\n",
- (unsigned)CFS_RMTOWN_PERM);
-
/* Checks for struct mdt_rec_setattr */
LASSERTF((int)sizeof(struct mdt_rec_setattr) == 136, "found %lld\n",
(long long)(int)sizeof(struct mdt_rec_setattr));
*/
static inline void tgt_init_sec_none(struct obd_connect_data *reply)
{
- reply->ocd_connect_flags &= ~(OBD_CONNECT_RMT_CLIENT |
- OBD_CONNECT_RMT_CLIENT_FORCE);
}
static int tgt_init_sec_level(struct ptlrpc_request *req)
char *client;
struct obd_connect_data *data, *reply;
int rc = 0;
- bool remote;
ENTRY;
data = req_capsule_client_get(&req->rq_pill, &RMF_CONNECT_DATA);
}
/* old version case */
- if (unlikely(!(data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT) ||
- !(data->ocd_connect_flags & OBD_CONNECT_MDS_CAPA) ||
+ if (unlikely(!(data->ocd_connect_flags & OBD_CONNECT_MDS_CAPA) ||
!(data->ocd_connect_flags & OBD_CONNECT_OSS_CAPA))) {
if (tgt->lut_sec_level > LUSTRE_SEC_NONE) {
CWARN("client %s -> target %s uses old version, "
}
}
- remote = data->ocd_connect_flags & OBD_CONNECT_RMT_CLIENT_FORCE;
- if (remote) {
- if (!req->rq_auth_remote)
- CDEBUG(D_SEC, "client (local realm) %s -> target %s "
- "asked to be remote.\n", client, tgt_name(tgt));
- } else if (req->rq_auth_remote) {
- remote = true;
- CDEBUG(D_SEC, "client (remote realm) %s -> target %s is set "
- "as remote by default.\n", client, tgt_name(tgt));
+ if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_uid))) {
+ CDEBUG(D_SEC, "client %s -> target %s: user is not "
+ "authenticated!\n", client, tgt_name(tgt));
+ RETURN(-EACCES);
}
- if (remote == 0) {
- if (!uid_valid(make_kuid(&init_user_ns, req->rq_auth_uid))) {
- CDEBUG(D_SEC, "client %s -> target %s: user is not "
- "authenticated!\n", client, tgt_name(tgt));
- RETURN(-EACCES);
- }
- }
-
-
switch (tgt->lut_sec_level) {
case LUSTRE_SEC_NONE:
- if (remote) {
- CDEBUG(D_SEC,
- "client %s -> target %s is set as remote, "
- "can not run under security level %d.\n",
- client, tgt_name(tgt), tgt->lut_sec_level);
- RETURN(-EACCES);
- }
- tgt_init_sec_none(reply);
- break;
case LUSTRE_SEC_REMOTE:
- if (!remote)
- tgt_init_sec_none(reply);
+ tgt_init_sec_none(reply);
break;
case LUSTRE_SEC_ALL:
- if (remote)
- break;
- reply->ocd_connect_flags &= ~(OBD_CONNECT_RMT_CLIENT |
- OBD_CONNECT_RMT_CLIENT_FORCE);
reply->ocd_connect_flags &= ~OBD_CONNECT_OSS_CAPA;
reply->ocd_connect_flags &= ~OBD_CONNECT_MDS_CAPA;
break;
/* Must commit after prep above in all cases */
rc = obd_commitrw(tsi->tsi_env, OBD_BRW_READ, exp, &repbody->oa, 1, ioo,
remote_nb, npages, local_nb, rc);
- if (rc == 0)
- tgt_drop_id(exp, &repbody->oa);
out_lock:
tgt_brw_unlock(ioo, remote_nb, &lockh, LCK_PR);
}
LASSERT(j == npages);
ptlrpc_lprocfs_brw(req, nob);
-
- tgt_drop_id(exp, &repbody->oa);
}
out_lock:
tgt_brw_unlock(ioo, remote_nb, &lockh, LCK_PW);
nobase_noinst_SCRIPTS += racer/dir_remote.sh racer/dir_migrate.sh racer/file_chmod.sh
nobase_noinst_SCRIPTS += racer/file_chown.sh racer/file_delxattr.sh racer/file_getxattr.sh
nobase_noinst_SCRIPTS += racer/file_mknod.sh racer/file_setxattr.sh racer/file_truncate.sh
-nobase_noinst_SCRIPTS += rmtacl/make-tree rmtacl/run
nobase_noinst_SCRIPTS += posix/posix.cfg
nobase_noinst_DATA = acl/cp.test acl/getfacl-noacl.test acl/inheritance.test
nobase_noinst_DATA += acl/misc.test acl/permissions.test acl/setfacl.test
nobase_noinst_DATA += acl/974.test acl/974_remote.test
nobase_noinst_DATA += acl/2561.test acl/2561_zfs.test acl/4924.test
-nobase_noinst_DATA += rmtacl/misc.test rmtacl/permissions.test
-nobase_noinst_DATA += rmtacl/setfacl.test rmtacl/cp.test
-nobase_noinst_DATA += rmtacl/getfacl-noacl.test rmtacl/inheritance.test
nobase_noinst_DATA += clientapi/simple_test.c
EXTRA_DIST = $(noinst_SCRIPTS) $(noinst_DATA) \
+++ /dev/null
-- adapt based on test/acl/
+++ /dev/null
-The "lfs cp" utility should only copy ACLs if `-p' is given.
-
- $ umask 022
- $ mkdir d
- $ cd d
- $ touch f
- $ lfs lsetfacl -m u:bin:rw f
- $ lfs ls -l f | awk -- '{ print $1 }'
- > -rw-rw-r--+
-
- $ lfs cp f g
- $ lfs ls -l g | awk -- '{ print $1 }'
- > -rw-r--r--
-
- $ rm g
- $ lfs cp -p f g
- $ lfs ls -l f | awk -- '{ print $1 }'
- > -rw-rw-r--+
-
- $ mkdir h
- $ echo blubb > h/x
- $ lfs cp -rp h i
- $ cat i/x
- > blubb
-
- $ rm -r i
-
-Use to be "$lfs lsetfacl -R -m u:bin:rwX h", but RHEL4 uncorrectly set the x flag,
-so we change to the following test
-
- $ lfs lsetfacl -R -m u:bin:rwx h
- $ lfs lgetfacl --omit-header h/x
- > user::rw-
- > user:bin:rwx
- > group::r--
- > mask::rwx
- > other::r--
- >
-
- $ lfs cp -rp h i
- $ lfs lgetfacl --omit-header i/x
- > user::rw-
- > user:bin:rwx
- > group::r--
- > mask::rwx
- > other::r--
- >
-
- $ cd ..
- $ rm -r d
+++ /dev/null
-Getfacl utility option parsing tests. This test can be run on a
-filesystem with or without ACL support.
-
- $ mkdir test
- $ cd test
- $ umask 027
- $ touch x
- $ lfs lgetfacl --omit-header x
- > user::rw-
- > group::r--
- > other::---
- >
-
- $ lfs lgetfacl --omit-header --access x
- > user::rw-
- > group::r--
- > other::---
- >
-
- $ lfs lgetfacl --omit-header -d x
- $ lfs lgetfacl --omit-header -d .
- $ lfs lgetfacl --omit-header -d /
- > getfacl: Removing leading '/' from absolute path names
-
- $ lfs lgetfacl --skip-base x
- $ lfs lgetfacl --omit-header --all-effective x
- > user::rw-
- > group::r--
- > other::---
- >
-
- $ lfs lgetfacl --omit-header --no-effective x
- > user::rw-
- > group::r--
- > other::---
- >
-
- $ mkdir d
- $ touch d/y
- $ ln -s d l
-The result of "lfs lgetfacl -dR . | grep file | sort" is related with
-the dentry item order in parent directory. Such order depends on
-FS implementation. Fix with -P (--physical) option.
-# $ lfs lgetfacl -dR . | grep file | sort
- $ lfs lgetfacl -dRP . | grep file | sort
- > # file: .
- > # file: d
- > # file: d/y
- > # file: x
-
- $ ln -s l ll
-# $ lfs lgetfacl -dLR ll | grep file | sort
-# (rhel4)
-# > # file: ll
-# > # file: ll/y
-# (rhel5)
-# > # file: l
-# > # file: l/y
-
- $ rm l ll x
- $ rm -rf d
- $ cd ..
- $ rmdir test
+++ /dev/null
-ACL inheritance test. Run these tests on a filesystem with ACL support.
-
-
- $ id -u
- > 0
-
- $ mkdir d
- $ lfs lsetfacl -d -m group:bin:r-x d
- $ lfs lgetfacl d
- > # file: d
- > # owner: root
- > # group: root
- > user::rwx
- > group::r-x
- > other::r-x
- > default:user::rwx
- > default:group::r-x
- > default:group:bin:r-x
- > default:mask::r-x
- > default:other::r-x
- >
-
- $ mkdir d/subdir
- $ lfs lgetfacl d/subdir
- > # file: d/subdir
- > # owner: root
- > # group: root
- > user::rwx
- > group::r-x
- > group:bin:r-x
- > mask::r-x
- > other::r-x
- > default:user::rwx
- > default:group::r-x
- > default:group:bin:r-x
- > default:mask::r-x
- > default:other::r-x
- >
-
- $ touch d/f
- $ lfs ls -l d/f | awk -- '{ print $1 }'
- > -rw-r--r--+
- $ lfs lgetfacl d/f
- > # file: d/f
- > # owner: root
- > # group: root
- > user::rw-
- > group::r-x #effective:r--
- > group:bin:r-x #effective:r--
- > mask::r--
- > other::r--
- >
-
- $ su bin
- $ echo i >> d/f
- > d/f: Permission denied
-
-Changed by CFS: (1). reduce the tree level to 2 (for shortening
-time of local tests). (2). add one more lfs lgetfacl test since dir
-might be distributed around MDS's.
-
- $ su
- $ rm d/f
- $ rmdir d/subdir
- $ mv d tree
- $ ./make-tree
- $ lfs lgetfacl tree/dir0/dir5/file4
- > # file: tree/dir0/dir5/file4
- > # owner: root
- > # group: root
- > user::rw-
- > group::r-x #effective:r--
- > group:bin:r-x #effective:r--
- > mask::r--
- > other::r--
- >
- $ lfs lgetfacl tree/dir0/dir6/file4
- > # file: tree/dir0/dir6/file4
- > # owner: root
- > # group: root
- > user::rw-
- > group::r-x #effective:r--
- > group:bin:r-x #effective:r--
- > mask::r--
- > other::r--
- >
- $ echo i >> tree/dir6/dir2/file2
- $ echo i > tree/dir1/f
- $ lfs ls -l tree/dir1/f | awk -- '{ print $1 }'
- > -rw-r--r--+
-in following item, the error message is dependant on distributions.
-success on FC3, but not on FC2 and SLES3 etc. comment out by CFS.
-# $ su bin
-# $ echo i > tree/dir6/dir2/f
-# > tree/dir6/dir2/f: No such file or directory
-# $ su
-
- $ rm -rf tree
-
-
-Original scripts, comment out by CFS.
-#
-# $ su
-# $ rm d/f
-# $ rmdir d/subdir
-# $ mv d tree
-# $ ./make-tree
-# $ lfs lgetfacl tree/dir0/dir5/dir7/file4
-# > # file: tree/dir0/dir5/dir7/file4
-# > # owner: root
-# > # group: root
-# > user::rw-
-# > group::r-x #effective:r--
-# > group:bin:r-x #effective:r--
-# > mask::r--
-# > other::r--
-# >
-# $ echo i >> tree/dir6/dir2/dir1/file2
-# $ echo i > tree/dir1/f
-# $ lfs ls -l tree/dir1/f | awk -- '{ print $1 }'
-# > -rw-r--r--+
-# $ su bin
-# $ echo i > tree/dir6/dir2/f
-# > tree/dir6/dir2/f: No such file or directory
-# $ su
-#
-# $ rm -rf tree
-
-
-
-
+++ /dev/null
-#!/bin/sh
-
-# reduce LEVELS from 3 => 2 by CFS
-LEVELS=2 ; [ -z "$1" ] || LEVELS=$1
-DIRS=10 ; [ -z "$2" ] || DIRS=$2
-FILES=10 ; [ -z "$2" ] || FILES=$3
-NUMBER_OF_ACLS=50 ; [ -z "$3" ] || NUMBER_OF_ACLS=$4
-
-function random_dir() {
- mkdir -p $1
- #lfs lsetfacl -s "u::rwx,u:$[($RANDOM % $NUMBER_OF_ACLS)+1000]:rwx,g::rx,o:-" $1
-}
-
-function random_file() {
- touch $1
- #lfs lsetfacl -s "u::rw,u:$[($RANDOM % $NUMBER_OF_ACLS)+1000]:rw,g::r,o:-" $1
-}
-
-function create () {
- local LEVEL=$1
- if [ $LEVEL -eq 0 ]; then
- local I=0
- while [ $I -lt $FILES ]; do
- random_file file$I
- I=$[$I+1]
- done
- else
- local I=0
- while [ $I -lt $DIRS ]; do
- random_dir dir$I
- cd dir$I
- create $[$LEVEL-1]
- cd ..
- I=$[$I+1]
- done
- fi
- return
-}
-
-mkdir -p tree
-cd tree
-create $LEVELS
-cd ..
-exit 0
-
+++ /dev/null
-Pretty comprehensive ACL tests.
-
-This must be run on a filesystem with ACL support. Also, you will need
-two dummy users (bin and daemon) and a dummy group (daemon).
-
- $ umask 027
- $ touch f
-
-Only change a base ACL:
- $ lfs lsetfacl -m u::r f
- $ lfs lsetfacl -m u::rw,u:bin:rw f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw----+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > group::r--
- > mask::rw-
- > other::---
- >
-
- $ rm f
- $ umask 022
- $ touch f
- $ lfs lsetfacl -m u:bin:rw f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw-r--+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > group::r--
- > mask::rw-
- > other::r--
- >
-
- $rm f
- $ umask 027
- $ mkdir d
- $ lfs lsetfacl -m u:bin:rwx d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwx---+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:rwx
- > group::r-x
- > mask::rwx
- > other::---
- >
-
- $ rmdir d
- $ umask 022
- $ mkdir d
- $ lfs lsetfacl -m u:bin:rwx d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwxr-x+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:rwx
- > group::r-x
- > mask::rwx
- > other::r-x
- >
-
- $ rmdir d
-
-
-Multiple users
-
- $ umask 022
- $ touch f
- $ lfs lsetfacl -m u:bin:rw,u:daemon:r f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw-r--+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > user:daemon:r--
- > group::r--
- > mask::rw-
- > other::r--
- >
-
-Multiple groups
-
- $ lfs lsetfacl -m g:users:rw,g:daemon:r f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw-r--+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > user:daemon:r--
- > group::r--
- > group:daemon:r--
- > group:users:rw-
- > mask::rw-
- > other::r--
- >
-
-Remove one group
-
- $ lfs lsetfacl -x g:users f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw-r--+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > user:daemon:r--
- > group::r--
- > group:daemon:r--
- > mask::rw-
- > other::r--
- >
-
-Remove one user
-
- $ lfs lsetfacl -x u:daemon f
- $ lfs ls -dl f | awk '{print $1}'
- > -rw-rw-r--+
-
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:bin:rw-
- > group::r--
- > group:daemon:r--
- > mask::rw-
- > other::r--
- >
-
- $ rm f
-
-Default ACL
-
- $ umask 027
- $ mkdir d
- $ lfs lsetfacl -m u:bin:rwx,u:daemon:rw,d:u:bin:rwx,d:m:rx d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwx---+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:rwx
- > user:daemon:rw-
- > group::r-x
- > mask::rwx
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-
-Umask now ignored?
-
- $ umask 027
- $ touch d/f
- $ lfs ls -dl d/f | awk '{print $1}'
- > -rw-r-----+
-
- $ lfs lgetfacl --omit-header d/f
- > user::rw-
- > user:bin:rwx #effective:r--
- > group::r-x #effective:r--
- > mask::r--
- > other::---
- >
-
- $ rm d/f
- $ umask 022
- $ touch d/f
- $ lfs ls -dl d/f | awk '{print $1}'
- > -rw-r-----+
-
- $ lfs lgetfacl --omit-header d/f
- > user::rw-
- > user:bin:rwx #effective:r--
- > group::r-x #effective:r--
- > mask::r--
- > other::---
- >
-
- $ rm d/f
-
-Default ACL copying
-
- $ umask 000
- $ mkdir d/d
- $ lfs ls -dl d/d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d/d
- > user::rwx
- > user:bin:rwx #effective:r-x
- > group::r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-
- $ rmdir d/d
- $ umask 022
- $ mkdir d/d
- $ lfs ls -dl d/d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d/d
- > user::rwx
- > user:bin:rwx #effective:r-x
- > group::r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-
-Add some users and groups
-
- $ lfs lsetfacl -nm u:daemon:rx,d:u:daemon:rx,g:users:rx,g:daemon:rwx d/d
- $ lfs ls -dl d/d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d/d
- > user::rwx
- > user:bin:rwx #effective:r-x
- > user:daemon:r-x
- > group::r-x
- > group:daemon:rwx #effective:r-x
- > group:users:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:user:daemon:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-
-Symlink in directory with default ACL?
-
- $ ln -s d d/l
- $ lfs ls -dl d/l | awk '{print $1}'
- > lrwxrwxrwx
-
- $ lfs ls -dl -L d/l | awk '{print $1}'
- > drwxr-x---+
-
-# XXX:there is an issue with getfacl dealing symbol link
-# $ lfs lgetfacl --omit-header d/l
- $ cd d
- $ lfs lgetfacl --omit-header l
- > user::rwx
- > user:bin:rwx #effective:r-x
- > user:daemon:r-x
- > group::r-x
- > group:daemon:rwx #effective:r-x
- > group:users:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:user:daemon:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-# XXX
- $ cd ..
-
- $ rm d/l
-
-Does mask manipulation work?
-
- $ lfs lsetfacl -m g:daemon:rx,u:bin:rx d/d
- $ lfs ls -dl d/d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d/d
- > user::rwx
- > user:bin:r-x
- > user:daemon:r-x
- > group::r-x
- > group:daemon:r-x
- > group:users:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx #effective:r-x
- > default:user:daemon:r-x
- > default:group::r-x
- > default:mask::r-x
- > default:other::---
- >
-
- $ lfs lsetfacl -m d:u:bin:rwx d/d
- $ lfs ls -dl d/d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d/d
- > user::rwx
- > user:bin:r-x
- > user:daemon:r-x
- > group::r-x
- > group:daemon:r-x
- > group:users:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:rwx
- > default:user:daemon:r-x
- > default:group::r-x
- > default:mask::rwx
- > default:other::---
- >
-
- $ rmdir d/d
-
-Remove the default ACL
-
- $ lfs lsetfacl -k d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwx---+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:rwx
- > user:daemon:rw-
- > group::r-x
- > mask::rwx
- > other::---
- >
-
-Reset to base entries
-
- $ lfs lsetfacl -b d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxr-x---
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > group::r-x
- > other::---
- >
-
-Now, chmod should change the group_obj entry
-
- $ chmod 775 d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwxr-x
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > group::rwx
- > other::r-x
- >
-
- $ rmdir d
- $ umask 002
- $ mkdir d
- $ lfs lsetfacl -m u:daemon:rwx,u:bin:rx,d:u:daemon:rwx,d:u:bin:rx d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxrwxr-x+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:r-x
- > user:daemon:rwx
- > group::rwx
- > mask::rwx
- > other::r-x
- > default:user::rwx
- > default:user:bin:r-x
- > default:user:daemon:rwx
- > default:group::rwx
- > default:mask::rwx
- > default:other::r-x
- >
-
- $ chmod 750 d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:r-x
- > user:daemon:rwx #effective:r-x
- > group::rwx #effective:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:r-x
- > default:user:daemon:rwx
- > default:group::rwx
- > default:mask::rwx
- > default:other::r-x
- >
-
- $ chmod 750 d
- $ lfs ls -dl d | awk '{print $1}'
- > drwxr-x---+
-
- $ lfs lgetfacl --omit-header d
- > user::rwx
- > user:bin:r-x
- > user:daemon:rwx #effective:r-x
- > group::rwx #effective:r-x
- > mask::r-x
- > other::---
- > default:user::rwx
- > default:user:bin:r-x
- > default:user:daemon:rwx
- > default:group::rwx
- > default:mask::rwx
- > default:other::r-x
- >
-
- $ rmdir d
+++ /dev/null
-This script tests if file permissions are properly checked with and
-without ACLs. The script must be run as root to allow switching users.
-The following users are required. They must be a member in the groups
-listed in parentheses.
-
- bin (bin)
- daemon (bin, daemon)
-
-
-Cry immediately if we are not running as root.
-
- $ id -u
- > 0
-
-
-First, set up a temporary directory and create a regular file with
-defined permissions.
-
- $ mkdir d
- $ cd d
- $ umask 027
- $ touch f
- $ lfs ls -l f | awk -- '{ print $1, $3, $4 }'
- > -rw-r----- root root
-
-
-Make sure root has access to the file. Verify that user daemon does not
-have access to the file owned by root.
-
- $ echo root > f
-
- $ su daemon
- $ echo daemon >> f
- > f: Permission denied
-
- $ su
-
-
-Now, change the ownership of the file to bin:bin and verify that this
-gives user bin write access.
-
- $ chown bin:bin f
- $ lfs ls -l f | awk -- '{ print $1, $3, $4 }'
- > -rw-r----- bin bin
- $ su bin
- $ echo bin >> f
-
-
-User daemon is a member in the owning group, which has only read access.
-Verify this.
-
- $ su daemon
- $ cat f
- > root
- > bin
-
- $ echo daemon >> f
- > f: Permission denied
-
-
-Now, add an ACL entry for user daemon that grants him rw- access. File
-owners and users capable of CAP_FOWNER are allowed to change ACLs.
-
- $ su bin
- $ lfs lsetfacl -m u:daemon:rw f
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:daemon:rw-
- > group::r--
- > mask::rw-
- > other::---
- >
-
-
-Verify that the additional ACL entry grants user daemon write access.
-
- $ su daemon
- $ echo daemon >> f
- $ cat f
- > root
- > bin
- > daemon
-
-
-Remove write access from the group class permission bits, and
-verify that this masks daemon's write permission.
-
- $ su bin
- $ chmod g-w f
- $ lfs lgetfacl --omit-header f
- > user::rw-
- > user:daemon:rw- #effective:r--
- > group::r--
- > mask::r--
- > other::---
- >
-
- $ su daemon
- $ echo daemon >> f
- > f: Permission denied
-
-
-Add an entry for group daemon with rw- access, and change the
-permissions for user daemon to r--. Also change the others permissions t
-rw-. The user entry should take precedence, so daemon should be denied
-access.
-
- $ su bin
- $ lfs lsetfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
-
- $ su daemon
- $ echo daemon >> f
- > f: Permission denied
-
-
-Remove the entry for user daemon. The group daemon permissions should
-now give user daemon rw- access.
-
- $ su bin
- $ lfs lsetfacl -x u:daemon f
-
- $ su daemon
- $ echo daemon2 >> f
- $ cat f
- > root
- > bin
- > daemon
- > daemon2
-
-
-Set the group daemon permissions to r-- and verify that after than, user
-daemon does not have write access anymore.
-
- $ su bin
- $ lfs lsetfacl -m g:daemon:r f
-
- $ su daemon
- $ echo daemon3 >> f
- > f: Permission denied
-
-
-Now, remove the group daemon entry. Because user daemon is a member in
-the owning group, he should still have no write access.
-
- $ su bin
- $ lfs lsetfacl -x g:daemon f
-
- $ su daemon
- $ echo daemon4 >> f
- > f: Permission denied
-
-
-Change the owning group. The other permissions should now grant user
-daemon write access.
-
- $ su
- $ chgrp root f
-
- $ su daemon
- $ echo daemon5 >> f
- $ cat f
- > root
- > bin
- > daemon
- > daemon2
- > daemon5
-
-
-Verify that permissions in separate matching ACL entries do not
-accumulate.
-
- $ su
- $ lfs lsetfacl -m g:bin:r,g:daemon:w f
-
- $ su daemon
- $ : < f # open for reading
- $ : > f # open for writing
- $ : <> f # open for read-write
- > f: Permission denied
-
-
-Test if directories can have ACLs. We assume that only one access check
-algorithm is used for all file types the file system, so these tests
-only need to verify that ACL permissions make a difference.
-
- $ su
- $ mkdir -m 750 e
- $ touch e/h
-
- $ su bin
- $ shopt -s nullglob ; echo e/*
- >
-
- $ echo i > e/i
- > e/i: Permission denied
-
- $ su
- $ lfs lsetfacl -m u:bin:rx e
-
- $ su bin
- $ echo e/*
- > e/h
-following 2 lines seems not valid, which also failed on ext3 in FC3 enviroment,
-although it pass in FC2. commented out by CFS (agreed with HP)
-Replaced "echo" with "touch" can resolve such problem.
-# $ echo i > e/i
-# > e/i: Permission denied
- $ touch e/i
- > touch: cannot touch `e/i': Permission denied
-
- $ su
- $ lfs lsetfacl -m u:bin:rwx e
-
- $ su bin
- $ echo i > e/i
-
-
-Test if symlinks are properly followed.
-
- $ su
- $ touch g
- $ ln -s g l
- $ lfs lsetfacl -m u:bin:rw l
- $ lfs ls -l g | awk -- '{ print $1, $3, $4 }'
- > -rw-rw----+ root root
-
-
-Test if ACLs are effective for block and character special files, fifos,
-sockets. This is done by creating special files locally. The devices do
-not need to exist: The access check is earlier in the code path than the
-test if the device exists.
-
-
- $ mknod -m 0660 hdt b 91 64 # /dev/hdt
- $ mknod -m 0660 null c 1 3 # /dev/null
- $ mkfifo -m 0660 fifo
-
- $ su bin
- $ : < hdt
- > hdt: Permission denied
- $ : < null
- > null: Permission denied
- $ : < fifo
- > fifo: Permission denied
-
- $ su
- $ lfs lsetfacl -m u:bin:rw hdt null fifo
-
- $ su bin
- $ : < hdt
- > hdt: No such device or address
- $ : < null
- $ ( echo blah > fifo & ) ; cat fifo
- > blah
-
-
-Test if CAP_FOWNER is properly honored for directories. This addresses a
-specific bug in XFS 1.2, which does not grant root access to files in
-directories if the file has an ACL and only CAP_FOWNER would grant them.
-
- $ su
- $ mkdir -m 600 x
- $ chown daemon:daemon x
- $ echo j > x/j
- $ lfs ls -l x/j | awk -- '{ print $1, $3, $4 }'
- > -rw-r----- root root
-
- $ lfs lsetfacl -m u:daemon:r x
-
- $ lfs ls -l x/j | awk -- '{ print $1, $3, $4 }'
- > -rw-r----- root root
- (With the bug this gives: `ls: x/j: Permission denied'.)
-
- $ echo k > x/k
- (With the bug this gives: `x/k: Permission denied'.)
-
- $ chmod 750 x
-
-
-Clean up.
-
- $ su
- $ cd ..
- $ rm -rf d
+++ /dev/null
-#!/usr/bin/perl -w -U
-
-#
-# Possible improvements:
-#
-# - distinguish stdout and stderr output
-# - add environment variable like assignments
-# - run up to a specific line
-# - resume at a specific line
-#
-
-use strict;
-use FileHandle;
-use Getopt::Std;
-use POSIX qw(isatty setuid);
-use vars qw($opt_v);
-
-no warnings qw(taint);
-
-getopts('v');
-
-my ($OK, $FAILED) = ("ok", "failed");
-if (isatty(fileno(STDOUT))) {
- $OK = "\033[32m" . $OK . "\033[m";
- $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
-}
-
-sub exec_test($$);
-sub process_test($$$$);
-
-my ($prog, $in, $out) = ([], [], []);
-my $line_number = 0;
-my $prog_line;
-my ($tests, $failed) = (0,0);
-
-for (;;) {
- my $line = <>; $line_number++;
- if (defined $line) {
- # Substitute %VAR and %{VAR} with environment variables.
- $line =~ s[%(?:(\w+)|\{(\w+)\})][$ENV{"$1$2"}]eg;
- }
- if (defined $line) {
- if ($line =~ s/^\s*< ?//) {
- push @$in, $line;
- } elsif ($line =~ s/^\s*> ?//) {
- push @$out, $line;
- } else {
- process_test($prog, $prog_line, $in, $out);
-
- $prog = [];
- $prog_line = 0;
- }
- if ($line =~ s/^\s*\$ ?//) {
- $line =~ s/\s+#.*//; # remove comments here...
- $prog = [ map { s/\\(.)/$1/g; $_ } split /(?<!\\)\s+/, $line ];
- $prog_line = $line_number;
- $in = [];
- $out = [];
- }
- } else {
- process_test($prog, $prog_line, $in, $out);
- last;
- }
-}
-
-my $status = sprintf("%d commands (%d passed, %d failed)",
- $tests, $tests-$failed, $failed);
-if (isatty(fileno(STDOUT))) {
- if ($failed) {
- $status = "\033[31m\033[1m" . $status . "\033[m";
- } else {
- $status = "\033[32m" . $status . "\033[m";
- }
-}
-print $status, "\n";
-exit $failed ? 1 : 0;
-
-
-sub process_test($$$$) {
- my ($prog, $prog_line, $in, $out) = @_;
-
- return unless @$prog;
-
- my $p = [ @$prog ];
- print "[$prog_line] \$ ", join(' ',
- map { s/\s/\\$&/g; $_ } @$p), " -- ";
- my $result = exec_test($prog, $in);
- my $good = 1;
- my $nmax = (@$out > @$result) ? @$out : @$result;
- for (my $n=0; $n < $nmax; $n++) {
- if (!defined($out->[$n]) || !defined($result->[$n]) ||
- $out->[$n] ne $result->[$n]) {
- $good = 0;
- }
- }
- $tests++;
- $failed++ unless $good;
- print $good ? $OK : $FAILED, "\n";
- if (!$good) {
- for (my $n=0; $n < $nmax; $n++) {
- my $l = defined($out->[$n]) ? $out->[$n] : "~";
- chomp $l;
- my $r = defined($result->[$n]) ? $result->[$n] : "~";
- chomp $r;
- print sprintf("%-37s %s %-39s\n", $l, $l eq $r ? "|" : "?", $r);
- }
- } elsif ($opt_v) {
- print join('', @$result);
- }
-}
-
-
-sub su($) {
- my ($user) = @_;
-
- $user ||= "root";
-
- my ($login, $pass, $uid, $gid) = getpwnam($user)
- or return [ "su: user $user does not exist\n" ];
- my @groups = ();
- my $fh = new FileHandle("/etc/group")
- or return [ "opening /etc/group: $!\n" ];
- while (<$fh>) {
- chomp;
- my ($group, $passwd, $gid, $users) = split /:/;
- foreach my $u (split /,/, $users) {
- push @groups, $gid
- if ($user eq $u);
- }
- }
- $fh->close;
-
- my $groups = join(" ", ($gid, $gid, @groups));
- #print STDERR "[[$groups]]\n";
- $! = 0; # reset errno
- $> = 0;
- $( = $gid;
- $) = $groups;
- if ($!) {
- return [ "su: $!\n" ];
- }
- if ($uid != 0) {
- $> = $uid;
- #$< = $uid;
- if ($!) {
- return [ "su: $prog->[1]: $!\n" ];
- }
- }
- #print STDERR "[($>,$<)($(,$))]";
- return [];
-}
-
-
-sub sg($) {
- my ($group) = @_;
-
- my $gid = getgrnam($group)
- or return [ "sg: group $group does not exist\n" ];
- my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $));
-
- #print STDERR "<<", join("/", keys %groups), ">>\n";
- my $groups = join(" ", ($gid, $gid, keys %groups));
- #print STDERR "[[$groups]]\n";
- $! = 0; # reset errno
- if ($> != 0) {
- my $uid = $>;
- $> = 0;
- $( = $gid;
- $) = $groups;
- $> = $uid;
- } else {
- $( = $gid;
- $) = $groups;
- }
- if ($!) {
- return [ "sg: $!\n" ];
- }
- print STDERR "[($>,$<)($(,$))]";
- return [];
-}
-
-
-sub exec_test($$) {
- my ($prog, $in) = @_;
- local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2);
- my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/);
-
- if ($prog->[0] eq "umask") {
- umask oct $prog->[1];
- return [];
- } elsif ($prog->[0] eq "cd") {
- if (!chdir $prog->[1]) {
- return [ "chdir: $prog->[1]: $!\n" ];
- }
- return [];
- } elsif ($prog->[0] eq "su") {
- return su($prog->[1]);
- } elsif ($prog->[0] eq "sg") {
- return sg($prog->[1]);
- }
-
- pipe *IN2, *OUT
- or die "Can't create pipe for reading: $!";
- open *IN_DUP, "<&STDIN"
- or *IN_DUP = undef;
- open *STDIN, "<&IN2"
- or die "Can't duplicate pipe for reading: $!";
- close *IN2;
-
- open *OUT_DUP, ">&STDOUT"
- or die "Can't duplicate STDOUT: $!";
- pipe *IN, *OUT2
- or die "Can't create pipe for writing: $!";
- open *STDOUT, ">&OUT2"
- or die "Can't duplicate pipe for writing: $!";
- close *OUT2;
-
- *STDOUT->autoflush();
- *OUT->autoflush();
-
- if (fork()) {
- # Server
- if (*IN_DUP) {
- open *STDIN, "<&IN_DUP"
- or die "Can't duplicate STDIN: $!";
- close *IN_DUP
- or die "Can't close STDIN duplicate: $!";
- }
- open *STDOUT, ">&OUT_DUP"
- or die "Can't duplicate STDOUT: $!";
- close *OUT_DUP
- or die "Can't close STDOUT duplicate: $!";
-
- foreach my $line (@$in) {
- #print "> $line";
- print OUT $line;
- }
- close *OUT
- or die "Can't close pipe for writing: $!";
-
- my $result = [];
- while (<IN>) {
- #print "< $_";
- if ($needs_shell) {
- s#^/bin/sh: line \d+: ##;
- s#^/bin/sh: ##; # temporarily added by ericm
- }
- push @$result, $_;
- }
- return $result;
- } else {
- # Client
- $< = $>;
- close IN
- or die "Can't close read end for input pipe: $!";
- close OUT
- or die "Can't close write end for output pipe: $!";
- close OUT_DUP
- or die "Can't close STDOUT duplicate: $!";
- local *ERR_DUP;
- open ERR_DUP, ">&STDERR"
- or die "Can't duplicate STDERR: $!";
- open STDERR, ">&STDOUT"
- or die "Can't join STDOUT and STDERR: $!";
-
- if ($needs_shell) {
- exec ('/bin/sh', '-c', join(" ", @$prog));
- } else {
- exec @$prog;
- }
- print STDERR $prog->[0], ": $!\n";
- exit;
- }
-}
-
+++ /dev/null
-Setfacl utility tests. Run these tests on a filesystem with ACL support.
-
- $ mkdir d
- $ chown bin:bin d
- $ cd d
-
- $ su bin
- $ sg bin
- $ umask 027
- $ touch g
- $ lfs ls -dl g | awk '{print $1}'
- > -rw-r-----
-
- $ lfs lsetfacl -m m:- g
- $ lfs ls -dl g | awk '{print $1}'
- > -rw-------+
-
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rw-
- > group::r-- #effective:---
- > mask::---
- > other::---
- >
-
- $ lfs lsetfacl -x m g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rw-
- > group::r--
- > other::---
- >
-
- $ lfs lsetfacl -m u:daemon:rw g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rw-
- > user:daemon:rw-
- > group::r--
- > mask::rw-
- > other::---
- >
-
- $ lfs lsetfacl -m u::rwx,g::r-x,o:- g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rwx
- > user:daemon:rw-
- > group::r-x
- > mask::rwx
- > other::---
- >
-
- $ lfs lsetfacl -m u::rwx,g::r-x,o:-,m:- g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rwx
- > user:daemon:rw- #effective:---
- > group::r-x #effective:---
- > mask::---
- > other::---
- >
-
- $ lfs lsetfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rwx
- > user:root:---
- > user:daemon:rw- #effective:---
- > group::r-x #effective:---
- > mask::---
- > other::---
- >
-
- $ lfs lsetfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rwx
- > user:root:---
- > user:daemon:rw- #effective:---
- > group::r-x #effective:---
- > mask::---
- > other::---
- >
-
- $ lfs lsetfacl -m u::rwx,g::r-x,o:-,u:root:- g
- $ lfs lgetfacl g
- > # file: g
- > # owner: bin
- > # group: bin
- > user::rwx
- > user:root:---
- > user:daemon:rw-
- > group::r-x
- > mask::rwx
- > other::---
- >
-
- $ lfs lsetfacl --test -x u: g
- > setfacl: g: Malformed access ACL `user:root:---,user:daemon:rw-,group::r-x,mask::rwx,other::---': Missing or wrong entry at entry 1
-
- $ lfs lsetfacl --test -x u:x
- > setfacl: Option -x: Invalid argument near character 3
-
- $ lfs lsetfacl -m d:u:root:rwx g
- > setfacl: g: Only directories can have default ACLs
-
- $ lfs lsetfacl -x m g
- > setfacl: g: Malformed access ACL `user::rwx,user:root:---,user:daemon:rw-,group::r-x,other::---': Missing or wrong entry at entry 5
- lfs lsetfacl --test -m d:u:daemon:rwx lfs lsetfacl
- lfs lsetfacl --test -n -m d:u:daemon:rwx lfs lsetfacl
-
-Check if the mask is properly recalculated
-
- $ mkdir d
- $ lfs lsetfacl --test -m u::rwx,u:bin:rwx,g::r-x,o::--- d
- > d: u::rwx,u:bin:rwx,g::r-x,m::rwx,o::---,*
-
- $ lfs lsetfacl --test -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
- > d: u::rwx,u:bin:rwx,g::r-x,m::---,o::---,*
-
- $ lfs lsetfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,o::--- d
- > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::rwx,d:o::---
-
- $ lfs lsetfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
- > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::---,d:o::---
-
- $ su
- $ cd ..
- $ rm -r d
IDENTITY_UPCALL=mdt.$MDT.identity_upcall
MDSSECLEVEL=mdt.$MDT.sec_level
-# for CLIENT_TYPE
-if [ -z "$(lctl get_param -n llite.*.client_type | grep remote 2>/dev/null)" ]
-then
- CLIENT_TYPE="local"
- echo "local client"
-else
- CLIENT_TYPE="remote"
- echo "remote client"
-fi
-
SAVE_PWD=$PWD
build_test_filter
chmod 0755 $DIR || error "chmod (1)"
rm -rf $DIR/$tdir || error "rm (1)"
mkdir -p $DIR/$tdir || error "mkdir (1)"
-
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 normtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- chown $USER0 $DIR/$tdir && error "chown (1)"
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- else
- chown $USER0 $DIR/$tdir || error "chown (2)"
- fi
-
+ chown $USER0 $DIR/$tdir || error "chown (2)"
$RUNAS_CMD -u $ID0 ls $DIR || error "ls (1)"
rm -f $DIR/f0 || error "rm (2)"
$RUNAS_CMD -u $ID0 touch $DIR/f0 && error "touch (1)"
$RUNAS_CMD -u $ID1 touch $DIR/$tdir/f5 && error "touch (6)"
touch $DIR/$tdir/f6 || error "touch (7)"
rm -rf $DIR/$tdir || error "rm (3)"
-
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
}
run_test 0 "uid permission ============================="
test_1() {
[ $GSS_SUP = 0 ] && skip "without GSS support." && return
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
rm -rf $DIR/$tdir
mkdir -p $DIR/$tdir
}
run_test 1 "setuid/gid ============================="
-run_rmtacl_subtest() {
- $SAVE_PWD/rmtacl/run $SAVE_PWD/rmtacl/$1.test
- return $?
-}
-
-# remote_acl
-# for remote client only
-test_2 () {
- [ "$CLIENT_TYPE" = "local" ] &&
- skip "remote_acl for remote client only" && return
- [ -z "$(lctl get_param -n mdc.*-mdc-*.connect_flags | grep ^acl)" ] &&
- skip "must have acl enabled" && return
- [ -z "$(which setfacl 2>/dev/null)" ] &&
- skip "could not find setfacl" && return
- [ "$UID" != 0 ] && skip "must run as root" && return
-
- do_facet $SINGLEMDS "echo '* 0 rmtacl,rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
-
- sec_login root root
- sec_login bin bin
- sec_login daemon daemon
- sec_login games users
-
- SAVE_UMASK=$(umask)
- umask 0022
- cd $DIR
-
- echo "performing cp ..."
- run_rmtacl_subtest cp || error "cp"
- echo "performing getfacl-noacl..."
- run_rmtacl_subtest getfacl-noacl || error "getfacl-noacl"
- echo "performing misc..."
- run_rmtacl_subtest misc || error "misc"
- echo "performing permissions..."
- run_rmtacl_subtest permissions || error "permissions"
- echo "performing setfacl..."
- run_rmtacl_subtest setfacl || error "setfacl"
-
- # inheritance test got from HP
- echo "performing inheritance..."
- cp $SAVE_PWD/rmtacl/make-tree .
- chmod +x make-tree
- run_rmtacl_subtest inheritance || error "inheritance"
- rm -f make-tree
-
- cd $SAVE_PWD
- umask $SAVE_UMASK
-
- do_facet $SINGLEMDS "rm -f $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
-}
-run_test 2 "rmtacl ============================="
-
# bug 3285 - supplementary group should always succeed.
# NB: the supplementary groups are set for local client only,
# as for remote client, the groups of the specified uid on MDT
$server_version -lt $(version_code 2.5.50) ]] ||
{ skip "Need MDS version at least 2.6.93 or 2.5.35"; return; }
- if [ "$CLIENT_TYPE" = "remote" ]; then
- do_facet $SINGLEMDS "echo '* 0 rmtown' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- fi
-
rm -rf $DIR/$tdir
mkdir -p $DIR/$tdir
chmod 0771 $DIR/$tdir
chgrp $ID0 $DIR/$tdir
$RUNAS_CMD -u $ID0 ls $DIR/$tdir || error "setgroups (1)"
- if [ "$CLIENT_TYPE" = "local" ]; then
- do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
- do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
- $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
- error "setgroups (2)"
- fi
+ do_facet $SINGLEMDS "echo '* $ID1 setgrp' > $PERM_CONF"
+ do_facet $SINGLEMDS "lctl set_param -n $IDENTITY_FLUSH=-1"
+ $RUNAS_CMD -u $ID1 -G1,2,$ID0 ls $DIR/$tdir ||
+ error "setgroups (2)"
$RUNAS_CMD -u $ID1 -G1,2 ls $DIR/$tdir && error "setgroups (3)"
rm -rf $DIR/$tdir
"RESET_KDC=false".
2) The script will create principals for some runas users and add them into
- the Kerberos database by default. The UIDs of the runas users specified in
+ the Kerberos database by default. The UIDs of the runas users specified in
"LOCAL_UIDS" variable need exist on KDC, MDS and Client nodes. If you do not
need runas users, please set "CFG_RUNAS=false".
- 3) The script will create idmap.conf and perm.conf under /etc/lustre dir on
- MDS node for remote ACL by default. If you do not need remote ACL, please
- set "CFG_IDMAP=false".
-
EOF
}
# check and configure runas users
CFG_RUNAS=${CFG_RUNAS:-true}
-# uids for local and remote users
+# uids for local users
LOCAL_UIDS=${LOCAL_UIDS:-"500 501"}
-REMOTE_UIDS=${REMOTE_UIDS:-"500 501"} # for remote ACL testing
# remove the original Kerberos and KDC settings
RESET_KDC=${RESET_KDC:-true}
GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"}
REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"}
-# create configuration files for remote ACL testing
-CFG_IDMAP=${CFG_IDMAP:-true}
-LUSTRE_CONF_DIR=${LUSTRE_CONF_DIR:-"/etc/lustre"}
-IDMAP_CONF=$LUSTRE_CONF_DIR/idmap.conf
-PERM_CONF=$LUSTRE_CONF_DIR/perm.conf
-
# krb5 realm & domain
KRB5_REALM=${KRB5_REALM:-"CO.CFS"}
KRB5_DOMAIN=$(echo $KRB5_REALM | tr '[A-Z]' '[a-z]')
echo -n "Checking uid/gid $id/$id on $node..."
user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1)
if [ -z "$user" ]; then
- echo -e "\nPlease set LOCAL_UIDS and REMOTE_UIDS to some users \
+ echo -e "\nPlease set LOCAL_UIDS to some users \
which exist on KDC, MDS and client or add user/group $id/$id on these nodes."
return 1
fi
return 0
}
-#
-# create and install idmap.conf on the MDS
-#
-cfg_idmap_conf() {
- local tmpcfg="$TMP/idmap.conf"
- local fqdn
- local user
- local uid
- local client_nids client_nid
- local rc
-
- echo "+++ Installing idmap.conf on MDS"
- echo "Getting Client NID..."
- client_nids=$(get_client_nids)
- rc=${PIPESTATUS[0]}
- if [ $rc -ne 0 ]; then
- echo $client_nids
- return $rc
- fi
-
- rm -f $tmpcfg
- if $SPLIT_KEYTAB; then
- for fqdn in $MY_CLIENTNODES; do
- echo "lustre_root/$fqdn@$KRB5_REALM * 0" >> $tmpcfg
- done
- else
- echo "lustre_root@$KRB5_REALM * 0" >> $tmpcfg
- fi
- cat <<EOF >> $tmpcfg
-bin@$KRB5_REALM * 1
-daemon@$KRB5_REALM * 2
-games@$KRB5_REALM * 12
-EOF
-
- for node in $MY_MDSNODES; do
- for uid in $LOCAL_UIDS; do
- user=$(my_do_node $node getent passwd $uid | cut -d: -f1)
- for client_nid in $client_nids; do
- echo "$user@$KRB5_REALM $client_nid $uid" >> $tmpcfg
- done
- done
- done
-
- for node in $MY_MDSNODES; do
- my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
- $SCP $tmpcfg root@$node:$IDMAP_CONF || return ${PIPESTATUS[0]}
- done
- rm -f $tmpcfg
- echo "OK!"
-}
-
-#
-# create and install perm.conf on the MDS for remote ACL testing
-#
-cfg_perm_conf() {
- local tmpcfg="$TMP/perm.conf"
- local uid
-
- echo "+++ Installing perm.conf on MDS"
-
- rm -f $tmpcfg
- for node in $MY_MDSNODES; do
- my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
-
- for uid in $LOCAL_UIDS $REMOTE_UIDS; do
- if ! grep -q " $uid " $tmpcfg 2>/dev/null; then
- echo "* $uid rmtacl" >> $tmpcfg
- fi
- done
-
- echo "* 0 setgid" >> $tmpcfg
-
- $SCP $tmpcfg root@$node:$PERM_CONF || return ${PIPESTATUS[0]}
- done
- rm -f $tmpcfg
- echo "OK!"
-}
-
# ******************************** Main Flow ******************************** #
normalize_names || exit ${PIPESTATUS[0]}
check_rsh || exit ${PIPESTATUS[0]}
if $CFG_RUNAS; then
check_users || exit ${PIPESTATUS[0]}
-elif $CFG_IDMAP; then
- echo "Remote ACL operations need local and remote users!"
- exit 1
fi
check_kdc || exit ${PIPESTATUS[0]}
cfg_kdc_princs || exit ${PIPESTATUS[0]}
cfg_keytab || exit ${PIPESTATUS[0]}
-if $CFG_IDMAP; then
- cfg_idmap_conf || exit ${PIPESTATUS[0]}
- cfg_perm_conf || exit ${PIPESTATUS[0]}
-fi
-
echo "Complete successfully!"
{ "setuid", CFS_SETUID_PERM },
{ "setgid", CFS_SETGID_PERM },
{ "setgrp", CFS_SETGRP_PERM },
- { "rmtacl", CFS_RMTACL_PERM },
- { "rmtown", CFS_RMTOWN_PERM },
{ 0 }
};
{ "nosetuid", CFS_SETUID_PERM },
{ "nosetgid", CFS_SETGID_PERM },
{ "nosetgrp", CFS_SETGRP_PERM },
- { "normtacl", CFS_RMTACL_PERM },
- { "normtown", CFS_RMTOWN_PERM },
{ 0 }
};
static int lfs_lsetfacl(int argc, char **argv)
{
- argv[0]++;
- return(llapi_lsetfacl(argc, argv));
+ fprintf(stderr, "local client sets facl for remote client.\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_lgetfacl(int argc, char **argv)
{
- argv[0]++;
- return(llapi_lgetfacl(argc, argv));
+ fprintf(stderr, "local client gets facl for remote client.\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_rsetfacl(int argc, char **argv)
{
- argv[0]++;
- return(llapi_rsetfacl(argc, argv));
+ fprintf(stderr, "remote client sets facl for remote client.\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_rgetfacl(int argc, char **argv)
{
- argv[0]++;
- return(llapi_rgetfacl(argc, argv));
+ fprintf(stderr, "remote client gets facl for remote client.\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_cp(int argc, char **argv)
{
- return(llapi_cp(argc, argv));
+ fprintf(stderr, "remote client copy file(s).\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_ls(int argc, char **argv)
{
- return(llapi_ls(argc, argv));
+ fprintf(stderr, "remote client lists directory contents.\n"
+ "obsolete, does not support it anymore.\n");
+ return 0;
}
static int lfs_changelog(int argc, char **argv)
return rc;
}
-#include <pwd.h>
-#include <grp.h>
-#include <mntent.h>
-#include <sys/wait.h>
-#include <errno.h>
-#include <ctype.h>
-
-static int rmtacl_notify(int ops)
-{
- FILE *fp;
- struct mntent *mnt;
- int found = 0, fd = 0, rc = 0;
-
- fp = setmntent(MOUNTED, "r");
- if (fp == NULL) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc,
- "error setmntent(%s)", MOUNTED);
- return rc;
- }
-
- while (1) {
- mnt = getmntent(fp);
- if (!mnt)
- break;
-
- if (!llapi_is_lustre_mnt(mnt))
- continue;
-
- fd = open(mnt->mnt_dir, O_RDONLY | O_DIRECTORY);
- if (fd < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc,
- "Can't open '%s'", mnt->mnt_dir);
- goto out;
- }
-
- rc = ioctl(fd, LL_IOC_RMTACL, ops);
- close(fd);
- if (rc < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc,
- "ioctl RMTACL on '%s' err %d",
- mnt->mnt_dir, rc);
- goto out;
- }
-
- found++;
- }
-
-out:
- endmntent(fp);
- return ((rc != 0) ? rc : found);
-}
-
-static char *next_token(char *p, int div)
-{
- if (p == NULL)
- return NULL;
-
- if (div)
- while (*p && *p != ':' && !isspace(*p))
- p++;
- else
- while (*p == ':' || isspace(*p))
- p++;
-
- return *p ? p : NULL;
-}
-
-static int rmtacl_name2id(char *name, int is_user)
-{
- if (is_user) {
- struct passwd *pw;
-
- pw = getpwnam(name);
- if (pw == NULL)
- return INVALID_ID;
- else
- return (int)(pw->pw_uid);
- } else {
- struct group *gr;
-
- gr = getgrnam(name);
- if (gr == NULL)
- return INVALID_ID;
- else
- return (int)(gr->gr_gid);
- }
-}
-
-static int isodigit(int c)
-{
- return (c >= '0' && c <= '7') ? 1 : 0;
-}
-
-/*
- * Whether the name is just digits string (uid/gid) already or not.
- * Return value:
- * 1: str is id
- * 0: str is not id
- */
-static int str_is_id(char *str)
-{
- if (str == NULL)
- return 0;
-
- if (*str == '0') {
- str++;
- if (*str == 'x' || *str == 'X') { /* for Hex. */
- if (!isxdigit(*(++str)))
- return 0;
-
- while (isxdigit(*(++str)));
- } else if (isodigit(*str)) { /* for Oct. */
- while (isodigit(*(++str)));
- }
- } else if (isdigit(*str)) { /* for Dec. */
- while (isdigit(*(++str)));
- }
-
- return (*str == 0) ? 1 : 0;
-}
-
-typedef struct {
- char *name;
- int length;
- int is_user;
- int next_token;
-} rmtacl_name_t;
-
-#define RMTACL_OPTNAME(name) name, sizeof(name) - 1
-
-static rmtacl_name_t rmtacl_namelist[] = {
- { RMTACL_OPTNAME("user:"), 1, 0 },
- { RMTACL_OPTNAME("group:"), 0, 0 },
- { RMTACL_OPTNAME("default:user:"), 1, 0 },
- { RMTACL_OPTNAME("default:group:"), 0, 0 },
- /* for --tabular option */
- { RMTACL_OPTNAME("user"), 1, 1 },
- { RMTACL_OPTNAME("group"), 0, 1 },
- { 0 }
-};
-
-static int rgetfacl_output(char *str)
-{
- char *start = NULL, *end = NULL;
- int is_user = 0, n, id;
- char c;
- rmtacl_name_t *rn;
-
- if (str == NULL)
- return -1;
-
- for (rn = rmtacl_namelist; rn->name; rn++) {
- if(strncmp(str, rn->name, rn->length) == 0) {
- if (!rn->next_token)
- start = str + rn->length;
- else
- start = next_token(str + rn->length, 0);
- is_user = rn->is_user;
- break;
- }
- }
-
- end = next_token(start, 1);
- if (end == NULL || start == end) {
- n = printf("%s", str);
- return n;
- }
-
- c = *end;
- *end = 0;
- id = rmtacl_name2id(start, is_user);
- if (id == INVALID_ID) {
- if (str_is_id(start)) {
- *end = c;
- n = printf("%s", str);
- } else
- return -1;
- } else if ((id == NOBODY_UID && is_user) ||
- (id == NOBODY_GID && !is_user)) {
- *end = c;
- n = printf("%s", str);
- } else {
- *end = c;
- *start = 0;
- n = printf("%s%d%s", str, id, end);
- }
- return n;
-}
-
-static int child_status(int status)
-{
- return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
-}
-
-static int do_rmtacl(int argc, char *argv[], int ops, int (output_func)(char *))
-{
- pid_t pid = 0;
- int fd[2], status, rc;
- FILE *fp;
- char buf[PIPE_BUF];
-
- if (output_func) {
- if (pipe(fd) < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc, "Can't create pipe");
- return rc;
- }
-
- pid = fork();
- if (pid < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc, "Can't fork");
- close(fd[0]);
- close(fd[1]);
- return rc;
- } else if (!pid) {
- /* child process redirects its output. */
- close(fd[0]);
- close(1);
- if (dup2(fd[1], 1) < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc,
- "Can't dup2 %d", fd[1]);
- close(fd[1]);
- return rc;
- }
- } else {
- close(fd[1]);
- }
- }
-
- if (!pid) {
- status = rmtacl_notify(ops);
- if (status < 0)
- return -errno;
-
- exit(execvp(argv[0], argv));
- }
-
- /* the following is parent process */
- fp = fdopen(fd[0], "r");
- if (fp == NULL) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc, "fdopen %d failed", fd[0]);
- kill(pid, SIGKILL);
- close(fd[0]);
- return rc;
- }
-
- while (fgets(buf, PIPE_BUF, fp) != NULL) {
- if (output_func(buf) < 0)
- fprintf(stderr, "WARNING: unexpected error!\n[%s]\n",
- buf);
- }
- fclose(fp);
- close(fd[0]);
-
- if (waitpid(pid, &status, 0) < 0) {
- rc = -errno;
- llapi_error(LLAPI_MSG_ERROR, rc, "waitpid %d failed", pid);
- return rc;
- }
-
- return child_status(status);
-}
-
-int llapi_lsetfacl(int argc, char *argv[])
-{
- return do_rmtacl(argc, argv, RMT_LSETFACL, NULL);
-}
-
-int llapi_lgetfacl(int argc, char *argv[])
-{
- return do_rmtacl(argc, argv, RMT_LGETFACL, NULL);
-}
-
-int llapi_rsetfacl(int argc, char *argv[])
-{
- return do_rmtacl(argc, argv, RMT_RSETFACL, NULL);
-}
-
-int llapi_rgetfacl(int argc, char *argv[])
-{
- return do_rmtacl(argc, argv, RMT_RGETFACL, rgetfacl_output);
-}
-
-int llapi_cp(int argc, char *argv[])
-{
- int rc;
-
- rc = rmtacl_notify(RMT_RSETFACL);
- if (rc < 0)
- return rc;
-
- exit(execvp(argv[0], argv));
-}
-
-int llapi_ls(int argc, char *argv[])
-{
- int rc;
-
- rc = rmtacl_notify(RMT_LGETFACL);
- if (rc < 0)
- return rc;
-
- exit(execvp(argv[0], argv));
-}
-
/* Print mdtname 'name' into 'buf' using 'format'. Add -MDT0000 if needed.
* format must have %s%s, buf must be > 16
* Eg: if name = "lustre-MDT0000", "lustre", or "lustre-MDT0000_UUID"
CHECK_DEFINE_64X(OBD_MD_FLXATTRLS);
CHECK_DEFINE_64X(OBD_MD_FLXATTRRM);
CHECK_DEFINE_64X(OBD_MD_FLACL);
- CHECK_DEFINE_64X(OBD_MD_FLRMTPERM);
CHECK_DEFINE_64X(OBD_MD_FLMDSCAPA);
CHECK_DEFINE_64X(OBD_MD_FLOSSCAPA);
CHECK_DEFINE_64X(OBD_MD_FLCKSPLIT);
CHECK_DEFINE_64X(OBD_MD_FLCROSSREF);
CHECK_DEFINE_64X(OBD_MD_FLGETATTRLOCK);
- CHECK_DEFINE_64X(OBD_MD_FLRMTLSETFACL);
- CHECK_DEFINE_64X(OBD_MD_FLRMTLGETFACL);
- CHECK_DEFINE_64X(OBD_MD_FLRMTRSETFACL);
- CHECK_DEFINE_64X(OBD_MD_FLRMTRGETFACL);
CHECK_DEFINE_64X(OBD_MD_FLDATAVERSION);
CHECK_CVALUE_X(OBD_FL_INLINEDATA);
}
static void
-check_mdt_remote_perm(void)
-{
- BLANK_LINE();
- CHECK_STRUCT(mdt_remote_perm);
- CHECK_MEMBER(mdt_remote_perm, rp_uid);
- CHECK_MEMBER(mdt_remote_perm, rp_gid);
- CHECK_MEMBER(mdt_remote_perm, rp_fsuid);
- CHECK_MEMBER(mdt_remote_perm, rp_fsgid);
- CHECK_MEMBER(mdt_remote_perm, rp_access_perm);
- CHECK_MEMBER(mdt_remote_perm, rp_padding);
-
- CHECK_VALUE_X(CFS_SETUID_PERM);
- CHECK_VALUE_X(CFS_SETGID_PERM);
- CHECK_VALUE_X(CFS_SETGRP_PERM);
- CHECK_VALUE_X(CFS_RMTACL_PERM);
- CHECK_VALUE_X(CFS_RMTOWN_PERM);
-}
-
-static void
check_mdt_rec_setattr(void)
{
BLANK_LINE();
check_ll_fid();
check_mdt_body();
check_mdt_ioepoch();
- check_mdt_remote_perm();
check_mdt_rec_setattr();
check_mdt_rec_create();
check_mdt_rec_link();
OBD_MD_FLXATTRRM);
LASSERTF(OBD_MD_FLACL == (0x0000008000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLACL);
- LASSERTF(OBD_MD_FLRMTPERM == (0x0000010000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTPERM);
LASSERTF(OBD_MD_FLMDSCAPA == (0x0000020000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLMDSCAPA);
LASSERTF(OBD_MD_FLOSSCAPA == (0x0000040000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLCROSSREF);
LASSERTF(OBD_MD_FLGETATTRLOCK == (0x0000200000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLGETATTRLOCK);
- LASSERTF(OBD_MD_FLRMTLSETFACL == (0x0001000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTLSETFACL);
- LASSERTF(OBD_MD_FLRMTLGETFACL == (0x0002000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTLGETFACL);
- LASSERTF(OBD_MD_FLRMTRSETFACL == (0x0004000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTRSETFACL);
- LASSERTF(OBD_MD_FLRMTRGETFACL == (0x0008000000000000ULL), "found 0x%.16llxULL\n",
- OBD_MD_FLRMTRGETFACL);
LASSERTF(OBD_MD_FLDATAVERSION == (0x0010000000000000ULL), "found 0x%.16llxULL\n",
OBD_MD_FLDATAVERSION);
CLASSERT(OBD_FL_INLINEDATA == 0x00000001);
LASSERTF((int)sizeof(((struct mdt_ioepoch *)0)->mio_padding) == 4, "found %lld\n",
(long long)(int)sizeof(((struct mdt_ioepoch *)0)->mio_padding));
- /* Checks for struct mdt_remote_perm */
- LASSERTF((int)sizeof(struct mdt_remote_perm) == 32, "found %lld\n",
- (long long)(int)sizeof(struct mdt_remote_perm));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_uid) == 0, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_uid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_uid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_uid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_gid) == 4, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_gid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_gid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_gid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_fsuid) == 8, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_fsuid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_fsuid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_fsuid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_fsgid) == 16, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_fsgid));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_fsgid) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_fsgid));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_access_perm) == 24, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_access_perm));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_access_perm) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_access_perm));
- LASSERTF((int)offsetof(struct mdt_remote_perm, rp_padding) == 28, "found %lld\n",
- (long long)(int)offsetof(struct mdt_remote_perm, rp_padding));
- LASSERTF((int)sizeof(((struct mdt_remote_perm *)0)->rp_padding) == 4, "found %lld\n",
- (long long)(int)sizeof(((struct mdt_remote_perm *)0)->rp_padding));
- LASSERTF(CFS_SETUID_PERM == 0x00000001UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETUID_PERM);
- LASSERTF(CFS_SETGID_PERM == 0x00000002UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETGID_PERM);
- LASSERTF(CFS_SETGRP_PERM == 0x00000004UL, "found 0x%.8xUL\n",
- (unsigned)CFS_SETGRP_PERM);
- LASSERTF(CFS_RMTACL_PERM == 0x00000008UL, "found 0x%.8xUL\n",
- (unsigned)CFS_RMTACL_PERM);
- LASSERTF(CFS_RMTOWN_PERM == 0x00000010UL, "found 0x%.8xUL\n",
- (unsigned)CFS_RMTOWN_PERM);
-
/* Checks for struct mdt_rec_setattr */
LASSERTF((int)sizeof(struct mdt_rec_setattr) == 136, "found %lld\n",
(long long)(int)sizeof(struct mdt_rec_setattr));