From f6e931c58a2e4df5f330ae2e5969ba44398fa151 Mon Sep 17 00:00:00 2001 From: Alexey Lyashkov Date: Sun, 20 Jan 2013 06:42:22 +0200 Subject: [PATCH] LU-2655 obdclass: selinux support add ability to start lustre targers on selinux enabled nodes provide a fake xattr functions for a lustre mounts, add security context to mkfs mountpoint. Xyratex-bug-id: MPR-558 Signed-off-by: Alexey Lyashkov Change-Id: Iee8701912e71da21eb7e2417ebdc123f88ab86fa Reviewed-on: http://review.whamcloud.com/5135 Tested-by: Hudson Reviewed-by: Andreas Dilger Tested-by: Maloo Reviewed-by: Keith Mannthey --- lustre.spec.in | 5 +++++ lustre/autoconf/lustre-core.m4 | 15 +++++++++++++++ lustre/obdclass/obd_mount_server.c | 34 +++++++++++++++++++++++++++++++++- lustre/utils/Makefile.am | 2 +- lustre/utils/mount_utils_ldiskfs.c | 35 +++++++++++++++++++++++++++++++++++ 5 files changed, 89 insertions(+), 2 deletions(-) diff --git a/lustre.spec.in b/lustre.spec.in index a1d886e..fbed0fa 100644 --- a/lustre.spec.in +++ b/lustre.spec.in @@ -79,6 +79,11 @@ Requires: %{name}-modules = %{version} Requires: lustre-osd %endif # GSS requires this: BuildRequires: pkgconfig, libgssapi-devel >= 0.10 +%if %{_vendor}=="redhat" || %{_vendor}=="fedora" +#suse don't support selinux +BuildRequires: libselinux-devel +Requires: libselinux +%endif %description Userspace tools and files for the Lustre file system. diff --git a/lustre/autoconf/lustre-core.m4 b/lustre/autoconf/lustre-core.m4 index 9e6fb87..a362095 100644 --- a/lustre/autoconf/lustre-core.m4 +++ b/lustre/autoconf/lustre-core.m4 
@@ -2758,6 +2758,21 @@ AC_CHECK_LIB([z], ) AC_SUBST(ZLIB) +SELINUX="" +AC_CHECK_LIB([selinux], + [is_selinux_enabled], + [AC_CHECK_HEADERS([selinux.h], + [SELINUX="-lselinux" + AC_DEFINE([HAVE_SELINUX], 1, + [support for selinux ])], + [AC_MSG_WARN([No selinux-devel package found, + unable to build selinux enabled + tools])])], + [AC_MSG_WARN([No selinux package found, unable to build selinux + enabled tools])] +) +AC_SUBST(SELINUX) + # Super safe df AC_ARG_ENABLE([mindf], AC_HELP_STRING([--enable-mindf], diff --git a/lustre/obdclass/obd_mount_server.c b/lustre/obdclass/obd_mount_server.c index f2d7785..9b8b144 100644 --- a/lustre/obdclass/obd_mount_server.c +++ b/lustre/obdclass/obd_mount_server.c @@ -57,6 +57,9 @@ #ifdef HAVE_KERNEL_LOCKED #include #endif +#ifdef HAVE_SELINUX_IS_ENABLED +#include +#endif /*********** mount lookup *********/ @@ -1557,6 +1560,35 @@ static struct super_operations server_ops = { .statfs = server_statfs, }; +/* + * Xattr support for Lustre servers + */ +static ssize_t lustre_getxattr(struct dentry *dentry, const char *name, + void *buffer, size_t size) +{ + if (!selinux_is_enabled()) + return -EOPNOTSUPP; + return -ENODATA; +} + +static int lustre_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) +{ + return -EOPNOTSUPP; +} + +static ssize_t lustre_listxattr(struct dentry *d_entry, char *name, + size_t size) +{ + return -EOPNOTSUPP; +} + +const struct inode_operations server_inode_operations = { + .setxattr = lustre_setxattr, + .getxattr = lustre_getxattr, + .listxattr = lustre_listxattr, +}; + #define log2(n) ffz(~(n)) #define LUSTRE_SUPER_MAGIC 0x0BD00BD1 
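Review bot: `AC_CHECK_HEADERS([selinux.h], ...)` probes for a top-level `selinux.h`, but libselinux normally installs its header as `selinux/selinux.h`, so this test is likely to fail even when the devel package is present. In that case `SELINUX` stays empty and `HAVE_SELINUX` is never defined, so the tools build without context support and only a configure warning shows it. I would probe the real path, `AC_CHECK_HEADERS([selinux/selinux.h],`, and leave the rest of the block as is.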
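Review bot: `lustre_getxattr()` calls `selinux_is_enabled()` unconditionally, while the include added in the first hunk of this file is guarded by `HAVE_SELINUX_IS_ENABLED`. The autoconf hunk in this patch defines only `HAVE_SELINUX`, so unless that macro is set elsewhere the call has no declaration in scope. Guard the call the same way, `#ifdef HAVE_SELINUX_IS_ENABLED` / `if (!selinux_is_enabled()) return -EOPNOTSUPP;` / `#endif`, or add the kernel-side configure test in this change. `server_inode_operations` is referenced only from this file in the visible hunks and could be `static const`. A one-line comment on why getxattr answers `-ENODATA` when SELinux is enabled would help the next reader.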
@@ -1584,7 +1616,7 @@ static int server_fill_super_common(struct super_block *sb) /* make_bad_inode(root); -- badness - can't umount */ /* apparently we need to be a directory for the mount to finish */ root->i_mode = S_IFDIR; - + root->i_op = &server_inode_operations; sb->s_root = d_make_root(root); if (!sb->s_root) { CERROR("%s: can't make root dentry\n", sb->s_id); diff --git a/lustre/utils/Makefile.am b/lustre/utils/Makefile.am index 23bde35..4d28e62 100644 --- a/lustre/utils/Makefile.am +++ b/lustre/utils/Makefile.am @@ -125,7 +125,7 @@ lr_reader_SOURCES = lr_reader.c mount_lustre_SOURCES = mount_lustre.c mount_utils.c mount_utils.h mount_lustre_CPPFLAGS = $(AM_CPPFLAGS) -mount_lustre_LDADD := $(LIBPTLCTL) +mount_lustre_LDADD := $(LIBPTLCTL) $(SELINUX) mount_lustre_DEPENDENCIES := $(LIBPTLCTL) if LDISKFS_ENABLED mount_lustre_SOURCES += mount_utils_ldiskfs.c diff --git a/lustre/utils/mount_utils_ldiskfs.c b/lustre/utils/mount_utils_ldiskfs.c index bf8e2c8..9ce1e8f 100644 --- a/lustre/utils/mount_utils_ldiskfs.c +++ b/lustre/utils/mount_utils_ldiskfs.c @@ -80,6 +80,10 @@ #include #include +#ifdef HAVE_SELINUX +#include +#endif + #define MAX_HW_SECTORS_KB_PATH "queue/max_hw_sectors_kb" #define MAX_SECTORS_KB_PATH "queue/max_sectors_kb" #define SCHEDULER_PATH "queue/scheduler" 
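Review bot: Only `mount_lustre_LDADD` gains `$(SELINUX)`, but the libselinux calls this patch adds (`is_selinux_enabled`, `getfilecon`, `freecon`) live in `mount_utils_ldiskfs.c`, reached through `ldiskfs_write_ldd()`. Any other program in this Makefile that lists `mount_utils_ldiskfs.c` in its `_SOURCES` would fail to link once `HAVE_SELINUX` is defined. Those rules are outside the hunk, so this needs checking against the full file. If there are such programs, each needs the same addition, e.g. `mkfs_lustre_LDADD += $(SELINUX)` if that is the variable in use.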
@@ -94,6 +98,29 @@ extern char *progname; #define DUMMY_FILE_NAME_LEN 25 #define EXT3_DIRENT_SIZE DUMMY_FILE_NAME_LEN +/* + * Concatenate context of the temporary mount point iff selinux is enabled + */ +#ifdef HAVE_SELINUX +void append_context_for_mount(char *mntpt, struct mkfs_opts *mop) +{ + security_context_t fcontext; + + if (getfilecon(mntpt, &fcontext) < 0) { + /* Continuing with default behaviour */ + fprintf(stderr, "%s: Get file context failed : %s\n", + progname, strerror(errno)); + return; + } + + if (fcontext != NULL) { + strcat(mop->mo_ldd.ldd_mount_opts, ",context="); + strcat(mop->mo_ldd.ldd_mount_opts, fcontext); + freecon(fcontext); + } +} +#endif + /* Write the server config files */ int ldiskfs_write_ldd(struct mkfs_opts *mop) { @@ -111,6 +138,14 @@ int ldiskfs_write_ldd(struct mkfs_opts *mop) return errno; } + /* + * Append file context to mount options if SE Linux is enabled + */ + #ifdef HAVE_SELINUX + if (is_selinux_enabled() > 0) + append_context_for_mount(mntpt, mop); + #endif + dev = mop->mo_device; if (mop->mo_flags & MO_IS_LOOP) dev = mop->mo_loopdev; -- 1.8.3.1
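Review bot: The two `strcat()` calls in `append_context_for_mount()` append a string of unchecked length to `mop->mo_ldd.ldd_mount_opts`, so long existing options plus a long context can write past the end of the buffer. The context is read from the mount point's xattr, so its length is not under this program's control. I would append with a bounded `snprintf` and drop the context on truncation, as below, assuming `ldd_mount_opts` is a fixed-size array member as the `strcat` use suggests. A context whose category list contains commas would also split the option string unless the value is quoted. The function has no prototype in the hunk and could be `static` if it is only called from this file.

```c
	if (fcontext != NULL) {
		char *opts = mop->mo_ldd.ldd_mount_opts;
		size_t used = strlen(opts);
		size_t room = sizeof(mop->mo_ldd.ldd_mount_opts) - used;
		int n = snprintf(opts + used, room, ",context=%s", fcontext);

		if (n < 0 || (size_t)n >= room) {
			/* never leave a truncated context in the options */
			opts[used] = '\0';
			fprintf(stderr, "%s: mount options too long to add context\n",
				progname);
		}
		freecon(fcontext);
	}
```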
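Review bot: The call added in `ldiskfs_write_ldd()` modifies `mop->mo_ldd.ldd_mount_opts` in place, so the context of the temporary mkfs mount point may end up in the options stored on the target. That holds if `mo_ldd` is what is written out afterwards, which happens outside the hunk. The label of a scratch directory on the formatting node is not necessarily the one wanted at every later mount. If the context is needed only for this temporary mount, build the option string in a local copy instead. A comment at the call such as `/* context is for the temporary mount only; must not be persisted in ldd */` would record the intent. The indented `#ifdef` inside the function body could be avoided with an empty `append_context_for_mount()` stub under `#else`.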