4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see http://www.gnu.org/licenses
23 * Copyright (c) 2014 Bull SAS
25 * Copyright (c) 2015, 2016, Intel Corporation.
26 * Author: Sebastien Buisson sebastien.buisson@bull.net
30 * lustre/llite/xattr_security.c
31 * Handler for storing security labels as extended attributes.
34 #include <linux/types.h>
35 #include <linux/security.h>
36 #ifdef HAVE_LINUX_SELINUX_IS_ENABLED
37 #include <linux/selinux.h>
39 #include <linux/xattr.h>
40 #include "llite_internal.h"
42 #ifndef XATTR_SELINUX_SUFFIX
43 # define XATTR_SELINUX_SUFFIX "selinux"
46 #ifndef XATTR_NAME_SELINUX
47 # define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
51 * Check for LL_SBI_FILE_SECCTX before calling.
53 int ll_dentry_init_security(struct dentry *dentry, int mode, struct qstr *name,
54 const char **secctx_name, __u32 *secctx_name_size,
55 void **secctx, __u32 *secctx_size)
57 struct ll_sb_info *sbi = ll_s2sbi(dentry->d_sb);
58 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
/* xattr name as reported by the LSM itself; checked below against the
 * name Lustre cached in sbi (see ll_secctx_name_store()) */
59 const char *secctx_name_lsm = NULL;
64 * Before kernel 5.15-rc1-20-g15bf32398ad4,
65 * security_inode_init_security() does not return to us the name of the
66 * extended attribute to store the context under (for example
67 * "security.selinux"). So we only call it when we think we know what
68 * the name of the extended attribute will be. This is OK-ish since
69 * SELinux is the only module that implements
70 * security_dentry_init_security(). Note that the NFS client code just
71 * calls it and assumes that if anything is returned then it must come
/* start from the xattr name cached in sbi by ll_secctx_name_store() */
75 *secctx_name_size = ll_secctx_name_get(sbi, secctx_name);
76 /* xattr name length == 0 means no LSM module manages file contexts */
77 if (*secctx_name_size == 0)
80 rc = security_dentry_init_security(dentry, mode, name,
81 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
85 /* ignore error if the hook is not supported by the LSM module */
86 if (rc == -EOPNOTSUPP)
91 #ifdef HAVE_SECURITY_DENTRY_INIT_WITH_XATTR_NAME_ARG
/* NOTE(review): the comparison is bounded by the cached name's length, so
 * an LSM name that merely starts with the cached name would not be
 * reported here -- confirm whether a full strcmp() is intended */
92 if (strncmp(*secctx_name, secctx_name_lsm, *secctx_name_size) != 0) {
93 CERROR("%s: LSM secctx_name '%s' does not match the one stored by Lustre '%s'\n",
94 sbi->ll_fsname, secctx_name_lsm, *secctx_name);
103 * A helper function for security_inode_init_security()
104 * that takes care of setting xattrs
106 * Get security context of @inode from @xattr_array,
107 * and put it in 'security.xxx' xattr of dentry
108 * stored in @fs_info.
111 * \retval -ENOMEM if no memory could be allocated for xattr name
112 * \retval < 0 failure to set xattr
115 ll_initxattrs(struct inode *inode, const struct xattr *xattr_array,
/* fs_info is the dentry handed through by ll_inode_init_security() */
118 struct dentry *dentry = fs_info;
119 const struct xattr *xattr;
/* the LSM terminates the array with an entry whose name is NULL */
122 for (xattr = xattr_array; xattr->name; xattr++) {
/* the LSM supplies only the suffix; prepend the security namespace prefix */
125 full_name = kasprintf(GFP_KERNEL, "%s%s",
126 XATTR_SECURITY_PREFIX, xattr->name);
/* XATTR_CREATE: the set fails if the label already exists instead of
 * silently replacing it */
132 err = ll_vfs_setxattr(dentry, inode, full_name, xattr->value,
133 xattr->value_len, XATTR_CREATE);
142 * Initializes security context
144 * Get security context of @inode in @dir,
145 * and put it in 'security.xxx' xattr of @dentry.
147 * \retval 0 success, or SELinux is disabled
148 * \retval -ENOMEM if no memory could be allocated for xattr name
149 * \retval < 0 failure to get security context or set xattr
152 ll_inode_init_security(struct dentry *dentry, struct inode *inode,
/* nothing to do unless a security xattr is wanted for the parent directory */
157 if (!ll_security_xattr_wanted(dir))
/* ll_initxattrs() receives dentry back as its fs_info and stores each label */
160 rc = security_inode_init_security(inode, dir, NULL,
161 &ll_initxattrs, dentry);
/* no LSM implements the hook: presumably treated as success, per
 * "\retval 0 success, or SELinux is disabled" in the header above */
162 if (rc == -EOPNOTSUPP)
169 * Notify security context to the security layer
171 * Notify security context @secctx of inode @inode to the security layer.
173 * \retval 0 success, or SELinux is disabled or not supported by the fs
174 * \retval < 0 failure to set the security context
176 int ll_inode_notifysecctx(struct inode *inode,
177 void *secctx, __u32 secctxlen)
179 struct ll_sb_info *sbi = ll_i2sbi(inode);
/* bail out when the feature is off for this mount, the security xattr
 * is not wanted for this inode, or there is no context to pass on */
182 if (!test_bit(LL_SBI_FILE_SECCTX, sbi->ll_flags) ||
183 !ll_security_xattr_wanted(inode) ||
184 !secctx || !secctxlen)
187 /* no need to protect selinux_inode_setsecurity() by
188 * inode_lock. Taking it would lead to a client deadlock
191 rc = security_inode_notifysecctx(inode, secctx, secctxlen);
/* failure is only warned about here; rc is presumably propagated to the
 * caller ("\retval < 0" in the header above) */
193 CWARN("%s: cannot set security context for "DFID": rc = %d\n",
194 sbi->ll_fsname, PFID(ll_inode2fid(inode)), rc);
200 * Free the security context xattr name used by policy
202 void ll_secctx_name_free(struct ll_sb_info *sbi)
/* +1 matches the OBD_ALLOC(..., rc + 1) in ll_secctx_name_store(): the
 * buffer also holds the '\0' terminator */
204 OBD_FREE(sbi->ll_secctx_name, sbi->ll_secctx_name_size + 1);
/* clear both fields so ll_secctx_name_get() reports "nothing stored" and
 * ll_secctx_name_store() can allocate afresh */
205 sbi->ll_secctx_name = NULL;
206 sbi->ll_secctx_name_size = 0;
210 * Get security context xattr name used by policy and save it.
212 * \retval > 0 length of xattr name
213 * \retval == 0 no LSM module registered supporting security contexts
214 * \retval <= 0 failure to get xattr name or xattr is not supported
216 int ll_secctx_name_store(struct inode *in)
218 struct ll_sb_info *sbi = ll_i2sbi(in);
221 if (!ll_security_xattr_wanted(in))
224 /* get size of xattr name */
/* a NULL buffer asks the LSM only for the required length */
225 rc = security_inode_listsecurity(in, NULL, 0);
/* drop any previously stored name before allocating the new one */
229 if (sbi->ll_secctx_name)
230 ll_secctx_name_free(sbi);
/* +1 for the '\0' terminator written below */
232 OBD_ALLOC(sbi->ll_secctx_name, rc + 1);
233 if (!sbi->ll_secctx_name)
236 /* save the xattr name */
237 sbi->ll_secctx_name_size = rc;
238 rc = security_inode_listsecurity(in, sbi->ll_secctx_name,
239 sbi->ll_secctx_name_size);
/* guard: the second call must not report more than was allocated for
 * above, otherwise the '\0' store below would be out of bounds */
243 if (rc > sbi->ll_secctx_name_size) {
249 sbi->ll_secctx_name[rc] = '\0';
/* sizeof includes the NUL, so this requires at least one character
 * after the prefix */
250 if (rc < sizeof(XATTR_SECURITY_PREFIX)) {
/* only names in the security namespace are accepted */
254 if (strncmp(sbi->ll_secctx_name, XATTR_SECURITY_PREFIX,
255 sizeof(XATTR_SECURITY_PREFIX) - 1) != 0) {
/* presumably the error path: discard the name that failed validation */
263 ll_secctx_name_free(sbi);
268 * Retrieve the stored file security context xattr name.
270 * \retval security context xattr name size stored.
271 * \retval 0 no xattr name stored.
273 __u32 ll_secctx_name_get(struct ll_sb_info *sbi, const char **secctx_name)
/* both fields are cleared together by ll_secctx_name_free(); either
 * being unset means no name is stored */
275 if (!sbi->ll_secctx_name || !sbi->ll_secctx_name_size)
/* points into sbi-owned storage: valid only until ll_secctx_name_free()
 * and must not be freed by the caller */
278 *secctx_name = sbi->ll_secctx_name;
280 return sbi->ll_secctx_name_size;
284 * Filter out xattr file security context if not managed by LSM
286 * This is done to improve performance for applications that blindly try to get
287 * the file context (like "ls -l" for security.selinux).
288 * See LU-549 for more information.
290 * \retval 0 xattr not filtered
291 * \retval -EOPNOTSUPP no enabled LSM security module supports the xattr
293 int ll_security_secctx_name_filter(struct ll_sb_info *sbi, int xattr_type,
296 const char *cached_suffix = NULL;
298 if (xattr_type != XATTR_SECURITY_T ||
299 !ll_xattr_suffix_is_seclabel(suffix))
302 /* is the xattr label used by lsm ? */
303 if (!ll_secctx_name_get(sbi, &cached_suffix))
306 cached_suffix += sizeof(XATTR_SECURITY_PREFIX) - 1;
307 if (strcmp(suffix, cached_suffix) != 0)