Commit ac6713cc authored by Yan, Zheng's avatar Yan, Zheng Committed by Ilya Dryomov

ceph: add selinux support



When creating new file/directory, use security_dentry_init_security() to
prepare selinux context for the new inode, then send openc/mkdir request
to MDS, together with selinux xattr.

security_dentry_init_security() only supports a single security module, and
only selinux has a dentry_init_security hook. So only selinux is supported
for now. We can add support for other security modules once the kernel has a
generic version of dentry_init_security().

Signed-off-by: default avatar"Yan, Zheng" <zyan@redhat.com>
Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
parent 5c31e92d
+12 −0
@@ -36,3 +36,15 @@ config CEPH_FS_POSIX_ACL
	  groups beyond the owner/group/world scheme.

	  If you don't know what Access Control Lists are, say N

config CEPH_FS_SECURITY_LABEL
	bool "CephFS Security Labels"
	depends on CEPH_FS && SECURITY
	help
	  Security labels support alternative access control models
	  implemented by security modules like SELinux. This option
	  enables an extended attribute handler for file security
	  labels in the Ceph filesystem.

	  If you are not using a security module that requires using
	  extended attributes for file security labels, say N.
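Review bot: The help text presents the option as serving "security modules like SELinux", but the commit message states that only SELinux currently implements the dentry_init_security hook this feature relies on, and that caveat never reaches the user who reads the Kconfig help. Suggest adding one sentence before the closing paragraph: `Labels for newly created files are currently only provided when SELinux is the active security module.` `depends on CEPH_FS && SECURITY` is broader than what the commit message says actually works, so the help text is the only place a user can learn the limitation.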
+1 −0
@@ -3156,6 +3156,7 @@ static void handle_cap_grant(struct inode *inode,
			ci->i_xattrs.blob = ceph_buffer_get(xattr_buf);
			ci->i_xattrs.version = version;
			ceph_forget_all_cached_acls(inode);
			ceph_security_invalidate_secctx(inode);
		}
	}

+12 −0
@@ -837,6 +837,9 @@ static int ceph_mknod(struct inode *dir, struct dentry *dentry,
	}

	err = ceph_pre_init_acls(dir, &mode, &as_ctx);
	if (err < 0)
		goto out;
	err = ceph_security_init_secctx(dentry, mode, &as_ctx);
	if (err < 0)
		goto out;

@@ -884,6 +887,7 @@ static int ceph_symlink(struct inode *dir, struct dentry *dentry,
	struct ceph_fs_client *fsc = ceph_sb_to_client(dir->i_sb);
	struct ceph_mds_client *mdsc = fsc->mdsc;
	struct ceph_mds_request *req;
	struct ceph_acl_sec_ctx as_ctx = {};
	int err;

	if (ceph_snap(dir) != CEPH_NOSNAP)
@@ -894,6 +898,10 @@ static int ceph_symlink(struct inode *dir, struct dentry *dentry,
		goto out;
	}

	err = ceph_security_init_secctx(dentry, S_IFLNK | 0777, &as_ctx);
	if (err < 0)
		goto out;

	dout("symlink in dir %p dentry %p to '%s'\n", dir, dentry, dest);
	req = ceph_mdsc_create_request(mdsc, CEPH_MDS_OP_SYMLINK, USE_AUTH_MDS);
	if (IS_ERR(req)) {
@@ -919,6 +927,7 @@ static int ceph_symlink(struct inode *dir, struct dentry *dentry,
out:
	if (err)
		d_drop(dentry);
	ceph_release_acl_sec_ctx(&as_ctx);
	return err;
}

@@ -951,6 +960,9 @@ static int ceph_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)

	mode |= S_IFDIR;
	err = ceph_pre_init_acls(dir, &mode, &as_ctx);
	if (err < 0)
		goto out;
	err = ceph_security_init_secctx(dentry, mode, &as_ctx);
	if (err < 0)
		goto out;

+3 −0
@@ -454,6 +454,9 @@ int ceph_atomic_open(struct inode *dir, struct dentry *dentry,
		err = ceph_pre_init_acls(dir, &mode, &as_ctx);
		if (err < 0)
			return err;
		err = ceph_security_init_secctx(dentry, mode, &as_ctx);
		if (err < 0)
			goto out_ctx;
	}

	/* do the open */
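Review bot: The added error path uses `goto out_ctx` while the pre-existing check three lines above still does `return err;`, leaving two unwind conventions side by side in ceph_atomic_open; the bare return is only correct if ceph_pre_init_acls() guarantees `as_ctx` is left empty on failure, which is not visible in this hunk. Changing that earlier line to `goto out_ctx;` as well would make the cleanup uniform and stop it depending on that invariant. The `out_ctx` label and the rest of ceph_atomic_open are outside the hunk.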
+1 −0
@@ -888,6 +888,7 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
			       iinfo->xattr_data, iinfo->xattr_len);
		ci->i_xattrs.version = le64_to_cpu(info->xattr_version);
		ceph_forget_all_cached_acls(inode);
		ceph_security_invalidate_secctx(inode);
		xattr_blob = NULL;
	}
