authorPoornima G <pgurusid@redhat.com>2016-02-26 06:42:14 -0500
committerVijay Bellur <vbellur@redhat.com>2016-03-09 19:09:43 -0800
commita8a8feb25216db2fa426b09d778f61c0f89d514c (patch)
treeb8f2ef368c065194f236bb3042b9b269cc5d2584 /xlators/mount
parent73f415353b0d70a4e6e4a4cedc05cd9b8418625f (diff)
fuse: Add a new mount option capability
Originally all security.* xattrs were forbidden if selinux is disabled, which was causing Samba's acl_xattr module to not work, as it would store the NTACL in security.NTACL. To fix this http://review.gluster.org/#/c/12826/ was sent, which forbid only security.selinux. This opened up a getxattr call on security.capability before every write fop and others. Capabilities can be used without selinux, hence if selinux is disabled, security.capability cannot be forbidden. Hence adding a new mount option called capability. Only when "--capability" or "--selinux" mount option is used, security.capability is sent to the brick, else it is forbidden. Backport of : http://review.gluster.org/#/c/13540/ & http://review.gluster.org/#/c/13653/ BUG: 1309462 Change-Id: Ib8d4f32d9f1458f4d71a05785f92b526aa7033ff Signed-off-by: Poornima G <pgurusid@redhat.com> Reviewed-on: http://review.gluster.org/13626 Tested-by: Vijay Bellur <vbellur@redhat.com> Smoke: Gluster Build System <jenkins@build.gluster.com> CentOS-regression: Gluster Build System <jenkins@build.gluster.com> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
Diffstat (limited to 'xlators/mount')
-rw-r--r--xlators/mount/fuse/src/fuse-bridge.c27
-rw-r--r--xlators/mount/fuse/src/fuse-bridge.h4
-rw-r--r--xlators/mount/fuse/src/fuse-helpers.c26
-rwxr-xr-xxlators/mount/fuse/utils/mount_glusterfs.in7
4 files changed, 53 insertions, 11 deletions
diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
index a6aa96e456c..85b212af951 100644
--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
@@ -3175,12 +3175,11 @@ fuse_setxattr (xlator_t *this, fuse_in_header_t *finh, void *msg)
}
}
- if (!priv->selinux) {
- if (strcmp (name, "security.selinux") == 0) {
- send_fuse_err (this, finh, EOPNOTSUPP);
- GF_FREE (finh);
- return;
- }
+ ret = fuse_check_selinux_cap_xattr (priv, name);
+ if (ret) {
+ send_fuse_err (this, finh, EOPNOTSUPP);
+ GF_FREE (finh);
+ return;
}
/* Check if the command is for changing the log
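Review bot: The meaning of a non-zero result from `fuse_check_selinux_cap_xattr` is not stated at either call site, and the two sites map it to different errors (EOPNOTSUPP here, ENODATA in the fuse_getxattr hunk below), which preserves the old per-site behaviour but leaves a reader guessing why. A one-line comment above the call would fix that: `/* non-zero: security.selinux/security.capability is not enabled for this mount, refuse it instead of forwarding to the brick */`. The hunk does not show where `ret` is declared in fuse_setxattr (fuse_getxattr had to add one), so presumably the function already has a `ret` local; worth confirming it is not reused with a different meaning further down. fuse_setxattr's body continues outside the hunk.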
@@ -3474,6 +3473,7 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg)
int rv = 0;
int op_errno = EINVAL;
char *newkey = NULL;
+ int ret = 0;
priv = this->private;
GET_STATE (this, finh, state);
@@ -3505,11 +3505,10 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg)
}
}
- if (!priv->selinux) {
- if (strcmp (name, "security.selinux") == 0) {
- op_errno = ENODATA;
- goto err;
- }
+ ret = fuse_check_selinux_cap_xattr (priv, name);
+ if (ret) {
+ op_errno = ENODATA;
+ goto err;
}
fuse_resolve_inode_init (state, &state->resolve, finh->nodeid);
@@ -5484,6 +5483,8 @@ init (xlator_t *this_xl)
GF_OPTION_INIT ("selinux", priv->selinux, bool, cleanup_exit);
+ GF_OPTION_INIT ("capability", priv->capability, bool, cleanup_exit);
+
GF_OPTION_INIT ("read-only", priv->read_only, bool, cleanup_exit);
GF_OPTION_INIT ("enable-ino32", priv->enable_ino32, bool, cleanup_exit);
@@ -5818,5 +5819,9 @@ struct volume_options options[] = {
"does not have any affect and the volume option for root-squash is "
"honoured.",
},
+ { .key = {"capability"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "false"
+ },
{ .key = {NULL} },
};
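Review bot: The new `"capability"` entry in `options[]` has no `.description`, while the neighbouring root-squash entry documents its effect in some detail; since this option changes which security.* xattrs reach the brick, its meaning should be visible wherever the option table is rendered. Suggest adding `.description = "Forward the security.capability xattr to the brick when selinux is disabled; off by default, so the xattr is refused unless --capability or --selinux is given."` between `.type` and `.default_value`.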
diff --git a/xlators/mount/fuse/src/fuse-bridge.h b/xlators/mount/fuse/src/fuse-bridge.h
index 807bc302a59..ee09b252bde 100644
--- a/xlators/mount/fuse/src/fuse-bridge.h
+++ b/xlators/mount/fuse/src/fuse-bridge.h
@@ -136,6 +136,9 @@ struct fuse_private {
/* resolve gid with getgrouplist() instead of /proc/%d/status */
gf_boolean_t resolve_gids;
+
+ /* Enable or disable capability support */
+ gf_boolean_t capability;
};
typedef struct fuse_private fuse_private_t;
@@ -424,4 +427,5 @@ int fuse_resolve_fd_init (fuse_state_t *state, fuse_resolve_t *resolve,
int fuse_ignore_xattr_set (fuse_private_t *priv, char *key);
void fuse_fop_resume (fuse_state_t *state);
int dump_history_fuse (circular_buffer_t *cb, void *data);
+int fuse_check_selinux_cap_xattr (fuse_private_t *priv, char *name);
#endif /* _GF_FUSE_BRIDGE_H_ */
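Review bot: `fuse_check_selinux_cap_xattr` only reads `name` through strcmp (see its definition in the fuse-helpers.c hunk), so the prototype would be more honest as `int fuse_check_selinux_cap_xattr (fuse_private_t *priv, const char *name);`, with the definition changed to match. The existing `fuse_ignore_xattr_set (fuse_private_t *priv, char *key)` on the line above uses the same non-const form, so this may be a deliberate match of local convention; if so, a short comment in the header saying the function returns 0 when the xattr may be forwarded and -1 when it must be refused would still help callers.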
diff --git a/xlators/mount/fuse/src/fuse-helpers.c b/xlators/mount/fuse/src/fuse-helpers.c
index 0f8abf03d32..3ccd46efaeb 100644
--- a/xlators/mount/fuse/src/fuse-helpers.c
+++ b/xlators/mount/fuse/src/fuse-helpers.c
@@ -652,3 +652,29 @@ fuse_ignore_xattr_set (fuse_private_t *priv, char *key)
return ret;
}
+
+int
+fuse_check_selinux_cap_xattr (fuse_private_t *priv, char *name)
+{
+ int ret = -1;
+
+ if (strcmp (name, "security.selinux") &&
+ strcmp (name, "security.capability")) {
+ /* if xattr name is not of interest, no validations needed */
+ ret = 0;
+ goto out;
+ }
+
+ if ((strcmp (name, "security.selinux") == 0) &&
+ (priv->selinux)) {
+ ret = 0;
+ }
+
+ if ((strcmp (name, "security.capability") == 0) &&
+ ((priv->capability) || (priv->selinux))) {
+ ret = 0;
+ }
+
+out:
+ return ret;
+}
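Review bot: The body of `fuse_check_selinux_cap_xattr` compares `name` against each literal twice and threads the result through `ret`/`goto out`, which makes the actual rule (security.selinux needs --selinux, security.capability needs --selinux or --capability, anything else passes) harder to see than it needs to be; the same logic fits in two guarded early returns with no label. The function also has no header comment stating its contract, so callers must read the body to learn that 0 means "forward to the brick" and -1 means "refuse". A behaviour-preserving rewrite is below.
```c
/* Decide whether a security.* xattr may be forwarded to the brick.
 * Returns 0 when it may, -1 when the mount must refuse it:
 * security.selinux requires --selinux, security.capability requires
 * --selinux or --capability, every other name is not checked here. */
int
fuse_check_selinux_cap_xattr (fuse_private_t *priv, char *name)
{
        if (strcmp (name, "security.selinux") == 0)
                return priv->selinux ? 0 : -1;

        if (strcmp (name, "security.capability") == 0)
                return (priv->capability || priv->selinux) ? 0 : -1;

        return 0;
}
```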
diff --git a/xlators/mount/fuse/utils/mount_glusterfs.in b/xlators/mount/fuse/utils/mount_glusterfs.in
index 50a301c26a8..3d58c29e0cf 100755
--- a/xlators/mount/fuse/utils/mount_glusterfs.in
+++ b/xlators/mount/fuse/utils/mount_glusterfs.in
@@ -173,6 +173,10 @@ start_glusterfs ()
cmd_line=$(echo "$cmd_line --no-root-squash");
fi
+ if [ -n "$capability" ]; then
+ cmd_line=$(echo "$cmd_line --capability");
+ fi
+
#options with values start here
if [ -n "$log_level" ]; then
cmd_line=$(echo "$cmd_line --log-level=$log_level");
@@ -440,6 +444,9 @@ without_options()
;;
"_netdev")
;;
+ "capability")
+ capability=1
+ ;;
*)
warn "Invalid option $option";
exit 1