diff options
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | glusterfs.spec.in | 1 | ||||
| -rw-r--r-- | libglusterfs/src/glfs-message-id.h | 8 | ||||
| -rw-r--r-- | xlators/features/Makefile.am | 2 | ||||
| -rw-r--r-- | xlators/features/selinux/Makefile.am | 3 | ||||
| -rw-r--r-- | xlators/features/selinux/src/Makefile.am | 19 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux-mem-types.h | 20 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux-messages.h | 98 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux.c | 324 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux.h | 24 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.c | 30 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.h | 1 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 11 |
13 files changed, 536 insertions, 7 deletions
diff --git a/configure.ac b/configure.ac index c04bbbf62d8..9f04bad1df7 100644 --- a/configure.ac +++ b/configure.ac @@ -145,6 +145,8 @@ AC_CONFIG_FILES([Makefile xlators/features/quota/src/Makefile xlators/features/marker/Makefile xlators/features/marker/src/Makefile + xlators/features/selinux/Makefile + xlators/features/selinux/src/Makefile xlators/features/read-only/Makefile xlators/features/read-only/src/Makefile xlators/features/compress/Makefile diff --git a/glusterfs.spec.in b/glusterfs.spec.in index b429e2dfbcb..6ae3979757a 100644 --- a/glusterfs.spec.in +++ b/glusterfs.spec.in @@ -1193,6 +1193,7 @@ exit 0 %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/snapview-server.so %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/marker.so %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/quota* +%{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/selinux.so %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/trash.so %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/upcall.so %{_libdir}/glusterfs/%{version}%{?prereltag}/xlator/features/leases.so diff --git a/libglusterfs/src/glfs-message-id.h b/libglusterfs/src/glfs-message-id.h index f4adbfbff2c..f14b0fb0818 100644 --- a/libglusterfs/src/glfs-message-id.h +++ b/libglusterfs/src/glfs-message-id.h @@ -145,7 +145,7 @@ GLFS_MSGID_SEGMENT) #define GLFS_MSGID_COMP_SYMLINK_CACHE \ -GLFS_MSGID_COMP_READDIR_AHEAD_END + GLFS_MSGID_COMP_READDIR_AHEAD_END #define GLFS_MSGID_COMP_SYMLINK_CACHE_END \ (GLFS_MSGID_COMP_SYMLINK_CACHE+ \ GLFS_MSGID_SEGMENT) @@ -191,6 +191,12 @@ GLFS_MSGID_COMP_SYMLINK_CACHE_END #define GLFS_MSGID_COMP_NLC_END (GLFS_MSGID_COMP_NLC +\ GLFS_MSGID_SEGMENT) +#define GLFS_MSGID_COMP_SL GLFS_MSGID_COMP_NLC +#define GLFS_MSGID_COMP_SL_END (GLFS_MSGID_COMP_SL +\ + GLFS_MSGID_SEGMENT) + + + /* --- new segments for messages goes above this line --- */ #endif /* !_GLFS_MESSAGE_ID_H_ */ diff --git a/xlators/features/Makefile.am b/xlators/features/Makefile.am index 3cc34c9379f..f7791b0cc32 100644 --- a/xlators/features/Makefile.am +++ b/xlators/features/Makefile.am @@ -1,6 +1,6 @@ SUBDIRS = locks quota read-only quiesce marker index barrier \ arbiter compress changelog changetimerecorder \ gfid-access $(GLUPY_SUBDIR) upcall snapview-client snapview-server \ - trash shard bit-rot leases + trash shard bit-rot leases selinux CLEANFILES = diff --git a/xlators/features/selinux/Makefile.am b/xlators/features/selinux/Makefile.am new file mode 100644 index 00000000000..a985f42a877 --- /dev/null +++ b/xlators/features/selinux/Makefile.am @@ -0,0 +1,3 @@ +SUBDIRS = src + +CLEANFILES = diff --git a/xlators/features/selinux/src/Makefile.am b/xlators/features/selinux/src/Makefile.am new file mode 100644 index 00000000000..34105d2a45b --- /dev/null +++ b/xlators/features/selinux/src/Makefile.am @@ -0,0 +1,19 @@ +xlator_LTLIBRARIES = selinux.la + +xlatordir = $(libdir)/glusterfs/$(PACKAGE_VERSION)/xlator/features + +selinux_la_LDFLAGS = -module $(GF_XLATOR_DEFAULT_LDFLAGS) + +selinux_la_SOURCES = selinux.c + +selinux_la_LIBADD = $(top_builddir)/libglusterfs/src/libglusterfs.la + +noinst_HEADERS = selinux.h selinux-messages.h selinux-mem-types.h + +AM_CPPFLAGS = $(GF_CPPFLAGS) -I$(top_srcdir)/libglusterfs/src \ + -I$(top_srcdir)/rpc/xdr/src -I$(top_builddir)/rpc/xdr/src + +AM_CFLAGS = -Wall $(GF_CFLAGS) + +CLEANFILES = + diff --git a/xlators/features/selinux/src/selinux-mem-types.h b/xlators/features/selinux/src/selinux-mem-types.h new file mode 100644 index 00000000000..f9f356dd39a --- /dev/null +++ b/xlators/features/selinux/src/selinux-mem-types.h @@ -0,0 +1,20 @@ +/* + Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com> + This file is part of GlusterFS. + + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. +*/ +#ifndef __SELINUX_MEM_TYPES_H__ +#define __SELINUX_MEM_TYPES_H__ + +#include "mem-types.h" + +enum gf_selinux_mem_types_ { + gf_selinux_mt_selinux_priv_t = gf_common_mt_end + 1, + gf_selinux_mt_end +}; +#endif + diff --git a/xlators/features/selinux/src/selinux-messages.h b/xlators/features/selinux/src/selinux-messages.h new file mode 100644 index 00000000000..a498dc21471 --- /dev/null +++ b/xlators/features/selinux/src/selinux-messages.h @@ -0,0 +1,98 @@ +/* + Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com> + This file is part of GlusterFS. + + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. +*/ + +#ifndef _SELINUX_MESSAGES_H__ +#define _SELINUX_MESSAGES_H__ + +#include "glfs-message-id.h" + +/*! \file selinux-messages.h + * \brief Selinux log-message IDs and their descriptions + */ + +/* NOTE: Rules for message additions + * 1) Each instance of a message is _better_ left with a unique message ID, even + * if the message format is the same. Reasoning is that, if the message + * format needs to change in one instance, the other instances are not + * impacted or the new change does not change the ID of the instance being + * modified. + * 2) Addition of a message, + * - Should increment the GLFS_NUM_MESSAGES + * - Append to the list of messages defined, towards the end + * - Retain macro naming as glfs_msg_X (for readability across developers) + * NOTE: Rules for message format modifications + * 3) Check acorss the code if the message ID macro in question is reused + * anywhere. If reused then then the modifications should ensure correctness + * everywhere, or needs a new message ID as (1) above was not adhered to. If + * not used anywhere, proceed with the required modification. + * NOTE: Rules for message deletion + * 4) Check (3) and if used anywhere else, then cannot be deleted. If not used + * anywhere, then can be deleted, but will leave a hole by design, as + * addition rules specify modification to the end of the list and not filling + * holes. + */ + +#define GLFS_SL_BASE GLFS_MSGID_COMP_SL +#define GLFS_SL_NUM_MESSAGES 5 +#define GLFS_SL_MSGID_END (GLFS_SL_BASE + GLFS_NUM_MESSAGES + 1) +/* Messages with message IDs */ +#define glfs_msg_start_x GLFS_SL_BASE, "Invalid: Start of messages" +/*------------*/ + +#define SL_MSG_INVALID_VOLFILE (GLFS_SL_BASE + 1) + +/*! + * @messageid + * @diagnosis + * @recommendedaction + * + */ + +#define SL_MSG_ENOMEM (GLFS_SL_BASE + 2) + +/*! + * @messageid + * @diagnosis + * @recommendedaction + * + */ + +#define SL_MSG_MEM_ACCT_INIT_FAILED (GLFS_SL_BASE + 3) + +/*! + * @messageid + * @diagnosis + * @recommendedaction + * + */ + +#define SL_MSG_SELINUX_GLUSTER_XATTR_MISSING (GLFS_SL_BASE + 4) + +/*! + * @messageid + * @diagnosis + * @recommendedaction + * + */ + +#define SL_MSG_SELINUX_XATTR_MISSING (GLFS_SL_BASE + 5) + +/*! + * @messageid + * @diagnosis + * @recommendedaction + * + */ + +/*-----------*/ +#define glfs_msg_end_x GLFS_MSGID_END, "Invalid: End of messages" + +#endif /*_SELINUX_MESSAGES_H */ + diff --git a/xlators/features/selinux/src/selinux.c b/xlators/features/selinux/src/selinux.c new file mode 100644 index 00000000000..1a4b39f253c --- /dev/null +++ b/xlators/features/selinux/src/selinux.c @@ -0,0 +1,324 @@ +/* + Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com> + This file is part of GlusterFS. + + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. +*/ + +#include "xlator.h" + +#include "selinux.h" +#include "selinux-messages.h" +#include "selinux-mem-types.h" +#include "compat-errno.h" + +static int +selinux_fgetxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this, + int op_ret, int op_errno, dict_t *dict, dict_t *xdata) +{ + int ret = 0; + char *name = cookie; + + if (op_errno == 0 && name && (!strcmp(name, SELINUX_GLUSTER_XATTR))) { + ret = dict_rename_key (dict, SELINUX_GLUSTER_XATTR, + SELINUX_XATTR); + if (ret < 0) + gf_msg (this->name, GF_LOG_ERROR, op_errno, + SL_MSG_SELINUX_GLUSTER_XATTR_MISSING, + "getxattr failed for %s", SELINUX_XATTR); + + } + + STACK_UNWIND_STRICT (fgetxattr, frame, op_ret, op_errno, + dict, xdata); + return ret; +} + + +static int +selinux_fgetxattr (call_frame_t *frame, xlator_t *this, fd_t *fd, + const char *name, dict_t *xdata) +{ + selinux_priv_t *priv = NULL; + int32_t op_ret = -1; + int32_t op_errno = EINVAL; + char *xattr_name = (char *) name; + + priv = this->private; + + GF_VALIDATE_OR_GOTO ("selinux", priv, err); + + /* name can be NULL for listxattr calls */ + if (!priv->selinux_enabled || !name) + goto off; + + if (strcmp (name, SELINUX_XATTR) == 0) + xattr_name = SELINUX_GLUSTER_XATTR; + +off: + STACK_WIND_COOKIE (frame, selinux_fgetxattr_cbk, xattr_name, + FIRST_CHILD(this), + FIRST_CHILD(this)->fops->fgetxattr, fd, xattr_name, + xdata); + return 0; +err: + STACK_UNWIND_STRICT (fgetxattr, frame, op_ret, op_errno, NULL, xdata); + + return 0; +} + +static int +selinux_getxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this, + int op_ret, int op_errno, dict_t *dict, dict_t *xdata) +{ + int ret = 0; + char *name = cookie; + + if (op_errno == 0 && name && (!strcmp(name, SELINUX_GLUSTER_XATTR))) { + ret = dict_rename_key (dict, SELINUX_GLUSTER_XATTR, + SELINUX_XATTR); + if (ret < 0) + gf_msg (this->name, GF_LOG_ERROR, op_errno, + SL_MSG_SELINUX_GLUSTER_XATTR_MISSING, + "getxattr failed for %s", SELINUX_XATTR); + + } + + STACK_UNWIND_STRICT (getxattr, frame, op_ret, op_errno, dict, xdata); + + return 0; +} + + +static int +selinux_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc, + const char *name, dict_t *xdata) +{ + selinux_priv_t *priv = NULL; + int32_t op_ret = -1; + int32_t op_errno = EINVAL; + char *xattr_name = (char *) name; + + priv = this->private; + + GF_VALIDATE_OR_GOTO ("selinux", priv, err); + + /* name can be NULL for listxattr calls */ + if (!priv->selinux_enabled || !name) + goto off; + + if (strcmp (name, SELINUX_XATTR) == 0) + xattr_name = SELINUX_GLUSTER_XATTR; + +off: + STACK_WIND_COOKIE (frame, selinux_getxattr_cbk, xattr_name, + FIRST_CHILD(this), + FIRST_CHILD(this)->fops->getxattr, loc, xattr_name, + xdata); + return 0; +err: + STACK_UNWIND_STRICT (getxattr, frame, op_ret, op_errno, NULL, xdata); + return 0; +} + +static int +selinux_fsetxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this, + int op_ret, int op_errno, dict_t *xdata) +{ + STACK_UNWIND_STRICT (fsetxattr, frame, op_ret, op_errno, xdata); + return 0; + +} + + +static int +selinux_fsetxattr (call_frame_t *frame, xlator_t *this, fd_t *fd, dict_t *dict, + int flags, dict_t *xdata) +{ + selinux_priv_t *priv = NULL; + int32_t op_ret = -1; + int32_t op_errno = EINVAL; + int32_t ret = -1; + + priv = this->private; + + GF_VALIDATE_OR_GOTO ("selinux", priv, err); + + if (!priv->selinux_enabled) + goto off; + + ret = dict_rename_key (dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR); + if (ret < 0 && ret != -ENODATA) + goto err; + +off: + STACK_WIND (frame, selinux_fsetxattr_cbk, FIRST_CHILD(this), + FIRST_CHILD(this)->fops->fsetxattr, fd, dict, flags, + xdata); + + + return 0; +err: + STACK_UNWIND_STRICT (fsetxattr, frame, op_ret, op_errno, xdata); + return 0; + +} + +static int +selinux_setxattr_cbk (call_frame_t *frame, void *cookie, xlator_t *this, + int op_ret, int op_errno, dict_t *xdata) +{ + STACK_UNWIND_STRICT (setxattr, frame, op_ret, op_errno, xdata); + return 0; +} + + +static int +selinux_setxattr (call_frame_t *frame, xlator_t *this, loc_t *loc, + dict_t *dict, int flags, dict_t *xdata) +{ + selinux_priv_t *priv = NULL; + int32_t op_ret = -1; + int32_t op_errno = EINVAL; + int32_t ret = -1; + + priv = this->private; + + GF_VALIDATE_OR_GOTO ("selinux", priv, err); + + if (!priv->selinux_enabled) + goto off; + + ret = dict_rename_key (dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR); + if (ret < 0 && ret != -ENODATA) + goto err; + +off: + STACK_WIND (frame, selinux_setxattr_cbk, FIRST_CHILD(this), + FIRST_CHILD(this)->fops->setxattr, loc, dict, flags, + xdata); + return 0; +err: + STACK_UNWIND_STRICT (setxattr, frame, op_ret, op_errno, xdata); + return 0; +} + +int32_t +mem_acct_init (xlator_t *this) +{ + int ret = -1; + + GF_VALIDATE_OR_GOTO("selinux", this, out); + + ret = xlator_mem_acct_init (this, gf_selinux_mt_end + 1); + + if (ret != 0) { + gf_msg (this->name, GF_LOG_ERROR, 0, + SL_MSG_MEM_ACCT_INIT_FAILED, + "Memory accounting init failed"); + return ret; + } +out: + return ret; +} + +int32_t +init (xlator_t *this) +{ + int32_t ret = -1; + selinux_priv_t *priv = NULL; + + GF_VALIDATE_OR_GOTO ("selinux", this, out); + + if (!this->children || this->children->next) { + gf_msg (this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE, + "Error: SELinux (%s) not configured with exactly one " + "child", this->name); + return -1; + } + + if (this->parents == NULL) { + gf_msg (this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE, + "Dangling volume. Please check the volfile"); + } + + priv = GF_CALLOC (1, sizeof (*priv), gf_selinux_mt_selinux_priv_t); + if (!priv) { + gf_log (this->name, GF_LOG_ERROR, "out of memory"); + ret = ENOMEM; + goto out; + } + + GF_OPTION_INIT ("selinux", priv->selinux_enabled, bool, out); + + this->local_pool = mem_pool_new (selinux_priv_t, 64); + if (!this->local_pool) { + ret = -1; + gf_msg (this->name, GF_LOG_ERROR, ENOMEM, SL_MSG_ENOMEM, + "Failed to create local_t's memory pool"); + goto out; + } + + this->private = (void *)priv; + ret = 0; +out: + if (ret) { + if (priv) { + GF_FREE (priv); + } + mem_pool_destroy (this->local_pool); + } + return ret; +} + +int +reconfigure (xlator_t *this, dict_t *options) +{ + int32_t ret = -1; + selinux_priv_t *priv = NULL; + + priv = this->private; + + GF_OPTION_RECONF ("selinux", priv->selinux_enabled, options, + bool, out); + + ret = 0; +out: + return ret; + +} + +void +fini (xlator_t *this) +{ + selinux_priv_t *priv = NULL; + + priv = this->private; + GF_FREE (priv); + + mem_pool_destroy (this->local_pool); + + return; +} + +struct xlator_fops fops = { + .getxattr = selinux_getxattr, + .fgetxattr = selinux_fgetxattr, + .setxattr = selinux_setxattr, + .fsetxattr = selinux_fsetxattr, +}; + +struct xlator_cbks cbks = { +}; + +struct volume_options options[] = { + { .key = { "selinux" }, + .type = GF_OPTION_TYPE_BOOL, + .default_value = "on", + .description = "Enable/disable selinux translator", + }, + { .key = { NULL }, } +}; diff --git a/xlators/features/selinux/src/selinux.h b/xlators/features/selinux/src/selinux.h new file mode 100644 index 00000000000..2ff57b5080a --- /dev/null +++ b/xlators/features/selinux/src/selinux.h @@ -0,0 +1,24 @@ +/* + Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com> + This file is part of GlusterFS. + + This file is licensed to you under your choice of the GNU Lesser + General Public License, version 3 or any later version (LGPLv3 or + later), or the GNU General Public License, version 2 (GPLv2), in all + cases as published by the Free Software Foundation. +*/ +#ifndef __SELINUX_H__ +#define __SELINUX_H__ + +#include "common-utils.h" + +#define SELINUX_XATTR "security.selinux" +#define SELINUX_GLUSTER_XATTR "trusted.glusterfs.selinux" + +struct selinux_priv { + gf_boolean_t selinux_enabled; +}; + +typedef struct selinux_priv selinux_priv_t; + +#endif diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c index 77b7d55fa29..30f690bb379 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c @@ -1441,11 +1441,11 @@ brick_graph_add_posix (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, dict_t *set_dict, glusterd_brickinfo_t *brickinfo) { int ret = -1; - gf_boolean_t quota_enabled = _gf_true; - gf_boolean_t trash_enabled = _gf_false; - gf_boolean_t pgfid_feat = _gf_false; - char *value = NULL; - xlator_t *xl = NULL; + gf_boolean_t quota_enabled = _gf_true; + gf_boolean_t trash_enabled = _gf_false; + gf_boolean_t pgfid_feat = _gf_false; + char *value = NULL; + xlator_t *xl = NULL; if (!graph || !volinfo || !set_dict || !brickinfo) goto out; @@ -1496,6 +1496,25 @@ out: } static int +brick_graph_add_selinux (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, + dict_t *set_dict, glusterd_brickinfo_t *brickinfo) +{ + xlator_t *xl = NULL; + int ret = -1; + + if (!graph || !volinfo) + goto out; + + xl = volgen_graph_add (graph, "features/selinux", volinfo->volname); + if (!xl) + goto out; + + ret = 0; +out: + return ret; +} + +static int brick_graph_add_trash (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, dict_t *set_dict, glusterd_brickinfo_t *brickinfo) { @@ -2433,6 +2452,7 @@ static volgen_brick_xlator_t server_graph_table[] = { {brick_graph_add_index, "index"}, {brick_graph_add_barrier, NULL}, {brick_graph_add_marker, "marker"}, + {brick_graph_add_selinux, "selinux"}, {brick_graph_add_fdl, "fdl"}, {brick_graph_add_iot, "io-threads"}, {brick_graph_add_upcall, "upcall"}, diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.h b/xlators/mgmt/glusterd/src/glusterd-volgen.h index 8f725c46380..5941fd959ae 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.h +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.h @@ -32,6 +32,7 @@ #define VKEY_FEATURES_TRASH "features.trash" #define VKEY_FEATURES_BITROT "features.bitrot" #define VKEY_FEATURES_SCRUB "features.scrub" +#define VKEY_FEATURES_SELINUX "features.selinux" #define VKEY_PARALLEL_READDIR "performance.parallel-readdir" #define VKEY_READDIR_AHEAD "performance.readdir-ahead" #define VKEY_RDA_CACHE_LIMIT "performance.rda-cache-limit" diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c index 30f93310356..fe291f1d845 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c +++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c @@ -3036,6 +3036,17 @@ struct volopt_map_entry glusterd_volopt_map[] = { "The max value is 262144 pages i.e 1 GB and " "the min value is 1000 pages i.e ~4 MB." }, + { .key = VKEY_FEATURES_SELINUX, + .voltype = "features/selinux", + .type = NO_DOC, + .value = "on", + .op_version = GD_OP_VERSION_3_11_0, + .description = "Convert security.selinux xattrs to " + "trusted.gluster.selinux on the bricks. Recommended " + "to have enabled when clients and/or bricks support " + "SELinux." + }, + #endif /* USE_GFDB */ { .key = "locks.trace", .voltype = "features/locks", |