From a8a8feb25216db2fa426b09d778f61c0f89d514c Mon Sep 17 00:00:00 2001
From: Poornima G
Date: Fri, 26 Feb 2016 06:42:14 -0500
Subject: fuse: Add a new mount option capability

Originally all security.* xattrs were forbidden if selinux is disabled, which was causing Samba's acl_xattr module to not work, as it would store the NTACL in security.NTACL. To fix this http://review.gluster.org/#/c/12826/ was sent, which forbid only security.selinux. This opened up a getxattr call on security.capability before every write fop and others. Capabilities can be used without selinux, hence if selinux is disabled, security.capability cannot be forbidden. Hence adding a new mount option called capability. Only when "--capability" or "--selinux" mount option is used, security.capability is sent to the brick, else it is forbidden.
Backport of : http://review.gluster.org/#/c/13540/ & http://review.gluster.org/#/c/13653/

BUG: 1309462
Change-Id: Ib8d4f32d9f1458f4d71a05785f92b526aa7033ff
Signed-off-by: Poornima G
Reviewed-on: http://review.gluster.org/13626
Tested-by: Vijay Bellur
Smoke: Gluster Build System
CentOS-regression: Gluster Build System
NetBSD-regression: NetBSD Build System
Reviewed-by: Vijay Bellur
---
 glusterfsd/src/glusterfsd.c | 17 ++++++++++++++++-
 glusterfsd/src/glusterfsd.h | 1 +
 2 files changed, 17 insertions(+), 1 deletion(-)
(limited to 'glusterfsd')
diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c
index e41064a1372..45dbc26801a 100644
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@@ -155,7 +155,9 @@ static struct argp_option gf_options[] = {
 {"acl", ARGP_ACL_KEY, 0, 0,
 "Mount the filesystem with POSIX ACL support"},
 {"selinux", ARGP_SELINUX_KEY, 0, 0,
- "Enable SELinux label (extened attributes) support on inodes"},
+ "Enable SELinux label (extended attributes) support on inodes"},
+ {"capability", ARGP_CAPABILITY_KEY, 0, 0,
+ "Enable file capability setting and retrival"},
 {"print-netgroups", ARGP_PRINT_NETGROUPS, "NETGROUP-FILE", 0,
 "Validate the netgroups file and print it out"},
@@ -371,6 +373,15 @@ set_fuse_mount_options (glusterfs_ctx_t *ctx, dict_t *options)
 }
 }
+ if (cmd_args->capability) {
+ ret = dict_set_static_ptr (options, "capability", "on");
+ if (ret < 0) {
+ gf_msg ("glusterfsd", GF_LOG_ERROR, 0, glusterfsd_msg_4,
+ "capability");
+ goto err;
+ }
+ }
+
 if (cmd_args->aux_gfid_mount) {
 ret = dict_set_static_ptr (options,
 "virtual-gfid-access", "on");
@@ -799,6 +810,10 @@ parse_opts (int key, char *arg, struct argp_state *state)
 gf_remember_xlator_option ("*-md-cache.cache-selinux=true");
 break;
+ case ARGP_CAPABILITY_KEY:
+ cmd_args->capability = 1;
+ break;
+
 case ARGP_AUX_GFID_MOUNT_KEY:
 cmd_args->aux_gfid_mount = 1;
 break;
diff --git a/glusterfsd/src/glusterfsd.h b/glusterfsd/src/glusterfsd.h
index f5f0e62c51f..bb7966ebd58 100644
--- a/glusterfsd/src/glusterfsd.h
+++ b/glusterfsd/src/glusterfsd.h
@@ -96,6 +96,7 @@ enum argp_option_keys {
 ARGP_SECURE_MGMT_KEY = 172,
 ARGP_GLOBAL_TIMER_WHEEL = 173,
 ARGP_RESOLVE_GIDS_KEY = 174,
+ ARGP_CAPABILITY_KEY = 175,
 };
 struct _gfd_vol_top_priv_t {
-- cgit
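Review bot: The help string added for `--capability` in `gf_options` misspells "retrieval" and never names the attribute it controls, although this text is what an administrator reads in `--help`. I would write it as `"Enable file capability (security.capability xattr) setting and retrieval"`. The commit message says the xattr is refused unless `--capability` or `--selinux` is given, so the help text is the natural place to make that default discoverable. The `gf_options` array starts and ends outside the hunk.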
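Review bot: The new `if (cmd_args->capability)` block in `set_fuse_mount_options` has no comment saying what the `"capability"` key gates, and the code that consumes the key is not part of this diff. Going by the commit message, `security.capability` get/set is refused unless this key or `"selinux"` is present, so a mount that relies on file capabilities without SELinux appears to lose them by default once this lands. A comment above the block such as `/* security.capability is forwarded to the bricks only when "capability" or "selinux" is set; otherwise the fuse layer rejects it */` would record that, with the wording confirmed against the fuse xlator. The function body starts and ends outside the hunk.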