From 5b5f03d2665687ab717f123da1266bcd3a83da0f Mon Sep 17 00:00:00 2001 From: Poornima G Date: Fri, 26 Feb 2016 06:42:14 -0500 Subject: fuse: Add a new mount option capability Originally all security.* xattrs were forbidden if selinux is disabled, which was causing Samba's acl_xattr module to not work, as it would store the NTACL in security.NTACL. To fix this http://review.gluster.org/#/c/12826/ was sent, which forbid only security.selinux. This opened up a getxattr call on security.capability before every write fop and others. Capabilities can be used without selinux, hence if selinux is disabled, security.capability cannot be forbidden. Hence adding a new mount option called capability. Only when "--capability" or "--selinux" mount option is used, security.capability is sent to the brick, else it is forbidden. Change-Id: I77f60e0fb541deaa416159e45c78dd2ae653105e BUG: 1309462 Signed-off-by: Poornima G Reviewed-on: http://review.gluster.org/13540 Smoke: Gluster Build System NetBSD-regression: NetBSD Build System CentOS-regression: Gluster Build System Reviewed-by: Raghavendra G --- xlators/mount/fuse/src/fuse-bridge.c | 21 +++++++++++++++++++++ xlators/mount/fuse/src/fuse-bridge.h | 3 +++ 2 files changed, 24 insertions(+) (limited to 'xlators/mount/fuse/src') diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c index ff42ec11273..d34e85fb2fd 100644 --- a/xlators/mount/fuse/src/fuse-bridge.c +++ b/xlators/mount/fuse/src/fuse-bridge.c @@ -3244,6 +3244,14 @@ fuse_setxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } + if ((!priv->capability) && (!priv->selinux)) { + if (strcmp (name, "security.capability") == 0) { + send_fuse_err (this, finh, EOPNOTSUPP); + GF_FREE (finh); + return; + } + } + /* Check if the command is for changing the log level of process or specific xlator */ ret = is_gf_log_command (this, name, value); @@ -3573,6 +3581,13 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } + if ((!priv->capability) && (!priv->selinux)) { + if (strcmp (name, "security.capability") == 0) { + op_errno = ENODATA; + goto err; + } + } + fuse_resolve_inode_init (state, &state->resolve, finh->nodeid); rv = fuse_flip_xattr_ns (priv, name, &newkey); @@ -5558,6 +5573,8 @@ init (xlator_t *this_xl) GF_OPTION_INIT ("selinux", priv->selinux, bool, cleanup_exit); + GF_OPTION_INIT ("capability", priv->capability, bool, cleanup_exit); + GF_OPTION_INIT ("read-only", priv->read_only, bool, cleanup_exit); GF_OPTION_INIT ("enable-ino32", priv->enable_ino32, bool, cleanup_exit); @@ -5892,5 +5909,9 @@ struct volume_options options[] = { "does not have any affect and the volume option for root-squash is " "honoured.", }, + { .key = {"capability"}, + .type = GF_OPTION_TYPE_BOOL, + .default_value = "false" + }, { .key = {NULL} }, }; diff --git a/xlators/mount/fuse/src/fuse-bridge.h b/xlators/mount/fuse/src/fuse-bridge.h index 1da04c57f8f..4f031d03581 100644 --- a/xlators/mount/fuse/src/fuse-bridge.h +++ b/xlators/mount/fuse/src/fuse-bridge.h @@ -131,6 +131,9 @@ struct fuse_private { /* resolve gid with getgrouplist() instead of /proc/%d/status */ gf_boolean_t resolve_gids; + + /* Enable or disable capability support */ + gf_boolean_t capability; }; typedef struct fuse_private fuse_private_t; -- cgit