From be395fe8a31a580510595b672f72626d61d81493 Mon Sep 17 00:00:00 2001 From: Anand Avati Date: Tue, 29 May 2012 22:01:42 -0700 Subject: fuse: make SELinux support configurable Make support for SELinux labels (extended attributes) configurable and disabled by default as it can cause significant performance penalty when enabled (it need not be enabled unless specially crafted policies are set -- which is not by default) Change-Id: I97bc4b1c26cf055fd520e9bf2d49e52b14fe7515 BUG: 811217 Signed-off-by: Anand Avati Reviewed-on: http://review.gluster.com/3484 Tested-by: Gluster Build System Reviewed-by: Amar Tumballi --- xlators/mount/fuse/src/fuse-bridge.c | 35 +++++++++++++++++------------ xlators/mount/fuse/src/fuse-bridge.h | 3 +-- xlators/mount/fuse/utils/mount.glusterfs.in | 5 +++++ 3 files changed, 27 insertions(+), 16 deletions(-) (limited to 'xlators/mount/fuse') diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c index 5131d6c05ba..385666b0cf0 100644 --- a/xlators/mount/fuse/src/fuse-bridge.c +++ b/xlators/mount/fuse/src/fuse-bridge.c @@ -2642,13 +2642,13 @@ fuse_setxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, EOPNOTSUPP); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, EOPNOTSUPP); + GF_FREE (finh); + return; + } + } /* Check if the command is for changing the log level of process or specific xlator */ @@ -2914,13 +2914,13 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, ENODATA); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, ENODATA); + GF_FREE (finh); + return; + } + } GET_STATE (this, finh, state); @@ -4484,6 +4484,13 @@ init (xlator_t *this_xl) if (priv->uid_map_root) priv->acl = 1; + priv->selinux = 0; + ret = dict_get_str (options, "selinux", &value_string); + if (ret == 0) { + ret = gf_string2boolean (value_string, &priv->selinux); + GF_ASSERT (ret == 0); + } + priv->read_only = 0; ret = dict_get_str (options, "read-only", &value_string); if (ret == 0) { diff --git a/xlators/mount/fuse/src/fuse-bridge.h b/xlators/mount/fuse/src/fuse-bridge.h index c13c2dc76fe..c6c8438a9ed 100644 --- a/xlators/mount/fuse/src/fuse-bridge.h +++ b/xlators/mount/fuse/src/fuse-bridge.h @@ -66,8 +66,6 @@ #define MAX_FUSE_PROC_DELAY 1 -//#define DISABLE_SELINUX 1 - typedef struct fuse_in_header fuse_in_header_t; typedef void (fuse_handler_t) (xlator_t *this, fuse_in_header_t *finh, void *msg); @@ -109,6 +107,7 @@ struct fuse_private { gf_boolean_t client_pid_set; unsigned uid_map_root; gf_boolean_t acl; + gf_boolean_t selinux; gf_boolean_t read_only; fdtable_t *fdtable; diff --git a/xlators/mount/fuse/utils/mount.glusterfs.in b/xlators/mount/fuse/utils/mount.glusterfs.in index c313e552fa1..c36ad6ff9ab 100755 --- a/xlators/mount/fuse/utils/mount.glusterfs.in +++ b/xlators/mount/fuse/utils/mount.glusterfs.in @@ -100,6 +100,10 @@ start_glusterfs () cmd_line=$(echo "$cmd_line --acl"); fi + if [ -n "$selinux" ]; then + cmd_line=$(echo "$cmd_line --selinux"); + fi + if [ -n "$worm" ]; then cmd_line=$(echo "$cmd_line --worm"); fi @@ -273,6 +277,7 @@ main () case "$pair" in "ro") read_only=1 ;; "acl") acl=1 ;; + "selinux") selinux=1 ;; "worm") worm=1 ;; # "mount -t glusterfs" sends this, but it's useless. "rw") ;; -- cgit