From f69785a9e3f9ad55e81f1fe8212485b7e4dc11fe Mon Sep 17 00:00:00 2001 From: Anand Avati Date: Tue, 29 May 2012 22:01:42 -0700 Subject: fuse: make SELinux support configurable Make support for SELinux labels (extended attributes) configurable and disabled by default as it can cause significant performance penalty when enabled (it need not be enabled unless specially crafted policies are set -- which is not by default) Change-Id: I97bc4b1c26cf055fd520e9bf2d49e52b14fe7515 BUG: 811217 Signed-off-by: Anand Avati Reviewed-on: http://review.gluster.com/3485 Tested-by: Gluster Build System --- glusterfsd/src/glusterfsd.c | 15 +++++++++++++ glusterfsd/src/glusterfsd.h | 1 + libglusterfs/src/glusterfs.h | 1 + xlators/mount/fuse/src/fuse-bridge.c | 35 +++++++++++++++++------------ xlators/mount/fuse/src/fuse-bridge.h | 3 +-- xlators/mount/fuse/utils/mount.glusterfs.in | 5 +++++ 6 files changed, 44 insertions(+), 16 deletions(-) diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c index 903eac72a..ebd12bf0b 100644 --- a/glusterfsd/src/glusterfsd.c +++ b/glusterfsd/src/glusterfsd.c @@ -152,6 +152,8 @@ static struct argp_option gf_options[] = { "Mount the filesystem in 'read-only' mode"}, {"acl", ARGP_ACL_KEY, 0, 0, "Mount the filesystem with POSIX ACL support"}, + {"selinux", ARGP_SELINUX_KEY, 0, 0, + "Enable SELinux label (extened attributes) support on inodes"}, {"worm", ARGP_WORM_KEY, 0, 0, "Mount the filesystem in 'worm' mode"}, {"mac-compat", ARGP_MAC_COMPAT_KEY, "BOOL", OPTION_ARG_OPTIONAL, @@ -348,6 +350,15 @@ create_fuse_mount (glusterfs_ctx_t *ctx) } } + if (cmd_args->selinux) { + ret = dict_set_static_ptr (master->options, "selinux", "on"); + if (ret < 0) { + gf_log ("glusterfsd", GF_LOG_ERROR, + "failed to set dict value for key selinux"); + goto err; + } + } + if (cmd_args->read_only) { ret = dict_set_static_ptr (master->options, "read-only", "on"); if (ret < 0) { @@ -564,6 +575,10 @@ parse_opts (int key, char *arg, struct argp_state *state) cmd_args->acl = 1; break; + case ARGP_SELINUX_KEY: + cmd_args->selinux = 1; + break; + case ARGP_WORM_KEY: cmd_args->worm = 1; break; diff --git a/glusterfsd/src/glusterfsd.h b/glusterfsd/src/glusterfsd.h index 21f1cbb6c..8ec121954 100644 --- a/glusterfsd/src/glusterfsd.h +++ b/glusterfsd/src/glusterfsd.h @@ -86,6 +86,7 @@ enum argp_option_keys { ARGP_WORM_KEY = 155, ARGP_USER_MAP_ROOT_KEY = 156, ARGP_MEM_ACCOUNTING_KEY = 157, + ARGP_SELINUX_KEY = 158, }; struct _gfd_vol_top_priv_t { diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h index 0917ac1b5..cdfb64dea 100644 --- a/libglusterfs/src/glusterfs.h +++ b/libglusterfs/src/glusterfs.h @@ -288,6 +288,7 @@ struct _cmd_args { int debug_mode; int read_only; int acl; + int selinux; int worm; int mac_compat; struct list_head xlator_options; /* list of xlator_option_t */ diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c index 42190083a..fa728604d 100644 --- a/xlators/mount/fuse/src/fuse-bridge.c +++ b/xlators/mount/fuse/src/fuse-bridge.c @@ -2641,13 +2641,13 @@ fuse_setxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, EOPNOTSUPP); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, EOPNOTSUPP); + GF_FREE (finh); + return; + } + } /* Check if the command is for changing the log level of process or specific xlator */ @@ -2913,13 +2913,13 @@ fuse_getxattr (xlator_t *this, fuse_in_header_t *finh, void *msg) } } -#ifdef DISABLE_SELINUX - if (!strncmp (name, "security.", 9)) { - send_fuse_err (this, finh, ENODATA); - GF_FREE (finh); - return; - } -#endif + if (!priv->selinux) { + if (strncmp (name, "security.", 9) == 0) { + send_fuse_err (this, finh, ENODATA); + GF_FREE (finh); + return; + } + } GET_STATE (this, finh, state); @@ -4496,6 +4496,13 @@ init (xlator_t *this_xl) if (priv->uid_map_root) priv->acl = 1; + priv->selinux = 0; + ret = dict_get_str (options, "selinux", &value_string); + if (ret == 0) { + ret = gf_string2boolean (value_string, &priv->selinux); + GF_ASSERT (ret == 0); + } + priv->read_only = 0; ret = dict_get_str (options, "read-only", &value_string); if (ret == 0) { diff --git a/xlators/mount/fuse/src/fuse-bridge.h b/xlators/mount/fuse/src/fuse-bridge.h index 3711ca54d..eb43e6686 100644 --- a/xlators/mount/fuse/src/fuse-bridge.h +++ b/xlators/mount/fuse/src/fuse-bridge.h @@ -66,8 +66,6 @@ #define MAX_FUSE_PROC_DELAY 1 -//#define DISABLE_SELINUX 1 - typedef struct fuse_in_header fuse_in_header_t; typedef void (fuse_handler_t) (xlator_t *this, fuse_in_header_t *finh, void *msg); @@ -109,6 +107,7 @@ struct fuse_private { gf_boolean_t client_pid_set; unsigned uid_map_root; gf_boolean_t acl; + gf_boolean_t selinux; gf_boolean_t read_only; fdtable_t *fdtable; diff --git a/xlators/mount/fuse/utils/mount.glusterfs.in b/xlators/mount/fuse/utils/mount.glusterfs.in index 3ca09b03b..8dcf8caff 100755 --- a/xlators/mount/fuse/utils/mount.glusterfs.in +++ b/xlators/mount/fuse/utils/mount.glusterfs.in @@ -77,6 +77,10 @@ start_glusterfs () cmd_line=$(echo "$cmd_line --acl"); fi + if [ -n "$selinux" ]; then + cmd_line=$(echo "$cmd_line --selinux"); + fi + if [ -n "$worm" ]; then cmd_line=$(echo "$cmd_line --worm"); fi @@ -250,6 +254,7 @@ main () case "$pair" in "ro") read_only=1 ;; "acl") acl=1 ;; + "selinux") selinux=1 ;; "worm") worm=1 ;; # "mount -t glusterfs" sends this, but it's useless. "rw") ;; -- cgit