authorPoornima G <pgurusid@redhat.com>2016-12-26 14:28:22 +0530
committerShyamsundar Ranganathan <srangana@redhat.com>2017-01-30 09:25:03 -0500
commit9e661d9496125d03c668353a9c718e8812f3fe05 (patch)
tree0825644a8deeeaa1def2ee931adb2248826e5842
parentfeddaae9d4f796fc0f18a7a04cd6c41586876484 (diff)
md-cache: Cache security.ima xattrs
Backport of http://review.gluster.org/16296 From kernel version 3.X or greater, creating a file results in a removexattr call on the security.ima xattr. But this xattr is not set on the file unless the IMA feature is active. With this patch, the removexattr call returns ENODATA if it is not found in the cache. > Change-Id: I8136096598a983aebc09901945eba1db1b2f93c9 > Signed-off-by: Poornima G <pgurusid@redhat.com> > Reviewed-on: http://review.gluster.org/16296 > Smoke: Gluster Build System <jenkins@build.gluster.org> > NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> > CentOS-regression: Gluster Build System <jenkins@build.gluster.org> > Reviewed-by: Raghavendra G <rgowdapp@redhat.com> > (cherry picked from commit ac629e574935a8aed6526936bc83b1c6d295ae67) Change-Id: I27abc23024c8fcf07389608df61ef6e64736d414 BUG: 1415918 Signed-off-by: Poornima G <pgurusid@redhat.com> Reviewed-on: https://review.gluster.org/16460 Smoke: Gluster Build System <jenkins@build.gluster.org> NetBSD-regression: NetBSD Build System <jenkins@build.gluster.org> CentOS-regression: Gluster Build System <jenkins@build.gluster.org> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
-rw-r--r--tests/basic/md-cache/bug-1317785.t34
-rw-r--r--tests/bugs/fuse/bug-1317785.t22
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volume-set.c15
-rw-r--r--xlators/performance/md-cache/src/md-cache.c81
4 files changed, 128 insertions, 24 deletions
diff --git a/tests/basic/md-cache/bug-1317785.t b/tests/basic/md-cache/bug-1317785.t
new file mode 100644
index 00000000000..5076e3612ac
--- /dev/null
+++ b/tests/basic/md-cache/bug-1317785.t
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+. $(dirname $0)/../../include.rc
+. $(dirname $0)/../../volume.rc
+
+cleanup;
+
+TEST glusterd
+
+TEST $CLI volume create $V0 $H0:$B0/$V0
+TEST $CLI volume start $V0
+
+TEST $CLI volume set $V0 cache-swift-metadata on
+EXPECT 'on' volinfo_field $V0 'performance.cache-swift-metadata'
+
+TEST $CLI volume set $V0 cache-swift-metadata off
+EXPECT 'off' volinfo_field $V0 'performance.cache-swift-metadata'
+
+TEST $CLI volume set $V0 performance.cache-capability-xattrs off
+EXPECT 'off' volinfo_field $V0 'performance.cache-capability-xattrs'
+
+TEST $CLI volume set $V0 performance.cache-capability-xattrs on
+EXPECT 'on' volinfo_field $V0 'performance.cache-capability-xattrs'
+
+TEST $CLI volume set $V0 performance.cache-ima-xattrs off
+EXPECT 'off' volinfo_field $V0 'performance.cache-ima-xattrs'
+
+TEST $CLI volume set $V0 performance.cache-ima-xattrs on
+EXPECT 'on' volinfo_field $V0 'performance.cache-ima-xattrs'
+
+TEST $CLI volume stop $V0
+TEST $CLI volume delete $V0
+
+cleanup;
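Review bot: The new test only round-trips the three options through volinfo_field; nothing in it exercises the behaviour this commit adds in md-cache.c, so a regression in the new mdc_removexattr/mdc_fremovexattr paths (an uncached security.ima answered with ENODATA, a cached key still removed on the brick) would pass this test unchanged. A short mount-side section that sets and removes a cacheable xattr through the client and then compares the brick's view would make the cache path observable. If the intent is only to cover the glusterd option registration, a comment at the top saying so would stop readers from assuming the cache behaviour is tested here.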
diff --git a/tests/bugs/fuse/bug-1317785.t b/tests/bugs/fuse/bug-1317785.t
deleted file mode 100644
index 87c65405537..00000000000
--- a/tests/bugs/fuse/bug-1317785.t
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-. $(dirname $0)/../../include.rc
-. $(dirname $0)/../../volume.rc
-
-cleanup;
-
-TEST glusterd
-
-TEST $CLI volume create $V0 $H0:$B0/$V0
-TEST $CLI volume start $V0
-
-TEST $CLI volume set $V0 cache-swift-metadata on
-EXPECT 'on' volinfo_field $V0 'performance.cache-swift-metadata'
-
-TEST $CLI volume set $V0 cache-swift-metadata off
-EXPECT 'off' volinfo_field $V0 'performance.cache-swift-metadata'
-
-TEST $CLI volume stop $V0
-TEST $CLI volume delete $V0
-
-cleanup;
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 5ecc6df47cc..2e9609306d4 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -1598,6 +1598,21 @@ struct volopt_map_entry glusterd_volopt_map[] = {
" xattr)",
.flags = OPT_FLAG_CLIENT_OPT
},
+ { .key = "performance.cache-capability-xattrs",
+ .voltype = "performance/md-cache",
+ .option = "cache-capability-xattrs",
+ .op_version = GD_OP_VERSION_3_10_0,
+ .description = "Cache xattrs required for capability based security",
+ .flags = OPT_FLAG_CLIENT_OPT
+ },
+ { .key = "performance.cache-ima-xattrs",
+ .voltype = "performance/md-cache",
+ .option = "cache-ima-xattrs",
+ .op_version = GD_OP_VERSION_3_10_0,
+ .description = "Cache xattrs required for IMA "
+ "(Integrity Measurement Architecture)",
+ .flags = OPT_FLAG_CLIENT_OPT
+ },
/* Crypt xlator options */
diff --git a/xlators/performance/md-cache/src/md-cache.c b/xlators/performance/md-cache/src/md-cache.c
index d70fa6a8d1a..61f4da34067 100644
--- a/xlators/performance/md-cache/src/md-cache.c
+++ b/xlators/performance/md-cache/src/md-cache.c
@@ -49,6 +49,8 @@ struct mdc_conf {
int timeout;
gf_boolean_t cache_posix_acl;
gf_boolean_t cache_selinux;
+ gf_boolean_t cache_capability;
+ gf_boolean_t cache_ima;
gf_boolean_t force_readdirp;
gf_boolean_t cache_swift_metadata;
gf_boolean_t cache_samba_metadata;
@@ -115,6 +117,11 @@ static struct mdc_key {
.check = 1,
},
{
+ .name = "security.ima",
+ .load = 0,
+ .check = 1,
+ },
+ {
.name = NULL,
.load = 0,
.check = 0,
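Review bot: The new security.ima entry is registered with `.check = 1` and `.load = 0`, and the cache-ima-xattrs option added in init/reconfigure only toggles .load through mdc_key_load_set. If is_mdc_key_satisfied consults .check alone — its body is outside the hunk — then with the option switched off mdc_removexattr still takes the cached path and can answer ENODATA from a cache that was never asked to load the key; the same applies to security.capability. Worth confirming that the satisfied-check also honours .load (or the conf flag), or documenting on the entry why .check stays on while .load is off.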
@@ -2226,6 +2233,10 @@ mdc_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
const char *name, dict_t *xdata)
{
mdc_local_t *local = NULL;
+ int op_errno = ENODATA;
+ int ret = 0;
+ dict_t *xattr = NULL;
+ struct mdc_conf *conf = this->private;
local = mdc_local_get (frame);
@@ -2233,6 +2244,25 @@ mdc_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
local->key = gf_strdup (name);
+ if (!is_mdc_key_satisfied (name))
+ goto uncached;
+
+ ret = mdc_inode_xatt_get (this, loc->inode, &xattr);
+ if (ret != 0)
+ goto uncached;
+
+ if (!xattr || !dict_get (xattr, (char *)name)) {
+ ret = -1;
+ op_errno = ENODATA;
+ }
+
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_hit);
+ MDC_STACK_UNWIND (removexattr, frame, ret, op_errno, xdata);
+
+ return 0;
+
+uncached:
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_miss);
STACK_WIND (frame, mdc_removexattr_cbk,
FIRST_CHILD(this), FIRST_CHILD(this)->fops->removexattr,
loc, name, xdata);
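Review bot: When the named xattr is present in the cache (xattr non-NULL and dict_get succeeds), the new code leaves ret at 0 and unwinds at `MDC_STACK_UNWIND (removexattr, ...)` without ever reaching the STACK_WIND below, so the caller is told the attribute was removed while it still exists on the brick and nothing in the hunk drops it from the cache either; for security.capability or security.selinux, which init/reconfigure now register as cacheable, that silently leaves a capability or label in place that the caller believes is gone. Only the negative answer belongs on the hit path: replace the if-block with `if (xattr && dict_get (xattr, (char *)name)) goto uncached;` followed by `ret = -1; op_errno = ENODATA;` unconditionally. The mdc_fremovexattr hunk below (ending at `fd, name, xdata);`) has the same shape and needs the same change. If mdc_inode_xatt_get hands back a referenced dict — its definition is outside the hunk, so confirm — the hit path also leaks that reference and needs `if (xattr) dict_unref (xattr);` after the unwind. The function's tail continues past the hunk.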
@@ -2272,6 +2302,10 @@ mdc_fremovexattr (call_frame_t *frame, xlator_t *this, fd_t *fd,
const char *name, dict_t *xdata)
{
mdc_local_t *local = NULL;
+ int op_errno = ENODATA;
+ int ret = 0;
+ dict_t *xattr = NULL;
+ struct mdc_conf *conf = this->private;
local = mdc_local_get (frame);
@@ -2279,6 +2313,24 @@ mdc_fremovexattr (call_frame_t *frame, xlator_t *this, fd_t *fd,
local->key = gf_strdup (name);
+ if (!is_mdc_key_satisfied (name))
+ goto uncached;
+
+ ret = mdc_inode_xatt_get (this, fd->inode, &xattr);
+ if (ret != 0)
+ goto uncached;
+
+ if (!xattr || !dict_get (xattr, (char *)name)) {
+ ret = -1;
+ op_errno = ENODATA;
+ }
+
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_hit);
+ MDC_STACK_UNWIND (fremovexattr, frame, ret, op_errno, xdata);
+ return 0;
+
+uncached:
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_miss);
STACK_WIND (frame, mdc_fremovexattr_cbk,
FIRST_CHILD(this), FIRST_CHILD(this)->fops->fremovexattr,
fd, name, xdata);
@@ -2829,7 +2881,16 @@ reconfigure (xlator_t *this, dict_t *options)
GF_OPTION_RECONF ("md-cache-timeout", timeout, options, int32, out);
GF_OPTION_RECONF ("cache-selinux", conf->cache_selinux, options, bool, out);
- mdc_key_load_set (mdc_keys, "security.", conf->cache_selinux);
+ mdc_key_load_set (mdc_keys, "security.selinux", conf->cache_selinux);
+
+ GF_OPTION_RECONF ("cache-capability-xattrs", conf->cache_capability,
+ options, bool, out);
+ mdc_key_load_set (mdc_keys, "security.capability",
+ conf->cache_capability);
+
+ GF_OPTION_RECONF ("cache-ima-xattrs", conf->cache_ima, options, bool,
+ out);
+ mdc_key_load_set (mdc_keys, "security.ima", conf->cache_ima);
GF_OPTION_RECONF ("cache-posix-acl", conf->cache_posix_acl, options, bool, out);
mdc_key_load_set (mdc_keys, "system.posix_acl_", conf->cache_posix_acl);
@@ -2892,7 +2953,15 @@ init (xlator_t *this)
GF_OPTION_INIT ("md-cache-timeout", timeout, int32, out);
GF_OPTION_INIT ("cache-selinux", conf->cache_selinux, bool, out);
- mdc_key_load_set (mdc_keys, "security.", conf->cache_selinux);
+ mdc_key_load_set (mdc_keys, "security.selinux", conf->cache_selinux);
+
+ GF_OPTION_INIT ("cache-capability-xattrs", conf->cache_capability,
+ bool, out);
+ mdc_key_load_set (mdc_keys, "security.capability",
+ conf->cache_capability);
+
+ GF_OPTION_INIT ("cache-ima-xattrs", conf->cache_ima, bool, out);
+ mdc_key_load_set (mdc_keys, "security.ima", conf->cache_ima);
GF_OPTION_INIT ("cache-posix-acl", conf->cache_posix_acl, bool, out);
mdc_key_load_set (mdc_keys, "system.posix_acl_", conf->cache_posix_acl);
@@ -3039,6 +3108,14 @@ struct volume_options options[] = {
.type = GF_OPTION_TYPE_BOOL,
.default_value = "false",
},
+ { .key = {"cache-capability-xattrs"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "true",
+ },
+ { .key = {"cache-ima-xattrs"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "true",
+ },
{ .key = {"cache-swift-metadata"},
.type = GF_OPTION_TYPE_BOOL,
.default_value = "true",