Diffstat (limited to 'xlators/features/selinux')
| -rw-r--r-- | xlators/features/selinux/Makefile.am | 3 | ||||
| -rw-r--r-- | xlators/features/selinux/src/Makefile.am | 20 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux-mem-types.h | 19 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux-messages.h | 30 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux.c | 323 | ||||
| -rw-r--r-- | xlators/features/selinux/src/selinux.h | 24 |
6 files changed, 419 insertions, 0 deletions
diff --git a/xlators/features/selinux/Makefile.am b/xlators/features/selinux/Makefile.am
new file mode 100644
index 00000000000..a985f42a877
--- /dev/null
+++ b/xlators/features/selinux/Makefile.am
@@ -0,0 +1,3 @@
+SUBDIRS = src
+
+CLEANFILES =
diff --git a/xlators/features/selinux/src/Makefile.am b/xlators/features/selinux/src/Makefile.am
new file mode 100644
index 00000000000..4f1e5e149b3
--- /dev/null
+++ b/xlators/features/selinux/src/Makefile.am
@@ -0,0 +1,20 @@
+if WITH_SERVER
+xlator_LTLIBRARIES = selinux.la
+endif
+xlatordir = $(libdir)/glusterfs/$(PACKAGE_VERSION)/xlator/features
+
+selinux_la_LDFLAGS = -module $(GF_XLATOR_DEFAULT_LDFLAGS)
+
+selinux_la_SOURCES = selinux.c
+
+selinux_la_LIBADD = $(top_builddir)/libglusterfs/src/libglusterfs.la
+
+noinst_HEADERS = selinux.h selinux-messages.h selinux-mem-types.h
+
+AM_CPPFLAGS = $(GF_CPPFLAGS) -I$(top_srcdir)/libglusterfs/src \
+ -I$(top_srcdir)/rpc/xdr/src -I$(top_builddir)/rpc/xdr/src
+
+AM_CFLAGS = -Wall $(GF_CFLAGS)
+
+CLEANFILES =
+
diff --git a/xlators/features/selinux/src/selinux-mem-types.h b/xlators/features/selinux/src/selinux-mem-types.h
new file mode 100644
index 00000000000..553e59e5a9d
--- /dev/null
+++ b/xlators/features/selinux/src/selinux-mem-types.h
@@ -0,0 +1,19 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+#ifndef __SELINUX_MEM_TYPES_H__
+#define __SELINUX_MEM_TYPES_H__
+
+#include <glusterfs/mem-types.h>
+
+enum gf_selinux_mem_types_ {
+ gf_selinux_mt_selinux_priv_t = gf_common_mt_end + 1,
+ gf_selinux_mt_end
+};
+#endif
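Review bot: The include guard `__SELINUX_MEM_TYPES_H__` in selinux-mem-types.h is a reserved identifier (any name containing a double underscore, or starting with an underscore followed by an uppercase letter, belongs to the implementation per C11 7.1.3); the same pattern appears as `__SELINUX_H__` in selinux.h and `_SELINUX_MESSAGES_H__` in selinux-messages.h. A guard such as `#ifndef SELINUX_MEM_TYPES_H` / `#define SELINUX_MEM_TYPES_H` avoids the collision risk without changing behaviour. In selinux-messages.h the closing comment `/*_SELINUX_MESSAGES_H */` also does not match the macro actually defined, which is the kind of drift these guards tend to accumulate.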
diff --git a/xlators/features/selinux/src/selinux-messages.h b/xlators/features/selinux/src/selinux-messages.h
new file mode 100644
index 00000000000..f49a54f956c
--- /dev/null
+++ b/xlators/features/selinux/src/selinux-messages.h
@@ -0,0 +1,30 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+
+#ifndef _SELINUX_MESSAGES_H__
+#define _SELINUX_MESSAGES_H__
+
+#include <glusterfs/glfs-message-id.h>
+
+/* To add new message IDs, append new identifiers at the end of the list.
+ *
+ * Never remove a message ID. If it's not used anymore, you can rename it or
+ * leave it as it is, but not delete it. This is to prevent reutilization of
+ * IDs by other messages.
+ *
+ * The component name must match one of the entries defined in
+ * glfs-message-id.h.
+ */
+
+GLFS_MSGID(SL, SL_MSG_INVALID_VOLFILE, SL_MSG_ENOMEM,
+ SL_MSG_MEM_ACCT_INIT_FAILED, SL_MSG_SELINUX_GLUSTER_XATTR_MISSING,
+ SL_MSG_SELINUX_XATTR_MISSING);
+
+#endif /*_SELINUX_MESSAGES_H */
diff --git a/xlators/features/selinux/src/selinux.c b/xlators/features/selinux/src/selinux.c
new file mode 100644
index 00000000000..9b1b4b55e1a
--- /dev/null
+++ b/xlators/features/selinux/src/selinux.c
@@ -0,0 +1,323 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+
+#include <glusterfs/xlator.h>
+
+#include "selinux.h"
+#include "selinux-messages.h"
+#include "selinux-mem-types.h"
+#include <glusterfs/compat-errno.h>
+
+static int
+selinux_fgetxattr_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *dict, dict_t *xdata)
+{
+ int ret = 0;
+ char *name = cookie;
+
+ if (op_errno == 0 && dict && name &&
+ (!strcmp(name, SELINUX_GLUSTER_XATTR))) {
+ ret = dict_rename_key(dict, SELINUX_GLUSTER_XATTR, SELINUX_XATTR);
+ if (ret < 0)
+ gf_msg(this->name, GF_LOG_ERROR, op_errno,
+ SL_MSG_SELINUX_GLUSTER_XATTR_MISSING,
+ "getxattr failed for %s", SELINUX_XATTR);
+ }
+
+ STACK_UNWIND_STRICT(fgetxattr, frame, op_ret, op_errno, dict, xdata);
+ return ret;
+}
+
+static int
+selinux_fgetxattr(call_frame_t *frame, xlator_t *this, fd_t *fd,
+ const char *name, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ char *xattr_name = (char *)name;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO("selinux", priv, err);
+
+ /* name can be NULL for listxattr calls */
+ if (!priv->selinux_enabled || !name)
+ goto off;
+
+ if (strcmp(name, SELINUX_XATTR) == 0)
+ xattr_name = SELINUX_GLUSTER_XATTR;
+
+off:
+ STACK_WIND_COOKIE(frame, selinux_fgetxattr_cbk, xattr_name,
+ FIRST_CHILD(this), FIRST_CHILD(this)->fops->fgetxattr, fd,
+ xattr_name, xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT(fgetxattr, frame, op_ret, op_errno, NULL, xdata);
+
+ return 0;
+}
+
+static int
+selinux_getxattr_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *dict, dict_t *xdata)
+{
+ int ret = 0;
+ char *name = cookie;
+
+ if (op_errno == 0 && dict && name &&
+ (!strcmp(name, SELINUX_GLUSTER_XATTR))) {
+ ret = dict_rename_key(dict, SELINUX_GLUSTER_XATTR, SELINUX_XATTR);
+ if (ret < 0)
+ gf_msg(this->name, GF_LOG_ERROR, op_errno,
+ SL_MSG_SELINUX_GLUSTER_XATTR_MISSING,
+ "getxattr failed for %s", SELINUX_XATTR);
+ }
+
+ STACK_UNWIND_STRICT(getxattr, frame, op_ret, op_errno, dict, xdata);
+
+ return 0;
+}
+
+static int
+selinux_getxattr(call_frame_t *frame, xlator_t *this, loc_t *loc,
+ const char *name, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ char *xattr_name = (char *)name;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO("selinux", priv, err);
+
+ /* name can be NULL for listxattr calls */
+ if (!priv->selinux_enabled || !name)
+ goto off;
+
+ if (strcmp(name, SELINUX_XATTR) == 0)
+ xattr_name = SELINUX_GLUSTER_XATTR;
+
+off:
+ STACK_WIND_COOKIE(frame, selinux_getxattr_cbk, xattr_name,
+ FIRST_CHILD(this), FIRST_CHILD(this)->fops->getxattr, loc,
+ xattr_name, xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT(getxattr, frame, op_ret, op_errno, NULL, xdata);
+ return 0;
+}
+
+static int
+selinux_fsetxattr_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *xdata)
+{
+ STACK_UNWIND_STRICT(fsetxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+static int
+selinux_fsetxattr(call_frame_t *frame, xlator_t *this, fd_t *fd, dict_t *dict,
+ int flags, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ int32_t ret = -1;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO("selinux", priv, err);
+
+ if (!priv->selinux_enabled && !dict)
+ goto off;
+
+ ret = dict_rename_key(dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR);
+ if (ret < 0 && ret != -ENODATA)
+ goto err;
+
+off:
+ STACK_WIND(frame, selinux_fsetxattr_cbk, FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->fsetxattr, fd, dict, flags, xdata);
+
+ return 0;
+err:
+ STACK_UNWIND_STRICT(fsetxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+static int
+selinux_setxattr_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ int op_ret, int op_errno, dict_t *xdata)
+{
+ STACK_UNWIND_STRICT(setxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+static int
+selinux_setxattr(call_frame_t *frame, xlator_t *this, loc_t *loc, dict_t *dict,
+ int flags, dict_t *xdata)
+{
+ selinux_priv_t *priv = NULL;
+ int32_t op_ret = -1;
+ int32_t op_errno = EINVAL;
+ int32_t ret = -1;
+
+ priv = this->private;
+
+ GF_VALIDATE_OR_GOTO("selinux", priv, err);
+
+ if (!priv->selinux_enabled && !dict)
+ goto off;
+
+ ret = dict_rename_key(dict, SELINUX_XATTR, SELINUX_GLUSTER_XATTR);
+ if (ret < 0 && ret != -ENODATA)
+ goto err;
+
+off:
+ STACK_WIND(frame, selinux_setxattr_cbk, FIRST_CHILD(this),
+ FIRST_CHILD(this)->fops->setxattr, loc, dict, flags, xdata);
+ return 0;
+err:
+ STACK_UNWIND_STRICT(setxattr, frame, op_ret, op_errno, xdata);
+ return 0;
+}
+
+int32_t
+mem_acct_init(xlator_t *this)
+{
+ int ret = -1;
+
+ GF_VALIDATE_OR_GOTO("selinux", this, out);
+
+ ret = xlator_mem_acct_init(this, gf_selinux_mt_end + 1);
+
+ if (ret != 0) {
+ gf_msg(this->name, GF_LOG_ERROR, 0, SL_MSG_MEM_ACCT_INIT_FAILED,
+ "Memory accounting init failed");
+ return ret;
+ }
+out:
+ return ret;
+}
+
+int32_t
+init(xlator_t *this)
+{
+ int32_t ret = -1;
+ selinux_priv_t *priv = NULL;
+
+ GF_VALIDATE_OR_GOTO("selinux", this, out);
+
+ if (!this->children || this->children->next) {
+ gf_msg(this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE,
+ "Error: SELinux (%s) not configured with exactly one "
+ "child",
+ this->name);
+ return -1;
+ }
+
+ if (this->parents == NULL) {
+ gf_msg(this->name, GF_LOG_WARNING, 0, SL_MSG_INVALID_VOLFILE,
+ "Dangling volume. Please check the volfile");
+ }
+
+ priv = GF_CALLOC(1, sizeof(*priv), gf_selinux_mt_selinux_priv_t);
+ if (!priv) {
+ gf_log(this->name, GF_LOG_ERROR, "out of memory");
+ goto out;
+ }
+
+ GF_OPTION_INIT("selinux", priv->selinux_enabled, bool, out);
+
+ this->local_pool = mem_pool_new(selinux_priv_t, 64);
+ if (!this->local_pool) {
+ gf_msg(this->name, GF_LOG_ERROR, ENOMEM, SL_MSG_ENOMEM,
+ "Failed to create local_t's memory pool");
+ goto out;
+ }
+
+ this->private = (void *)priv;
+ ret = 0;
+out:
+ if (ret) {
+ GF_FREE(priv);
+ mem_pool_destroy(this->local_pool);
+ this->local_pool = NULL;
+ }
+ return ret;
+}
+
+int
+reconfigure(xlator_t *this, dict_t *options)
+{
+ int32_t ret = -1;
+ selinux_priv_t *priv = NULL;
+
+ priv = this->private;
+
+ GF_OPTION_RECONF("selinux", priv->selinux_enabled, options, bool, out);
+
+ ret = 0;
+out:
+ return ret;
+}
+
+void
+fini(xlator_t *this)
+{
+ selinux_priv_t *priv = NULL;
+
+ priv = this->private;
+ GF_FREE(priv);
+
+ mem_pool_destroy(this->local_pool);
+ this->local_pool = NULL;
+
+ return;
+}
+
+struct xlator_fops fops = {
+ .getxattr = selinux_getxattr,
+ .fgetxattr = selinux_fgetxattr,
+ .setxattr = selinux_setxattr,
+ .fsetxattr = selinux_fsetxattr,
+};
+
+struct xlator_cbks cbks = {};
+
+struct volume_options options[] = {
+ {
+ .key = {"selinux"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "on",
+ .description = "Enable/disable selinux translator",
+ .op_version = {GD_OP_VERSION_3_11_0},
+ .flags = OPT_FLAG_SETTABLE,
+ .tags = {"security", "linux"},
+ },
+ {
+ .key = {NULL},
+ }};
+
+xlator_api_t xlator_api = {
+ .init = init,
+ .fini = fini,
+ .reconfigure = reconfigure,
+ .mem_acct_init = mem_acct_init,
+ .op_version = {1}, /* Present from the initial version */
+ .fops = &fops,
+ .cbks = &cbks,
+ .options = options,
+ .identifier = "selinux",
+ .category = GF_MAINTAINED,
+};
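Review bot: In selinux_setxattr and selinux_fsetxattr the guard `if (!priv->selinux_enabled && !dict) goto off;` skips the key rename only when the option is off *and* the dict is NULL, so with the option enabled a NULL dict reaches `dict_rename_key(NULL, ...)`, and with the option disabled a non-NULL dict still has `security.selinux` rewritten to `trusted.glusterfs.selinux` on the write path even though selinux_getxattr/selinux_fgetxattr honour the flag and pass the name through untouched; the read and write paths should agree, which the form already used on the get side gives: `if (!priv->selinux_enabled || !dict) goto off;`. The `err:` label in both set functions also unwinds with the initial `op_errno = EINVAL` whatever dict_rename_key returned, so a -ENOMEM from the rename is reported to the client as EINVAL; setting `op_errno = -ret;` before `goto err` would preserve the real reason (assuming dict_rename_key returns negative errno values, as the `-ENODATA` comparison suggests). selinux_fgetxattr_cbk returns `ret` after unwinding while every other cbk here returns 0; `return 0;` keeps the callback contract uniform. In init, `this->local_pool` is created and the failure message refers to a "local_t", but nothing in this file allocates from that pool, so either a local structure is expected to follow or the pool and its cleanup can be dropped.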
diff --git a/xlators/features/selinux/src/selinux.h b/xlators/features/selinux/src/selinux.h
new file mode 100644
index 00000000000..1bbdad3bb36
--- /dev/null
+++ b/xlators/features/selinux/src/selinux.h
@@ -0,0 +1,24 @@
+/*
+ Copyright (c) 2017 Red Hat, Inc. <http://www.redhat.com>
+ This file is part of GlusterFS.
+
+ This file is licensed to you under your choice of the GNU Lesser
+ General Public License, version 3 or any later version (LGPLv3 or
+ later), or the GNU General Public License, version 2 (GPLv2), in all
+ cases as published by the Free Software Foundation.
+*/
+#ifndef __SELINUX_H__
+#define __SELINUX_H__
+
+#include <glusterfs/common-utils.h>
+
+#define SELINUX_XATTR "security.selinux"
+#define SELINUX_GLUSTER_XATTR "trusted.glusterfs.selinux"
+
+struct selinux_priv {
+ gf_boolean_t selinux_enabled;
+};
+
+typedef struct selinux_priv selinux_priv_t;
+
+#endif |
