
[v4,1/1] NFSv4.2: condition READDIR's mask for security label based on LSM state

Message ID 20201106175500.4257-1-olga.kornievskaia@gmail.com (mailing list archive)
State New, archived
Series [v4,1/1] NFSv4.2: condition READDIR's mask for security label based on LSM state | expand

Commit Message

Olga Kornievskaia Nov. 6, 2020, 5:55 p.m. UTC
From: Olga Kornievskaia <kolga@netapp.com>

Currently, the client will always ask for security_labels if the server
reports that it supports that feature, regardless of whether any LSM
module (such as SELinux) is enforcing security policy. This adds a
performance penalty to the READDIR operation.

Client adjusts superblock's support of the security_label based on
the server's support but also current client's configuration of the
LSM modules. Thus, prior to using the default bitmask in READDIR,
this patch checks the server's capabilities and then instructs
READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask.

v4: simplifying logic
v3: changing label's initialization per Ondrej's comment
v2: dropping selinux hook and using the sb cap.

Suggested-by: Ondrej Mosnacek <omosnace@redhat.com>
Suggested-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
---
 fs/nfs/nfs4proc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

kernel test robot Nov. 9, 2020, 10:21 a.m. UTC | #1
Hi Olga,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nfs/linux-next]
[also build test ERROR on v5.10-rc3 next-20201109]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Olga-Kornievskaia/NFSv4-2-condition-READDIR-s-mask-for-security-label-based-on-LSM-state/20201109-095958
base:   git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
config: powerpc64-randconfig-r016-20201109 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 09ec07827b1128504457a93dee80b2ceee1af600)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install powerpc64 cross compiling tool for clang build
        # apt-get install binutils-powerpc64-linux-gnu
        # https://github.com/0day-ci/linux/commit/e0d917660042c74411f25268b6c9c9c1c85425f2
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Olga-Kornievskaia/NFSv4-2-condition-READDIR-s-mask-for-security-label-based-on-LSM-state/20201109-095958
        git checkout e0d917660042c74411f25268b6c9c9c1c85425f2
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=powerpc64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

>> fs/nfs/nfs4proc.c:4984:18: error: use of undeclared identifier 'server'
                   args.bitmask = server->attr_bitmask_nl;
                                  ^
   fs/nfs/nfs4proc.c:4986:18: error: use of undeclared identifier 'server'
                   args.bitmask = server->attr_bitmask;
                                  ^
   2 errors generated.

vim +/server +4984 fs/nfs/nfs4proc.c

  4959	
  4960	static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
  4961			u64 cookie, struct page **pages, unsigned int count, bool plus)
  4962	{
  4963		struct inode		*dir = d_inode(dentry);
  4964		struct nfs4_readdir_arg args = {
  4965			.fh = NFS_FH(dir),
  4966			.pages = pages,
  4967			.pgbase = 0,
  4968			.count = count,
  4969			.plus = plus,
  4970		};
  4971		struct nfs4_readdir_res res;
  4972		struct rpc_message msg = {
  4973			.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READDIR],
  4974			.rpc_argp = &args,
  4975			.rpc_resp = &res,
  4976			.rpc_cred = cred,
  4977		};
  4978		int			status;
  4979	
  4980		dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__,
  4981				dentry,
  4982				(unsigned long long)cookie);
  4983		if (!(NFS_SERVER(d_inode(dentry))->caps & NFS_CAP_SECURITY_LABEL))
> 4984			args.bitmask = server->attr_bitmask_nl;
  4985		else
  4986			args.bitmask = server->attr_bitmask;
  4987	
  4988		nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, &args);
  4989		res.pgbase = args.pgbase;
  4990		status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);
  4991		if (status >= 0) {
  4992			memcpy(NFS_I(dir)->cookieverf, res.verifier.data, NFS4_VERIFIER_SIZE);
  4993			status += args.pgbase;
  4994		}
  4995	
  4996		nfs_invalidate_atime(dir);
  4997	
  4998		dprintk("%s: returns %d\n", __func__, status);
  4999		return status;
  5000	}
  5001	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Patch

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 9e0ca9b2b210..ea72202887c0 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4966,7 +4966,6 @@  static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
 		.pages = pages,
 		.pgbase = 0,
 		.count = count,
-		.bitmask = NFS_SERVER(d_inode(dentry))->attr_bitmask,
 		.plus = plus,
 	};
 	struct nfs4_readdir_res res;
@@ -4981,6 +4980,11 @@  static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
 	dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__,
 			dentry,
 			(unsigned long long)cookie);
+	if (!(NFS_SERVER(d_inode(dentry))->caps & NFS_CAP_SECURITY_LABEL))
+		args.bitmask = server->attr_bitmask_nl;
+	else
+		args.bitmask = server->attr_bitmask;
+
 	nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, &args);
 	res.pgbase = args.pgbase;
 	status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);
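Review bot: The added branch on `NFS_CAP_SECURITY_LABEL` has no comment saying why the label attribute is left out of the READDIR mask, and the negated test followed by an `else` reads backwards. Per the commit message the capability bit reflects both the server's support and the client's LSM configuration, so a one-line comment such as `/* Request FATTR4_WORD2_SECURITY_LABEL only when label support is enabled on this superblock */` would record that this choice decides whether entries returned by READDIR carry a security label. The test would also read more directly in the positive form using the existing `dir` local, `if (NFS_SERVER(dir)->caps & NFS_CAP_SECURITY_LABEL)`, which matches the `NFS_SERVER(dir)` uses in the unchanged lines below it. `_nfs4_proc_readdir` starts and ends outside this hunk.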