
[2/2] ceph: allow arbitrary security.* xattrs

Message ID 20190806180019.6213-2-jlayton@kernel.org (mailing list archive)
State New, archived
Series [1/2] ceph: only set CEPH_I_SEC_INITED if we got a MAC label | expand

Commit Message

Jeffrey Layton Aug. 6, 2019, 6 p.m. UTC
Most filesystems don't limit what security.* xattrs can be set or
fetched. I see no reason that we need to limit that on cephfs either.

Drop the special xattr handler for "security." xattrs, and allow the
"other" xattr handler to handle security xattrs as well.

In addition to fixing xfstest generic/093, this allows us to support
per-file capabilities (à la setcap(8)).

URL: https://tracker.ceph.com/issues/41135
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/ceph/xattr.c | 35 ++---------------------------------
 1 file changed, 2 insertions(+), 33 deletions(-)

Comments

Jeffrey Layton Aug. 6, 2019, 10:26 p.m. UTC | #1
On Tue, 2019-08-06 at 14:00 -0400, Jeff Layton wrote:
> Most filesystems don't limit what security.* xattrs can be set or
> fetched. I see no reason that we need to limit that on cephfs either.
> 
> Drop the special xattr handler for "security." xattrs, and allow the
> "other" xattr handler to handle security xattrs as well.
> 
> In addition to fixing xfstest generic/093, this allows us to support
> per-file capabilities (a'la setcap(8)).
> 
> URL: https://tracker.ceph.com/issues/41135
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>  fs/ceph/xattr.c | 35 ++---------------------------------
>  1 file changed, 2 insertions(+), 33 deletions(-)
> 
> diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
> index 410eaf1ba211..d690debe6ef4 100644
> --- a/fs/ceph/xattr.c
> +++ b/fs/ceph/xattr.c
> @@ -20,7 +20,8 @@ static int __remove_xattr(struct ceph_inode_info *ci,
>  
>  static bool ceph_is_valid_xattr(const char *name)
>  {
> -	return !strncmp(name, XATTR_CEPH_PREFIX, XATTR_CEPH_PREFIX_LEN) ||
> +	return !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||

Obviously, this should be XATTR_SECURITY_PREFIX_LEN. Fixed in my tree.

> +	       !strncmp(name, XATTR_CEPH_PREFIX, XATTR_CEPH_PREFIX_LEN) ||
>  	       !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
>  	       !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
>  }
> @@ -1265,35 +1266,6 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
>  		ceph_pagelist_release(pagelist);
>  	return err;
>  }
> -
> -static int ceph_xattr_set_security_label(const struct xattr_handler *handler,
> -				    struct dentry *unused, struct inode *inode,
> -				    const char *key, const void *buf,
> -				    size_t buflen, int flags)
> -{
> -	if (security_ismaclabel(key)) {
> -		const char *name = xattr_full_name(handler, key);
> -		return __ceph_setxattr(inode, name, buf, buflen, flags);
> -	}
> -	return  -EOPNOTSUPP;
> -}
> -
> -static int ceph_xattr_get_security_label(const struct xattr_handler *handler,
> -				    struct dentry *unused, struct inode *inode,
> -				    const char *key, void *buf, size_t buflen)
> -{
> -	if (security_ismaclabel(key)) {
> -		const char *name = xattr_full_name(handler, key);
> -		return __ceph_getxattr(inode, name, buf, buflen);
> -	}
> -	return  -EOPNOTSUPP;
> -}
> -
> -static const struct xattr_handler ceph_security_label_handler = {
> -	.prefix = XATTR_SECURITY_PREFIX,
> -	.get    = ceph_xattr_get_security_label,
> -	.set    = ceph_xattr_set_security_label,
> -};
>  #endif /* CONFIG_CEPH_FS_SECURITY_LABEL */
>  #endif /* CONFIG_SECURITY */
>  
> @@ -1318,9 +1290,6 @@ const struct xattr_handler *ceph_xattr_handlers[] = {
>  #ifdef CONFIG_CEPH_FS_POSIX_ACL
>  	&posix_acl_access_xattr_handler,
>  	&posix_acl_default_xattr_handler,
> -#endif
> -#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
> -	&ceph_security_label_handler,
>  #endif
>  	&ceph_other_xattr_handler,
>  	NULL,

Patch

diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 410eaf1ba211..d690debe6ef4 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -20,7 +20,8 @@  static int __remove_xattr(struct ceph_inode_info *ci,
 
 static bool ceph_is_valid_xattr(const char *name)
 {
-	return !strncmp(name, XATTR_CEPH_PREFIX, XATTR_CEPH_PREFIX_LEN) ||
+	return !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
+	       !strncmp(name, XATTR_CEPH_PREFIX, XATTR_CEPH_PREFIX_LEN) ||
 	       !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) ||
 	       !strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
 }
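Review bot: Each of the four prefix tests in ceph_is_valid_xattr pairs a prefix string with a separately named length macro by hand, which is the pattern that let the length mix-up already noted in the thread slip in and is easy to repeat the next time a namespace is added; deriving the length from the literal removes the pairing, e.g. `#define ceph_xattr_has_prefix(name, pfx) (!strncmp((name), (pfx), sizeof(pfx) - 1))` and `return ceph_xattr_has_prefix(name, XATTR_SECURITY_PREFIX) ||` for each line, provided every prefix macro expands to a string literal. The function also has no comment, and since this commit widens what it accepts, a line such as `/* Only the security., ceph., trusted. and user. namespaces are valid xattr names here. */` would record the new intent. This is a prefix match only, so a name that is exactly one of the prefixes passes the check; whether the handlers reject such a name is outside the hunk.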
@@ -1265,35 +1266,6 @@  int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
 		ceph_pagelist_release(pagelist);
 	return err;
 }
-
-static int ceph_xattr_set_security_label(const struct xattr_handler *handler,
-				    struct dentry *unused, struct inode *inode,
-				    const char *key, const void *buf,
-				    size_t buflen, int flags)
-{
-	if (security_ismaclabel(key)) {
-		const char *name = xattr_full_name(handler, key);
-		return __ceph_setxattr(inode, name, buf, buflen, flags);
-	}
-	return  -EOPNOTSUPP;
-}
-
-static int ceph_xattr_get_security_label(const struct xattr_handler *handler,
-				    struct dentry *unused, struct inode *inode,
-				    const char *key, void *buf, size_t buflen)
-{
-	if (security_ismaclabel(key)) {
-		const char *name = xattr_full_name(handler, key);
-		return __ceph_getxattr(inode, name, buf, buflen);
-	}
-	return  -EOPNOTSUPP;
-}
-
-static const struct xattr_handler ceph_security_label_handler = {
-	.prefix = XATTR_SECURITY_PREFIX,
-	.get    = ceph_xattr_get_security_label,
-	.set    = ceph_xattr_set_security_label,
-};
 #endif /* CONFIG_CEPH_FS_SECURITY_LABEL */
 #endif /* CONFIG_SECURITY */
 
@@ -1318,9 +1290,6 @@  const struct xattr_handler *ceph_xattr_handlers[] = {
 #ifdef CONFIG_CEPH_FS_POSIX_ACL
 	&posix_acl_access_xattr_handler,
 	&posix_acl_default_xattr_handler,
-#endif
-#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	&ceph_security_label_handler,
 #endif
 	&ceph_other_xattr_handler,
 	NULL,