From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>,
	Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.de>
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
Subject: [lustre-devel] [PATCH 05/20] lustre: sec: do not expose security.c to listxattr/getxattr
Date: Mon, 11 Oct 2021 13:40:34 -0400
Message-ID: <1633974049-26490-6-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1633974049-26490-1-git-send-email-jsimmons@infradead.org>

From: Sebastien Buisson <sbuisson@ddn.com>

security.c xattr, which contains encryption context, should not be
exposed by the xattr-related system calls such as listxattr() and
getxattr() because of its special semantics.
Update sanity-sec test_57 to test this.

WC-bug-id: https://jira.whamcloud.com/browse/LU-14677
Lustre-commit: efb66de719329ce4d ("LU-14677 sec: do not expose security.c to listxattr/getxattr")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/44101
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Patrick Farrell <pfarrell@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/crypto.c         | 16 ++++++++++++++++
 fs/lustre/llite/llite_internal.h |  5 +++++
 fs/lustre/llite/xattr.c          | 32 +++++++++++++++++++++++++++++++-
 3 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/fs/lustre/llite/crypto.c b/fs/lustre/llite/crypto.c
index 5d99037..0fae9a5 100644
--- a/fs/lustre/llite/crypto.c
+++ b/fs/lustre/llite/crypto.c
@@ -32,10 +32,26 @@
 static int ll_get_context(struct inode *inode, void *ctx, size_t len)
 {
 	struct dentry *dentry = d_find_any_alias(inode);
+	struct lu_env *env;
+	u16 refcheck;
 	int rc;
 
+	env = cl_env_get(&refcheck);
+	if (IS_ERR(env))
+		return PTR_ERR(env);
+
+	/* Set lcc_getencctx=1 to allow this thread to read
+	 * LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr, as requested by llcrypt.
+	 */
+	ll_cl_add(inode, env, NULL, LCC_RW);
+	ll_env_info(env)->lti_io_ctx.lcc_getencctx = 1;
+
 	rc = __vfs_getxattr(dentry, inode, LL_XATTR_NAME_ENCRYPTION_CONTEXT,
 			    ctx, len);
+
+	ll_cl_remove(inode, env);
+	cl_env_put(env, &refcheck);
+
 	if (dentry)
 		dput(dentry);
 
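Review bot: lcc_getencctx is set to 1 on ll_env_info(env)->lti_io_ctx in ll_get_context(), but nothing in this hunk clears it before ll_cl_remove() and cl_env_put(). If that context structure is reused the next time the env is handed out, and ll_cl_add() does not reset the bit, a later ordinary I/O on the same env would still carry the exemption that lets the encryption context be read. Setting lcc_getencctx = 0 right after __vfs_getxattr() returns would keep the exemption scoped to this one call and make that visible to the reader.
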
diff --git a/fs/lustre/llite/llite_internal.h b/fs/lustre/llite/llite_internal.h
index cfeec14..e0fda00 100644
--- a/fs/lustre/llite/llite_internal.h
+++ b/fs/lustre/llite/llite_internal.h
@@ -1312,6 +1312,11 @@ struct ll_cl_context {
 	struct cl_io   *lcc_io;
 	struct cl_page *lcc_page;
 	enum lcc_type		 lcc_type;
+	/**
+	 * Get encryption context operation in progress,
+	 * allow getxattr of LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr
+	 */
+	unsigned int		 lcc_getencctx:1;
 };
 
 struct ll_thread_info {
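Review bot: the comment on lcc_getencctx mentions only getxattr, but the xattr.c part of this patch also tests the bit in ll_listxattr() to decide whether the name is listed. The comment should cover both uses, and should state that ll_get_context() is the only intended setter and that the bit must not stay set past that call, since it is the sole gate on reading LL_XATTR_NAME_ENCRYPTION_CONTEXT.
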
diff --git a/fs/lustre/llite/xattr.c b/fs/lustre/llite/xattr.c
index 001c828..59a1400 100644
--- a/fs/lustre/llite/xattr.c
+++ b/fs/lustre/llite/xattr.c
@@ -366,6 +366,21 @@ int ll_xattr_list(struct inode *inode, const char *name, int type, void *buffer,
 	void *xdata;
 	int rc;
 
+	/* Getting LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr is only allowed
+	 * when it comes from ll_get_context(), ie when llcrypt needs to
+	 * know the encryption context.
+	 * Otherwise, any direct reading of this xattr returns -EPERM.
+	 */
+	if (type == XATTR_SECURITY_T &&
+	    !strcmp(name, LL_XATTR_NAME_ENCRYPTION_CONTEXT)) {
+		struct ll_cl_context *lcc = ll_cl_find(inode);
+
+		if (!lcc || !lcc->lcc_getencctx) {
+			rc = -EPERM;
+			goto out_xattr;
+		}
+	}
+
 	if (sbi->ll_xattr_cache_enabled && type != XATTR_ACL_ACCESS_T &&
 	    (type != XATTR_SECURITY_T || strcmp(name, "security.selinux"))) {
 		rc = ll_xattr_cache_get(inode, name, buffer, size, valid);
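Review bot: the new check at the top of ll_xattr_list() finds the exemption with ll_cl_find(inode), which takes only the inode, while the comment in ll_get_context() describes the flag as allowing "this thread". Please confirm that ll_cl_find() returns only a context registered by the calling thread. If it can return one registered by another thread on the same inode, a getxattr() from a different task that runs while ll_get_context() is in progress would see lcc_getencctx set and get the xattr instead of -EPERM. If the lookup is per thread, a short remark to that effect in this comment would settle the question for later readers.
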
@@ -632,9 +647,24 @@ ssize_t ll_listxattr(struct dentry *dentry, char *buffer, size_t size)
 	rem = rc;
 
 	while (rem > 0) {
+		bool hide_xattr = false;
+
+		/* Listing xattrs should not expose
+		 * LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr, unless it comes
+		 * from llcrypt.
+		 */
+		if (get_xattr_type(xattr_name)->flags == XATTR_SECURITY_T &&
+		    !strcmp(xattr_name, LL_XATTR_NAME_ENCRYPTION_CONTEXT)) {
+			struct ll_cl_context *lcc = ll_cl_find(inode);
+
+			if (!lcc || !lcc->lcc_getencctx)
+				hide_xattr = true;
+		}
+
 		len = strnlen(xattr_name, rem - 1) + 1;
 		rem -= len;
-		if (!xattr_type_filter(sbi, get_xattr_type(xattr_name))) {
+		if (!xattr_type_filter(sbi, hide_xattr ? NULL :
+				       get_xattr_type(xattr_name))) {
 			/* Skip OK xattr type, leave it in buffer. */
 			xattr_name += len;
 			continue;
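Review bot: in the ll_listxattr() loop, get_xattr_type(xattr_name)->flags dereferences the handler without a NULL check, while a few lines later the same call's result is passed to xattr_type_filter(), and this patch itself passes NULL there to mean "filter this name out". If get_xattr_type() can return NULL for a name with no matching handler, the new test is a NULL pointer dereference on a name that comes back from the server. Storing the handler in a local once per iteration, checking it before reading ->flags, and reusing it in the xattr_type_filter() call would fix that and avoid the second lookup. The new strcmp() also runs before len is computed with strnlen(xattr_name, rem - 1), so it is not covered by that bound; moving the hide_xattr test below the strnlen() line would keep the bounded scan first.
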
-- 
1.8.3.1
