Re: [PATCH v5 1/1] NFSv4.2: condition READDIR's mask for security label based on LSM state


 



On Fri, 2020-11-06 at 16:03 -0500, Olga Kornievskaia wrote:
> From: Olga Kornievskaia <kolga@xxxxxxxxxx>
> 
> Currently, the client will always ask for security_labels if the
> server returns that it supports that feature regardless of any LSM
> modules (such as SELinux) enforcing security policy. This adds a
> performance penalty to the READDIR operation.
> 
> Client adjusts superblock's support of the security_label based on
> the server's support but also current client's configuration of the
> LSM modules. Thus, prior to using the default bitmask in READDIR,
> this patch checks the server's capabilities and then instructs
> READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask.
> 
> v5: fixing silly mistakes of the rushed v4
> v4: simplifying logic
> v3: changing label's initialization per Ondrej's comment
> v2: dropping selinux hook and using the sb cap.
> 
> Suggested-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> Suggested-by: Scott Mayhew <smayhew@xxxxxxxxxx>
> Signed-off-by: Olga Kornievskaia <kolga@xxxxxxxxxx>
> ---
>  fs/nfs/nfs4proc.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 9e0ca9b2b210..7fa63e282af0 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -4961,12 +4961,12 @@ static int _nfs4_proc_readdir(struct dentry
> *dentry, const struct cred *cred,
>                 u64 cookie, struct page **pages, unsigned int count,
> bool plus)
>  {
>         struct inode            *dir = d_inode(dentry);
> +       struct nfs_server       *server = NFS_SERVER(dir);
>         struct nfs4_readdir_arg args = {
>                 .fh = NFS_FH(dir),
>                 .pages = pages,
>                 .pgbase = 0,
>                 .count = count,
> -               .bitmask = NFS_SERVER(d_inode(dentry))->attr_bitmask,
>                 .plus = plus,
>         };
>         struct nfs4_readdir_res res;
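
Review bot: removing `.bitmask` from the `args` designated initializer leaves the field zero-initialized (NULL) from the declaration until the if/else added in the next hunk assigns it, so any code later placed between the two would see a NULL bitmask. Since `server` is now declared ahead of `args`, consider keeping `.bitmask = server->attr_bitmask` in the initializer and overriding it only in the no-label case.
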
> @@ -4981,9 +4981,15 @@ static int _nfs4_proc_readdir(struct dentry
> *dentry, const struct cred *cred,
>         dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__,
>                         dentry,
>                         (unsigned long long)cookie);
> +       if (!(server->caps & NFS_CAP_SECURITY_LABEL))
> +               args.bitmask = server->attr_bitmask_nl;
> +       else
> +               args.bitmask = server->attr_bitmask;
> +
>         nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry,
> &args);
>         res.pgbase = args.pgbase;
> -       status = nfs4_call_sync(NFS_SERVER(dir)->client,
> NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);
> +       status = nfs4_call_sync(server->client, server, &msg,
> &args.seq_args,
> +                       &res.seq_res, 0);
>         if (status >= 0) {
>                 memcpy(NFS_I(dir)->cookieverf, res.verifier.data,
> NFS4_VERIFIER_SIZE);
>                 status += args.pgbase;
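
Review bot: the if/else on `server->caps & NFS_CAP_SECURITY_LABEL` carries no comment explaining why a capability flag on the server structure selects the READDIR attribute mask. The commit message says the flag also reflects the client's LSM configuration and describes the effect as removing FATTR4_WORD2_SECURITY_LABEL, but neither is visible at the call site, where the code only switches to `attr_bitmask_nl`. A one-line comment above the test would tie these together, and the test would read more directly with the positive case first: `if (server->caps & NFS_CAP_SECURITY_LABEL)` selecting `server->attr_bitmask`, with `server->attr_bitmask_nl` in the else branch.
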

That version looks good to me. Thanks Olga!

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx





