Whamcloud Community JIRA

Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us

9.4.14

940014

05-12-2023

[LU-5560] SELinux support on the client side https://jira.whamcloud.com/browse/LU-5560 Lustre <p>The aim is to be able to enforce SELinux security policies on Lustre from SELinux-enabled clients.</p> <p>It requires to properly initiate file security context on client side, and store it on server side via extended attribute.</p> LU-5560

SELinux support on the client side

Improvement Minor Resolved Fixed Oleg Drokin Sebastien Buisson patch Fri, 29 Aug 2014 13:02:42 +0000 Thu, 8 Dec 2016 20:33:15 +0000 Wed, 27 Jul 2016 22:01:34 +0000 Lustre 2.8.0 Lustre 2.9.0 0 23 <p>As a first implementation, I added a call to a new function ll_init_security() after the calls to d_instantiate() in ll_create_it() and ll_new_node(). This new function retrieves security context via security_inode_init_security(), and stores it in extended attribute in MDT with ll_setxattr().</p> <p>To ensure security context coherency between clients, this basic implementation does not cache inodes at all. This is why I created a new function ll_drop_inode(), and also modified ll_ddelete() to always return 1 when SELinux is enabled.</p> <p>Of course this first, basic implementation severely hurts metadata performance because of the inode cache drop.</p> <p>I uploaded the patch here:<br/> <a href="http://review.whamcloud.com/11648" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/11648</a></p> <p>Ideally, to ensure security context coherency between clients, a new lock (let's call it MDS_INODELOCK_SECURITY) should be used to synchronize updates:</p> <ul class="alternate" type="square"> <li>take MDS_INODELOCK_SECURITY lock at setxattr time if SELinux is enabled and xattr is security.selinux (this also requires modifying mdc_enqueue() to ask for MDS_INODELOCK_SECURITY if it is called with IT_SETXATTR);</li> <li>when asked to release MDS_INODELOCK_SECURITY lock in ll_md_blocking_ast(), delete inode with a call to generic_delete_inode(), so that further access to the inode will retrieve fresh security context.</li> </ul> <p>My problem is the Lustre code is too complicated, I am not able to do what I described here. Could you help with the part taking the new MDS_INODELOCK_SECURITY lock at setxattr time?</p> <p>Hello Seb, this looks like a non-trivial task!<br/> Are there any paper/notes to describe all the situations that will need to be handled ?</p> <p>Hi Bruno,</p> <p>What do you think of the suggestion from Andrew Perepechko in <a href="http://review.whamcloud.com/11648" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/11648</a> to modify MDS behavior so that we cancel lookup lock in case of change on 'security.selinux" xattr?</p> <p>Can we exchange by IRC on #lustre for instance (sorry, no Skype available for me).</p> <p>Cheers,<br/> Sebastien.</p> <p>Oleg is looking into this</p> <p>Sebastien, do we need a separate lock bit for SELinux? We already have client-side xattr cache introduced in 2.5 that should result in the client-side xattr cache being cleaned if the selinux xattr is changed.</p> <p>The xattr cache is only filled in case of getxattr, not setxattr. So the MDS_INODELOCK_XATTR lock is not hold by a client creating a file with SELinux attributes. Then if another client modifies the SELinux attributes, it will not lead to any action on the client that initially created the file.</p> <p>Moreover, security context is stored in (struct inode*)->i_security besides its representation as an xattr in the Lustre/ldiskfs case. So in case of SELinux attributes modification by another client, the action required on the client that initially created the file would be to call delete_inode(), in order to force a new lookup of the inode. This could be overkill, maybe there is another mechanism already available in Lustre to force lookup without having to delete the inode.</p> <p>Hi,</p> <p>In order to make things easier, and because the coherency need comes from a very special use case, I have decided to tackle it separately.<br/> This is why I have pushed a new patch that stores security information permanently, and filters out security.selinux xattr from xattr cache (because security information is already in system slab cache).<br/> Please see:<br/> <a href="http://review.whamcloud.com/11648" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/11648</a></p> <p>Sebastien.</p> <p>Hello Sebastien Buisson,</p> <p>Could you please tell me how do you mount lustre client under enforcing mode with this patch?<br/> btw, do you have some selinux testsuite to verify this patch works? </p> <p>Best Regards,<br/> Wang Shilong</p> <p>Hi,</p> <p>There is no mount option required. As soon as SELinux is enforced on the client node, it will be taken into account at the Lustre level.<br/> I do not have specific testsuite for this patch for now.</p> <p>Cheers,<br/> Sebastien.</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/11648/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/11648/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5560" title="SELinux support on the client side" class="issue-link" data-issue-key="LU-5560"><del>LU-5560</del></a> llite: basic support of SELinux in CLIO<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 8a11cb6282cfbdc8617b809344e6a11223e86a38</p> <p>Hi,</p> <p>Please find attached the proposed Test Plan for SELinux support on the client side.</p> <p>Sebastien.</p> <p>Sebastien Buisson (sebastien.buisson@bull.net) uploaded a new patch: <a href="http://review.whamcloud.com/15818" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/15818</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5560" title="SELinux support on the client side" class="issue-link" data-issue-key="LU-5560"><del>LU-5560</del></a> tests: add sanity-selinux.sh<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 38ed4c38796c1903f4cfd553d886f7fbaebba972</p> <p>Hi,</p> <p>Here is an updated Test Plan for SELinux support on the client side, including functional tests.</p> <p>Sebastien.</p> <p>Hi,</p> <p>Here is an updated Test Plan for SELinux support on the client side, including remarks from Andrew Perepechko.</p> <p>Sebastien.</p> <p>Hello,</p> <p>For the upgrade/downgrade testing of this feature, how would you like the test be implemented? Is there any specific requirement?</p> <p>Thanks,<br/> Sarah</p> <p>This work has landed for the 2.8.0 release in patch <a href="http://review.whamcloud.com/#/c/11648/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/11648/</a></p> <p>Reopening ticket because the patch containing the SELinux test suite never landed; <a href="http://review.whamcloud.com/#/c/15818" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/15818</a>. </p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/19970/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/19970/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5560" title="SELinux support on the client side" class="issue-link" data-issue-key="LU-5560"><del>LU-5560</del></a> obd: reserve connection flag OBD_CONNECT2_FILE_SECCTX<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: a06b32d1c49eb6c31aeba556795841730de37006</p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/15818/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/15818/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5560" title="SELinux support on the client side" class="issue-link" data-issue-key="LU-5560"><del>LU-5560</del></a> tests: add sanity-selinux.sh<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: bfca8338e5f2ae1b7c16cc1d0c2376523d68685e</p> <p>Reclosing as the test script landed. Sebastien, you should open a new ticket to track the atomic context transfer during create patch also still in flight - <a href="http://review.whamcloud.com/#/c/19971/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/19971/</a></p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/19971/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/19971/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-5560" title="SELinux support on the client side" class="issue-link" data-issue-key="LU-5560"><del>LU-5560</del></a> security: send file security context for creates<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 4ea24bdabb2b318721605bd185c32bbc1e9bc924</p> Blocker LU-6784 Related LUDOC-335 LU-8654 LU-9193 LU-6950 LU-7417 Development End date Fri, 22 Apr 2016 13:02:42 +0000 Rank 1|hzwuxr: Rank (Obsolete) 15510 Start date Fri, 29 Aug 2014 13:02:42 +0000