From ac629e574935a8aed6526936bc83b1c6d295ae67 Mon Sep 17 00:00:00 2001
From: Poornima G
Date: Mon, 26 Dec 2016 14:28:22 +0530
Subject: md-cache: Cache security.ima xattrs

From kernel version 3.X or greater, creating of a file results in removexattr call on security.ima xattr. But this xattr is not set on the file unless IMA feature is active. With this patch, removxattr call returns ENODATA if it is not found in the cache.

Change-Id: I8136096598a983aebc09901945eba1db1b2f93c9
Signed-off-by: Poornima G
Reviewed-on: http://review.gluster.org/16296
Smoke: Gluster Build System
NetBSD-regression: NetBSD Build System
CentOS-regression: Gluster Build System
Reviewed-by: Raghavendra G
---
 tests/basic/md-cache/bug-1317785.t | 34 +++++++++++
 tests/bugs/fuse/bug-1317785.t | 22 -------
 xlators/mgmt/glusterd/src/glusterd-volume-set.c | 15 +++++
 xlators/performance/md-cache/src/md-cache.c | 81 ++++++++++++++++++++++++-
 4 files changed, 128 insertions(+), 24 deletions(-)
 create mode 100644 tests/basic/md-cache/bug-1317785.t
 delete mode 100644 tests/bugs/fuse/bug-1317785.t

diff --git a/tests/basic/md-cache/bug-1317785.t b/tests/basic/md-cache/bug-1317785.t
new file mode 100644
index 0000000000..5076e3612a
--- /dev/null
+++ b/tests/basic/md-cache/bug-1317785.t
@@ -0,0 +1,34 @@ +#!/bin/bash + +. $(dirname $0)/../../include.rc +. $(dirname $0)/../../volume.rc + +cleanup; + +TEST glusterd + +TEST $CLI volume create $V0 $H0:$B0/$V0 +TEST $CLI volume start $V0 + +TEST $CLI volume set $V0 cache-swift-metadata on +EXPECT 'on' volinfo_field $V0 'performance.cache-swift-metadata' + +TEST $CLI volume set $V0 cache-swift-metadata off +EXPECT 'off' volinfo_field $V0 'performance.cache-swift-metadata' + +TEST $CLI volume set $V0 performance.cache-capability-xattrs off +EXPECT 'off' volinfo_field $V0 'performance.cache-capability-xattrs' + +TEST $CLI volume set $V0 performance.cache-capability-xattrs on +EXPECT 'on' volinfo_field $V0 'performance.cache-capability-xattrs' + +TEST $CLI volume set $V0 performance.cache-ima-xattrs off +EXPECT 'off' volinfo_field $V0 'performance.cache-ima-xattrs' + +TEST $CLI volume set $V0 performance.cache-ima-xattrs on +EXPECT 'on' volinfo_field $V0 'performance.cache-ima-xattrs' + +TEST $CLI volume stop $V0 +TEST $CLI volume delete $V0 + +cleanup; diff --git a/tests/bugs/fuse/bug-1317785.t b/tests/bugs/fuse/bug-1317785.t deleted file mode 100644 index 87c6540553..0000000000 --- a/tests/bugs/fuse/bug-1317785.t +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -. $(dirname $0)/../../include.rc -. $(dirname $0)/../../volume.rc - -cleanup; - -TEST glusterd - -TEST $CLI volume create $V0 $H0:$B0/$V0 -TEST $CLI volume start $V0 - -TEST $CLI volume set $V0 cache-swift-metadata on -EXPECT 'on' volinfo_field $V0 'performance.cache-swift-metadata' - -TEST $CLI volume set $V0 cache-swift-metadata off -EXPECT 'off' volinfo_field $V0 'performance.cache-swift-metadata' - -TEST $CLI volume stop $V0 -TEST $CLI volume delete $V0 - -cleanup; diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c index ae569c66a2..96e76cd795 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c +++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c 
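Review bot: The new test only flips the three volume options and reads them back with `volinfo_field`; nothing exercises the behaviour the commit describes, namely a removexattr on a loaded-but-absent `security.ima` key being answered with ENODATA from the cache, or a removexattr of a key that is present still reaching the brick. A mount, one file creation, a removexattr of `security.ima` expected to fail with ENODATA, and a set-then-remove of a cached key followed by a getxattr on the brick path would cover both paths and would have caught a short-circuit that answers success without winding to the child. The `cache-swift-metadata` checks are carried over from the deleted tests/bugs/fuse file, so this is the only place the md-cache removexattr path is tested.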
@@ -1598,6 +1598,21 @@ struct volopt_map_entry glusterd_volopt_map[] = {
 " xattr)",
 .flags = OPT_FLAG_CLIENT_OPT
 },
+ { .key = "performance.cache-capability-xattrs",
+ .voltype = "performance/md-cache",
+ .option = "cache-capability-xattrs",
+ .op_version = GD_OP_VERSION_3_10_0,
+ .description = "Cache xattrs required for capability based security",
+ .flags = OPT_FLAG_CLIENT_OPT
+ },
+ { .key = "performance.cache-ima-xattrs",
+ .voltype = "performance/md-cache",
+ .option = "cache-ima-xattrs",
+ .op_version = GD_OP_VERSION_3_10_0,
+ .description = "Cache xattrs required for IMA "
+ "(Integrity Measurement Architecture)",
+ .flags = OPT_FLAG_CLIENT_OPT
+ },
 /* Crypt xlator options */
diff --git a/xlators/performance/md-cache/src/md-cache.c b/xlators/performance/md-cache/src/md-cache.c
index 36cedc64d7..026b890cd8 100644
--- a/xlators/performance/md-cache/src/md-cache.c
+++ b/xlators/performance/md-cache/src/md-cache.c
@@ -49,6 +49,8 @@ struct mdc_conf {
 int timeout;
 gf_boolean_t cache_posix_acl;
 gf_boolean_t cache_selinux;
+ gf_boolean_t cache_capability;
+ gf_boolean_t cache_ima;
 gf_boolean_t force_readdirp;
 gf_boolean_t cache_swift_metadata;
 gf_boolean_t cache_samba_metadata;
@@ -114,6 +116,11 @@ static struct mdc_key {
 .load = 0,
 .check = 1,
 },
+ {
+ .name = "security.ima",
+ .load = 0,
+ .check = 1,
+ },
 {
 .name = NULL,
 .load = 0,
@@ -2226,6 +2233,10 @@ mdc_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
 const char *name, dict_t *xdata)
 {
 mdc_local_t *local = NULL;
+ int op_errno = ENODATA;
+ int ret = 0;
+ dict_t *xattr = NULL;
+ struct mdc_conf *conf = this->private;
 local = mdc_local_get (frame);
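Review bot: The @@ -114 hunk adds a `security.ima` entry to `mdc_keys` but no `security.capability` entry, while the later reconfigure and init hunks call `mdc_key_load_set (mdc_keys, "security.capability", ...)` for the new `cache-capability-xattrs` option; if that key is not already in the table (the `.name` of the entry preceding the insertion point is outside the hunk, so I cannot tell), the new option toggles nothing and the `performance.cache-capability-xattrs` description in the glusterd hunk would promise caching that never happens. Worth confirming against the full table, and a short comment on the new entry such as `/* negative-cached only when cache-ima-xattrs is on; see init() */` would tie the `.load = 0` default to the option that flips it. In the @@ -2226 hunk the new `conf` and `xattr` locals are declared but only used in the following hunk, so this decl-only hunk is fine on its own; mdc_removexattr continues below it.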
@@ -2233,6 +2244,25 @@ mdc_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
 local->key = gf_strdup (name);
+ if (!is_mdc_key_satisfied (name))
+ goto uncached;
+
+ ret = mdc_inode_xatt_get (this, loc->inode, &xattr);
+ if (ret != 0)
+ goto uncached;
+
+ if (!xattr || !dict_get (xattr, (char *)name)) {
+ ret = -1;
+ op_errno = ENODATA;
+ }
+
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_hit);
+ MDC_STACK_UNWIND (removexattr, frame, ret, op_errno, xdata);
+
+ return 0;
+
+uncached:
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_miss);
 STACK_WIND (frame, mdc_removexattr_cbk, FIRST_CHILD(this),
 FIRST_CHILD(this)->fops->removexattr, loc, name, xdata);
@@ -2272,6 +2302,10 @@ mdc_fremovexattr (call_frame_t *frame, xlator_t *this, fd_t *fd,
 const char *name, dict_t *xdata)
 {
 mdc_local_t *local = NULL;
+ int op_errno = ENODATA;
+ int ret = 0;
+ dict_t *xattr = NULL;
+ struct mdc_conf *conf = this->private;
 local = mdc_local_get (frame);
@@ -2279,6 +2313,24 @@ mdc_fremovexattr (call_frame_t *frame, xlator_t *this, fd_t *fd,
 local->key = gf_strdup (name);
+ if (!is_mdc_key_satisfied (name))
+ goto uncached;
+
+ ret = mdc_inode_xatt_get (this, fd->inode, &xattr);
+ if (ret != 0)
+ goto uncached;
+
+ if (!xattr || !dict_get (xattr, (char *)name)) {
+ ret = -1;
+ op_errno = ENODATA;
+ }
+
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_hit);
+ MDC_STACK_UNWIND (fremovexattr, frame, ret, op_errno, xdata);
+ return 0;
+
+uncached:
+ INCREMENT_ATOMIC (conf->mdc_counter.lock, conf->mdc_counter.xattr_miss);
 STACK_WIND (frame, mdc_fremovexattr_cbk, FIRST_CHILD(this),
 FIRST_CHILD(this)->fops->fremovexattr, fd, name, xdata);
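Review bot: The cached branch of mdc_removexattr answers success for an xattr that is never removed: when `dict_get (xattr, (char *)name)` finds the key, `ret` stays 0 and the function reaches `MDC_STACK_UNWIND (removexattr, frame, ret, op_errno, xdata)` without ever calling STACK_WIND, so the brick keeps the xattr and the cache keeps serving it; the @@ -2279 hunk repeats the same shape in mdc_fremovexattr. Only the negative answer (key loaded but absent from the cached dict) is safe to serve from the cache; the positive case should fall through to the child, e.g. `} else { goto uncached; }` right after the `op_errno = ENODATA;` assignment, so the existing callback path handles the real removal and invalidation as before. Separately, if `mdc_inode_xatt_get` returns a referenced dict through its `dict_t **` argument (I cannot see the helper here, so please verify), `xattr` is leaked on both the cached and the `goto uncached` path after a successful get and needs a `dict_unref (xattr)` before each return. Both functions start and end outside the hunks shown.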
@@ -2829,7 +2881,16 @@ reconfigure (xlator_t *this, dict_t *options)
 GF_OPTION_RECONF ("md-cache-timeout", timeout, options, int32, out);
 GF_OPTION_RECONF ("cache-selinux", conf->cache_selinux, options, bool, out);
- mdc_key_load_set (mdc_keys, "security.", conf->cache_selinux);
+ mdc_key_load_set (mdc_keys, "security.selinux", conf->cache_selinux);
+
+ GF_OPTION_RECONF ("cache-capability-xattrs", conf->cache_capability,
+ options, bool, out);
+ mdc_key_load_set (mdc_keys, "security.capability",
+ conf->cache_capability);
+
+ GF_OPTION_RECONF ("cache-ima-xattrs", conf->cache_ima, options, bool,
+ out);
+ mdc_key_load_set (mdc_keys, "security.ima", conf->cache_ima);
 GF_OPTION_RECONF ("cache-posix-acl", conf->cache_posix_acl, options, bool, out);
 mdc_key_load_set (mdc_keys, "system.posix_acl_", conf->cache_posix_acl);
@@ -2892,7 +2953,15 @@ init (xlator_t *this)
 GF_OPTION_INIT ("md-cache-timeout", timeout, int32, out);
 GF_OPTION_INIT ("cache-selinux", conf->cache_selinux, bool, out);
- mdc_key_load_set (mdc_keys, "security.", conf->cache_selinux);
+ mdc_key_load_set (mdc_keys, "security.selinux", conf->cache_selinux);
+
+ GF_OPTION_INIT ("cache-capability-xattrs", conf->cache_capability,
+ bool, out);
+ mdc_key_load_set (mdc_keys, "security.capability",
+ conf->cache_capability);
+
+ GF_OPTION_INIT ("cache-ima-xattrs", conf->cache_ima, bool, out);
+ mdc_key_load_set (mdc_keys, "security.ima", conf->cache_ima);
 GF_OPTION_INIT ("cache-posix-acl", conf->cache_posix_acl, bool, out);
 mdc_key_load_set (mdc_keys, "system.posix_acl_", conf->cache_posix_acl);
@@ -3039,6 +3108,14 @@ struct volume_options options[] = {
 .type = GF_OPTION_TYPE_BOOL,
 .default_value = "false",
 },
+ { .key = {"cache-capability-xattrs"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "true",
+ },
+ { .key = {"cache-ima-xattrs"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "true",
+ },
 { .key = {"cache-swift-metadata"},
 .type = GF_OPTION_TYPE_BOOL,
 .default_value = "true",
-- cgit
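Review bot: Narrowing the load-set key from `"security."` to `"security.selinux"` changes what `cache-selinux` governs, and the commit message does not say so: if `mdc_key_load_set` matches table entries by prefix (which the old `"security."` argument suggests), one option whose default is `"false"` used to gate every `security.*` key, whereas after this hunk `security.capability` and `security.ima` are gated by two new options that the @@ -3039 hunk defaults to `"true"`, so existing volumes start caching file-capability and IMA xattrs on upgrade with no admin action. A stale cached `security.capability` presumably keeps being served to the client until the md-cache timeout expires even after it was removed on the brick, so the default for `cache-capability-xattrs` deserves an explicit decision and a one-line rationale in the option entry, for example `/* default true: capability xattrs change rarely; stale entries expire with md-cache-timeout */` or a `"false"` default matching `cache-selinux`. The same load-set change is repeated in init in the @@ -2892 hunk; reconfigure and init both continue outside the hunks shown.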