2020-11-06 17:56:30

by Olga Kornievskaia

Subject: [PATCH v4 1/1] NFSv4.2: condition READDIR's mask for security label based on LSM state

From: Olga Kornievskaia <[email protected]>

Currently, the client will always ask for security_labels if the server
returns that it supports that feature regardless of any LSM modules
(such as SELinux) enforcing security policy. This adds a performance
penalty to the READDIR operation.

Client adjusts superblock's support of the security_label based on
the server's support but also current client's configuration of the
LSM modules. Thus, prior to using the default bitmask in READDIR,
this patch checks the server's capabilities and then instructs
READDIR to remove FATTR4_WORD2_SECURITY_LABEL from the bitmask.

v4: simplifying logic
v3: changing label's initialization per Ondrej's comment
v2: dropping selinux hook and using the sb cap.

Suggested-by: Ondrej Mosnacek <[email protected]>
Suggested-by: Scott Mayhew <[email protected]>
Signed-off-by: Olga Kornievskaia <[email protected]>
---
fs/nfs/nfs4proc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 9e0ca9b2b210..ea72202887c0 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4966,7 +4966,6 @@ static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
.pages = pages,
.pgbase = 0,
.count = count,
- .bitmask = NFS_SERVER(d_inode(dentry))->attr_bitmask,
.plus = plus,
};
struct nfs4_readdir_res res;
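Review bot: Removing the `.bitmask` line from the `args` initializer leaves `args.bitmask` NULL at declaration, so the request is only correct once the assignment added further down in the function has run. Keeping the default `attr_bitmask` in the initializer and overriding it only when NFS_CAP_SECURITY_LABEL is not set would keep the struct fully initialized where it is declared and drop the `else` branch.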
@@ -4981,6 +4980,11 @@ static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__,
dentry,
(unsigned long long)cookie);
+ if (!(NFS_SERVER(d_inode(dentry))->caps & NFS_CAP_SECURITY_LABEL))
+ args.bitmask = server->attr_bitmask_nl;
+ else
+ args.bitmask = server->attr_bitmask;
+
nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, &args);
res.pgbase = args.pgbase;
status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);
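Review bot: `server` is used in both added assignments (`args.bitmask = server->attr_bitmask_nl;` and `args.bitmask = server->attr_bitmask;`) but nothing in the lines shown for _nfs4_proc_readdir() declares it, while the condition directly above still spells out `NFS_SERVER(d_inode(dentry))`. Declare a local such as `struct nfs_server *server = NFS_SERVER(dir);` next to the other locals, or write the two assignments with `NFS_SERVER(dir)->...`, and use the same expression in the `caps` test so that the capability check and the chosen bitmask visibly come from the same server object.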
--
2.18.2


2020-11-09 10:23:02

by kernel test robot

Subject: Re: [PATCH v4 1/1] NFSv4.2: condition READDIR's mask for security label based on LSM state

Hi Olga,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nfs/linux-next]
[also build test ERROR on v5.10-rc3 next-20201109]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Olga-Kornievskaia/NFSv4-2-condition-READDIR-s-mask-for-security-label-based-on-LSM-state/20201109-095958
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
config: powerpc64-randconfig-r016-20201109 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 09ec07827b1128504457a93dee80b2ceee1af600)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install powerpc64 cross compiling tool for clang build
# apt-get install binutils-powerpc64-linux-gnu
# https://github.com/0day-ci/linux/commit/e0d917660042c74411f25268b6c9c9c1c85425f2
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Olga-Kornievskaia/NFSv4-2-condition-READDIR-s-mask-for-security-label-based-on-LSM-state/20201109-095958
git checkout e0d917660042c74411f25268b6c9c9c1c85425f2
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=powerpc64

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All errors (new ones prefixed by >>):

>> fs/nfs/nfs4proc.c:4984:18: error: use of undeclared identifier 'server'
args.bitmask = server->attr_bitmask_nl;
^
fs/nfs/nfs4proc.c:4986:18: error: use of undeclared identifier 'server'
args.bitmask = server->attr_bitmask;
^
2 errors generated.

vim +/server +4984 fs/nfs/nfs4proc.c

4959
4960 static int _nfs4_proc_readdir(struct dentry *dentry, const struct cred *cred,
4961 u64 cookie, struct page **pages, unsigned int count, bool plus)
4962 {
4963 struct inode *dir = d_inode(dentry);
4964 struct nfs4_readdir_arg args = {
4965 .fh = NFS_FH(dir),
4966 .pages = pages,
4967 .pgbase = 0,
4968 .count = count,
4969 .plus = plus,
4970 };
4971 struct nfs4_readdir_res res;
4972 struct rpc_message msg = {
4973 .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_READDIR],
4974 .rpc_argp = &args,
4975 .rpc_resp = &res,
4976 .rpc_cred = cred,
4977 };
4978 int status;
4979
4980 dprintk("%s: dentry = %pd2, cookie = %Lu\n", __func__,
4981 dentry,
4982 (unsigned long long)cookie);
4983 if (!(NFS_SERVER(d_inode(dentry))->caps & NFS_CAP_SECURITY_LABEL))
> 4984 args.bitmask = server->attr_bitmask_nl;
4985 else
4986 args.bitmask = server->attr_bitmask;
4987
4988 nfs4_setup_readdir(cookie, NFS_I(dir)->cookieverf, dentry, &args);
4989 res.pgbase = args.pgbase;
4990 status = nfs4_call_sync(NFS_SERVER(dir)->client, NFS_SERVER(dir), &msg, &args.seq_args, &res.seq_res, 0);
4991 if (status >= 0) {
4992 memcpy(NFS_I(dir)->cookieverf, res.verifier.data, NFS4_VERIFIER_SIZE);
4993 status += args.pgbase;
4994 }
4995
4996 nfs_invalidate_atime(dir);
4997
4998 dprintk("%s: returns %d\n", __func__, status);
4999 return status;
5000 }
5001

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

