DAOS-14639 dfuse: Do not allow security. xattr to be set. (#13333)

fuse will call this often to read non-existent xattrs for every write request so short-circuit these to avoid server round-trips. Required-githooks: true Change-Id: I3337b1724f237cc50a5a537e0844f05f0ed9cc61 Signed-off-by: Ashley Pittman <ashley.m.pittman@intel.com>
daos-stack · Feb 28, 2024 · 86e39da · 86e39da
1 parent c05c83f
commit 86e39da
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/src/client/dfuse/dfuse_fuseops.c b/src/client/dfuse/dfuse_fuseops.c
@@ -464,6 +464,11 @@ df_ll_symlink(fuse_req_t req, const char *link, fuse_ino_t parent,
 	DFUSE_REPLY_ERR_RAW(fs_handle, req, rc);
 }
 
+/* Do not allow security xattrs to be set or read, see DAOS-14639 */
+#define XATTR_SEC   "security."
+/* Do not allow either system.posix_acl_default or system.posix_acl_access */
+#define XATTR_P_ACL "system.posix_acl"
+
 void
 df_ll_setxattr(fuse_req_t req, fuse_ino_t ino, const char *name,
 	       const char *value, size_t size, int flags)
@@ -479,6 +484,12 @@ df_ll_setxattr(fuse_req_t req, fuse_ino_t ino, const char *name,
 		D_GOTO(err, rc = EPERM);
 	}
 
+	if (strncmp(name, XATTR_SEC, sizeof(XATTR_SEC) - 1) == 0)
+		D_GOTO(err, rc = ENOTSUP);
+
+	if (strncmp(name, XATTR_P_ACL, sizeof(XATTR_P_ACL) - 1) == 0)
+		D_GOTO(err, rc = ENOTSUP);
+
 	rlink = d_hash_rec_find(&fs_handle->dpi_iet, &ino, sizeof(ino));
 	if (!rlink) {
 		DFUSE_TRA_ERROR(fs_handle, "Failed to find inode %#lx", ino);
@@ -508,6 +519,12 @@ df_ll_getxattr(fuse_req_t req, fuse_ino_t ino, const char *name, size_t size)
 	d_list_t			*rlink;
 	int				rc;
 
+	if (strncmp(name, XATTR_SEC, sizeof(XATTR_SEC) - 1) == 0)
+		D_GOTO(err, rc = ENODATA);
+
+	if (strncmp(name, XATTR_P_ACL, sizeof(XATTR_P_ACL) - 1) == 0)
+		D_GOTO(err, rc = ENODATA);
+
 	rlink = d_hash_rec_find(&fs_handle->dpi_iet, &ino, sizeof(ino));
 	if (!rlink) {
 		DFUSE_TRA_ERROR(fs_handle, "Failed to find inode %#lx", ino);

diff --git a/src/tests/ftest/dfuse/daos_build.py b/src/tests/ftest/dfuse/daos_build.py
@@ -214,7 +214,12 @@ def run_build_test(self, cache_mode, intercept=False, run_on_vms=False):
                 'python3 -m pip install pip --upgrade',
                 'python3 -m pip install -r {}/requirements.txt'.format(build_dir),
                 'scons -C {} --jobs {} --build-deps=only'.format(build_dir, build_jobs),
-                'scons -C {} --jobs {}'.format(build_dir, intercept_jobs)]
+                'daos filesystem query {}'.format(mount_dir),
+                'daos filesystem evict {}'.format(build_dir),
+                'daos filesystem query {}'.format(mount_dir),
+                'scons -C {} --jobs {}'.format(build_dir, intercept_jobs),
+                'scons -C {} --jobs {} install'.format(build_dir, intercept_jobs),
+                'daos filesystem query {}'.format(mount_dir)]
         for cmd in cmds:
             command = '{};{}'.format(preload_cmd, cmd)
             # Use a short timeout for most commands, but vary the build timeout based on dfuse mode.