[PATCH] vfs_gpfs: add optional ACL auditing

Ralph Böhme slow at samba.org
Fri Dec 16 11:29:45 UTC 2016 

Hi!

Attached is a patch for vfs_gpfs that adds an optional hook for kernel auditing
frameworks to audit ACL changes.

Please review&push if ok.

Cheerio!
-slow
-------------- next part --------------
From ac405a5391a7b88fc273c6a8a264f1b51239af94 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 9 Nov 2016 14:43:35 +0100
Subject: [PATCH] vfs_gpfs: add optional ACL auditing

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Signed-off-by: Ralph Boehme <slow at samba.org>
---
 docs-xml/manpages/vfs_gpfs.8.xml | 22 ++++++++++++++++++
 source3/modules/vfs_gpfs.c       | 48 ++++++++++++++++++++++++++++++++++------
 2 files changed, 63 insertions(+), 7 deletions(-)

diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index abf997b..4703ddd 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -363,6 +363,28 @@
 		</listitem>
 
 		</varlistentry>
+
+		<varlistentry>
+
+		<term>gpfs:acl_change_auditing = [ yes | no ]</term>
+		<listitem>
+		<para>
+		Whenever an ACL is successfully set, also set the extended
+		attribute <emphasis>inode_table_acl_audit</emphasis> on the file
+		or directory, with the raw GPFS acl blob as xattr value.
+		</para>
+
+		<itemizedlist>
+		<listitem><para><command>yes</command> - Enable ACL
+		auditing.</para></listitem>
+
+		<listitem><para><command>no (default)</command> - Do
+		not use ACL auditing.</para></listitem>
+		</itemizedlist>
+		</listitem>
+
+		</varlistentry>
+
 		<varlistentry>
 
 		<term>nfs4:mode = [ simple | special ]</term>
diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index f7434c9..768bf63 100644
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -52,6 +52,7 @@ struct gpfs_config_data {
 	bool acl;
 	bool settimes;
 	bool recalls;
+	bool acl_change_auditing;
 };
 
 struct gpfs_fsp_extension {
@@ -74,6 +75,36 @@ static inline gpfs_ace_v4_t *gpfs_ace_ptr(gpfs_acl_t *gacl, unsigned int i)
 	return &gacl->ace_v4[i];
 }
 
+/* additional wrapper for gpfswrap_putacl() to notify kernel VFS based audit
+   frameworks about ACL updates.
+ */
+static int gpfs_putacl_audit(vfs_handle_struct *handle,
+			     char *pathname,
+			     int flags,
+			     void *acl)
+{
+	int ret;
+	gpfs_acl_t *gacl = acl;
+	struct gpfs_config_data *config = NULL;
+
+	SMB_VFS_HANDLE_GET_DATA(handle, config,
+				struct gpfs_config_data,
+				return -1);
+
+	ret = gpfswrap_putacl(pathname, flags, acl);
+	if ((ret == 0) && config->acl_change_auditing) {
+		setxattr(pathname, "inode_table_acl_audit",
+			 gacl, gacl->acl_len, 0);
+		/*
+		 * Reset errno as setxattr() is expected to fail with
+		 * ENOTSUP because xattr name is missing a namespace
+		 * prefix.
+		 */
+		errno = 0;
+	}
+	return ret;
+}
+
 static bool set_gpfs_sharemode(files_struct *fsp, uint32_t access_mask,
 			       uint32_t share_access)
 {
@@ -766,8 +797,8 @@ static bool gpfsacl_process_smbacl(vfs_handle_struct *handle,
 	if (gacl == NULL) { /* out of memory */
 		return False;
 	}
-	ret = gpfswrap_putacl(fsp->fsp_name->base_name,
-			      GPFS_PUTACL_STRUCT | GPFS_ACL_SAMBA, gacl);
+	ret = gpfs_putacl_audit(handle, fsp->fsp_name->base_name,
+				GPFS_PUTACL_STRUCT | GPFS_ACL_SAMBA, gacl);
 
 	if ((ret != 0) && (errno == EINVAL)) {
 		DEBUG(10, ("Retry without nfs41 control flags\n"));
@@ -776,9 +807,9 @@ static bool gpfsacl_process_smbacl(vfs_handle_struct *handle,
 		if (gacl == NULL) { /* out of memory */
 			return False;
 		}
-		ret = gpfswrap_putacl(fsp->fsp_name->base_name,
-				      GPFS_PUTACL_STRUCT | GPFS_ACL_SAMBA,
-				      gacl);
+		ret = gpfs_putacl_audit(handle, fsp->fsp_name->base_name,
+					GPFS_PUTACL_STRUCT | GPFS_ACL_SAMBA,
+					gacl);
 	}
 
 	if (ret != 0) {
@@ -1253,8 +1284,8 @@ static int gpfsacl_sys_acl_set_file(vfs_handle_struct *handle,
 		return -1;
 	}
 
-	result = gpfswrap_putacl(discard_const_p(char, name),
-				 GPFS_PUTACL_STRUCT|GPFS_ACL_SAMBA, gpfs_acl);
+	result = gpfs_putacl_audit(handle, discard_const_p(char, name),
+				   GPFS_PUTACL_STRUCT|GPFS_ACL_SAMBA, gpfs_acl);
 
 	SAFE_FREE(gpfs_acl);
 	return result;
@@ -2061,6 +2092,9 @@ static int vfs_gpfs_connect(struct vfs_handle_struct *handle,
 	config->recalls = lp_parm_bool(SNUM(handle->conn), "gpfs",
 				       "recalls", true);
 
+	config->acl_change_auditing = lp_parm_bool(SNUM(handle->conn), "gpfs",
+						   "acl_change_auditing", false);
+
 	SMB_VFS_HANDLE_SET_DATA(handle, config,
 				NULL, struct gpfs_config_data,
 				return -1);
-- 
2.7.4

More information about the samba-technical mailing list