From: Venky Shankar Date: Tue, 25 Aug 2020 01:48:53 +0000 (-0400) Subject: mds: restrict setting/removing certain xattrs in ceph namespace X-Git-Tag: v16.1.0~827^2~5 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=dac72ff0b3b34dfe85bc7527bca5505ac09f3be8;p=ceph.git mds: restrict setting/removing certain xattrs in ceph namespace Since all ceph.* xattrs need not be virtual (stored in inode structure), restrict certain xattrs (ceph.mirror.info) to be persisted in xattr_map. Other ceph.* xattrs which do not pass the virtual xattr check are rejected. Signed-off-by: Venky Shankar
---
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 91598f173f0f..c5881e1b351c 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -6012,6 +6012,11 @@ void Server::handle_client_setxattr(MDRequestRef& mdr)
 return;
 }
+ if (!is_allowed_ceph_xattr(name)) {
+ respond_to_request(mdr, -EINVAL);
+ return;
+ }
+
 CInode *cur = rdlock_path_pin_ref(mdr, true);
 if (!cur)
 return;
@@ -6105,6 +6110,11 @@ void Server::handle_client_removexattr(MDRequestRef& mdr)
 return;
 }
+ if (!is_allowed_ceph_xattr(name)) {
+ respond_to_request(mdr, -EINVAL);
+ return;
+ }
+
 CInode* cur = rdlock_path_pin_ref(mdr, true);
 if (!cur)
 return;
diff --git a/src/mds/Server.h b/src/mds/Server.h
index 10c9df553f07..df0b9cb16c42 100644
--- a/src/mds/Server.h
+++ b/src/mds/Server.h
@@ -417,6 +417,15 @@ private:
 xattr_name == "ceph.dir.pin.distributed"sv;
 }
+ static bool is_allowed_ceph_xattr(std::string_view xattr_name) {
+ // not a ceph xattr -- allow!
+ if (xattr_name.rfind("ceph.", 0) != 0) {
+ return true;
+ }
+
+ return xattr_name == "ceph.mirror.info";
+ }
+
 void reply_client_request(MDRequestRef& mdr, const ref_t &reply);
 void flush_session(Session *session, MDSGatherBuilder& gather);
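Review bot: The new `is_allowed_ceph_xattr(name)` guard in `handle_client_setxattr` filters by name only, so nothing in this hunk limits which client may write `ceph.mirror.info`. If the access check further down the handler (outside the hunk) is the ordinary inode permission check, any client with write access to the inode could set or overwrite the mirror metadata; it is worth confirming that is intended or gating this name on a stronger check. The same four lines are added to `handle_client_removexattr` in the next hunk, where the equivalent concern is removal of the attribute. A comment above the guard such as `// ceph.* names that are not vxattrs are rejected unless explicitly allowlisted` would also record why it has to sit after the vxattr branch. Both handler bodies start and end outside their hunks.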
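Review bot: `is_allowed_ceph_xattr` in Server.h carries no comment saying what admission means, although it is the single place that decides which `ceph.*` names the client setxattr/removexattr handlers will accept. Per the commit description, a name accepted here is persisted in xattr_map rather than handled as a virtual xattr, so a header comment should state that and the default-deny behaviour, e.g. `// Allowlist of non-virtual ceph.* xattrs persisted in xattr_map; every other ceph.* name is rejected.` For consistency with the `"ceph.dir.pin.distributed"sv` comparison just above, the last line could read `return xattr_name == "ceph.mirror.info"sv;`. The enclosing class starts and ends outside the hunk.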