On Wed, 2008-02-20 at 08:50 -0500, Stephen Smalley wrote:
On Wed, 2008-02-20 at 11:08 +0100, Miklos Szeredi wrote:
Please don't introduce a special case for just nfs. All filesystems
should control their mount options, so please provide some library
helpers for context= handling and
On Wed, 2008-02-20 at 11:08 +0100, Miklos Szeredi wrote:
Please don't introduce a special case for just nfs. All filesystems
should control their mount options, so please provide some library
helpers for context= handling and move it into all filesystems that
can support selinux.
Hmm,
These patches add local caching for network filesystems such as NFS.
The patches can roughly be broken down into a number of sets:
(*) 01-keys-inc-payload.diff
(*) 02-keys-search-keyring.diff
(*) 03-keys-callout-blob.diff
Three patches to the keyring code made to help the CIFS
Make NFSD work with detached security, using the patches that excise the
security information from task_struct to struct task_security as a base.
Each time NFSD wants a new security descriptor (to do NFS4 recovery or just to
do NFS operations), a task_security record is derived from NFSD's
Change current->fs[ug]id to current_fs[ug]id() so that fsgid and fsuid can be
separated from the task_struct.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
arch/ia64/kernel/perfmon.c|4 ++--
arch/powerpc/platforms/cell/spufs/inode.c |4 ++--
Register NFS for caching and retrieve the top-level cache index object cookie.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/Makefile|1 +
fs/nfs/fscache-index.c | 53
fs/nfs/fscache.h | 35
Check the starting keyring as part of the search to (a) see if that is what
we're searching for, and (b) to check it is still valid for searching.
The scenario: User in process A does things that cause things to be
created in its process session keyring. The user then does an su to
another user
Permit local filesystem caching to be enabled for NFS in the kernel
configuration.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/Kconfig |8
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/Kconfig b/fs/Kconfig
index c42ec50..fa8e978 100644
---
Define and create inode-level cache data storage objects (as managed by
nfs_inode structs).
Each inode-level object is created in a superblock-level index object and is
itself a data storage object into which pages from the inode are stored.
The inode object key is the NFS file handle for the
The attached patch causes read_cache_pages() to release page-private data on a
page for which add_to_page_cache() fails or the filler function fails. This
permits pages with caching references associated with them to be cleaned up.
The invalidatepage() address space op is called (indirectly) to
Increase the size of a payload that can be used to instantiate a key in
add_key() and keyctl_instantiate_key(). This permits huge CIFS SPNEGO blobs to
be passed around. The limit is raised to 1MB. If kmalloc() can't allocate a
buffer of sufficient size, vmalloc() will be tried instead.
Bind data storage objects in the local cache to NFS inodes.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/fscache.c | 131
fs/nfs/fscache.h | 19 +++
fs/nfs/inode.c | 39 --
Add a keyctl() function to get the security label of a key.
The following is added to Documentation/keys.txt:
(*) Get the LSM security context attached to a key.
long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
size_t buflen)
This function
Define and create superblock-level cache index objects (as managed by
nfs_server structs).
Each superblock object is created in a server level index object and is itself
an index into which inode-level objects are inserted.
Ideally there would be one superblock-level object per server, and the
Add FS-Cache option bit to nfs_server struct. This is set to indicate local
on-disk caching is enabled for a particular superblock.
Also add debug bit for local caching operations.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
include/linux/nfs_fs.h|1 +
include/linux/nfs_fs_sb.h
Change all the usages of file->f_mapping in ext3_*write_end() functions to use
the mapping argument directly. This has two consequences:
(*) Consistency. Without this patch sometimes one is used and sometimes the
other is.
(*) A NULL file pointer can be passed. This feature is then made
Recruit a couple of page flags to aid in cache management. The following extra
flags are defined:
(1) PG_fscache (PG_private_2)
The marked page is backed by a local cache and is pinning resources in the
cache driver.
(2) PG_fscache_write (PG_owner_priv_2)
The marked page is
Invalidate the FsCache page flags on the pages belonging to an inode when the
cache backing that NFS inode is removed.
This allows a live cache to be withdrawn.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/fscache-index.c | 40
1 files
nfs_readpage_async() needs to be non-static so that it can be used as a
fallback for the local on-disk caching should an EIO crop up when reading the
cache.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/read.c |4 ++--
include/linux/nfs_fs.h |2 ++
2 files changed,
Display the local caching state in /proc/fs/nfsfs/volumes.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/client.c |7 ---
fs/nfs/fscache.h | 15 +++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index
This one-line patch fixes the missing export of copy_page introduced
by the cachefile patches. This patch is not yet upstream, but is required
for cachefile on ia64. It will be pushed upstream when cachefile goes
upstream.
Signed-off-by: Prarit Bhargava [EMAIL PROTECTED]
Signed-off-by: David
Read pages from an FS-Cache data storage object representing an inode into an
NFS inode.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/fscache.c | 112 ++
fs/nfs/fscache.h | 47 +++
fs/nfs/read.c| 18
Add a function to install a monitor on the page lock waitqueue for a particular
page, thus allowing the page being unlocked to be detected.
This is used by CacheFiles to detect read completion on a page in the backing
filesystem so that it can then copy the data to the waiting netfs page.
FS-Cache page management for NFS. This includes hooking the releasing and
invalidation of pages marked with PG_fscache (aka PG_private_2) and waiting for
completion of the write-to-cache flag (PG_fscache_write aka PG_owner_priv_2).
Signed-off-by: David Howells [EMAIL PROTECTED]
---
Store pages from an NFS inode into the cache data storage object associated
with that inode.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/fscache.c | 26 ++
fs/nfs/fscache.h | 16
fs/nfs/read.c|5 +
3 files changed, 47
Add an address space operation to write one single page of data to an inode at
a page-aligned location (thus permitting the implementation to be highly
optimised). The data source is a single page.
This is used by CacheFiles to store the contents of netfs pages into their
backing file pages.
Add NFS mount options to allow the local caching support to be enabled.
The attached patch makes it possible for the NFS filesystem to be told to make
use of the network filesystem local caching service (FS-Cache).
To be able to use this, a recent nfsutils package is required.
There are three
Add some new NFS I/O event counters for FS-Cache events. They have to be
added as byte counters because I may need to be able to increase the numbers
by more than 1 at a time.
Signed-off-by: David Howells [EMAIL PROTECTED]
---
fs/nfs/iostat.h |7 +++
1 files changed, 7 insertions(+), 0
Quoting Casey Schaufler ([EMAIL PROTECTED]):
From: Casey Schaufler [EMAIL PROTECTED]
Update the Smack LSM to allow the registration of the capability
module as a secondary LSM. Integrate the new hooks required for
file based capabilities.
Hi Casey,
to help people keep their mailboxes
Serge E. Hallyn [EMAIL PROTECTED] wrote:
Seems *really* weird that every time you send this, patch 6 doesn't seem
to reach me in any of my mailboxes... (did get it from the url
you listed)
It's the largest of the patches, so that's not entirely surprising. Hence why
I included the URL to
--- Serge E. Hallyn [EMAIL PROTECTED] wrote:
Quoting Casey Schaufler ([EMAIL PROTECTED]):
From: Casey Schaufler [EMAIL PROTECTED]
Update the Smack LSM to allow the registration of the capability
module as a secondary LSM. Integrate the new hooks required for
file based capabilities.
Hi David,
On Wednesday 20 February 2008 08:05, David Howells wrote:
These patches add local caching for network filesystems such as NFS.
Have you got before/after benchmark results?
Regards,
Daniel