// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
* Ceph distributed storage system
*
* (C) Copyright IBM Corporation 2022
* Author: Martin Ohmacht <mohmacht@us.ibm.com>
*
* Based on the file ceph/src/erasure-code/ErasureCodePlugin.cc
* Copyright (C) 2013,2014 Cloudwatt <libre.licensing@cloudwatt.com>
* Copyright (C) 2014 Red Hat <contact@redhat.com>
*
* Author: Loic Dachary <loic@dachary.org>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
*/
#include <errno.h>
#include "ceph_ver.h"
#include "ExtBlkDevPlugin.h"
#include "common/errno.h"
#include "include/dlfcn_compat.h"
#include "include/str_list.h"
#include "include/ceph_assert.h"
#include "common/ceph_context.h"
#include "common/debug.h"
#define dout_subsys ceph_subsys_bdev
#define dout_context cct
using namespace std;
namespace ceph {
namespace extblkdev {
#ifdef __linux__
// Collect the union of the capabilities requested by all preloaded
// extblkdev plugins.
//
// Each plugin fills a scratch capability set through get_required_cap_set().
// Every capability whose CAP_PERMITTED flag is not clear in that scratch set
// is then marked CAP_PERMITTED in merge_caps; no other flag of the plugin's
// set is read. The plugin registry lock is held for the whole scan.
//
// Returns 0 on success (also when no "extblkdev" plugin type is registered),
// -errno when a libcap call fails, -ENOENT when a registered entry is not an
// ExtBlkDevPlugin, or the non-zero code returned by a plugin.
int get_required_caps(CephContext *cct, cap_t &merge_caps)
{
  // scratch set that every plugin populates in turn
  cap_t plugin_caps = cap_init();
  if (plugin_caps == nullptr) {
    return -errno;
  }
  auto free_plugin_caps = make_scope_guard([&plugin_caps] {
    if (plugin_caps != nullptr) {
      cap_free(plugin_caps);
    }
  });

  auto registry = cct->get_plugin_registry();
  std::lock_guard l(registry->lock);

  // nothing to merge when no extblkdev plugins were preloaded
  auto ptype = registry->plugins.find("extblkdev");
  if (ptype == registry->plugins.end()) {
    return 0;
  }

  for (auto& entry : ptype->second) {
    // start every plugin from an empty set so requests do not leak between plugins
    if (cap_clear(plugin_caps) < 0) {
      return -errno;
    }

    auto ebdplugin = dynamic_cast<ExtBlkDevPlugin*>(entry.second);
    if (ebdplugin == nullptr) {
      derr << __func__ << " Is not an extblkdev plugin: " << entry.first << dendl;
      return -ENOENT;
    }

    const int rc = ebdplugin->get_required_cap_set(plugin_caps);
    if (rc != 0) {
      return rc;
    }

    // copy every requested capability into the merged set
    for (int cap = 0; cap <= CAP_LAST_CAP; ++cap) {
      cap_flag_value_t state;
      if (cap_get_flag(plugin_caps, cap, CAP_PERMITTED, &state) < 0) {
        return -errno;
      }
      if (state == CAP_CLEAR) {
        continue;
      }
      cap_value_t wanted[1] = { cap };
      if (cap_set_flag(merge_caps, CAP_PERMITTED, 1, wanted, CAP_SET) < 0) {
        return -errno;
      }
    }
  }
  return 0;
}
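// Drop from this process every capability that is not marked CAP_PERMITTED
// in merge_caps.
//
// For each capability that is clear in merge_caps but permitted for the
// process, the CAP_PERMITTED and CAP_EFFECTIVE flags are cleared in a copy of
// the process set; the copy is applied with cap_set_proc() only if at least
// one flag changed.
// NOTE(review): the CAP_INHERITABLE flag is never modified here; confirm that
// leaving inheritable capabilities in place is intended.
//
// Returns 0 on success or -errno of the failing libcap call. A non-zero
// return means the process may still hold its original capabilities.
int trim_caps(CephContext *cct, cap_t &merge_caps)
{
  cap_t proc_caps = nullptr;
  auto close_caps_on_return = make_scope_guard([&] {
    if (proc_caps != nullptr) {
      cap_free(proc_caps);
    }
  });
  bool changed = false;
  // get process capability set
  proc_caps = cap_get_proc();
  if (proc_caps == nullptr) {
    // Save errno before logging: nothing guarantees that the log statement
    // leaves errno untouched, and a clobbered value of 0 would be returned
    // as success although no capability was dropped.
    const int err = errno;
    dout(1) << " cap_get_proc failed with errno: " << err << dendl;
    return -err;
  }
  {
    // best-effort debug output; a failed cap_to_text() is not an error
    char *cap_str = cap_to_text(proc_caps, 0);
    if (cap_str != nullptr) {
      dout(10) << " cap_get_proc yields: " << cap_str << dendl;
      cap_free(cap_str);
    }
  }
  // iterate over capabilities
  for (int i = 0; i <= CAP_LAST_CAP; ++i) {
    cap_flag_value_t val;
    if (cap_get_flag(merge_caps, i, CAP_PERMITTED, &val) < 0) {
      return -errno;
    }
    if (val == CAP_CLEAR) {
      if (cap_get_flag(proc_caps, i, CAP_PERMITTED, &val) < 0) {
        return -errno;
      }
      if (val != CAP_CLEAR) {
        // if bit clear in merged set, but set in process set, clear in process set
        changed = true;
        cap_value_t arr[1];
        arr[0] = i;
        if (cap_set_flag(proc_caps, CAP_PERMITTED, 1, arr, CAP_CLEAR) < 0) {
          return -errno;
        }
        if (cap_set_flag(proc_caps, CAP_EFFECTIVE, 1, arr, CAP_CLEAR) < 0) {
          return -errno;
        }
      }
    }
  }
  // apply reduced capability set to process
  if (changed) {
    char *cap_str = cap_to_text(proc_caps, 0);
    if (cap_str != nullptr) {
      dout(10) << " new caps for cap_set_proc: " << cap_str << dendl;
      cap_free(cap_str);
    }
    if (cap_set_proc(proc_caps) < 0) {
      // same reasoning as above: report the errno of cap_set_proc itself
      const int err = errno;
      dout(1) << " cap_set_proc failed with errno: " << err << dendl;
      return -err;
    }
  }
  return 0;
}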
// Reduce the capabilities of this process to those requested by the
// preloaded extblkdev plugins.
//
// Builds an empty capability set, lets get_required_caps() fill it with the
// merged plugin requests and hands the result to trim_caps(). The set is
// freed on every return path.
//
// Returns 0 on success, -errno if the set cannot be allocated, or the first
// non-zero code from get_required_caps() / trim_caps().
int limit_caps(CephContext *cct)
{
  cap_t merge_caps = cap_init();
  if (merge_caps == nullptr) {
    return -errno;
  }
  auto free_merge_caps = make_scope_guard([&merge_caps] {
    if (merge_caps != nullptr) {
      cap_free(merge_caps);
    }
  });

  // do not trim anything when the required set could not be determined
  const int collected = get_required_caps(cct, merge_caps);
  if (collected != 0) {
    return collected;
  }
  return trim_caps(cct, merge_caps);
}
#endif
// Preload the extblkdev plugins named in the "osd_extblkdev_plugins" option
// and, on Linux, reduce the process capabilities afterwards.
//
// Every configured name is loaded through the plugin registry as
// "ebd_<name>" while the registry lock is held; the first failing load aborts
// the preload and its code is returned, in which case the capabilities are
// not trimmed. On Linux, a process whose effective uid is 0 keeps all its
// capabilities; any other process is passed to limit_caps().
// NOTE(review): the plugin names are used exactly as configured; how the
// registry resolves them to a file is not visible in this file.
//
// Returns 0 on success, otherwise the code of the failing load or of
// limit_caps().
int preload(CephContext *cct)
{
  const auto& conf = cct->_conf;
  std::string configured = conf.get_val<std::string>("osd_extblkdev_plugins");
  dout(10) << "starting preload of extblkdev plugins: " << configured << dendl;

  std::list<std::string> names;
  get_str_list(configured, names);

  auto registry = cct->get_plugin_registry();
  {
    // the lock is released before the capability handling below
    std::lock_guard l(registry->lock);
    for (auto& plg : names) {
      dout(10) << "starting load of extblkdev plugin: " << plg << dendl;
      const int rc = registry->load("extblkdev", "ebd_" + plg);
      if (rc != 0) {
        derr << __func__ << " failed preloading extblkdev plugin: " << plg << dendl;
        return rc;
      }
      dout(10) << "successful load of extblkdev plugin: " << plg << dendl;
    }
  }

#ifdef __linux__
  // a non-root process keeps only the capabilities its plugins asked for;
  // when still running as root the privileges are meant to be used, so
  // nothing is trimmed
  if (geteuid() != 0) {
    return limit_caps(cct);
  }
  return 0;
#else
  return 0;
#endif
}
// Ask each preloaded extblkdev plugin whether it supports the given device.
//
// The plugins are tried in registry order with the registry lock held; the
// first plugin whose factory() returns 0 wins and its device object is left
// in ebd_impl.
//
// Returns 0 when a plugin accepted the device, -ENOENT when no extblkdev
// plugin is registered or a registered entry is not an ExtBlkDevPlugin, and
// otherwise the code of the last factory() call that was made.
int detect_device(CephContext *cct,
                  const std::string &logdevname,
                  ExtBlkDevInterfaceRef& ebd_impl)
{
  auto registry = cct->get_plugin_registry();
  std::lock_guard l(registry->lock);

  auto ptype = registry->plugins.find("extblkdev");
  if (ptype == registry->plugins.end()) {
    return -ENOENT;
  }

  // stays -ENOENT when the plugin set is empty
  int last_rc = -ENOENT;
  for (auto& entry : ptype->second) {
    dout(10) << __func__ << " Trying to detect block device " << logdevname
             << " using plugin " << entry.first << dendl;
    auto ebdplugin = dynamic_cast<ExtBlkDevPlugin*>(entry.second);
    if (ebdplugin == nullptr) {
      derr << __func__ << " Is not an extblkdev plugin: " << entry.first << dendl;
      return -ENOENT;
    }
    last_rc = ebdplugin->factory(logdevname, ebd_impl);
    if (last_rc != 0) {
      continue;
    }
    // NOTE(review): assumes a factory() that returns 0 has set ebd_impl to a
    // valid object, since it is dereferenced here; confirm against the plugins
    const std::string plg_name = entry.first;
    dout(1) << __func__ << " using plugin " << plg_name << ", " << "volume " << ebd_impl->get_devname()
            << " maps to " << logdevname << dendl;
    return last_rc;
  }

  dout(10) << __func__ << " no plugin volume maps to " << logdevname << dendl;
  return last_rc;
}
// Release the caller's reference to a device object obtained from
// detect_device(). An empty reference is left untouched.
//
// Always returns 0.
int release_device(ExtBlkDevInterfaceRef& ebd_impl)
{
  if (!ebd_impl) {
    return 0;
  }
  ebd_impl.reset();
  return 0;
}
}
}