[PATCH][CIFS] Add 'nodelete' mount parm

[PATCH][CIFS] Add 'nodelete' mount parm

[Steve French]

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

    In order to handle workloads where it is important to make sure that
    a buggy app did not delete content on the drive, the new mount option
    "nodelete" allows standard permission checks on the server to work,
    but prevents on the client any attempts to unlink a file or delete
    a directory on that mount point.  This can be helpful when running
    a little understood app on a network mount that contains important
    content that should not be deleted.


-- 
Thanks,

Steve

[-- Attachment #2: 0001-smb3-Add-new-parm-nodelete.patch --]
[-- Type: text/x-patch, Size: 4509 bytes --]

From 2755388f5e8b5c6dc949fa0108d3210e818ca883 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Tue, 19 May 2020 03:06:57 -0500
Subject: [PATCH] smb3: Add new parm "nodelete"

In order to handle workloads where it is important to make sure that
a buggy app did not delete content on the drive, the new mount option
"nodelete" allows standard permission checks on the server to work,
but prevents on the client any attempts to unlink a file or delete
a directory on that mount point.  This can be helpful when running
a little understood app on a network mount that contains important
content that should not be deleted.

Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
---
 fs/cifs/cifsfs.c   |  2 ++
 fs/cifs/cifsglob.h |  2 ++
 fs/cifs/connect.c  |  9 ++++++++-
 fs/cifs/inode.c    | 11 +++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index c31f362fa098..889f9c71049b 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -534,6 +534,8 @@ cifs_show_options(struct seq_file *s, struct dentry *root)
 		seq_puts(s, ",signloosely");
 	if (tcon->nocase)
 		seq_puts(s, ",nocase");
+	if (tcon->nodelete)
+		seq_puts(s, ",nodelete");
 	if (tcon->local_lease)
 		seq_puts(s, ",locallease");
 	if (tcon->retry)
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 39b708d9d86d..4d261fd78fcb 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -562,6 +562,7 @@ struct smb_vol {
 	bool override_gid:1;
 	bool dynperm:1;
 	bool noperm:1;
+	bool nodelete:1;
 	bool mode_ace:1;
 	bool no_psx_acl:1; /* set if posix acl support should be disabled */
 	bool cifs_acl:1;
@@ -1136,6 +1137,7 @@ struct cifs_tcon {
 	bool retry:1;
 	bool nocase:1;
 	bool nohandlecache:1; /* if strange server resource prob can turn off */
+	bool nodelete:1;
 	bool seal:1;      /* transport encryption for this mounted share */
 	bool unix_ext:1;  /* if false disable Linux extensions to CIFS protocol
 				for this mount even if server would support */
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 62503fbed2ab..cde7ff55f0a3 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -75,7 +75,7 @@ enum {
 	Opt_forceuid, Opt_noforceuid,
 	Opt_forcegid, Opt_noforcegid,
 	Opt_noblocksend, Opt_noautotune, Opt_nolease,
-	Opt_hard, Opt_soft, Opt_perm, Opt_noperm,
+	Opt_hard, Opt_soft, Opt_perm, Opt_noperm, Opt_nodelete,
 	Opt_mapposix, Opt_nomapposix,
 	Opt_mapchars, Opt_nomapchars, Opt_sfu,
 	Opt_nosfu, Opt_nodfs, Opt_posixpaths,
@@ -141,6 +141,7 @@ static const match_table_t cifs_mount_option_tokens = {
 	{ Opt_soft, "soft" },
 	{ Opt_perm, "perm" },
 	{ Opt_noperm, "noperm" },
+	{ Opt_nodelete, "nodelete" },
 	{ Opt_mapchars, "mapchars" }, /* SFU style */
 	{ Opt_nomapchars, "nomapchars" },
 	{ Opt_mapposix, "mapposix" }, /* SFM style */
@@ -1761,6 +1762,9 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
 		case Opt_noperm:
 			vol->noperm = 1;
 			break;
+		case Opt_nodelete:
+			vol->nodelete = 1;
+			break;
 		case Opt_mapchars:
 			vol->sfu_remap = true;
 			vol->remap = false; /* disable SFM mapping */
@@ -3363,6 +3367,8 @@ static int match_tcon(struct cifs_tcon *tcon, struct smb_vol *volume_info)
 		return 0;
 	if (tcon->no_lease != volume_info->no_lease)
 		return 0;
+	if (tcon->nodelete != volume_info->nodelete)
+		return 0;
 	return 1;
 }
 
@@ -3598,6 +3604,7 @@ cifs_get_tcon(struct cifs_ses *ses, struct smb_vol *volume_info)
 	tcon->retry = volume_info->retry;
 	tcon->nocase = volume_info->nocase;
 	tcon->nohandlecache = volume_info->nohandlecache;
+	tcon->nodelete = volume_info->nodelete;
 	tcon->local_lease = volume_info->local_lease;
 	INIT_LIST_HEAD(&tcon->pending_opens);
 
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 5d2965a23730..873b1effd412 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1418,6 +1418,11 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry)
 
 	xid = get_xid();
 
+	if (tcon->nodelete) {
+		rc = -EACCES;
+		goto unlink_out;
+	}
+
 	/* Unlink can be called from rename so we can not take the
 	 * sb->s_vfs_rename_mutex here */
 	full_path = build_path_from_dentry(dentry);
@@ -1746,6 +1751,12 @@ int cifs_rmdir(struct inode *inode, struct dentry *direntry)
 		goto rmdir_exit;
 	}
 
+	if (tcon->nodelete) {
+		rc = -EACCES;
+		cifs_put_tlink(tlink);
+		goto rmdir_exit;
+	}
+
 	rc = server->ops->rmdir(xid, tcon, full_path, cifs_sb);
 	cifs_put_tlink(tlink);
 
-- 
2.25.1

Re: [PATCH][CIFS] Add 'nodelete' mount parm

[Pavel Shilovsky]

Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
--
Best regards,
Pavel Shilovsky

вт, 19 мая 2020 г. в 01:14, Steve French <smfrench@gmail.com>:
>
>     In order to handle workloads where it is important to make sure that
>     a buggy app did not delete content on the drive, the new mount option
>     "nodelete" allows standard permission checks on the server to work,
>     but prevents on the client any attempts to unlink a file or delete
>     a directory on that mount point.  This can be helpful when running
>     a little understood app on a network mount that contains important
>     content that should not be deleted.
>
>
> --
> Thanks,
>
> Steve

Re: [PATCH][CIFS] Add 'nodelete' mount parm

[ronnie sahlberg]

Hm.

Do we need this in the cifs module? We already have so many cifs
specific options.

I mean, this feature might be useful for when handling buggy applications
but there is nothing cifs specific in it.

Should this rather be a mount option that affects the VFS layer
itself, and thus protects
ALL filesystems from these kind of buggy applications?

(It can also be solved by ACLs on the server. A top level ACE that
denied delete and that is inherited to all
child objects)

Regards
ronnie s


On Tue, May 19, 2020 at 6:14 PM Steve French <smfrench@gmail.com> wrote:
>
>     In order to handle workloads where it is important to make sure that
>     a buggy app did not delete content on the drive, the new mount option
>     "nodelete" allows standard permission checks on the server to work,
>     but prevents on the client any attempts to unlink a file or delete
>     a directory on that mount point.  This can be helpful when running
>     a little understood app on a network mount that contains important
>     content that should not be deleted.
>
>
> --
> Thanks,
>
> Steve