| From f9b9fbb5d3580dfb8cceedeb972e03069a1d7b8f Mon Sep 17 00:00:00 2001 |
| From: Jeremy Allison <jra@samba.org> |
| Date: Thu, 19 Feb 2015 09:26:18 -0800 |
| Subject: [PATCH] s3: smbd: Add new no_new_files VFS module. |
| |
| Provides a read-only filesystem on which files can still be deleted. |
| |
| Signed-off-by: Jeremy Allison <jra@samba.org> |
| Extra config patches added by: Jeffrey Kardatzke <jkardatzke@google.com> |
| --- |
| source3/Makefile.in | 5 + |
| source3/configure | 36 ++++++++ |
| source3/configure.in | 2 + |
| source3/include/config.h.in | 3 + |
| source3/modules/vfs_no_new_files.c | 181 +++++++++++++++++++++++++++++++++++++ |
| source3/modules/wscript_build | 8 ++ |
| source3/wscript | 2 +- |
| 7 files changed, 236 insertions(+), 1 deletion(-) |
| create mode 100644 source3/modules/vfs_no_new_files.c |
| |
| diff --git a/source3/Makefile.in b/source3/Makefile.in |
| index 9e8e03d..67274fa 100644 |
| --- a/source3/Makefile.in |
| +++ b/source3/Makefile.in |
| @@ -848,6 +848,7 @@ VFS_SCANNEDONLY_OBJ = modules/vfs_scannedonly.o |
| VFS_CROSSRENAME_OBJ = modules/vfs_crossrename.o |
| VFS_LINUX_XFS_SGID_OBJ = modules/vfs_linux_xfs_sgid.o |
| VFS_TIME_AUDIT_OBJ = modules/vfs_time_audit.o |
| +VFS_NO_NEW_FILES_OBJ = modules/vfs_no_new_files.o |
| |
| PAM_ERRORS_OBJ = ../libcli/auth/pam_errors.o |
| PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o $(PAM_ERRORS_OBJ) |
| @@ -3191,6 +3192,10 @@ bin/time_audit.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_TIME_AUDIT_OBJ) |
| @echo "Building plugin $@" |
| @$(SHLD_MODULE) $(VFS_TIME_AUDIT_OBJ) |
| |
| +bin/no_new_files.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_NO_NEW_FILES_OBJ) |
| + @echo "Building plugin $@" |
| + @$(SHLD_MODULE) $(VFS_NO_NEW_FILES_OBJ) |
| + |
| ######################################################### |
| ## IdMap NSS plugins |
| |
| diff --git a/source3/configure b/source3/configure |
| index 5ab687b..ced1973 100755 |
| --- a/source3/configure |
| +++ b/source3/configure |
| @@ -8430,6 +8430,7 @@ default_shared_modules="$default_shared_modules vfs_crossrename" |
| default_shared_modules="$default_shared_modules vfs_linux_xfs_sgid" |
| default_shared_modules="$default_shared_modules vfs_time_audit" |
| default_shared_modules="$default_shared_modules idmap_autorid" |
| +default_shared_modules="$default_shared_modules vfs_no_new_files" |
| |
| if test "x$developer" = xyes; then |
| default_static_modules="$default_static_modules rpc_rpcecho pdb_ads" |
| @@ -40125,6 +40126,41 @@ $as_echo "not" >&6; } |
| fi |
| |
| |
| + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to build vfs_no_new_files" >&5 |
| +$as_echo_n "checking how to build vfs_no_new_files... " >&6; } |
| + if test "$MODULE_vfs_no_new_files"; then |
| + DEST=$MODULE_vfs_no_new_files |
| + elif test "$MODULE_vfs" -a "$MODULE_DEFAULT_vfs_no_new_files"; then |
| + DEST=$MODULE_vfs |
| + else |
| + DEST=$MODULE_DEFAULT_vfs_no_new_files |
| + fi |
| + |
| + if test x"$DEST" = xSHARED; then |
| + |
| +$as_echo "#define vfs_no_new_files_init init_samba_module" >>confdefs.h |
| + |
| + VFS_MODULES="$VFS_MODULES "bin/no_new_files.$SHLIBEXT"" |
| + { $as_echo "$as_me:${as_lineno-$LINENO}: result: shared" >&5 |
| +$as_echo "shared" >&6; } |
| + |
| + string_shared_modules="$string_shared_modules vfs_no_new_files" |
| + elif test x"$DEST" = xSTATIC; then |
| + init_static_modules_vfs="$init_static_modules_vfs vfs_no_new_files_init();" |
| + decl_static_modules_vfs="$decl_static_modules_vfs extern NTSTATUS vfs_no_new_files_init(void);" |
| + string_static_modules="$string_static_modules vfs_no_new_files" |
| + VFS_STATIC="$VFS_STATIC \$(VFS_NO_NEW_FILES_OBJ)" |
| + |
| + |
| + { $as_echo "$as_me:${as_lineno-$LINENO}: result: static" >&5 |
| +$as_echo "static" >&6; } |
| + else |
| + string_ignored_modules="$string_ignored_modules vfs_no_new_files" |
| + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not" >&5 |
| +$as_echo "not" >&6; } |
| + fi |
| + |
| + |
| |
| |
| |
| diff --git a/source3/configure.in b/source3/configure.in |
| index 42c23e3..6b0b859 100644 |
| --- a/source3/configure.in |
| +++ b/source3/configure.in |
| @@ -463,6 +463,7 @@ default_shared_modules="$default_shared_modules vfs_crossrename" |
| default_shared_modules="$default_shared_modules vfs_linux_xfs_sgid" |
| default_shared_modules="$default_shared_modules vfs_time_audit" |
| default_shared_modules="$default_shared_modules idmap_autorid" |
| +default_shared_modules="$default_shared_modules vfs_no_new_files" |
| |
| if test "x$developer" = xyes; then |
| default_static_modules="$default_static_modules rpc_rpcecho pdb_ads" |
| @@ -7007,6 +7008,7 @@ SMB_MODULE(vfs_scannedonly, \$(VFS_SCANNEDONLY_OBJ), "bin/scannedonly.$SHLIBEXT" |
| SMB_MODULE(vfs_crossrename, \$(VFS_CROSSRENAME_OBJ), "bin/crossrename.$SHLIBEXT", VFS) |
| SMB_MODULE(vfs_linux_xfs_sgid, \$(VFS_LINUX_XFS_SGID_OBJ), "bin/linux_xfs_sgid.$SHLIBEXT", VFS) |
| SMB_MODULE(vfs_time_audit, \$(VFS_TIME_AUDIT_OBJ), "bin/time_audit.$SHLIBEXT", VFS) |
| +SMB_MODULE(vfs_no_new_files, \$(VFS_NO_NEW_FILES_OBJ), "bin/no_new_files.$SHLIBEXT", VFS) |
| |
| SMB_SUBSYSTEM(VFS,smbd/vfs.o) |
| |
| diff --git a/source3/include/config.in.h b/source3/include/config.in.h |
| index 63f0cf0..5b6b9b3 100644 |
| --- a/source3/include/config.h.in |
| +++ b/source3/include/config.h.in |
| @@ -3473,6 +3473,9 @@ |
| /* Whether to build vfs_notify_fam as shared module */ |
| #undef vfs_notify_fam_init |
| |
| +/* Whether to build vfs_no_new_files as shared module */ |
| +#undef vfs_no_new_files_init |
| + |
| /* Whether to build vfs_onefs as shared module */ |
| #undef vfs_onefs_init |
| |
| diff --git a/source3/modules/vfs_no_new_files.c b/source3/modules/vfs_no_new_files.c |
| new file mode 100644 |
| index 0000000..3a73363 |
| --- /dev/null |
| +++ b/source3/modules/vfs_no_new_files.c |
| @@ -0,0 +1,181 @@ |
| +/* |
| + * Copyright (c) Jeremy Allison 2015. |
| + * |
| + * This program is free software; you can redistribute it and/or modify |
| + * it under the terms of the GNU General Public License as published by |
| + * the Free Software Foundation; either version 3 of the License, or |
| + * (at your option) any later version. |
| + * |
| + * This program is distributed in the hope that it will be useful, |
| + * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| + * GNU General Public License for more details. |
| + * |
| + * You should have received a copy of the GNU General Public License |
| + * along with this program; if not, see <http://www.gnu.org/licenses/>. |
| + */ |
| + |
| +#include "includes.h" |
| +#include "system/filesys.h" |
| +#include "smbd/smbd.h" |
| + |
| +static int nnf_mkdir(vfs_handle_struct *handle, const char *path, mode_t mode) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static int nnf_open_fn(vfs_handle_struct *handle, |
| + struct smb_filename *smb_fname, |
| + files_struct *fsp, |
| + int flags, |
| + mode_t mode) |
| +{ |
| + if (flags & O_CREAT) { |
| + errno = EACCES; |
| + return -1; |
| + } |
| + return SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode); |
| +} |
| + |
| +static NTSTATUS nnf_create_file(vfs_handle_struct *handle, |
| + struct smb_request *req, |
| + uint16_t root_dir_fid, |
| + struct smb_filename *smb_fname, |
| + uint32_t access_mask, |
| + uint32_t share_access, |
| + uint32_t create_disposition, |
| + uint32_t create_options, |
| + uint32_t file_attributes, |
| + uint32_t oplock_request, |
| + uint64_t allocation_size, |
| + uint32_t private_flags, |
| + struct security_descriptor *sd, |
| + struct ea_list *ea_list, |
| + files_struct **result_fsp, |
| + int *pinfo) |
| +{ |
| + switch (create_disposition) { |
| + case FILE_OPEN: |
| + case FILE_OVERWRITE: |
| + break; |
| + default: |
| + errno = EACCES; |
| + return NT_STATUS_ACCESS_DENIED; |
| + } |
| + |
| + return SMB_VFS_NEXT_CREATE_FILE( |
| + handle, /* handle */ |
| + req, /* req */ |
| + root_dir_fid, /* root_dir_fid */ |
| + smb_fname, /* fname */ |
| + access_mask, /* access_mask */ |
| + share_access, /* share_access */ |
| + create_disposition, /* create_disposition*/ |
| + create_options, /* create_options */ |
| + file_attributes, /* file_attributes */ |
| + oplock_request, /* oplock_request */ |
| + allocation_size, /* allocation_size */ |
| + private_flags, |
| + sd, /* sd */ |
| + ea_list, /* ea_list */ |
| + result_fsp, /* result */ |
| + pinfo); /* pinfo */ |
| +} |
| + |
| +static int nnf_rename(vfs_handle_struct *handle, |
| + const struct smb_filename *smb_fname_src, |
| + const struct smb_filename *smb_fname_dst) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static ssize_t nnf_pwrite(vfs_handle_struct *handle, |
| + files_struct *fsp, |
| + const void *data, |
| + size_t n, |
| + SMB_OFF_T offset) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static ssize_t nnf_write(vfs_handle_struct *handle, |
| + files_struct *fsp, |
| + const void *data, |
| + size_t n) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static int nnf_fallocate(vfs_handle_struct *handle, |
| + files_struct *fsp, |
| + enum vfs_fallocate_mode mode, |
| + SMB_OFF_T offset, |
| + SMB_OFF_T len) |
| +{ |
| + if (mode == VFS_FALLOCATE_EXTEND_SIZE) { |
| + errno = ENOSPC; |
| + return -1; |
| + } |
| + return SMB_VFS_NEXT_FALLOCATE(handle, fsp, mode, offset, len); |
| +} |
| + |
| +static int nnf_symlink(vfs_handle_struct *handle, |
| + const char *oldpath, |
| + const char *newpath) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static int nnf_link(vfs_handle_struct *handle, |
| + const char *oldpath, |
| + const char *newpath) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static int nnf_mknod(vfs_handle_struct *handle, |
| + const char *pathname, |
| + mode_t mode, |
| + SMB_DEV_T dev) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static int nnf_aio_write(struct vfs_handle_struct *handle, |
| + struct files_struct *fsp, |
| + SMB_STRUCT_AIOCB *aiocb) |
| +{ |
| + errno = EACCES; |
| + return -1; |
| +} |
| + |
| +static struct vfs_fn_pointers vfs_no_new_files_fns = { |
| + .mkdir = nnf_mkdir, |
| + .open_fn = nnf_open_fn, |
| + .create_file = nnf_create_file, |
| + .rename = nnf_rename, |
| + .pwrite = nnf_pwrite, |
| + .write = nnf_write, |
| + .fallocate = nnf_fallocate, |
| + .symlink = nnf_symlink, |
| + .link = nnf_link, |
| + .mknod = nnf_mknod, |
| + .aio_write = nnf_aio_write |
| +}; |
| + |
| +/******************************************************************* |
| + Module initialization boilerplate. |
| +*******************************************************************/ |
| + |
| +NTSTATUS vfs_no_new_files_init(void) |
| +{ |
| + return smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "no_new_files", |
| + &vfs_no_new_files_fns); |
| +} |
| diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build |
| index ff7163f..12aa86e 100644 |
| --- a/source3/modules/wscript_build |
| +++ b/source3/modules/wscript_build |
| @@ -50,6 +50,7 @@ VFS_SCANNEDONLY_SRC = 'vfs_scannedonly.c' |
| VFS_CROSSRENAME_SRC = 'vfs_crossrename.c' |
| VFS_LINUX_XFS_SGID_SRC = 'vfs_linux_xfs_sgid.c' |
| VFS_TIME_AUDIT_SRC = 'vfs_time_audit.c' |
| +VFS_NO_NEW_FILES_SRC = 'vfs_no_new_files.c' |
| |
| |
| bld.SAMBA3_SUBSYSTEM('NFS4_ACLS', |
| @@ -408,6 +409,13 @@ bld.SAMBA3_MODULE('vfs_time_audit', |
| internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_time_audit'), |
| enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_time_audit')) |
| |
| +bld.SAMBA3_MODULE('vfs_no_new_files', |
| + subsystem='vfs', |
| + source=VFS_NO_NEW_FILES_SRC, |
| + init_function='', |
| + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_no_new_files'), |
| + enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_no_new_files')) |
| + |
| |
| |
| CHARSET_WEIRD_SRC = 'weird.c' |
| diff --git a/source3/wscript b/source3/wscript |
| index bcc6ce1..afbc358 100644 |
| --- a/source3/wscript |
| +++ b/source3/wscript |
| @@ -1764,7 +1764,7 @@ main() { |
| vfs_streams_xattr vfs_streams_depot vfs_acl_xattr vfs_acl_tdb |
| vfs_smb_traffic_analyzer vfs_preopen vfs_catia vfs_scannedonly |
| vfs_crossrename vfs_linux_xfs_sgid |
| - vfs_time_audit idmap_autorid''') |
| + vfs_time_audit vfs_no_new_files idmap_autorid''') |
| |
| if Options.options.developer: |
| default_static_modules.extend(TO_LIST('pdb_ads auth_netlogond')) |
| -- |
| 1.9.1 |
| |