# HG changeset patch
# User Jiri Sasek
# Date 1389096271 28800
# Node ID 07878573dad3b8dc680f76c49e4f901bea5ee5b6
# Parent b83cba8960e964f0fb0244cbb32113f69744924b
15782587 SUNBT7157974 RFE: Request to include a Samba VFS module which implements WORM
diff -r b83cba8960e9 -r 07878573dad3 components/samba/samba/Makefile
--- a/components/samba/samba/Makefile Tue Mar 18 09:20:39 2014 -0700
+++ b/components/samba/samba/Makefile Tue Jan 07 04:04:31 2014 -0800
@@ -162,7 +162,7 @@
 CONFIGURE_OPTIONS += --enable-shared=yes
 CONFIGURE_OPTIONS += --enable-static=no
 CONFIGURE_OPTIONS.32 += --with-static-modules=vfs_solarisacl
-CONFIGURE_OPTIONS.32 += --with-shared-modules=vfs_zfsacl,vfs_samfs,vfs_prealloc,vfs_cacheprime,vfs_commit,idmap_ldap,idmap_tdb2,idmap_rid,idmap_ad,idmap_hash,idmap_adex
+CONFIGURE_OPTIONS.32 += --with-shared-modules=vfs_worm,vfs_zfsacl,vfs_samfs,vfs_prealloc,vfs_cacheprime,vfs_commit,idmap_ldap,idmap_tdb2,idmap_rid,idmap_ad,idmap_hash,idmap_adex
 CONFIGURE_OPTIONS.64 += --with-static-modules=
 CONFIGURE_OPTIONS.64 += --with-shared-modules=
 CONFIGURE_OPTIONS += --with-readline
diff -r b83cba8960e9 -r 07878573dad3 components/samba/samba/patches/worm.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/samba/samba/patches/worm.patch Tue Jan 07 04:04:31 2014 -0800
@@ -0,0 +1,158 @@
+Samba.org patch source is referenced below.
+WiKi page is:
+https://wiki.samba.org/index.php/VFS/vfs_worm
+changes against the community version:
+ - removed support of grace time on file
+ - slightly modified to run on VFS rev.28
+-- Jiri Sasek
+
+From 2004317c09d781a4ec1275aaa4a29289e798eff3 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 20 Nov 2013 12:09:47 +0100
+Subject: [PATCH] s3-modules: add new vfs_worm module
+
+VFS module to disallow writes for older files.
+
+Signed-off-by: Volker Lendecke
+Reviewed-by: Stefan Metzmacher
+Reviewed-by: Jeremy Allison
+---
+ source3/modules/vfs_worm.c | 97 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 97 insertions(+), 0 deletions(-)
+ create mode 100644 source3/modules/vfs_worm.c
+
+diff --git a/source3/modules/vfs_worm.c b/source3/modules/vfs_worm.c
+new file mode 100644
+index 0000000..77a18ca
+--- /dev/null
++++ b/source3/modules/vfs_worm.c
+@@ -0,0 +1,93 @@
++/*
++ * VFS module to disallow writes for older files
++ *
++ * Copyright (C) 2013, Volker Lendecke
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, see .
++ */
++
++#include "includes.h"
++#include "smbd/smbd.h"
++#include "system/filesys.h"
++#include "libcli/security/security.h"
++
++static NTSTATUS vfs_worm_create_file(vfs_handle_struct *handle,
++ struct smb_request *req,
++ uint16_t root_dir_fid,
++ struct smb_filename *smb_fname,
++ uint32_t access_mask,
++ uint32_t share_access,
++ uint32_t create_disposition,
++ uint32_t create_options,
++ uint32_t file_attributes,
++ uint32_t oplock_request,
++ uint64_t allocation_size,
++ uint32_t private_flags,
++ struct security_descriptor *sd,
++ struct ea_list *ea_list,
++ files_struct **result,
++ int *pinfo)
++{
++ bool readonly = false;
++ const uint32_t write_access_flags =
++ FILE_WRITE_DATA | FILE_APPEND_DATA |
++ FILE_WRITE_ATTRIBUTES | DELETE_ACCESS |
++ WRITE_DAC_ACCESS | WRITE_OWNER_ACCESS;
++ NTSTATUS status;
++
++ if (VALID_STAT(smb_fname->st)) {
++ /* no grace_period supported */
++ readonly = true;
++ }
++
++ if (readonly && (access_mask & write_access_flags)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ status = SMB_VFS_NEXT_CREATE_FILE(
++ handle, req, root_dir_fid, smb_fname, access_mask,
++ share_access, create_disposition, create_options,
++ file_attributes, oplock_request, allocation_size,
++ private_flags, sd, ea_list, result, pinfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ /*
++ * Access via MAXIMUM_ALLOWED_ACCESS?
++ */
++ if (readonly && ((*result)->access_mask & write_access_flags)) {
++ close_file(req, *result, NORMAL_CLOSE);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ return NT_STATUS_OK;
++}
++
++static struct vfs_fn_pointers vfs_worm_fns = {
++ .create_file = vfs_worm_create_file,
++};
++
++NTSTATUS vfs_worm_init(void);
++NTSTATUS vfs_worm_init(void)
++{
++ NTSTATUS ret;
++
++ ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "worm",
++ &vfs_worm_fns);
++ if (!NT_STATUS_IS_OK(ret)) {
++ return ret;
++ }
++
++ return ret;
++}
+--
+1.7.0.4
+
+ Makefile.in and configure.in adds
+
+--- a/source3/configure.in 2013-01-17 15:54:47.194376100 -0800
++++ b/source3/configure.in 2013-01-17 15:58:39.854303900 -0800
+@@ -6994,6 +6994,7 @@
+ SMB_MODULE(vfs_preopen, \$(VFS_PREOPEN_OBJ), "bin/preopen.$SHLIBEXT", VFS)
+ SMB_MODULE(vfs_syncops, \$(VFS_SYNCOPS_OBJ), "bin/syncops.$SHLIBEXT", VFS)
+ SMB_MODULE(vfs_zfsacl, \$(VFS_ZFSACL_OBJ), "bin/zfsacl.$SHLIBEXT", VFS)
++SMB_MODULE(vfs_worm, \$(VFS_WORM_OBJ), "bin/worm.$SHLIBEXT", VFS)
+ AC_SUBST(SAMFS_LIBS)
+ SMB_MODULE(vfs_samfs, \$(VFS_SAMFS_OBJ), "bin/samfs.$SHLIBEXT", VFS)
+ SMB_MODULE(vfs_notify_fam, \$(VFS_NOTIFY_FAM_OBJ), "bin/notify_fam.$SHLIBEXT", VFS)
+--- a/source3/Makefile.in 2013-01-17 15:55:00.777531900 -0800
++++ b/source3/Makefile.in 2013-01-17 16:02:06.513093500 -0800
+@@ -813,6 +813,7 @@
+ VFS_AIXACL2_OBJ = modules/vfs_aixacl2.o modules/vfs_aixacl_util.o modules/nfs4_acls.o
+ VFS_SOLARISACL_OBJ = modules/vfs_solarisacl.o
+ VFS_ZFSACL_OBJ = modules/vfs_zfsacl.o modules/nfs4_acls.o
++VFS_WORM_OBJ = modules/vfs_worm.o
+ VFS_SAMFS_OBJ = modules/vfs_samfs.o
+ VFS_HPUXACL_OBJ = modules/vfs_hpuxacl.o
+ VFS_IRIXACL_OBJ = modules/vfs_irixacl.o
+@@ -2967,6 +2968,10 @@
+ @echo "Building plugin $@"
+ @$(SHLD_MODULE) $(VFS_ZFSACL_OBJ) @ZFSACL_LIBS@
+ 
++bin/worm.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_WORM_OBJ)
++ @echo "Building plugin $@"
++ @$(SHLD_MODULE) $(VFS_WORM_OBJ)
++
+ bin/samfs.@SHLIBEXT@: $(BINARY_PREREQS) $(VFS_SAMFS_OBJ)
+ @echo "Building plugin $@"
+ @$(SHLD_MODULE) $(VFS_SAMFS_OBJ) @SAMFS_LIBS@
diff -r b83cba8960e9 -r 07878573dad3 components/samba/samba/samba.p5m
--- a/components/samba/samba/samba.p5m Tue Mar 18 09:20:39 2014 -0700
+++ b/components/samba/samba/samba.p5m Tue Jan 07 04:04:31 2014 -0800
@@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # set name=pkg.fmri value=pkg:/service/network/samba@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
@@ -273,6 +273,7 @@
 file path=usr/lib/samba/vfs/streams_xattr.so
 file path=usr/lib/samba/vfs/syncops.so
 file path=usr/lib/samba/vfs/time_audit.so
+file path=usr/lib/samba/vfs/worm.so
 file path=usr/lib/samba/vfs/xattr_tdb.so
 file path=usr/lib/samba/vfs/zfsacl.so
 # PAM modules
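Review bot: In `vfs_worm_create_file` (added by patches/worm.patch) the pre-open denial tests only the six specific bits in `write_access_flags`, so a request on an existing file that asks for generic or maximum-allowed rights, or that carries an overwriting `create_disposition`, still reaches `SMB_VFS_NEXT_CREATE_FILE` and is refused only by the post-open check on `(*result)->access_mask`. Whatever the lower layer does during the open (presumably including truncation for overwrite or supersede dispositions; that code is not visible here) has already happened by then, which undermines the write-once guarantee. I would refuse those before the call, e.g. `if (readonly && (create_disposition == FILE_SUPERSEDE || create_disposition == FILE_OVERWRITE || create_disposition == FILE_OVERWRITE_IF)) return NT_STATUS_ACCESS_DENIED;`, and add `FILE_WRITE_EA` to `write_access_flags`, since extended-attribute writes are not covered by the mask as written. With the grace period removed, `readonly = true` applies to every path with a valid stat, so the comment there should say that any existing object is immutable from creation rather than just `no grace_period supported`.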