On 20.03.2018 22:06, Goffredo Baroncelli wrote:
> On 03/20/2018 07:45 AM, Misono, Tomohiro wrote:
>> Deletion of subvolume by non-privileged user is completely restricted
>> by default because we can delete a subvolume even if it is not empty
>> and may cause data loss. In other words, when user_subvol_rm_allowed
>> mount option is used, a user can delete a subvolume containing the
>> directory which cannot be deleted directly by the user.
>>
>> However, there should be no harm to allow users to delete empty subvolumes
>> when rmdir(2) would have been allowed if they were normal directories.
>> This patch allows deletion of empty subvolume by default.
>
> Instead of modifying the ioctl, what about allowing rmdir(2) to work for an
> _empty_ subvolume (and all the permission check are satisfied) ?
I'm inclined to agree with Goffredo. user_subvol_rm_allowed flag really
looks like a hack ontop of the ioctl. I'd rather we modify the generic
behavior.
>
>
>
>>
>> Note that user_subvol_rm_allowed option requires write+exec permission
>> of the subvolume to be deleted, but they are not required for empty
>> subvolume.
>>
>> The comment in the code is also updated accordingly.
>>
>> Signed-off-by: Tomohiro Misono <misono.tomoh...@jp.fujitsu.com>
>> ---
>> fs/btrfs/ioctl.c | 55
>> +++++++++++++++++++++++++++++++------------------------
>> 1 file changed, 31 insertions(+), 24 deletions(-)
>>
>> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
>> index 111ee282b777..838406a7a7f5 100644
>> --- a/fs/btrfs/ioctl.c
>> +++ b/fs/btrfs/ioctl.c
>> @@ -2366,36 +2366,43 @@ static noinline int btrfs_ioctl_snap_destroy(struct
>> file *file,
>> dest = BTRFS_I(inode)->root;
>> if (!capable(CAP_SYS_ADMIN)) {
>> /*
>> - * Regular user. Only allow this with a special mount
>> - * option, when the user has write+exec access to the
>> - * subvol root, and when rmdir(2) would have been
>> - * allowed.
>> + * By default, regular user is only allowed to delete
>> + * empty subvols when rmdir(2) would have been allowed
>> + * if they were normal directories.
>> *
>> - * Note that this is _not_ check that the subvol is
>> - * empty or doesn't contain data that we wouldn't
>> + * If the mount option 'user_subvol_rm_allowed' is set,
>> + * it allows users to delete non-empty subvols when the
>> + * user has write+exec access to the subvol root and when
>> + * rmdir(2) would have been allowed (except the emptiness
>> + * check).
>> + *
>> + * Note that this option does _not_ check that if the subvol
>> + * is empty or doesn't contain data that the user wouldn't
>> * otherwise be able to delete.
>> *
>> - * Users who want to delete empty subvols should try
>> - * rmdir(2).
>> + * Users who want to delete empty subvols created by
>> + * snapshot (ino number == 2) can use rmdir(2).
>> */
>> - err = -EPERM;
>> - if (!btrfs_test_opt(fs_info, USER_SUBVOL_RM_ALLOWED))
>> - goto out_dput;
>> + err = -ENOTEMPTY;
>> + if (inode->i_size != BTRFS_EMPTY_DIR_SIZE) {
>> + if (!btrfs_test_opt(fs_info, USER_SUBVOL_RM_ALLOWED))
>> + goto out_dput;
>>
>> - /*
>> - * Do not allow deletion if the parent dir is the same
>> - * as the dir to be deleted. That means the ioctl
>> - * must be called on the dentry referencing the root
>> - * of the subvol, not a random directory contained
>> - * within it.
>> - */
>> - err = -EINVAL;
>> - if (root == dest)
>> - goto out_dput;
>> + /*
>> + * Do not allow deletion if the parent dir is the same
>> + * as the dir to be deleted. That means the ioctl
>> + * must be called on the dentry referencing the root
>> + * of the subvol, not a random directory contained
>> + * within it.
>> + */
>> + err = -EINVAL;
>> + if (root == dest)
>> + goto out_dput;
>>
>> - err = inode_permission(inode, MAY_WRITE | MAY_EXEC);
>> - if (err)
>> - goto out_dput;
>> + err = inode_permission(inode, MAY_WRITE | MAY_EXEC);
>> + if (err)
>> + goto out_dput;
>> + }
>> }
>>
>> /* check if subvolume may be deleted by a user */
>>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
