[PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.

[PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.

[James Hunt]

Currently, although you can mark a file as undeletable with 'chattr'...

  > touch /tmp/wibble
  > ls -l /tmp/wibble
  -rw-rw-r-- 1 james james 0 Nov 16 20:00 /tmp/wibble
  > chattr +u /tmp/wibble      # mark file as undeletable
  > lsattr /tmp/wibble
  -u----------- /tmp/wibble

... it's not honoured by the kernel:

  > rm /tmp/wibble             # yikes! this should fail!!

This patch makes ext3 aware of the undeletable attribute such that
attempting to delete a file marked as undeltable works as expected:

  > chattr +u /tmp/wibble      # mark file as undeletable
  > lsattr /tmp/wibble
  -u----------- /tmp/wibble
  > rm /tmp/wibble
  rm: cannot remove `/tmp/wibble': Operation not permitted
  > chattr -u /tmp/wibble      # remove undeletable attribute
  > lsattr /tmp/wibble
  ------------- /tmp/wibble
  > rm /tmp/wibble             # works as expected this time

Tested with e2fsprogs-1.38-12 (FC5).

Signed-off-by: James Hunt <james@jameshunt.org.uk>
---
 fs/ext3/inode.c    |    4 +++-
 fs/namei.c         |    6 +++---
 include/linux/fs.h |    3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c
index 03ba5bc..dd1428e 100644
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -2568,11 +2568,13 @@ void ext3_set_inode_flags(struct inode *
 {
 	unsigned int flags = EXT3_I(inode)->i_flags;
 
-	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC);
+	inode->i_flags &= ~(S_SYNC|S_APPEND|S_IMMUTABLE|S_NOATIME|S_DIRSYNC|S_UNRM);
 	if (flags & EXT3_SYNC_FL)
 		inode->i_flags |= S_SYNC;
 	if (flags & EXT3_APPEND_FL)
 		inode->i_flags |= S_APPEND;
+	if (flags & EXT3_UNRM_FL)
+		inode->i_flags |= S_UNRM;
 	if (flags & EXT3_IMMUTABLE_FL)
 		inode->i_flags |= S_IMMUTABLE;
 	if (flags & EXT3_NOATIME_FL)
diff --git a/fs/namei.c b/fs/namei.c
index 28d49b3..d845d4d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1376,8 +1376,8 @@ static inline int check_sticky(struct in
  *	a. be owner of dir, or
  *	b. be owner of victim, or
  *	c. have CAP_FOWNER capability
- *  6. If the victim is append-only or immutable we can't do antyhing with
- *     links pointing to it.
+ *	6. If the victim is append-only or immutable or undeletable, we can't do
+ *	   anthying with links pointing to it.
  *  7. If we were asked to remove a directory and victim isn't one - ENOTDIR.
  *  8. If we were asked to remove a non-directory and victim isn't one - EISDIR.
  *  9. We can't remove a root or mountpoint.
@@ -1400,7 +1400,7 @@ static int may_delete(struct inode *dir,
 	if (IS_APPEND(dir))
 		return -EPERM;
 	if (check_sticky(dir, victim->d_inode)||IS_APPEND(victim->d_inode)||
-	    IS_IMMUTABLE(victim->d_inode))
+	    IS_IMMUTABLE(victim->d_inode)||IS_UNRM(victim->d_inode))
 		return -EPERM;
 	if (isdir) {
 		if (!S_ISDIR(victim->d_inode->i_mode))
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 2fe6e3f..725d35d 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -146,6 +146,8 @@ #define S_DIRSYNC	64	/* Directory modifi
 #define S_NOCMTIME	128	/* Do not update file c/mtime */
 #define S_SWAPFILE	256	/* Do not truncate: swapon got its bmaps */
 #define S_PRIVATE	512	/* Inode is fs-internal */
+#define S_UNRM		1024	/* Inode is undeletable */
+
 
 /*
  * Note that nosuid etc flags are inode-specific: setting some file-system
@@ -178,6 +180,7 @@ #define IS_DEADDIR(inode)	((inode)->i_fl
 #define IS_NOCMTIME(inode)	((inode)->i_flags & S_NOCMTIME)
 #define IS_SWAPFILE(inode)	((inode)->i_flags & S_SWAPFILE)
 #define IS_PRIVATE(inode)	((inode)->i_flags & S_PRIVATE)
+#define IS_UNRM(inode)		((inode)->i_flags & S_UNRM)
 
 /* the read-only stuff doesn't really belong here, but any other place is
    probably as bad and I don't want to create yet another include file. */
-- 
1.4.1

-- 
JaMeS

Re: [PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.

[Arnd Bergmann]

On Tuesday 21 November 2006 23:16, James Hunt wrote:
> ... it's not honoured by the kernel:
> 
>   > rm /tmp/wibble             # yikes! this should fail!!
> 
I always thought of the term 'undeletable' to mean that you can undelete
the file (restore it) after it has been deleted. Of course, this is
not implemented either, but it means something very different than
what your patch does.

	Arnd <><

Re: [PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.

[Dagfinn Ilmari Mannsåker]

Arnd Bergmann <arnd@arndb.de> writes:
> On Tuesday 21 November 2006 23:16, James Hunt wrote:
> > ... it's not honoured by the kernel:
> > 
> >   > rm /tmp/wibble             # yikes! this should fail!!
>
> I always thought of the term 'undeletable' to mean that you can
> undelete the file (restore it) after it has been deleted. Of course,
> this is not implemented either, but it means something very different
> than what your patch does.

That is indeed what the documented (but not implemented) meaning is.
>From chattr(1):

|       When a file with the ‘u’ attribute set is deleted, its contents
|       are saved. This allows the user to ask for its undeletion.

So the meaning is undelete-able, not un-deletable.

-- 
ilmari
"A disappointingly low fraction of the human race is,
 at any given time, on fire." - Stig Sandbeck Mathisen

Re: [PATCH 1/3] ext2/3/4: enable "undeletable" file attribute.

[Jan Engelhardt]

>Currently, although you can mark a file as undeletable with 'chattr'...
>
>  > touch /tmp/wibble
>  > ls -l /tmp/wibble
>  -rw-rw-r-- 1 james james 0 Nov 16 20:00 /tmp/wibble
>  > chattr +u /tmp/wibble      # mark file as undeletable
>  > lsattr /tmp/wibble
>  -u----------- /tmp/wibble
>
>... it's not honoured by the kernel:
>
>  > rm /tmp/wibble             # yikes! this should fail!!

Currently, the immutable flag controls the behavior to forbid deletion.


	-`J'
--