From 27cf3e0ac8576841106b3fcbd58fd5d7d419197d Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Tue, 5 Mar 2024 14:43:02 +0100 Subject: [PATCH] LU-17609 sec: nodemap readonly_mount for remount The readonly_mount property on nodemaps forces read-only mount from clients. Clients trying rw remount (via mount -o remount,rw) should also be forced to read-only. Also improve sanity-sec test_61 to exercise client remount. Fixes: e7ce67de92 ("LU-15451 sec: read-only nodemap flag") Signed-off-by: Sebastien Buisson Change-Id: I61f8141001d2ff9e832e5c93d8f5997479af98a6 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/54282 Tested-by: jenkins Tested-by: Maloo Reviewed-by: Andreas Dilger Reviewed-by: Arshad Hussain Reviewed-by: Oleg Drokin --- lustre/mdt/mdt_handler.c | 16 ++++++++++++++++ lustre/tests/sanity-sec.sh | 18 +++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/lustre/mdt/mdt_handler.c b/lustre/mdt/mdt_handler.c index b512006..7a8e853 100644 --- a/lustre/mdt/mdt_handler.c +++ b/lustre/mdt/mdt_handler.c @@ -2852,6 +2852,22 @@ static int mdt_set_info(struct tgt_session_info *tsi) /* Swab any part of val you need to here */ if (KEY_IS(KEY_READ_ONLY)) { + /* If client wants rw, make sure nodemap does not enforce ro. */ + if (!*(__u32 *)val) { + struct lu_nodemap *nm = NULL; + bool readonly = false; + + if (req->rq_export) + nm = nodemap_get_from_exp(req->rq_export); + + if (!IS_ERR_OR_NULL(nm)) { + readonly = nm->nmf_readonly_mount; + nodemap_putref(nm); + } + + if (unlikely(readonly)) + RETURN(-EROFS); + } spin_lock(&req->rq_export->exp_lock); if (*(__u32 *)val) *exp_connect_flags_ptr(req->rq_export) |= diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 77f8db0..0459195 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -5467,13 +5467,17 @@ test_61() { do_facet mgs $LCTL nodemap_modify --name c0 \ --property readonly_mount --value 1 wait_nm_sync c0 readonly_mount + + # mount without option should turn into ro zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} || - error "mount failed" + error "mount failed (1)" findmnt $MOUNT --output=options -n -f | grep -q "ro," || error "mount should have been turned into ro" cat $testfile || error "read $testfile failed (1)" echo b > $testfile && error "write $testfile should fail (1)" umount_client $MOUNT || error "umount $MOUNT failed (3)" + + # mount rw should turn into ro zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},rw || error "mount '-o rw' failed" findmnt $MOUNT --output=options -n -f | grep -q "ro," || @@ -5481,12 +5485,24 @@ test_61() { cat $testfile || error "read $testfile failed (2)" echo b > $testfile && error "write $testfile should fail (2)" umount_client $MOUNT || error "umount $MOUNT failed (4)" + + # mount ro should work as expected zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS},ro || error "mount '-o ro' failed" wait_ssk cat $testfile || error "read $testfile failed (3)" echo b > $testfile && error "write $testfile should fail (3)" umount_client $MOUNT || error "umount $MOUNT failed (5)" + + # remount rw should not work + zconf_mount_clients $HOSTNAME $MOUNT ${MOUNT_OPTS} || + error "mount failed (2)" + mount_client $MOUNT remount,rw || error "remount failed" + findmnt $MOUNT --output=options -n -f | grep -q "ro," || + error "remount rw should have been turned into ro" + cat $testfile || error "read $testfile failed (4)" + echo b > $testfile && error "write $testfile should fail (4)" + umount_client $MOUNT || error "umount $MOUNT failed (6)" } run_test 61 "Nodemap enforces read-only mount" -- 1.8.3.1