git: fddac96ca559 - stable/13 - krpc: Allow mountd/nfsd to optionally run in a jail
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 17 May 2023 22:15:17 UTC
The branch stable/13 has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=fddac96ca55968f42156e6286547de513f980a52 commit fddac96ca55968f42156e6286547de513f980a52 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-12-18 20:40:48 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2023-05-17 22:14:07 +0000 krpc: Allow mountd/nfsd to optionally run in a jail This patch modifies the kernel RPC so that it will allow mountd/nfsd to run inside of a vnet jail. Running mountd/nfsd inside a vnet jail will be enabled via a new kernel build option called VNET_NFSD, which will be implemented in future commits. Although I suspect cr_prison can be set from the credentials of the current thread unconditionally, I #ifdef'd the code VNET_NFSD and only did this for the jailed case mainly to document that it is only needed for use in a jail. The TLS support code has not yet been modified to work in a jail. That is planned as future development after the basic VNET_NFSD support is in the kernel. This patch should not result in any semantics change until VNET_NFSD is implemented and used in a kernel configuration. (cherry picked from commit 6a76d35cac8e1549f74bd4cdceccc2ee52c8e556) --- sys/rpc/svc.c | 3 ++- sys/rpc/svc_auth.c | 15 +++++++++++++-- sys/rpc/svc_dg.c | 4 ++++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/sys/rpc/svc.c b/sys/rpc/svc.c index be0f08ebca9d..065da0cc23a4 100644 --- a/sys/rpc/svc.c +++ b/sys/rpc/svc.c @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); */ #include <sys/param.h> +#include <sys/jail.h> #include <sys/lock.h> #include <sys/kernel.h> #include <sys/kthread.h> @@ -126,7 +127,7 @@ svcpool_create(const char *name, struct sysctl_oid_list *sysctl_base) pool->sp_space_low = (pool->sp_space_high / 3) * 2; sysctl_ctx_init(&pool->sp_sysctl); - if (sysctl_base) { + if (!jailed(curthread->td_ucred) && sysctl_base) { SYSCTL_ADD_PROC(&pool->sp_sysctl, sysctl_base, OID_AUTO, "minthreads", CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, pool, 0, svcpool_minthread_sysctl, "I", diff --git a/sys/rpc/svc_auth.c b/sys/rpc/svc_auth.c index 21149139b5a5..a5c9753c4fde 100644 --- a/sys/rpc/svc_auth.c +++ b/sys/rpc/svc_auth.c @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include <sys/param.h> #include <sys/lock.h> #include <sys/mutex.h> +#include <sys/proc.h> #include <sys/systm.h> #include <sys/jail.h> #include <sys/ucred.h> @@ -197,7 +198,12 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, int *flavorp) cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid; crsetgroups(cr, xprt->xp_ngrps, xprt->xp_gidp); cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0]; - cr->cr_prison = &prison0; +#ifdef VNET_NFSD + if (jailed(curthread->td_ucred)) + cr->cr_prison = curthread->td_ucred->cr_prison; + else +#endif + cr->cr_prison = &prison0; prison_hold(cr->cr_prison); *crp = cr; return (TRUE); @@ -210,7 +216,12 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, int *flavorp) cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xcr->cr_uid; crsetgroups(cr, xcr->cr_ngroups, xcr->cr_groups); cr->cr_rgid = cr->cr_svgid = cr->cr_groups[0]; - cr->cr_prison = &prison0; +#ifdef VNET_NFSD + if (jailed(curthread->td_ucred)) + cr->cr_prison = curthread->td_ucred->cr_prison; + else +#endif + cr->cr_prison = &prison0; prison_hold(cr->cr_prison); *crp = cr; return (TRUE); diff --git a/sys/rpc/svc_dg.c b/sys/rpc/svc_dg.c index 36724ed07b98..e4cf0d8c45e3 100644 --- a/sys/rpc/svc_dg.c +++ b/sys/rpc/svc_dg.c @@ -45,11 +45,13 @@ __FBSDID("$FreeBSD$"); */ #include <sys/param.h> +#include <sys/jail.h> #include <sys/lock.h> #include <sys/kernel.h> #include <sys/malloc.h> #include <sys/mbuf.h> #include <sys/mutex.h> +#include <sys/proc.h> #include <sys/protosw.h> #include <sys/queue.h> #include <sys/socket.h> @@ -104,6 +106,8 @@ svc_dg_create(SVCPOOL *pool, struct socket *so, size_t sendsize, struct sockaddr* sa; int error; + if (jailed(curthread->td_ucred)) + return (NULL); if (!__rpc_socket2sockinfo(so, &si)) { printf(svc_dg_str, svc_dg_err1); return (NULL);