From nobody Wed Dec 14 22:04:12 2022 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NXTt52LhSz4kgvJ for ; Wed, 14 Dec 2022 22:04:29 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NXTt50LJ3z4GX9 for ; Wed, 14 Dec 2022 22:04:29 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-pl1-x631.google.com with SMTP id g10so4814285plo.11 for ; Wed, 14 Dec 2022 14:04:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o3UIUFfrWJ/E6HRwkThNEl8XnU/EDOT7LIZHL+HunHg=; b=LurmaW9Uli4TlKxIbS+j7o0BR89ioKuu65H24GCdTtARXz65dWZW3fVHX4QBzmiEcc 4xt9eWml7sg7MUZ4lHAVMfz0fh2jIcbr96VEcUdQnsUEcZ6ocaCsludjJc90I+874Xou 8BBZJMGLyMSjiam3cpwdk4H45Yawy0YAIJgY866AdVPcY0Vg1t1er5DLCsftPvbGzw9H gaZbPZop/1l5e1MvwS/oy4bCNUeGoK7BHGh3M+60Y7poLEJ9PD7Q/M8xcvObFenbPrLH KUR4OowLz4oIe77SnNeRB2BXVT+JUqWar6m8Tyi2sE0E0+1h6z9j+ZpbFccCK5ZHZgMQ rrMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o3UIUFfrWJ/E6HRwkThNEl8XnU/EDOT7LIZHL+HunHg=; b=fHzS9fL+ihIoSUM5483c5JCZco2ohn7uC6jEIshHEZpjDyDzwX1Zd/wrnBneo+XQG/ 74qB1GDZugiyEzda113s2lGjajGFCb0hUyUFeSK+rWBJAmNOUp9pm9NiYXoVxO9PHrQr 4F3r2q+khHEjMS3jC8laASNKN3X6F/ZvdGK/DbJVVrgwC+ELIzJC0zUPaGwUBSNYj4K7 cm25mimxgELfpV30mKu7MGWPPrS/0eVr3xwYyndvObjEw2wYcU4cmQbBpK31LYV06WKE kZ4qhxcTP7JliBtjJjJ+3U+1i846yJnlYZRsh8sVZVve7x2SICbFLGXPksXJGioOHMSZ ibNg== X-Gm-Message-State: ANoB5pllfw2xRy1COrsuzg8kxtai5GNe6FDMPIOq3na3/IuW4za+QSMR LE3j0KQDnEc53y/fWN39DydSfOCtXvVUqoeXvedEjhQY5g== X-Google-Smtp-Source: AA0mqf70yjZkfeY8dQfPieVdzsrOmqj2jo9PvdUDeTGDml1+NbDafZhNV4fqdKiMO00KM3+bPmVSyGXC7kNAi3nYGD0= X-Received: by 2002:a17:90a:ad09:b0:219:5079:7aa3 with SMTP id r9-20020a17090aad0900b0021950797aa3mr356744pjq.183.1671055466959; Wed, 14 Dec 2022 14:04:26 -0800 (PST) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 References: <20221215021431.d190e55ee911f5e94799f953@dec.sakura.ne.jp> In-Reply-To: <20221215021431.d190e55ee911f5e94799f953@dec.sakura.ne.jp> From: Rick Macklem Date: Wed, 14 Dec 2022 14:04:12 -0800 Message-ID: Subject: Re: What to do about a few lines in vfs_domount() never executed? To: Tomoaki AOKI Cc: freebsd-current@freebsd.org Content-Type: multipart/alternative; boundary="0000000000008216dc05efd0eb0b" X-Rspamd-Queue-Id: 4NXTt50LJ3z4GX9 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --0000000000008216dc05efd0eb0b Content-Type: text/plain; charset="UTF-8" On Wed, Dec 14, 2022 at 9:15 AM Tomoaki AOKI wrote: > Tracking the commits, it was originally introduced to > sys/kern/vfs_syscalls.c at r22521 [1][2] (Mon Feb 10 02:22:35 1997 by > dyson, submitted by hsu@freebsd.org) and later centralized into > sys/kern/vfs_mount.c at r99264 [2]. > > But according to the comment above the codes, maybe it would be > intended to block userland programs or ports FS modules setting > MNT_EXPORTED. > > If I'm not mis-understanding, it can be the case when > *vfs.usermount sysctl is non-zero, > *underlying FS (to be exported) allows it, and > *non-root user tries to mount the FS via NFS. > It does appear that ancient code restricted doing NFS exports to root only. I don't think that restriction is exactly enforced now, since vfs_suser() allows a non-root owner to do the update (which would include updating exports). (As I noted, MNT_EXPORTED never gets set in fsflags. The variable is local to one of the functions in vfs_mount.c and a search shows it never gets set.) I suppose you could argue that priv_check(td, PRIV_VFS_MOUNT_EXPORTED) should check for caller being root, since that is what ancient code did. Or, you could argue that, if a non-root user is allowed to mount a file system that they should also be allowed to export it, which is what I think the current code allows (and has for at least a decade). Admittedly, allowing a non-root user to do a mount and also add exports to it could cause confusion, since the system basically assumes that mountd will manage all exports. Do others think adding code to check that cr_uid == 0 for PRIV_VFS_MOUNT_EXPORTED to be allowed makes sense? rick > > [1] > > https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?revision=22521&view=markup&pathrev=99264 > > [2] > > https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1=22520&r2=22521&pathrev=99264& > > [3] > > https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=2b4edb69f1ef62fc38b02ac22b0a3ac09e43fa77 > > > On Tue, 13 Dec 2022 14:19:39 -0800 > Rick Macklem wrote: > > > Hi, > > > > While working on getting mountd/nfsd to run in a vnet > > prison, I came across the following lines near the > > beginning of vfs_domount() in sys/kern/vfs_mount.c: > > > > if (fsflags & MNT_EXPORTED) { > > error = priv_check(td, PRIV_VFS_MOUNT_EXPORTED); > > if (error) > > return (error); > > } > > > > #1 - Since MNT_EXPORTED is never set in fsflags, this code never > > gets executed. > > --> I am asking what to do with the above code, since that > > changes for the patch that allows mountd to run in a vnet > > prison. > > #2 - priv_check(td, PRIV_VFS_MOUNT_EXPORTED) always returns 0 > > because nothing in sys/kern/kern_priv.c checks > > PRIV_VFS_MOUNT_EXPORTED. > > > > I don't know what the original author's thinking was w.r.t. this. > > Setting exports already checks that the mount operation can be > > done by the requestor. > > > > So, what do you think should be done with the above code snippet? > > - Consider it cruft and delete it. > > - Try and figure out what PRIV_VFS_MOUNT_EXPORTED should check? > > - Leave it as is. After the patch that allows mountd to run in > > a vnet prison, MNT_EXPORTED will be set in fsflags, but the > > priv_check() call will just return 0. (A little overhead, > > but otherwise no semantics change.) > > > > rick > > > -- > Tomoaki AOKI > > --0000000000008216dc05efd0eb0b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Wed, Dec 14, 2022 at 9:15 AM Tomoaki AOKI = <junchoon@dec.sakura.ne.jp<= /a>> wrote:
T= racking the commits, it was originally introduced to
sys/kern/vfs_syscalls.c at r22521 [1][2] (Mon Feb 10 02:22:35 1997 by
dyson, submitted by hs= u@freebsd.org) and later centralized into
sys/kern/vfs_mount.c at r99264 [2].

But according to the comment above the codes, maybe it would be
intended to block userland programs or ports FS modules setting
MNT_EXPORTED.

If I'm not mis-understanding, it can be the case when
=C2=A0*vfs.usermount sysctl is non-zero,
=C2=A0*underlying FS (to be exported) allows it, and
=C2=A0*non-root user tries to mount the FS via NFS.
It does appear = that ancient code restricted doing NFS exports
to root only.
I don&= #39;t think that restriction is exactly enforced now, since
vfs_suser()= allows a non-root owner to do the update (which
would include updating= exports).
(As I noted, MNT_EXPORTED never gets set in fsflags. The var= iable
=C2=A0is local to one of the functions in vfs_mount.c and a searc= h shows
=C2=A0it never gets set.)

I suppose you could argu= e that priv_check(td, =C2=A0PRIV_VFS_MOUNT_EXPORTED)
should check for caller = being root, since that is what ancient code did.
Or, you could argue th= at, if a non-root user is allowed to mount a file
system that they shou= ld also be allowed to export it, which is what I
think the current code= allows (and has for at least a decade).

Admittedly, allowing = a non-root user to do a mount and also add exports
to it could cause co= nfusion, since the system basically assumes that
mountd will manage all= exports.

Do others think adding code to check that cr_uid =3D= =3D 0 for
PRIV_VFS_MOUNT_EXPORTED to be allowed makes sense?

rick




[1]
https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c= ?revision=3D22521&view=3Dmarkup&pathrev=3D99264

[2]
https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1= =3D22520&r2=3D22521&pathrev=3D99264&

[3]
https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=3D2b4edb69f1e= f62fc38b02ac22b0a3ac09e43fa77


On Tue, 13 Dec 2022 14:19:39 -0800
Rick Macklem <rick.macklem@gmail.com> wrote:

> Hi,
>
> While working on getting mountd/nfsd to run in a vnet
> prison, I came across the following lines near the
> beginning of vfs_domount() in sys/kern/vfs_mount.c:
>
> if (fsflags & MNT_EXPORTED) {
>=C2=A0 =C2=A0 =C2=A0 error =3D priv_check(td, PRIV_VFS_MOUNT_EXPORTED);=
>=C2=A0 =C2=A0 =C2=A0 if (error)
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return (error);
> }
>
> #1 - Since MNT_EXPORTED is never set in fsflags, this code never
>=C2=A0 =C2=A0 =C2=A0 gets executed.
>=C2=A0 =C2=A0 =C2=A0 --> I am asking what to do with the above code,= since that
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 changes for the patch that allows mo= untd to run in a vnet
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 prison.
> #2 - priv_check(td, PRIV_VFS_MOUNT_EXPORTED) always returns 0
>=C2=A0 =C2=A0 =C2=A0 because nothing in sys/kern/kern_priv.c checks
>=C2=A0 =C2=A0 =C2=A0 PRIV_VFS_MOUNT_EXPORTED.
>
> I don't know what the original author's thinking was w.r.t. th= is.
> Setting exports already checks that the mount operation can be
> done by the requestor.
>
> So, what do you think should be done with the above code snippet?
> - Consider it cruft and delete it.
> - Try and figure out what PRIV_VFS_MOUNT_EXPORTED should check?
> - Leave it as is. After the patch that allows mountd to run in
>=C2=A0 =C2=A0a vnet prison, MNT_EXPORTED will be set in fsflags, but th= e
>=C2=A0 =C2=A0priv_check() call will just return 0. (A little overhead,<= br> >=C2=A0 =C2=A0but otherwise no semantics change.)
>
> rick


--
Tomoaki AOKI=C2=A0 =C2=A0 <junchoon@dec.sakura.ne.jp>

--0000000000008216dc05efd0eb0b--