From nobody Fri Dec 16 21:07:20 2022
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NYhWT2zR4zZddr
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Fri, 16 Dec 2022 21:07:33 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NYhWS48YBz3xtV
	for <freebsd-current@freebsd.org>; Fri, 16 Dec 2022 21:07:32 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=gmail.com header.s=20210112 header.b="Mm/89ufI";
	spf=pass (mx1.freebsd.org: domain of rick.macklem@gmail.com designates 2607:f8b0:4864:20::629 as permitted sender) smtp.mailfrom=rick.macklem@gmail.com;
	dmarc=pass (policy=none) header.from=gmail.com
Received: by mail-pl1-x629.google.com with SMTP id l10so3496087plb.8
        for <freebsd-current@freebsd.org>; Fri, 16 Dec 2022 13:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=CfAUDc7pHuMEMfDvij+TeDql4BbKQLaKyaccqSIGRVY=;
        b=Mm/89ufI/fGjqRNF04JlmFqAw/PFn0JSGwEy9s2PZqy25l0QcjK9NwB+hu4Hgopzrw
         u0JvhzOttifr0VrfL2avn3AAC+GDBYGQEbXKQ7RBL/+SsGlPgcYHh6vUyltiWM0VGr+b
         6oZ7MwiPazLIgUOF7bTAY8bIISbTyyEr2uU72zWdivnX2kDDO+r+YTTA6YoRdlJlS6y0
         lKL2IOv47IRmaubp+T41s/rTGk2uao7juHwgS7SX+5O6JQgBklcPM7UooFu5BUlHohfG
         aK4hFBqwo2ULLtrIJ8mexOtvy1NMFidUYB5CYIzV9o5U3QYID8P3v3Ue+t7a3va90hM8
         TbuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=CfAUDc7pHuMEMfDvij+TeDql4BbKQLaKyaccqSIGRVY=;
        b=4nmTC4w6vi/xYfqS6IjB67dMxBpSKwYMtc2Nv1e9VHWAtyIkx2BC2xRExkPcjE/4+q
         7bah0PmMtxGuQbwRZD4l+SmFZqbN+PnZTrs8ecUhFRgWxuRII2t8WtFbIHpX82fwfIhi
         ErDYfcvEISfxmfp//gZ9MbZOaiZKIYZ1qK4o7buskHAJbUNOYO7fPvdnVWRX9uZad4ut
         a21s3xgbzbubRZfQMJKl+e8EPZ5BAOlBhytBFH3ZTbiTTpnpYbrhJDB6wBNEPKOkOKD/
         6k9/8PxKqmUV0Oy0fbxpRBol6sTI8nKRg6P85wHk0BodixOCWSxOoiJapn4G6I6Xllf/
         QM4A==
X-Gm-Message-State: AFqh2koH7yKfinpgr7AzZvKvQ3Mj8HMfwqctzkuUiiL4XgZ2cRWMXx3M
	WOTqsUxT9Xsr2lmnHSaWHf8nhnR2Ck+VoKRGiW5lkvGzCg==
X-Google-Smtp-Source: AA0mqf5/pQcoEic58w7X8xBFgfeQgH7UDpEdjWek44EmSwOC7pr3YJ2t4QzI/6yvyo0o4vjRGPfQcF3DIhX5JHkULDw=
X-Received: by 2002:a17:90a:7e0a:b0:219:661f:9916 with SMTP id
 i10-20020a17090a7e0a00b00219661f9916mr1367132pjl.200.1671224851196; Fri, 16
 Dec 2022 13:07:31 -0800 (PST)
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
MIME-Version: 1.0
References: <CAM5tNy7DM__tj4CQ0L_-ugo5krmEvLJgbU-WFLs47MrRBuGaNQ@mail.gmail.com>
 <20221215021431.d190e55ee911f5e94799f953@dec.sakura.ne.jp>
In-Reply-To: <20221215021431.d190e55ee911f5e94799f953@dec.sakura.ne.jp>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 16 Dec 2022 13:07:20 -0800
Message-ID: <CAM5tNy7RdfSMBOxRtkYrtPKfxsN8TZK0Cz4bCwVO_RSGOUQnHg@mail.gmail.com>
Subject: Re: What to do about a few lines in vfs_domount() never executed?
To: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Cc: freebsd-current@freebsd.org
Content-Type: multipart/alternative; boundary="00000000000098712405eff85bb9"
X-Spamd-Result: default: False [-3.00 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	SUBJECT_ENDS_QUESTION(1.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-0.999];
	DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
	R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112];
	R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org];
	ARC_NA(0.00)[];
	RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::629:from];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	TAGGED_FROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	DKIM_TRACE(0.00)[gmail.com:+];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	FREEMAIL_FROM(0.00)[gmail.com];
	DWL_DNSWL_NONE(0.00)[gmail.com:dkim];
	RCPT_COUNT_TWO(0.00)[2];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	FROM_EQ_ENVFROM(0.00)[];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Queue-Id: 4NYhWS48YBz3xtV
X-Spamd-Bar: --
X-ThisMailContainsUnwantedMimeParts: N

--00000000000098712405eff85bb9
Content-Type: text/plain; charset="UTF-8"

Just to provide closure on this, I just committed a patch to
main (that will be MFC'd in 2 weeks) that sets MNT_EXPORTED
when the "export" option is specified to nmount(2).

This restores the "only root can do exports" semantics that
appear to have been the case pre-r158857.

Thanks everyone for your comments, rick


On Wed, Dec 14, 2022 at 9:15 AM Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
wrote:

> Tracking the commits, it was originally introduced to
> sys/kern/vfs_syscalls.c at r22521 [1][2] (Mon Feb 10 02:22:35 1997 by
> dyson, submitted by hsu@freebsd.org) and later centralized into
> sys/kern/vfs_mount.c at r99264 [2].
>
> But according to the comment above the codes, maybe it would be
> intended to block userland programs or ports FS modules setting
> MNT_EXPORTED.
>
> If I'm not mis-understanding, it can be the case when
>  *vfs.usermount sysctl is non-zero,
>  *underlying FS (to be exported) allows it, and
>  *non-root user tries to mount the FS via NFS.
>
>
> [1]
>
> https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?revision=22521&view=markup&pathrev=99264
>
> [2]
>
> https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1=22520&r2=22521&pathrev=99264&
>
> [3]
>
> https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=2b4edb69f1ef62fc38b02ac22b0a3ac09e43fa77
>
>
> On Tue, 13 Dec 2022 14:19:39 -0800
> Rick Macklem <rick.macklem@gmail.com> wrote:
>
> > Hi,
> >
> > While working on getting mountd/nfsd to run in a vnet
> > prison, I came across the following lines near the
> > beginning of vfs_domount() in sys/kern/vfs_mount.c:
> >
> > if (fsflags & MNT_EXPORTED) {
> >      error = priv_check(td, PRIV_VFS_MOUNT_EXPORTED);
> >      if (error)
> >            return (error);
> > }
> >
> > #1 - Since MNT_EXPORTED is never set in fsflags, this code never
> >      gets executed.
> >      --> I am asking what to do with the above code, since that
> >          changes for the patch that allows mountd to run in a vnet
> >          prison.
> > #2 - priv_check(td, PRIV_VFS_MOUNT_EXPORTED) always returns 0
> >      because nothing in sys/kern/kern_priv.c checks
> >      PRIV_VFS_MOUNT_EXPORTED.
> >
> > I don't know what the original author's thinking was w.r.t. this.
> > Setting exports already checks that the mount operation can be
> > done by the requestor.
> >
> > So, what do you think should be done with the above code snippet?
> > - Consider it cruft and delete it.
> > - Try and figure out what PRIV_VFS_MOUNT_EXPORTED should check?
> > - Leave it as is. After the patch that allows mountd to run in
> >   a vnet prison, MNT_EXPORTED will be set in fsflags, but the
> >   priv_check() call will just return 0. (A little overhead,
> >   but otherwise no semantics change.)
> >
> > rick
>
>
> --
> Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>
>
>

--00000000000098712405eff85bb9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:monospac=
e">Just to provide closure on this, I just committed a patch to</div><div c=
lass=3D"gmail_default" style=3D"font-family:monospace">main (that will be M=
FC&#39;d in 2 weeks) that sets MNT_EXPORTED</div><div class=3D"gmail_defaul=
t" style=3D"font-family:monospace">when the &quot;export&quot; option is sp=
ecified to nmount(2).</div><div class=3D"gmail_default" style=3D"font-famil=
y:monospace"><br></div><div class=3D"gmail_default" style=3D"font-family:mo=
nospace">This restores the &quot;only root can do exports&quot; semantics t=
hat</div><div class=3D"gmail_default" style=3D"font-family:monospace">appea=
r to have been the case pre-r158857.</div><div class=3D"gmail_default" styl=
e=3D"font-family:monospace"><br></div><div class=3D"gmail_default" style=3D=
"font-family:monospace">Thanks everyone for your comments, rick</div><div c=
lass=3D"gmail_default" style=3D"font-family:monospace"><br></div></div><br>=
<div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, De=
c 14, 2022 at 9:15 AM Tomoaki AOKI &lt;<a href=3D"mailto:junchoon@dec.sakur=
a.ne.jp">junchoon@dec.sakura.ne.jp</a>&gt; wrote:<br></div><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid r=
gb(204,204,204);padding-left:1ex">Tracking the commits, it was originally i=
ntroduced to<br>
sys/kern/vfs_syscalls.c at r22521 [1][2] (Mon Feb 10 02:22:35 1997 by<br>
dyson, submitted by <a href=3D"mailto:hsu@freebsd.org" target=3D"_blank">hs=
u@freebsd.org</a>) and later centralized into<br>
sys/kern/vfs_mount.c at r99264 [2].<br>
<br>
But according to the comment above the codes, maybe it would be<br>
intended to block userland programs or ports FS modules setting <br>
MNT_EXPORTED.<br>
<br>
If I&#39;m not mis-understanding, it can be the case when<br>
=C2=A0*vfs.usermount sysctl is non-zero,<br>
=C2=A0*underlying FS (to be exported) allows it, and<br>
=C2=A0*non-root user tries to mount the FS via NFS.<br>
<br>
<br>
[1]<br>
<a href=3D"https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?rev=
ision=3D22521&amp;view=3Dmarkup&amp;pathrev=3D99264" rel=3D"noreferrer" tar=
get=3D"_blank">https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c=
?revision=3D22521&amp;view=3Dmarkup&amp;pathrev=3D99264</a><br>
<br>
[2]<br>
<a href=3D"https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1=
=3D22520&amp;r2=3D22521&amp;pathrev=3D99264&amp;" rel=3D"noreferrer" target=
=3D"_blank">https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1=
=3D22520&amp;r2=3D22521&amp;pathrev=3D99264&amp;</a><br>
<br>
[3]<br>
<a href=3D"https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=3D2b=
4edb69f1ef62fc38b02ac22b0a3ac09e43fa77" rel=3D"noreferrer" target=3D"_blank=
">https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=3D2b4edb69f1e=
f62fc38b02ac22b0a3ac09e43fa77</a><br>
<br>
<br>
On Tue, 13 Dec 2022 14:19:39 -0800<br>
Rick Macklem &lt;<a href=3D"mailto:rick.macklem@gmail.com" target=3D"_blank=
">rick.macklem@gmail.com</a>&gt; wrote:<br>
<br>
&gt; Hi,<br>
&gt; <br>
&gt; While working on getting mountd/nfsd to run in a vnet<br>
&gt; prison, I came across the following lines near the<br>
&gt; beginning of vfs_domount() in sys/kern/vfs_mount.c:<br>
&gt; <br>
&gt; if (fsflags &amp; MNT_EXPORTED) {<br>
&gt;=C2=A0 =C2=A0 =C2=A0 error =3D priv_check(td, PRIV_VFS_MOUNT_EXPORTED);=
<br>
&gt;=C2=A0 =C2=A0 =C2=A0 if (error)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return (error);<br>
&gt; }<br>
&gt; <br>
&gt; #1 - Since MNT_EXPORTED is never set in fsflags, this code never<br>
&gt;=C2=A0 =C2=A0 =C2=A0 gets executed.<br>
&gt;=C2=A0 =C2=A0 =C2=A0 --&gt; I am asking what to do with the above code,=
 since that<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 changes for the patch that allows mo=
untd to run in a vnet<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 prison.<br>
&gt; #2 - priv_check(td, PRIV_VFS_MOUNT_EXPORTED) always returns 0<br>
&gt;=C2=A0 =C2=A0 =C2=A0 because nothing in sys/kern/kern_priv.c checks<br>
&gt;=C2=A0 =C2=A0 =C2=A0 PRIV_VFS_MOUNT_EXPORTED.<br>
&gt; <br>
&gt; I don&#39;t know what the original author&#39;s thinking was w.r.t. th=
is.<br>
&gt; Setting exports already checks that the mount operation can be<br>
&gt; done by the requestor.<br>
&gt; <br>
&gt; So, what do you think should be done with the above code snippet?<br>
&gt; - Consider it cruft and delete it.<br>
&gt; - Try and figure out what PRIV_VFS_MOUNT_EXPORTED should check?<br>
&gt; - Leave it as is. After the patch that allows mountd to run in<br>
&gt;=C2=A0 =C2=A0a vnet prison, MNT_EXPORTED will be set in fsflags, but th=
e<br>
&gt;=C2=A0 =C2=A0priv_check() call will just return 0. (A little overhead,<=
br>
&gt;=C2=A0 =C2=A0but otherwise no semantics change.)<br>
&gt; <br>
&gt; rick<br>
<br>
<br>
-- <br>
Tomoaki AOKI=C2=A0 =C2=A0 &lt;<a href=3D"mailto:junchoon@dec.sakura.ne.jp" =
target=3D"_blank">junchoon@dec.sakura.ne.jp</a>&gt;<br>
<br>
</blockquote></div>

--00000000000098712405eff85bb9--