Date: Sat, 20 Jan 2024 16:47:47 +0100
From: Marek Zarychta
To: Rick Macklem
Cc: freeBSd-stable@freebsd.org
Subject: Re: mounting NFS share from the jail
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Sat, Jan 20, 2024 at 07:09:40AM -0800, Rick Macklem wrote:
> On Sat, Jan 20, 2024 at 6:48 AM Marek Zarychta wrote:
> >
> > Dear List,
> >
> > there were some efforts to allow running nfsd(8) inside the jail, but is
> > mounting an NFS share from the jail allowed? Inside the jail
> > "security.jail.mount_allowed" is set to 1, I also added "add path net
> > unhide" to the ruleset in devfs.rules but when trying to mount the NFS
> > share I get only the error:
> >
> > mount_nfs: nmount: /usr/src: Operation not permitted
> >
> > It's not a big deal, the shares can be mounted from the jail host, but I
> > am surprised that one can run NFSD inside the jail while mounting NFS
> > shares is still denied.
> >
> > Am I missing anything or is mounting NFS from inside the jail still
> > unsupported? The tests were done on the recent stable/14 from the vnet
> > jail. Any clues will be appreciated.
> You are correct. Mounting from inside a jail is not supported.
> After doing the vnet conversion for nfsd, I tried doing it for the NFS client.
> There were a moderate # of global variables that needed to be vnet'd,
> which I did. The hard/messy part was having the threads (anything that
> calls an NFS VFS/VOP call) set to the proper vnet.
> It would have required a massive # of CURVNET_SET()/CURVNET_RESTORE()
> macros and I decided that it was just too messy.
>
> If it becomes a necessary feature, it is ugly but doable.
>

Thank you for the clarification and for giving some insight into the problem.

Marek Zarychta

> rick
> >
> > Cheers
> >
> > --
> > Marek Zarychta
> >