svn commit: r349589 - in head: sbin/mount sys/sys sys/ufs/ffs

Conrad Meyer cem at freebsd.org
Tue Jul 2 06:34:51 UTC 2019 

Hi,

Maybe the sense of the flag should be reversed? Ie, add a “trusted” flag
and default to untrusted.

I have two reasons in mind. The first is that a new default-off option is
easy to forget, and a missed security feature may be worse than a missed
mount-time performance enhancement.

The second is just the basic idea of preferring  to avoid double negatives
in flag names.

Thanks,
Conrad

On Tue, Jul 2, 2019 at 04:21 Kirk McKusick <mckusick at freebsd.org> wrote:

> Author: mckusick
> Date: Mon Jul  1 23:22:26 2019
> New Revision: 349589
> URL: https://svnweb.freebsd.org/changeset/base/349589
>
> Log:
>   Add a new "untrusted" option to the mount command. Its purpose
>   is to notify the kernel that the file system is untrusted and it
>   should use more extensive checks on the file-system's metadata
>   before using it. This option is intended to be used when mounting
>   file systems from untrusted media such as USB memory sticks or other
>   externally-provided media.
>
>   It will initially be used by the UFS/FFS file system, but should
>   likely be expanded to be used by other file systems that may appear
>   on external media like msdosfs, exfat, and ext2fs.
>
>   Reviewed by:  kib
>   Sponsored by: Netflix
>   Differential Revision: https://reviews.freebsd.org/D20786
>
> Modified:
>   head/sbin/mount/mntopts.h
>   head/sbin/mount/mount.8
>   head/sbin/mount/mount.c
>   head/sys/sys/mount.h
>   head/sys/ufs/ffs/ffs_vfsops.c
>
> Modified: head/sbin/mount/mntopts.h
>
> ==============================================================================
> --- head/sbin/mount/mntopts.h   Mon Jul  1 22:11:56 2019        (r349588)
> +++ head/sbin/mount/mntopts.h   Mon Jul  1 23:22:26 2019        (r349589)
> @@ -58,6 +58,7 @@ struct mntopt {
>  #define MOPT_ACLS              { "acls",       0, MNT_ACLS, 0 }
>  #define MOPT_NFS4ACLS          { "nfsv4acls",  0, MNT_NFS4ACLS, 0 }
>  #define MOPT_AUTOMOUNTED       { "automounted",0, MNT_AUTOMOUNTED, 0 }
> +#define MOPT_UNTRUSTED         { "untrusted",  0, MNT_UNTRUSTED, 0 }
>
>  /* Control flags. */
>  #define MOPT_FORCE             { "force",      0, MNT_FORCE, 0 }
> @@ -93,7 +94,8 @@ struct mntopt {
>         MOPT_MULTILABEL,                                                \
>         MOPT_ACLS,                                                      \
>         MOPT_NFS4ACLS,                                                  \
> -       MOPT_AUTOMOUNTED
> +       MOPT_AUTOMOUNTED,                                               \
> +       MOPT_UNTRUSTED
>
>  void getmntopts(const char *, const struct mntopt *, int *, int *);
>  void rmslashes(char *, char *);
>
> Modified: head/sbin/mount/mount.8
>
> ==============================================================================
> --- head/sbin/mount/mount.8     Mon Jul  1 22:11:56 2019        (r349588)
> +++ head/sbin/mount/mount.8     Mon Jul  1 23:22:26 2019        (r349589)
> @@ -355,6 +355,12 @@ Lookups will be done in the mounted file system first.
>  If those operations fail due to a non-existent file the underlying
>  directory is then accessed.
>  All creates are done in the mounted file system.
> +.It Cm untrusted
> +The file system is untrusted and the kernel should use more
> +extensive checks on the file-system's metadata before using it.
> +This option is intended to be used when mounting file systems
> +from untrusted media such as USB memory sticks or other
> +externally-provided media.
>  .El
>  .Pp
>  Any additional options specific to a file system type that is not
>
> Modified: head/sbin/mount/mount.c
>
> ==============================================================================
> --- head/sbin/mount/mount.c     Mon Jul  1 22:11:56 2019        (r349588)
> +++ head/sbin/mount/mount.c     Mon Jul  1 23:22:26 2019        (r349589)
> @@ -118,6 +118,7 @@ static struct opt {
>         { MNT_GJOURNAL,         "gjournal" },
>         { MNT_AUTOMOUNTED,      "automounted" },
>         { MNT_VERIFIED,         "verified" },
> +       { MNT_UNTRUSTED,        "untrusted" },
>         { 0, NULL }
>  };
>
> @@ -972,6 +973,7 @@ flags2opts(int flags)
>         if (flags & MNT_MULTILABEL)     res = catopt(res, "multilabel");
>         if (flags & MNT_ACLS)           res = catopt(res, "acls");
>         if (flags & MNT_NFS4ACLS)       res = catopt(res, "nfsv4acls");
> +       if (flags & MNT_UNTRUSTED)      res = catopt(res, "untrusted");
>
>         return (res);
>  }
>
> Modified: head/sys/sys/mount.h
>
> ==============================================================================
> --- head/sys/sys/mount.h        Mon Jul  1 22:11:56 2019        (r349588)
> +++ head/sys/sys/mount.h        Mon Jul  1 23:22:26 2019        (r349589)
> @@ -296,6 +296,7 @@ void          __mnt_vnode_markerfree_active(struct vno
>  #define        MNT_NOCLUSTERW  0x0000000080000000ULL /* disable cluster
> write */
>  #define        MNT_SUJ         0x0000000100000000ULL /* using journaled
> soft updates */
>  #define        MNT_AUTOMOUNTED 0x0000000200000000ULL /* mounted by
> automountd(8) */
> +#define        MNT_UNTRUSTED   0x0000000800000000ULL /* filesys metadata
> untrusted */
>
>  /*
>   * NFS export related mount flags.
> @@ -333,7 +334,8 @@ void          __mnt_vnode_markerfree_active(struct vno
>                         MNT_NOCLUSTERW  | MNT_SUIDDIR   | MNT_SOFTDEP   | \
>                         MNT_IGNORE      | MNT_EXPUBLIC  | MNT_NOSYMFOLLOW
> | \
>                         MNT_GJOURNAL    | MNT_MULTILABEL | MNT_ACLS     | \
> -                       MNT_NFS4ACLS    | MNT_AUTOMOUNTED | MNT_VERIFIED)
> +                       MNT_NFS4ACLS    | MNT_AUTOMOUNTED | MNT_VERIFIED |
> \
> +                       MNT_UNTRUSTED)
>
>  /* Mask of flags that can be updated. */
>  #define        MNT_UPDATEMASK (MNT_NOSUID      | MNT_NOEXEC    | \
> @@ -342,7 +344,7 @@ void          __mnt_vnode_markerfree_active(struct vno
>                         MNT_NOSYMFOLLOW | MNT_IGNORE    | \
>                         MNT_NOCLUSTERR  | MNT_NOCLUSTERW | MNT_SUIDDIR  | \
>                         MNT_ACLS        | MNT_USER      | MNT_NFS4ACLS  | \
> -                       MNT_AUTOMOUNTED)
> +                       MNT_AUTOMOUNTED | MNT_UNTRUSTED)
>
>  /*
>   * External filesystem command modifier flags.
>
> Modified: head/sys/ufs/ffs/ffs_vfsops.c
>
> ==============================================================================
> --- head/sys/ufs/ffs/ffs_vfsops.c       Mon Jul  1 22:11:56 2019
> (r349588)
> +++ head/sys/ufs/ffs/ffs_vfsops.c       Mon Jul  1 23:22:26 2019
> (r349589)
> @@ -145,7 +145,7 @@ static struct buf_ops ffs_ops = {
>  static const char *ffs_opts[] = { "acls", "async", "noatime",
> "noclusterr",
>      "noclusterw", "noexec", "export", "force", "from", "groupquota",
>      "multilabel", "nfsv4acls", "fsckpid", "snapshot", "nosuid", "suiddir",
> -    "nosymfollow", "sync", "union", "userquota", NULL };
> +    "nosymfollow", "sync", "union", "userquota", "untrusted", NULL };
>
>  static int
>  ffs_mount(struct mount *mp)
> @@ -184,6 +184,9 @@ ffs_mount(struct mount *mp)
>                 return (error);
>
>         mntorflags = 0;
> +       if (vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL) == 0)
> +               mntorflags |= MNT_UNTRUSTED;
> +
>         if (vfs_getopt(mp->mnt_optnew, "acls", NULL, NULL) == 0)
>                 mntorflags |= MNT_ACLS;
>
>
>

More information about the svn-src-all mailing list