From: Conrad Meyer
Date: Tue, 2 Jul 2019 08:34:32 +0200
Subject: Re: svn commit: r349589 - in head: sbin/mount sys/sys sys/ufs/ffs
To: Kirk McKusick
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org

Hi,

Maybe the sense of the flag should be reversed? I.e., add a “trusted” flag and default to untrusted. I have two reasons in mind. The first is that a new default-off option is easy to forget, and a missed security feature may be worse than a missed mount-time performance enhancement. The second is just the basic idea of preferring to avoid double negatives in flag names.

Thanks,
Conrad

On Tue, Jul 2, 2019 at 04:21 Kirk McKusick wrote:
> Author: mckusick
> Date: Mon Jul 1 23:22:26 2019
> New Revision: 349589
> URL: https://svnweb.freebsd.org/changeset/base/349589
>
> Log:
> Add a new "untrusted" option to the mount command. Its purpose
> is to notify the kernel that the file system is untrusted and it
> should use more extensive checks on the file-system's metadata
> before using it. This option is intended to be used when mounting
> file systems from untrusted media such as USB memory sticks or other
> externally-provided media.
> > It will initially be used by the UFS/FFS file system, but should > likely be expanded to be used by other file systems that may appear > on external media like msdosfs, exfat, and ext2fs. > > Reviewed by: kib > Sponsored by: Netflix > Differential Revision: https://reviews.freebsd.org/D20786 > > Modified: > head/sbin/mount/mntopts.h > head/sbin/mount/mount.8 > head/sbin/mount/mount.c > head/sys/sys/mount.h > head/sys/ufs/ffs/ffs_vfsops.c > > Modified: head/sbin/mount/mntopts.h > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sbin/mount/mntopts.h Mon Jul 1 22:11:56 2019 (r349588) > +++ head/sbin/mount/mntopts.h Mon Jul 1 23:22:26 2019 (r349589) > @@ -58,6 +58,7 @@ struct mntopt { > #define MOPT_ACLS { "acls", 0, MNT_ACLS, 0 } > #define MOPT_NFS4ACLS { "nfsv4acls", 0, MNT_NFS4ACLS, 0 } > #define MOPT_AUTOMOUNTED { "automounted",0, MNT_AUTOMOUNTED, 0 } > +#define MOPT_UNTRUSTED { "untrusted", 0, MNT_UNTRUSTED, 0 } > > /* Control flags. */ > #define MOPT_FORCE { "force", 0, MNT_FORCE, 0 } > @@ -93,7 +94,8 @@ struct mntopt { > MOPT_MULTILABEL, \ > MOPT_ACLS, \ > MOPT_NFS4ACLS, \ > - MOPT_AUTOMOUNTED > + MOPT_AUTOMOUNTED, \ > + MOPT_UNTRUSTED > > void getmntopts(const char *, const struct mntopt *, int *, int *); > void rmslashes(char *, char *); > > Modified: head/sbin/mount/mount.8 > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sbin/mount/mount.8 Mon Jul 1 22:11:56 2019 (r349588) > +++ head/sbin/mount/mount.8 Mon Jul 1 23:22:26 2019 (r349589) 
> @@ -355,6 +355,12 @@ Lookups will be done in the mounted file system firs= t. > If those operations fail due to a non-existent file the underlying > directory is then accessed. > All creates are done in the mounted file system. > +.It Cm untrusted > +The file system is untrusted and the kernel should use more > +extensive checks on the file-system's metadata before using it. > +This option is intended to be used when mounting file systems > +from untrusted media such as USB memory sticks or other > +externally-provided media. > .El > .Pp > Any additional options specific to a file system type that is not > > Modified: head/sbin/mount/mount.c > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sbin/mount/mount.c Mon Jul 1 22:11:56 2019 (r349588) > +++ head/sbin/mount/mount.c Mon Jul 1 23:22:26 2019 (r349589) > @@ -118,6 +118,7 @@ static struct opt { > { MNT_GJOURNAL, "gjournal" }, > { MNT_AUTOMOUNTED, "automounted" }, > { MNT_VERIFIED, "verified" }, > + { MNT_UNTRUSTED, "untrusted" }, > { 0, NULL } > }; > > @@ -972,6 +973,7 @@ flags2opts(int flags) > if (flags & MNT_MULTILABEL) res =3D catopt(res, "multilabel")= ; > if (flags & MNT_ACLS) res =3D catopt(res, "acls"); > if (flags & MNT_NFS4ACLS) res =3D catopt(res, "nfsv4acls"); > + if (flags & MNT_UNTRUSTED) res =3D catopt(res, "untrusted"); > > return (res); > } > > Modified: head/sys/sys/mount.h > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/sys/mount.h Mon Jul 1 22:11:56 2019 (r349588) > +++ head/sys/sys/mount.h Mon Jul 1 23:22:26 2019 (r349589) 
> @@ -296,6 +296,7 @@ void __mnt_vnode_markerfree_active(struct vn= o > #define MNT_NOCLUSTERW 0x0000000080000000ULL /* disable cluster > write */ > #define MNT_SUJ 0x0000000100000000ULL /* using journaled > soft updates */ > #define MNT_AUTOMOUNTED 0x0000000200000000ULL /* mounted by > automountd(8) */ > +#define MNT_UNTRUSTED 0x0000000800000000ULL /* filesys metadata > untrusted */ > > /* > * NFS export related mount flags. > @@ -333,7 +334,8 @@ void __mnt_vnode_markerfree_active(struct vn= o > MNT_NOCLUSTERW | MNT_SUIDDIR | MNT_SOFTDEP |= \ > MNT_IGNORE | MNT_EXPUBLIC | MNT_NOSYMFOLLOW > | \ > MNT_GJOURNAL | MNT_MULTILABEL | MNT_ACLS |= \ > - MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED) > + MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED = | > \ > + MNT_UNTRUSTED) > > /* Mask of flags that can be updated. */ > #define MNT_UPDATEMASK (MNT_NOSUID | MNT_NOEXEC | \ > @@ -342,7 +344,7 @@ void __mnt_vnode_markerfree_active(struct vn= o > MNT_NOSYMFOLLOW | MNT_IGNORE | \ > MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR |= \ > MNT_ACLS | MNT_USER | MNT_NFS4ACLS |= \ > - MNT_AUTOMOUNTED) > + MNT_AUTOMOUNTED | MNT_UNTRUSTED) > > /* > * External filesystem command modifier flags. > > Modified: head/sys/ufs/ffs/ffs_vfsops.c > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 22:11:56 2019 > (r349588) > +++ head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 23:22:26 2019 > (r349589) 
> @@ -145,7 +145,7 @@ static struct buf_ops ffs_ops =3D { > static const char *ffs_opts[] =3D { "acls", "async", "noatime", > "noclusterr", > "noclusterw", "noexec", "export", "force", "from", "groupquota", > "multilabel", "nfsv4acls", "fsckpid", "snapshot", "nosuid", "suiddir= ", > - "nosymfollow", "sync", "union", "userquota", NULL }; > + "nosymfollow", "sync", "union", "userquota", "untrusted", NULL }; > > static int > ffs_mount(struct mount *mp) > @@ -184,6 +184,9 @@ ffs_mount(struct mount *mp) > return (error); > > mntorflags =3D 0; > + if (vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL) =3D=3D 0) > + mntorflags |=3D MNT_UNTRUSTED; > + > if (vfs_getopt(mp->mnt_optnew, "acls", NULL, NULL) =3D=3D 0) > mntorflags |=3D MNT_ACLS; > > >
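Review bot: in the ffs_mount hunk, the new `vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL)` check only records MNT_UNTRUSTED in mntorflags; nothing else in this diff reads the flag, so the "more extensive checks on the file-system's metadata" promised by the log and by the new mount.8 text do not yet exist for UFS/FFS. Suggest either landing the consumers of the flag together with the option, or stating in the log and the man page that this revision adds only the option plumbing, so that users do not assume `-o untrusted` already hardens metadata parsing.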
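Review bot: in the MNT_UPDATEMASK hunk of sys/sys/mount.h, adding MNT_UNTRUSTED to the "Mask of flags that can be updated" makes the trust setting changeable by a later `mount -u` (the flags2opts hunk in mount.c correspondingly carries the current setting across an update). mount.8 should say whether the stricter checking of a file system mounted untrusted can be switched off on update, and what that means for metadata that was already read and cached before the update.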
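Review bot: the mount.8 hunk describes the option only in general terms and does not say which file systems honor it; the log says it is initially UFS/FFS only, and ffs_opts is the only file-system option table touched here. Suggest adding a sentence such as "Currently only the UFS/FFS file system acts on this option", so a user mounting msdosfs, exfat or ext2fs media with `-o untrusted` does not expect extra checking that is not performed.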