From nobody Wed Dec 14 17:14:31 2022
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NXMRk3DDfz4k5wn
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Wed, 14 Dec 2022 17:14:42 +0000 (UTC)
	(envelope-from junchoon@dec.sakura.ne.jp)
Received: from www121.sakura.ne.jp (www121.sakura.ne.jp [153.125.133.21])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NXMRh71Czz3QCq
	for <freebsd-current@freebsd.org>; Wed, 14 Dec 2022 17:14:40 +0000 (UTC)
	(envelope-from junchoon@dec.sakura.ne.jp)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=none (mx1.freebsd.org: domain of junchoon@dec.sakura.ne.jp has no SPF policy when checking 153.125.133.21) smtp.mailfrom=junchoon@dec.sakura.ne.jp;
	dmarc=none
Received: from kalamity.joker.local (123-1-88-210.area1b.commufa.jp [123.1.88.210])
	(authenticated bits=0)
	by www121.sakura.ne.jp (8.16.1/8.16.1/[SAKURA-WEB]/20201212) with ESMTPA id 2BEHEVaD014329
	for <freebsd-current@freebsd.org>; Thu, 15 Dec 2022 02:14:31 +0900 (JST)
	(envelope-from junchoon@dec.sakura.ne.jp)
Date: Thu, 15 Dec 2022 02:14:31 +0900
From: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
To: freebsd-current@freebsd.org
Subject: Re: What to do about a few lines in vfs_domount() never executed?
Message-Id: <20221215021431.d190e55ee911f5e94799f953@dec.sakura.ne.jp>
In-Reply-To: <CAM5tNy7DM__tj4CQ0L_-ugo5krmEvLJgbU-WFLs47MrRBuGaNQ@mail.gmail.com>
References: <CAM5tNy7DM__tj4CQ0L_-ugo5krmEvLJgbU-WFLs47MrRBuGaNQ@mail.gmail.com>
Organization: Junchoon corps
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd13.0)
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spamd-Result: default: False [-0.35 / 15.00];
	SUBJECT_ENDS_QUESTION(1.00)[];
	AUTH_NA(1.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	NEURAL_HAM_LONG(-0.75)[-0.752];
	MV_CASE(0.50)[];
	MIME_GOOD(-0.10)[text/plain];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+];
	R_DKIM_NA(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	R_SPF_NA(0.00)[no SPF record];
	ASN(0.00)[asn:7684, ipnet:153.125.128.0/18, country:JP];
	RCVD_TLS_LAST(0.00)[];
	DMARC_NA(0.00)[sakura.ne.jp];
	HAS_ORG_HEADER(0.00)[];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_NONE(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org];
	RCPT_COUNT_ONE(0.00)[1];
	RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Queue-Id: 4NXMRh71Czz3QCq
X-Spamd-Bar: /
X-ThisMailContainsUnwantedMimeParts: N

Tracking the commits, it was originally introduced to
sys/kern/vfs_syscalls.c at r22521 [1][2] (Mon Feb 10 02:22:35 1997 by
dyson, submitted by hsu@freebsd.org) and later centralized into
sys/kern/vfs_mount.c at r99264 [2].

But according to the comment above the codes, maybe it would be
intended to block userland programs or ports FS modules setting 
MNT_EXPORTED.

If I'm not mis-understanding, it can be the case when
 *vfs.usermount sysctl is non-zero,
 *underlying FS (to be exported) allows it, and
 *non-root user tries to mount the FS via NFS.


[1]
https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?revision=22521&view=markup&pathrev=99264

[2]
https://svnweb.freebsd.org/base/head/sys/kern/vfs_syscalls.c?r1=22520&r2=22521&pathrev=99264&

[3]
https://cgit.freebsd.org/src/commit/sys/kern/vfs_mount.c?id=2b4edb69f1ef62fc38b02ac22b0a3ac09e43fa77


On Tue, 13 Dec 2022 14:19:39 -0800
Rick Macklem <rick.macklem@gmail.com> wrote:

> Hi,
> 
> While working on getting mountd/nfsd to run in a vnet
> prison, I came across the following lines near the
> beginning of vfs_domount() in sys/kern/vfs_mount.c:
> 
> if (fsflags & MNT_EXPORTED) {
>      error = priv_check(td, PRIV_VFS_MOUNT_EXPORTED);
>      if (error)
>            return (error);
> }
> 
> #1 - Since MNT_EXPORTED is never set in fsflags, this code never
>      gets executed.
>      --> I am asking what to do with the above code, since that
>          changes for the patch that allows mountd to run in a vnet
>          prison.
> #2 - priv_check(td, PRIV_VFS_MOUNT_EXPORTED) always returns 0
>      because nothing in sys/kern/kern_priv.c checks
>      PRIV_VFS_MOUNT_EXPORTED.
> 
> I don't know what the original author's thinking was w.r.t. this.
> Setting exports already checks that the mount operation can be
> done by the requestor.
> 
> So, what do you think should be done with the above code snippet?
> - Consider it cruft and delete it.
> - Try and figure out what PRIV_VFS_MOUNT_EXPORTED should check?
> - Leave it as is. After the patch that allows mountd to run in
>   a vnet prison, MNT_EXPORTED will be set in fsflags, but the
>   priv_check() call will just return 0. (A little overhead,
>   but otherwise no semantics change.)
> 
> rick


-- 
Tomoaki AOKI    <junchoon@dec.sakura.ne.jp>