From owner-svn-src-head@freebsd.org Tue Jul 2 02:15:22 2019 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (unknown [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5C9B715E61BE; Tue, 2 Jul 2019 02:15:22 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 627DB682C0; Mon, 1 Jul 2019 23:22:28 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 22C441BF3A; Mon, 1 Jul 2019 23:22:28 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x61NMSD3078272; Mon, 1 Jul 2019 23:22:28 GMT (envelope-from mckusick@FreeBSD.org) Received: (from mckusick@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x61NMRGS078268; Mon, 1 Jul 2019 23:22:27 GMT (envelope-from mckusick@FreeBSD.org) Message-Id: <201907012322.x61NMRGS078268@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mckusick set sender to mckusick@FreeBSD.org using -f From: Kirk McKusick Date: Mon, 1 Jul 2019 23:22:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r349589 - in head: sbin/mount sys/sys sys/ufs/ffs X-SVN-Group: head X-SVN-Commit-Author: mckusick X-SVN-Commit-Paths: in head: sbin/mount sys/sys sys/ufs/ffs X-SVN-Commit-Revision: 349589 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 627DB682C0 X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.96)[-0.964,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jul 2019 02:15:22 -0000 Author: mckusick Date: Mon Jul 1 23:22:26 2019 New Revision: 349589 URL: https://svnweb.freebsd.org/changeset/base/349589 Log: Add a new "untrusted" option to the mount command. Its purpose is to notify the kernel that the file system is untrusted and it should use more extensive checks on the file-system's metadata before using it. This option is intended to be used when mounting file systems from untrusted media such as USB memory sticks or other externally-provided media. It will initially be used by the UFS/FFS file system, but should likely be expanded to be used by other file systems that may appear on external media like msdosfs, exfat, and ext2fs. Reviewed by: kib Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D20786 Modified: head/sbin/mount/mntopts.h head/sbin/mount/mount.8 head/sbin/mount/mount.c head/sys/sys/mount.h head/sys/ufs/ffs/ffs_vfsops.c Modified: head/sbin/mount/mntopts.h ============================================================================== --- head/sbin/mount/mntopts.h Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mntopts.h Mon Jul 1 23:22:26 2019 (r349589) @@ -58,6 +58,7 @@ struct mntopt { #define MOPT_ACLS { "acls", 0, MNT_ACLS, 0 } #define MOPT_NFS4ACLS { "nfsv4acls", 0, MNT_NFS4ACLS, 0 } #define MOPT_AUTOMOUNTED { "automounted",0, MNT_AUTOMOUNTED, 0 } +#define MOPT_UNTRUSTED { "untrusted", 0, MNT_UNTRUSTED, 0 } /* Control flags. */ #define MOPT_FORCE { "force", 0, MNT_FORCE, 0 } @@ -93,7 +94,8 @@ struct mntopt { MOPT_MULTILABEL, \ MOPT_ACLS, \ MOPT_NFS4ACLS, \ - MOPT_AUTOMOUNTED + MOPT_AUTOMOUNTED, \ + MOPT_UNTRUSTED void getmntopts(const char *, const struct mntopt *, int *, int *); void rmslashes(char *, char *); Modified: head/sbin/mount/mount.8 ============================================================================== --- head/sbin/mount/mount.8 Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mount.8 Mon Jul 1 23:22:26 2019 (r349589) @@ -355,6 +355,12 @@ Lookups will be done in the mounted file system first. If those operations fail due to a non-existent file the underlying directory is then accessed. All creates are done in the mounted file system. +.It Cm untrusted +The file system is untrusted and the kernel should use more +extensive checks on the file-system's metadata before using it. +This option is intended to be used when mounting file systems +from untrusted media such as USB memory sticks or other +externally-provided media. .El .Pp Any additional options specific to a file system type that is not Modified: head/sbin/mount/mount.c ============================================================================== --- head/sbin/mount/mount.c Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mount.c Mon Jul 1 23:22:26 2019 (r349589) @@ -118,6 +118,7 @@ static struct opt { { MNT_GJOURNAL, "gjournal" }, { MNT_AUTOMOUNTED, "automounted" }, { MNT_VERIFIED, "verified" }, + { MNT_UNTRUSTED, "untrusted" }, { 0, NULL } }; @@ -972,6 +973,7 @@ flags2opts(int flags) if (flags & MNT_MULTILABEL) res = catopt(res, "multilabel"); if (flags & MNT_ACLS) res = catopt(res, "acls"); if (flags & MNT_NFS4ACLS) res = catopt(res, "nfsv4acls"); + if (flags & MNT_UNTRUSTED) res = catopt(res, "untrusted"); return (res); } Modified: head/sys/sys/mount.h ============================================================================== --- head/sys/sys/mount.h Mon Jul 1 22:11:56 2019 (r349588) +++ head/sys/sys/mount.h Mon Jul 1 23:22:26 2019 (r349589) @@ -296,6 +296,7 @@ void __mnt_vnode_markerfree_active(struct vno #define MNT_NOCLUSTERW 0x0000000080000000ULL /* disable cluster write */ #define MNT_SUJ 0x0000000100000000ULL /* using journaled soft updates */ #define MNT_AUTOMOUNTED 0x0000000200000000ULL /* mounted by automountd(8) */ +#define MNT_UNTRUSTED 0x0000000800000000ULL /* filesys metadata untrusted */ /* * NFS export related mount flags. @@ -333,7 +334,8 @@ void __mnt_vnode_markerfree_active(struct vno MNT_NOCLUSTERW | MNT_SUIDDIR | MNT_SOFTDEP | \ MNT_IGNORE | MNT_EXPUBLIC | MNT_NOSYMFOLLOW | \ MNT_GJOURNAL | MNT_MULTILABEL | MNT_ACLS | \ - MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED) + MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED | \ + MNT_UNTRUSTED) /* Mask of flags that can be updated. */ #define MNT_UPDATEMASK (MNT_NOSUID | MNT_NOEXEC | \ @@ -342,7 +344,7 @@ void __mnt_vnode_markerfree_active(struct vno MNT_NOSYMFOLLOW | MNT_IGNORE | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ MNT_ACLS | MNT_USER | MNT_NFS4ACLS | \ - MNT_AUTOMOUNTED) + MNT_AUTOMOUNTED | MNT_UNTRUSTED) /* * External filesystem command modifier flags. Modified: head/sys/ufs/ffs/ffs_vfsops.c ============================================================================== --- head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 22:11:56 2019 (r349588) +++ head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 23:22:26 2019 (r349589) @@ -145,7 +145,7 @@ static struct buf_ops ffs_ops = { static const char *ffs_opts[] = { "acls", "async", "noatime", "noclusterr", "noclusterw", "noexec", "export", "force", "from", "groupquota", "multilabel", "nfsv4acls", "fsckpid", "snapshot", "nosuid", "suiddir", - "nosymfollow", "sync", "union", "userquota", NULL }; + "nosymfollow", "sync", "union", "userquota", "untrusted", NULL }; static int ffs_mount(struct mount *mp) @@ -184,6 +184,9 @@ ffs_mount(struct mount *mp) return (error); mntorflags = 0; + if (vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL) == 0) + mntorflags |= MNT_UNTRUSTED; + if (vfs_getopt(mp->mnt_optnew, "acls", NULL, NULL) == 0) mntorflags |= MNT_ACLS;