Darren J Moffat wrote:
>
> Zones do not support lofi(7d). This case doesn't change that.
>
Is there any fundamental reason why zones can't support lofi at some
point in the future. I can see this being useful to zone administrators
(though presumably they would only be able to lofi mount portions of the
filesystem they could already access.)
>
> 3. VFS interface
>
> This feature requires explicit filesystem support in the relevant
> VFS_MOUNT() routine.
>
> In particular, a filesystem can call the following helper:
>
> int vfs_get_lofi(vfs_t *, vnode_t **);
>
> This returns the vnode for a lofi minor node corresponding to the
> mounted file. A filesystem would then use this vnode as the device
> to actually mount.
>
> For this to work, such a filesystem needs to skip the block device
> security check for the lofi node, as it could fail. However, the
> VOP_ACCESS() check on the mount source (which is a file for the lofi
> case) is still needed to ensure that the mount is secure.
>
> For example, a process with PRIV_SYS_MOUNT and
> PRIV_FILE_DAC_READ/WRITE would fail an explicit check to open the
> lofi node, but succeed in the mount source check (unless the file is
> root-owned, preserving standard semantics for least privilege).
>
> Currently, filesystem support exists for ufs, pcfs, hsfs, and udfs.
> ZFS support is unlikely to happen as it doesn't support traditional
> mounting in this manner.
>
Hmmm... I didn't realize that ZFS doesn't support lofi. That seems like
a fairly severe shortcoming, particularly given the push towards ZFS
root. (On a system with ZFS root, its likely there won't be *any* ufs,
etc. filesystems.)
Are there any plans afoot that you're aware of to address this shortcoming?
-- Garrett
