Author: mckusick Date: Mon Jul 1 23:22:26 2019 New Revision: 349589 URL: https://svnweb.freebsd.org/changeset/base/349589
Log: Add a new "untrusted" option to the mount command. Its purpose is to notify the kernel that the file system is untrusted and it should use more extensive checks on the file-system's metadata before using it. This option is intended to be used when mounting file systems from untrusted media such as USB memory sticks or other externally-provided media. It will initially be used by the UFS/FFS file system, but should likely be expanded to be used by other file systems that may appear on external media like msdosfs, exfat, and ext2fs. Reviewed by: kib Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D20786 Modified: head/sbin/mount/mntopts.h head/sbin/mount/mount.8 head/sbin/mount/mount.c head/sys/sys/mount.h head/sys/ufs/ffs/ffs_vfsops.c Modified: head/sbin/mount/mntopts.h ============================================================================== --- head/sbin/mount/mntopts.h Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mntopts.h Mon Jul 1 23:22:26 2019 (r349589) @@ -58,6 +58,7 @@ struct mntopt { #define MOPT_ACLS { "acls", 0, MNT_ACLS, 0 } #define MOPT_NFS4ACLS { "nfsv4acls", 0, MNT_NFS4ACLS, 0 } #define MOPT_AUTOMOUNTED { "automounted",0, MNT_AUTOMOUNTED, 0 } +#define MOPT_UNTRUSTED { "untrusted", 0, MNT_UNTRUSTED, 0 } /* Control flags. */ #define MOPT_FORCE { "force", 0, MNT_FORCE, 0 } @@ -93,7 +94,8 @@ struct mntopt { MOPT_MULTILABEL, \ MOPT_ACLS, \ MOPT_NFS4ACLS, \ - MOPT_AUTOMOUNTED + MOPT_AUTOMOUNTED, \ + MOPT_UNTRUSTED void getmntopts(const char *, const struct mntopt *, int *, int *); void rmslashes(char *, char *); Modified: head/sbin/mount/mount.8 ============================================================================== --- head/sbin/mount/mount.8 Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mount.8 Mon Jul 1 23:22:26 2019 (r349589) @@ -355,6 +355,12 @@ Lookups will be done in the mounted file system first. If those operations fail due to a non-existent file the underlying directory is then accessed. All creates are done in the mounted file system. +.It Cm untrusted +The file system is untrusted and the kernel should use more +extensive checks on the file-system's metadata before using it. +This option is intended to be used when mounting file systems +from untrusted media such as USB memory sticks or other +externally-provided media. .El .Pp Any additional options specific to a file system type that is not Modified: head/sbin/mount/mount.c ============================================================================== --- head/sbin/mount/mount.c Mon Jul 1 22:11:56 2019 (r349588) +++ head/sbin/mount/mount.c Mon Jul 1 23:22:26 2019 (r349589) @@ -118,6 +118,7 @@ static struct opt { { MNT_GJOURNAL, "gjournal" }, { MNT_AUTOMOUNTED, "automounted" }, { MNT_VERIFIED, "verified" }, + { MNT_UNTRUSTED, "untrusted" }, { 0, NULL } }; @@ -972,6 +973,7 @@ flags2opts(int flags) if (flags & MNT_MULTILABEL) res = catopt(res, "multilabel"); if (flags & MNT_ACLS) res = catopt(res, "acls"); if (flags & MNT_NFS4ACLS) res = catopt(res, "nfsv4acls"); + if (flags & MNT_UNTRUSTED) res = catopt(res, "untrusted"); return (res); } Modified: head/sys/sys/mount.h ============================================================================== --- head/sys/sys/mount.h Mon Jul 1 22:11:56 2019 (r349588) +++ head/sys/sys/mount.h Mon Jul 1 23:22:26 2019 (r349589) @@ -296,6 +296,7 @@ void __mnt_vnode_markerfree_active(struct vno #define MNT_NOCLUSTERW 0x0000000080000000ULL /* disable cluster write */ #define MNT_SUJ 0x0000000100000000ULL /* using journaled soft updates */ #define MNT_AUTOMOUNTED 0x0000000200000000ULL /* mounted by automountd(8) */ +#define MNT_UNTRUSTED 0x0000000800000000ULL /* filesys metadata untrusted */ /* * NFS export related mount flags. @@ -333,7 +334,8 @@ void __mnt_vnode_markerfree_active(struct vno MNT_NOCLUSTERW | MNT_SUIDDIR | MNT_SOFTDEP | \ MNT_IGNORE | MNT_EXPUBLIC | MNT_NOSYMFOLLOW | \ MNT_GJOURNAL | MNT_MULTILABEL | MNT_ACLS | \ - MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED) + MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED | \ + MNT_UNTRUSTED) /* Mask of flags that can be updated. */ #define MNT_UPDATEMASK (MNT_NOSUID | MNT_NOEXEC | \ @@ -342,7 +344,7 @@ void __mnt_vnode_markerfree_active(struct vno MNT_NOSYMFOLLOW | MNT_IGNORE | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ MNT_ACLS | MNT_USER | MNT_NFS4ACLS | \ - MNT_AUTOMOUNTED) + MNT_AUTOMOUNTED | MNT_UNTRUSTED) /* * External filesystem command modifier flags. Modified: head/sys/ufs/ffs/ffs_vfsops.c ============================================================================== --- head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 22:11:56 2019 (r349588) +++ head/sys/ufs/ffs/ffs_vfsops.c Mon Jul 1 23:22:26 2019 (r349589) @@ -145,7 +145,7 @@ static struct buf_ops ffs_ops = { static const char *ffs_opts[] = { "acls", "async", "noatime", "noclusterr", "noclusterw", "noexec", "export", "force", "from", "groupquota", "multilabel", "nfsv4acls", "fsckpid", "snapshot", "nosuid", "suiddir", - "nosymfollow", "sync", "union", "userquota", NULL }; + "nosymfollow", "sync", "union", "userquota", "untrusted", NULL }; static int ffs_mount(struct mount *mp) @@ -184,6 +184,9 @@ ffs_mount(struct mount *mp) return (error); mntorflags = 0; + if (vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL) == 0) + mntorflags |= MNT_UNTRUSTED; + if (vfs_getopt(mp->mnt_optnew, "acls", NULL, NULL) == 0) mntorflags |= MNT_ACLS; _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
