Page MenuHomeFreeBSD

Apply default security policy in vfs_export
ClosedPublic

Authored by freqlabs on Jun 16 2020, 8:56 PM.
Tags
None
Referenced Files
F101965701: D25300.diff
Tue, Nov 5, 9:44 PM
Unknown Object (File)
Mon, Oct 28, 11:30 AM
Unknown Object (File)
Oct 3 2024, 10:51 PM
Unknown Object (File)
Oct 1 2024, 2:22 AM
Unknown Object (File)
Oct 1 2024, 12:15 AM
Unknown Object (File)
Sep 19 2024, 8:17 PM
Unknown Object (File)
Sep 4 2024, 6:42 AM
Unknown Object (File)
Sep 1 2024, 9:21 AM
Subscribers

Details

Summary

In rS360900 we were mistaken about where the default sec=sys came from. I was under the impression mountd ensured the default security flavor, but that is clearly not the case.

Set the default security flavor in vfs_export if none is given, and remove the workaround for oexport compat.

Reported by: npn
Sponsored by: iXsystems, Inc.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

So, someone had an old version of mountd that did not fill in
the default security flavor, although it was using a "struct export_args"
that had that field in it?

This change is fine to me, although I looked at old mountd.c code and
thought I saw it filled in.

Maybe there was a window in which mountd.c hadn't been updated,
but was build with what is now called "struct o2export_args" in head.

Anyhow, moving setting the default into vfs_export() seems fine to me.

This revision is now accepted and ready to land.Jun 16 2020, 9:08 PM

Sheesh, when I saw this reported I looked at parsesec in mountd.c and saw it wasn't falling back to a default, but missed where that actually happens in do_mount. I do feel a lot better now being reassured it wasn't by some miracle that we had managed to have a default working before. Not sure how npn managed to hit the edge case but the belt and suspenders approach should take care of it. 😅

This revision was automatically updated to reflect the committed changes.