Page MenuHomeFreeBSD
Differential D25300

Apply default security policy in vfs_export
ClosedPublic
Actions

Authored by freqlabs on Jun 16 2020, 8:56 PM.
Tags
None
Referenced Files
F97728372: D25300.diff
Tue, Oct 1, 12:15 AM
Unknown Object (File)
Thu, Sep 19, 8:17 PM
Unknown Object (File)
Wed, Sep 4, 6:42 AM
Unknown Object (File)
Sun, Sep 1, 9:21 AM
Unknown Object (File)
Aug 30 2024, 8:08 AM
Unknown Object (File)
Aug 30 2024, 8:08 AM
Unknown Object (File)
Aug 30 2024, 8:08 AM
Unknown Object (File)
Aug 30 2024, 8:07 AM
View All 31 Files
Subscribers
imp

Details

Reviewers
rmacklem
Commits
rS362375: MFC r362252:
rS362252: Apply default security flavor in vfs_export
Summary

In rS360900 we were mistaken about where the default sec=sys came from. I was under the impression mountd ensured the default security flavor, but that is clearly not the case.

Set the default security flavor in vfs_export if none is given, and remove the workaround for oexport compat.

Reported by: npn
Sponsored by: iXsystems, Inc.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

freqlabs created this revision.Jun 16 2020, 8:56 PM
Herald added a subscriber: imp. · View Herald TranscriptJun 16 2020, 8:56 PM
freqlabs requested review of this revision.Jun 16 2020, 8:56 PM
freqlabs edited the summary of this revision. (Show Details)Jun 16 2020, 9:02 PM
rmacklem accepted this revision.Jun 16 2020, 9:08 PM

So, someone had an old version of mountd that did not fill in
the default security flavor, although it was using a "struct export_args"
that had that field in it?

This change is fine to me, although I looked at old mountd.c code and
thought I saw it filled in.

Maybe there was a window in which mountd.c hadn't been updated,
but was build with what is now called "struct o2export_args" in head.

Anyhow, moving setting the default into vfs_export() seems fine to me.

This revision is now accepted and ready to land.Jun 16 2020, 9:08 PM
freqlabs added a comment.Jun 16 2020, 9:20 PM

Sheesh, when I saw this reported I looked at parsesec in mountd.c and saw it wasn't falling back to a default, but missed where that actually happens in do_mount. I do feel a lot better now being reassured it wasn't by some miracle that we had managed to have a default working before. Not sure how npn managed to hit the edge case but the belt and suspenders approach should take care of it. 😅

Closed by commit rS362252: Apply default security flavor in vfs_export (authored by freqlabs). · Explain WhyJun 16 2020, 9:30 PM
This revision was automatically updated to reflect the committed changes.
freqlabs added a commit: rS362252: Apply default security flavor in vfs_export.
freqlabs added a commit: rS362375: MFC r362252:.Jun 19 2020, 11:45 AM

Revision Contents
Changeset List

PathSize
sys/
kern/
9 lines
5 lines

Diff 73179

View Options

sys/kern/vfs_export.c

Loading...
View Options

sys/kern/vfs_mount.c

Loading...