git: fddac96ca559 - stable/13 - krpc: Allow mountd/nfsd to optionally run in a jail

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Wed, 17 May 2023 22:15:17 UTC 
The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=fddac96ca55968f42156e6286547de513f980a52

commit fddac96ca55968f42156e6286547de513f980a52
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-12-18 20:40:48 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-05-17 22:14:07 +0000

    krpc: Allow mountd/nfsd to optionally run in a jail
    
    This patch modifies the kernel RPC so that it will allow
    mountd/nfsd to run inside of a vnet jail.  Running mountd/nfsd
    inside a vnet jail will be enabled via a new kernel build
    option called VNET_NFSD, which will be implemented in future
    commits.
    
    Although I suspect cr_prison can be set from the credentials
    of the current thread unconditionally, I #ifdef'd the code
    VNET_NFSD and only did this for the jailed case mainly to
    document that it is only needed for use in a jail.
    
    The TLS support code has not yet been modified to work in
    a jail.  That is planned as future development after the
    basic VNET_NFSD support is in the kernel.
    
    This patch should not result in any semantics change until
    VNET_NFSD is implemented and used in a kernel configuration.
    
    (cherry picked from commit 6a76d35cac8e1549f74bd4cdceccc2ee52c8e556)
---
 sys/rpc/svc.c      |  3 ++-
 sys/rpc/svc_auth.c | 15 +++++++++++++--
 sys/rpc/svc_dg.c   |  4 ++++
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/sys/rpc/svc.c b/sys/rpc/svc.c
index be0f08ebca9d..065da0cc23a4 100644
--- a/sys/rpc/svc.c
+++ b/sys/rpc/svc.c
@@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$");
  */
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/kernel.h>
 #include <sys/kthread.h>
@@ -126,7 +127,7 @@ svcpool_create(const char *name, struct sysctl_oid_list *sysctl_base)
 	pool->sp_space_low = (pool->sp_space_high / 3) * 2;
 
 	sysctl_ctx_init(&pool->sp_sysctl);
-	if (sysctl_base) {
+	if (!jailed(curthread->td_ucred) && sysctl_base) {
 		SYSCTL_ADD_PROC(&pool->sp_sysctl, sysctl_base, OID_AUTO,
 		    "minthreads", CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 		    pool, 0, svcpool_minthread_sysctl, "I",
diff --git a/sys/rpc/svc_auth.c b/sys/rpc/svc_auth.c
index 21149139b5a5..a5c9753c4fde 100644
--- a/sys/rpc/svc_auth.c
+++ b/sys/rpc/svc_auth.c
@@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
+#include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/jail.h>
 #include <sys/ucred.h>
@@ -197,7 +198,12 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, int *flavorp)
 		cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid;
 		crsetgroups(cr, xprt->xp_ngrps, xprt->xp_gidp);
 		cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0];
-		cr->cr_prison = &prison0;
+#ifdef VNET_NFSD
+		if (jailed(curthread->td_ucred))
+			cr->cr_prison = curthread->td_ucred->cr_prison;
+		else
+#endif
+			cr->cr_prison = &prison0;
 		prison_hold(cr->cr_prison);
 		*crp = cr;
 		return (TRUE);
@@ -210,7 +216,12 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, int *flavorp)
 		cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xcr->cr_uid;
 		crsetgroups(cr, xcr->cr_ngroups, xcr->cr_groups);
 		cr->cr_rgid = cr->cr_svgid = cr->cr_groups[0];
-		cr->cr_prison = &prison0;
+#ifdef VNET_NFSD
+		if (jailed(curthread->td_ucred))
+			cr->cr_prison = curthread->td_ucred->cr_prison;
+		else
+#endif
+			cr->cr_prison = &prison0;
 		prison_hold(cr->cr_prison);
 		*crp = cr;
 		return (TRUE);
diff --git a/sys/rpc/svc_dg.c b/sys/rpc/svc_dg.c
index 36724ed07b98..e4cf0d8c45e3 100644
--- a/sys/rpc/svc_dg.c
+++ b/sys/rpc/svc_dg.c
@@ -45,11 +45,13 @@ __FBSDID("$FreeBSD$");
  */
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
+#include <sys/proc.h>
 #include <sys/protosw.h>
 #include <sys/queue.h>
 #include <sys/socket.h>
@@ -104,6 +106,8 @@ svc_dg_create(SVCPOOL *pool, struct socket *so, size_t sendsize,
 	struct sockaddr* sa;
 	int error;
 
+	if (jailed(curthread->td_ucred))
+		return (NULL);
 	if (!__rpc_socket2sockinfo(so, &si)) {
 		printf(svc_dg_str, svc_dg_err1);
 		return (NULL);