From nobody Wed May 17 14:38:41 2023
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QLwhd6dHMz4BCRp;
	Wed, 17 May 2023 14:38:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4QLwhd5pY1z3hvd;
	Wed, 17 May 2023 14:38:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1684334321;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mPNym5hrFvZSMkdZu2fu/EIxBYKE6XfmiXmtDmoNNOs=;
	b=I2Hrz3J/6bnsk4ynpBeZjVfAJvicfo/Tkyi9YYpZZI3Y+HFTkx/TjyBeCTq3H+6lnL9G3r
	YcvOhHasmdX0QiSQdMo7q6wAB6RK1ZoIixMxmkusY7fZAPjRa+JWGEFnEP173j3uC2k9bm
	AvsJxJK/EvENOnU4i/xifD8oYR027Qo03VKMj/6VW8NbaxieLi6qntLbV2bLBgApB1T5Rw
	rXoZQpNH2KTPx+a/Zb7cboJUN7ELoRJOvKWtjWhKX4j2YmYuVp8GgVKreYA0/JQT+nBnyJ
	zGPbGH9KbE/qnT9785+yQ/1KXBjUHHwOXqQZ0Q8BG3/5nZEnrKsXIqzu4azYxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1684334321;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=mPNym5hrFvZSMkdZu2fu/EIxBYKE6XfmiXmtDmoNNOs=;
	b=qPWzx+Gn5FXEidGRYa2eHr5hcbQgSfgQt5wDdKQjejLDPqAmUpeKzjvAGjZIoBveVUWZvk
	kusCw1GtvSBhZXaiv1wgft1jI6pxyPjGgRaJOLNgKYQQjgEoIcu1p2j7FqWtaecsnIqg6U
	LJEhslQkzg+GpLdVzW91GPCmv02mC1qmpto4y9dA9AdxdzBSEYdaJI30MnsX/WRjlQxhhA
	XM4WqV9cuA7y7EbIeFmxJaz5NzMY3rYQkhYUKZ1B0BIM0lod42EvwtsG8MIdhf0BXId2hD
	xL8D6gti/DfHGDr34UQkuPc09sFi9PfE8chg9S08QW03IKZcxc7ynwyOJ3HV0A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1684334321; a=rsa-sha256; cv=none;
	b=UUvQwlBvPOqitngOppJnGUO0ymxo3vrxBsDHCFL2M+pHLa1HrRZxvpxXLmWv2UcVWxPlOs
	LZkDDSc/eOzvYyfu8KFqqi0QEbLaZr+W92Oq4Q1uzHyBIAXBLdcDimoA72zlUO3zL1+ARV
	dlWg+K/5FhNS2jCldBFTB7/hFm1OxqYSvsgcv3chpmIYcGOTdidgLAssdkku2+dfsaDW21
	jOwHRY/mIeQje9iC4qRbT3hwaaafNgIhvsbzY6MNfWOHJq39iOhaODqpr0z8jbu++AtzGS
	n4QPN77WOYl9XioItY6siFDUobB3LkaRNi+V36fHJ07Qt4vKZP8TPQgHNSGEGw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QLwhd4w8Fz16VR;
	Wed, 17 May 2023 14:38:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 34HEcfs2000945;
	Wed, 17 May 2023 14:38:41 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 34HEcfJd000944;
	Wed, 17 May 2023 14:38:41 GMT
	(envelope-from git)
Date: Wed, 17 May 2023 14:38:41 GMT
Message-Id: <202305171438.34HEcfJd000944@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Rick Macklem <rmacklem@FreeBSD.org>
Subject: git: ddaa27909a92 - stable/13 - kern_jail.c: Allow mountd/nfsd to optionally run in a jail
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: ddaa27909a9214f59eb6ee3682482b02e94b8dab
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=ddaa27909a9214f59eb6ee3682482b02e94b8dab

commit ddaa27909a9214f59eb6ee3682482b02e94b8dab
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-12-17 21:43:49 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-05-17 14:37:31 +0000

    kern_jail.c: Allow mountd/nfsd to optionally run in a jail
    
    This patch adds "allow.nfsd" to the jail code based on a
    new kernel build option VNET_NFSD.  This will not work
    until future patches fix nmount(2) to allow mountd to
    run in a vnet prison and the NFS server code is patched
    so that global variables are in a vnet.
    
    The jail(8) man page will be patched in a future commit.
    
    (cherry picked from commit bba7a2e89602e6745bb2ec474f5ab714aef49f42)
---
 sys/kern/kern_jail.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 sys/sys/jail.h       |  4 +++-
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 1dfdb30a463c..0a9d311eeafd 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_ddb.h"
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_nfs.h"
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -215,6 +216,9 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 	{"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug",
 	 PR_ALLOW_UNPRIV_DEBUG},
 	{"allow.suser", "allow.nosuser", PR_ALLOW_SUSER},
+#if defined(VNET_NFSD) && defined(VIMAGE) && defined(NFSD)
+	{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
+#endif
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -1884,6 +1888,13 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 	}
 #endif
 
+#ifdef VNET_NFSD
+	if (born && pr != &prison0 && (pr->pr_allow & PR_ALLOW_NFSD) != 0 &&
+	    (pr->pr_root->v_vflag & VV_ROOT) == 0)
+		printf("Warning jail jid=%d: mountd/nfsd requires a separate"
+		   " file system\n", pr->pr_id);
+#endif
+
 	drflags &= ~PD_KILL;
 	td->td_retval[0] = pr->pr_id;
 
@@ -3176,6 +3187,27 @@ prison_check(struct ucred *cred1, struct ucred *cred2)
 	    prison_ischild(cred1->cr_prison, cred2->cr_prison)) ? 0 : ESRCH);
 }
 
+/*
+ * For mountd/nfsd to run within a prison, it must be:
+ * - A vnet prison.
+ * - PR_ALLOW_NFSD must be set on it.
+ * - The root directory (pr_root) of the prison must be
+ *   a file system mount point, so the mountd can hang
+ *   export information on it.
+ */
+bool
+prison_check_nfsd(struct ucred *cred)
+{
+
+	if (jailed_without_vnet(cred))
+		return (false);
+	if (!prison_allow(cred, PR_ALLOW_NFSD))
+		return (false);
+	if ((cred->cr_prison->pr_root->v_vflag & VV_ROOT) == 0)
+		return (false);
+	return (true);
+}
+
 /*
  * Return 1 if p2 is a child of p1, otherwise 0.
  */
@@ -3430,11 +3462,20 @@ prison_priv_check(struct ucred *cred, int priv)
 	 * is only granted conditionally in the legacy jail case.
 	 */
 	switch (priv) {
-#ifdef notyet
 		/*
 		 * NFS-specific privileges.
 		 */
 	case PRIV_NFS_DAEMON:
+	case PRIV_VFS_GETFH:
+	case PRIV_VFS_MOUNT_EXPORTED:
+#ifdef VNET_NFSD
+		if (!prison_check_nfsd(cred))
+#else
+		printf("running nfsd in a prison requires a kernel "
+		    "built with ''options VNET_NFSD''\n");
+#endif
+			return (EPERM);
+#ifdef notyet
 	case PRIV_NFS_LOCKD:
 #endif
 		/*
@@ -4184,6 +4225,10 @@ SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Unprivileged processes may use process debugging facilities");
 SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Processes in jail with uid 0 have privilege");
+#if defined(VNET_NFSD) && defined(VIMAGE) && defined(NFSD)
+SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Mountd/nfsd may run in the jail");
+#endif
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index b0183d404352..f4d4e521d7de 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -247,7 +247,8 @@ struct prison_racct {
 #define	PR_ALLOW_SUSER			0x00000400
 #define	PR_ALLOW_RESERVED_PORTS		0x00008000
 #define	PR_ALLOW_KMEM_ACCESS		0x00010000	/* reserved, not used yet */
-#define	PR_ALLOW_ALL_STATIC		0x000187ff
+#define	PR_ALLOW_NFSD			0x00020000
+#define	PR_ALLOW_ALL_STATIC		0x000387ff
 
 /*
  * PR_ALLOW_DIFFERENCES determines which flags are able to be
@@ -414,6 +415,7 @@ void getjailname(struct ucred *cred, char *name, size_t len);
 void prison0_init(void);
 int prison_allow(struct ucred *, unsigned);
 int prison_check(struct ucred *cred1, struct ucred *cred2);
+bool prison_check_nfsd(struct ucred *cred);
 int prison_owns_vnet(struct ucred *);
 int prison_canseemount(struct ucred *cred, struct mount *mp);
 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,