From nobody Wed May 17 14:46:22 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QLwsW16gpz4BD5r; Wed, 17 May 2023 14:46:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QLwsW0cCqz3l4N; Wed, 17 May 2023 14:46:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1684334783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QNkKLenGc1j23JHgH8tn1F+I2iyit59eR7OwUzIl7Qw=; b=C+d1TVApZuLmS1Oas6GbMinVOImlPVO03s2bI97WdXxG/3jz164WT8Kq+uRXUQfT74ibZy OejAlV/x1ALXHSYk07WGh2GRAN+wY7ycWfziKFFGfCL62GlIP91JRfNh0vA9QibczlZACJ IrQeQ2eRKS/U7OsqVbXUxEZDYmdigzb0wvlmnretJiCHmjo5W2eSwi/3s0uVU5LCbq3YMZ 05bSz+lSupiUjI3izEyQwDutK0g6SKfRDyA+nKy4+uWwbvQSRXVuoM94pzr5ZxuXuIJrnA eOQ/ri+KUoFzYDh+Ka7YvrkvKBXmd+iwOg54dT15O37527MR8qpgwBOKKSZCng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1684334783; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QNkKLenGc1j23JHgH8tn1F+I2iyit59eR7OwUzIl7Qw=; b=JUzIs4NAFs+Du+WIKZ3rieObzBfV8GcVpIsB7qn/Dwg8S163ZHPMw+VUWVFPlQorvhm64X q1tigDQ/uM1ZwfTn0r38GSHIeOZp/gGzO7jKQ73cqvDSN+wjhR+NhxazwkaTlDZdIGl4Rx Xm4ZxxkE3gc2Srx0DhvmOMyw0s86aAI9pN056bGhZdVzT3DzN51N9YR0iTidJTFPw666fD FTAI7azfvfRQ2msetDfMJbQjtnI/lcZJOYAPP4z1K283eOwM7CQWtET5LpH2MDfm6mi+U7 6MsUfNxYtGJbvpgPCzFuRjQgPLhrn6A75RP+KRqgL+rHyauzoD21eujnbpV50g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1684334783; a=rsa-sha256; cv=none; b=irPwxnatn3trQ6kTdlt++Pb9DhvLT/297DCQryGgkIOXm9gQTGpPEHOv+UMApFXI2DDX/7 KOwAObF4xf1VuT3qYmvRG49+5Lhqu/O3gLxrZT+/ikO9mJU/9UuuREjHYDmuPm64LMltxW 2IiiN3g8Zogx1cHMhcHix02Bp/BY487eCaCuTvYiVPTycWPV1r4HuLcgvjfwP7f8BUQskm KrmV++yzd45/4ezqq6a6lYJLl5g8p5zbLMzmEII6CqVxOYxnUSyy2b7fBO3tuZRp8iD01d sI52KzWKHBgFQNjoYhx6h7avojkh2QojqIDAu7igVQZ6uUNeVtD3mGNmQrbJcg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QLwsV6MnVz17DV; Wed, 17 May 2023 14:46:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 34HEkMuP017102; Wed, 17 May 2023 14:46:22 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 34HEkMRI017101; Wed, 17 May 2023 14:46:22 GMT (envelope-from git) Date: Wed, 17 May 2023 14:46:22 GMT Message-Id: <202305171446.34HEkMRI017101@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Rick Macklem Subject: git: 1d88734798c2 - stable/13 - krpc: Add macros so that rpc.tlsservd can run in vnet prison List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 1d88734798c252a749764e9ee314f46ce9fd2b3f Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=1d88734798c252a749764e9ee314f46ce9fd2b3f commit 1d88734798c252a749764e9ee314f46ce9fd2b3f Author: Rick Macklem AuthorDate: 2023-02-15 13:58:21 +0000 Commit: Rick Macklem CommitDate: 2023-05-17 14:41:53 +0000 krpc: Add macros so that rpc.tlsservd can run in vnet prison Commit 7344856e3a6d added a lot of macros that will front end vnet macros so that nfsd(8) can run in vnet prison. This patch adds similar macros named KRPC_VNETxxx so that the rpc.tlsservd(8) daemon can run in a vnet prison, once the macros front end the vnet ones. For now, they are null macros. (cherry picked from commit 6444662a563ba714fed8563645764262c6f5e90f) --- sys/rpc/rpcsec_tls.h | 18 ++++++++++ sys/rpc/rpcsec_tls/rpctls_impl.c | 77 ++++++++++++++++++++++++++-------------- 2 files changed, 68 insertions(+), 27 deletions(-) diff --git a/sys/rpc/rpcsec_tls.h b/sys/rpc/rpcsec_tls.h index 49a7e71b7514..5781424a6180 100644 --- a/sys/rpc/rpcsec_tls.h +++ b/sys/rpc/rpcsec_tls.h @@ -72,6 +72,9 @@ enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uint64_t usec, /* Initialization function for rpcsec_tls. */ int rpctls_init(void); +/* Cleanup function for rpcsec_tls. */ +void rpctls_cleanup(void); + /* Get TLS information function. */ bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, bool rpctlssd_run); @@ -82,6 +85,21 @@ bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, /* ssl refno value to indicate TLS handshake being done. */ #define RPCTLS_REFNO_HANDSHAKE 0xFFFFFFFFFFFFFFFFULL +/* Macros for VIMAGE. */ +/* Define the KRPC_VNET macros similar to !VIMAGE. */ +#define KRPC_VNET_NAME(n) n +#define KRPC_VNET_DECLARE(t, n) extern t n +#define KRPC_VNET_DEFINE(t, n) t n +#define KRPC_VNET_DEFINE_STATIC(t, n) static t n +#define KRPC_VNET(n) (n) + +#define CTLFLAG_KRPC_VNET 0 + +#define KRPC_CURVNET_SET(n) +#define KRPC_CURVNET_SET_QUIET(n) +#define KRPC_CURVNET_RESTORE() +#define KRPC_TD_TO_VNET(n) NULL + #endif /* _KERNEL */ #endif /* _RPC_RPCSEC_TLS_H_ */ diff --git a/sys/rpc/rpcsec_tls/rpctls_impl.c b/sys/rpc/rpcsec_tls/rpctls_impl.c index c495213b08e2..3b3452a8b624 100644 --- a/sys/rpc/rpcsec_tls/rpctls_impl.c +++ b/sys/rpc/rpcsec_tls/rpctls_impl.c @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -51,6 +52,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include + #include #include #include @@ -74,12 +77,14 @@ static CLIENT *rpctls_connect_handle; static struct mtx rpctls_connect_lock; static struct socket *rpctls_connect_so = NULL; static CLIENT *rpctls_connect_cl = NULL; -static CLIENT *rpctls_server_handle; static struct mtx rpctls_server_lock; -static struct socket *rpctls_server_so = NULL; -static SVCXPRT *rpctls_server_xprt = NULL; static struct opaque_auth rpctls_null_verf; +KRPC_VNET_DEFINE_STATIC(CLIENT *, rpctls_server_handle) = NULL; +KRPC_VNET_DEFINE_STATIC(struct socket *, rpctls_server_so) = NULL; +KRPC_VNET_DEFINE_STATIC(SVCXPRT *, rpctls_server_xprt) = NULL; +KRPC_VNET_DEFINE_STATIC(bool, rpctls_server_busy) = false; + static CLIENT *rpctls_connect_client(void); static CLIENT *rpctls_server_client(void); static enum clnt_stat rpctls_server(SVCXPRT *xprt, struct socket *so, @@ -127,9 +132,13 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) if (error != 0) return (error); + KRPC_CURVNET_SET(KRPC_TD_TO_VNET(td)); switch (uap->op) { case RPCTLS_SYSC_CLSETPATH: - error = copyinstr(uap->path, path, sizeof(path), NULL); + if (jailed(curthread->td_ucred)) + error = EPERM; + if (error == 0) + error = copyinstr(uap->path, path, sizeof(path), NULL); if (error == 0) { error = ENXIO; #ifdef KERN_TLS @@ -185,7 +194,11 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) } break; case RPCTLS_SYSC_SRVSETPATH: - error = copyinstr(uap->path, path, sizeof(path), NULL); + if (jailed(curthread->td_ucred) && + !prison_check_nfsd(curthread->td_ucred)) + error = EPERM; + if (error == 0) + error = copyinstr(uap->path, path, sizeof(path), NULL); if (error == 0) { error = ENXIO; #ifdef KERN_TLS @@ -228,8 +241,8 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) } mtx_lock(&rpctls_server_lock); - oldcl = rpctls_server_handle; - rpctls_server_handle = cl; + oldcl = KRPC_VNET(rpctls_server_handle); + KRPC_VNET(rpctls_server_handle) = cl; mtx_unlock(&rpctls_server_lock); if (oldcl != NULL) { @@ -250,8 +263,8 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) break; case RPCTLS_SYSC_SRVSHUTDOWN: mtx_lock(&rpctls_server_lock); - oldcl = rpctls_server_handle; - rpctls_server_handle = NULL; + oldcl = KRPC_VNET(rpctls_server_handle); + KRPC_VNET(rpctls_server_handle) = NULL; mtx_unlock(&rpctls_server_lock); if (oldcl != NULL) { @@ -288,10 +301,10 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) break; case RPCTLS_SYSC_SRVSOCKET: mtx_lock(&rpctls_server_lock); - so = rpctls_server_so; - rpctls_server_so = NULL; - xprt = rpctls_server_xprt; - rpctls_server_xprt = NULL; + so = KRPC_VNET(rpctls_server_so); + KRPC_VNET(rpctls_server_so) = NULL; + xprt = KRPC_VNET(rpctls_server_xprt); + KRPC_VNET(rpctls_server_xprt) = NULL; mtx_unlock(&rpctls_server_lock); if (so != NULL) { error = falloc(td, &fp, &fd, 0); @@ -316,6 +329,7 @@ sys_rpctls_syscall(struct thread *td, struct rpctls_syscall_args *uap) default: error = EINVAL; } + KRPC_CURVNET_RESTORE(); return (error); } @@ -346,11 +360,13 @@ rpctls_server_client(void) { CLIENT *cl; + KRPC_CURVNET_SET_QUIET(KRPC_TD_TO_VNET(curthread)); mtx_lock(&rpctls_server_lock); - cl = rpctls_server_handle; + cl = KRPC_VNET(rpctls_server_handle); if (cl != NULL) CLNT_ACQUIRE(cl); mtx_unlock(&rpctls_server_lock); + KRPC_CURVNET_RESTORE(); return (cl); } @@ -556,20 +572,22 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, gid_t *gidp; uint32_t *gidv; int i; - static bool rpctls_server_busy = false; + KRPC_CURVNET_SET_QUIET(KRPC_TD_TO_VNET(curthread)); cl = rpctls_server_client(); - if (cl == NULL) + if (cl == NULL) { + KRPC_CURVNET_RESTORE(); return (RPC_SYSTEMERROR); + } /* Serialize the server upcalls. */ mtx_lock(&rpctls_server_lock); - while (rpctls_server_busy) - msleep(&rpctls_server_busy, &rpctls_server_lock, PVFS, - "rtlssn", 0); - rpctls_server_busy = true; - rpctls_server_so = so; - rpctls_server_xprt = xprt; + while (KRPC_VNET(rpctls_server_busy)) + msleep(&KRPC_VNET(rpctls_server_busy), + &rpctls_server_lock, PVFS, "rtlssn", 0); + KRPC_VNET(rpctls_server_busy) = true; + KRPC_VNET(rpctls_server_so) = so; + KRPC_VNET(rpctls_server_xprt) = xprt; mtx_unlock(&rpctls_server_lock); /* Do the server upcall. */ @@ -603,11 +621,12 @@ rpctls_server(SVCXPRT *xprt, struct socket *so, uint32_t *flags, uint64_t *sslp, /* Once the upcall is done, the daemon is done with the fp and so. */ mtx_lock(&rpctls_server_lock); - rpctls_server_so = NULL; - rpctls_server_xprt = NULL; - rpctls_server_busy = false; - wakeup(&rpctls_server_busy); + KRPC_VNET(rpctls_server_so) = NULL; + KRPC_VNET(rpctls_server_xprt) = NULL; + KRPC_VNET(rpctls_server_busy) = false; + wakeup(&KRPC_VNET(rpctls_server_busy)); mtx_unlock(&rpctls_server_lock); + KRPC_CURVNET_RESTORE(); return (stat); } @@ -725,8 +744,12 @@ rpctls_getinfo(u_int *maxlenp, bool rpctlscd_run, bool rpctlssd_run) return (false); if (rpctlscd_run && rpctls_connect_handle == NULL) return (false); - if (rpctlssd_run && rpctls_server_handle == NULL) + KRPC_CURVNET_SET_QUIET(KRPC_TD_TO_VNET(curthread)); + if (rpctlssd_run && KRPC_VNET(rpctls_server_handle) == NULL) { + KRPC_CURVNET_RESTORE(); return (false); + } + KRPC_CURVNET_RESTORE(); *maxlenp = maxlen; return (enable); }