mount / unmount and mountcheckdirs()

Mateusz Guzik mjguzik at gmail.com
Sun May 15 16:53:37 UTC 2016


On Sun, May 15, 2016 at 04:37:05PM +0300, Andriy Gapon wrote:
> 
> I am curious about the purpose of mountcheckdirs() called when mounting and
> unmounting a filesystem.
> 
> The function is described as such:
> /*
>  * Scan all active processes and prisons to see if any of them have a current
>  * or root directory of `olddp'. If so, replace them with the new mount point.
>  */
> and it seems to be used to "lift" processes and jails to a root of a new
> filesystem when it is mounted and to "lower" them onto a covered vnode (if any)
> when a filesystem is unmounted.
> 
> What's the purpose of those actions?
> It's strange that the machinations are done at all, but it is stranger that they
> are applied only to processes and jails at exactly a covered vnode and a root
> vnode.  Anything below in a filesystem's tree is left alone.  Is there anything
> so very special about being at exactly those points?
> 
> IMO, the machinations can have unexpected security consequences.
> 

I don't know why this was implemented. It is also being done in NetBSD.
It is not done in Solaris nor Linux.

Replacement is buggy in at least 2 ways:
1. the process vs jail vnode replacement leaves a time window where
these 2 don't match, which screws up the lookup
2. on fork we can have a 'struct filedesc' object copied but not
assigned to the new process yet, so it ends up with the old vnode

And indeed, interested parties still have access to old vnodes by means
of having a file descriptor.

That said, this likely needs to be simply changed to /deny/ mount
operations which would alter jail roots.

-- 
Mateusz Guzik <mjguzik gmail.com>
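As an added illustration of the scan described in the quoted mountcheckdirs() comment (this is a constructed userland model written for this page, not FreeBSD kernel code): toy `struct vnode`, `struct proc` and `struct prison` types, a `model_mountcheckdirs()` that does the exact-match cwd/root replacement, and a `run_mount_unmount_scenario()` that mounts over `/mnt` and unmounts again. All of those names and the scenario data are assumptions. The model is single-threaded, so the two race windows named in the reply are not reproduced; what it does show is the two points the thread makes: only references sitting exactly at the covered vnode or the new root are rewritten (a process at `/mnt/sub` stays in the old tree), and a process holding an open directory descriptor keeps its reference to the covered vnode regardless.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed toy vnode: a name and a parent, enough to ask "is X below Y?". */
struct vnode {
    const char *name;
    struct vnode *parent;
};

/* Constructed toy process: the three ways a process can hold a directory
 * vnode that matter here: cwd, root, and an open directory descriptor. */
struct proc {
    const char *comm;
    struct vnode *cwd;
    struct vnode *root;
    struct vnode *fd_dir;   /* NULL if no directory fd is open */
};

/* Constructed toy prison: only its root vnode is relevant. */
struct prison {
    const char *name;
    struct vnode *root;
};

/* Model of the scan described in the mountcheckdirs() comment (assumed name):
 * every process and prison whose cwd or root is exactly olddp gets newdp.
 * Nothing below olddp is visited and open descriptors are not considered.
 * Returns the number of references rewritten. */
static int
model_mountcheckdirs(struct vnode *olddp, struct vnode *newdp,
    struct proc *procs, int nprocs, struct prison *prisons, int nprisons)
{
    int n = 0;

    for (int i = 0; i < nprocs; i++) {
        if (procs[i].cwd == olddp) { procs[i].cwd = newdp; n++; }
        if (procs[i].root == olddp) { procs[i].root = newdp; n++; }
    }
    for (int i = 0; i < nprisons; i++) {
        if (prisons[i].root == olddp) { prisons[i].root = newdp; n++; }
    }
    return n;
}

/* True if v is ancestor itself or lies somewhere beneath it. */
static int
vnode_is_under(const struct vnode *v, const struct vnode *ancestor)
{
    for (; v != NULL; v = v->parent)
        if (v == ancestor)
            return 1;
    return 0;
}

struct scan_result {
    int lifted_on_mount;     /* references rewritten by the mount-time scan */
    int still_in_old_tree;   /* processes whose cwd still lies under the covered vnode */
    int stale_fd_refs;       /* processes holding an fd to the covered vnode */
    int lowered_on_unmount;  /* references rewritten back by the unmount-time scan */
};

/* Constructed scenario: a filesystem is mounted over /mnt, then unmounted.
 * One process sits exactly at /mnt, one below it at /mnt/sub, one holds an
 * fd to /mnt, and a jail is rooted at /mnt. */
struct scan_result
run_mount_unmount_scenario(void)
{
    struct vnode rootdir = { "/", NULL };
    struct vnode mnt = { "/mnt", &rootdir };
    struct vnode mnt_sub = { "/mnt/sub", &mnt };
    struct vnode newroot = { "<new fs root>", NULL };   /* covers /mnt */
    struct proc procs[] = {
        { "at_mountpoint",    &mnt,     &rootdir, NULL },
        { "below_mountpoint", &mnt_sub, &rootdir, NULL },
        { "holds_fd",         &rootdir, &rootdir, &mnt },
    };
    struct prison jails[] = { { "j1", &mnt } };
    int nprocs = (int)(sizeof(procs) / sizeof(procs[0]));
    int njails = (int)(sizeof(jails) / sizeof(jails[0]));
    struct scan_result r = { 0, 0, 0, 0 };

    /* Mount: lift everything exactly at the covered vnode onto the new root. */
    r.lifted_on_mount = model_mountcheckdirs(&mnt, &newroot, procs, nprocs, jails, njails);
    for (int i = 0; i < nprocs; i++) {
        if (vnode_is_under(procs[i].cwd, &mnt))
            r.still_in_old_tree++;
        if (procs[i].fd_dir == &mnt)
            r.stale_fd_refs++;
    }

    /* Unmount: lower everything at the new root back onto the covered vnode. */
    r.lowered_on_unmount = model_mountcheckdirs(&newroot, &mnt, procs, nprocs, jails, njails);
    return r;
}

int
main(void)
{
    struct scan_result r = run_mount_unmount_scenario();

    printf("lifted on mount: %d, left in old tree: %d, stale fd refs: %d, lowered on unmount: %d\n",
        r.lifted_on_mount, r.still_in_old_tree, r.stale_fd_refs, r.lowered_on_unmount);
    return 0;
}
```

The process at `/mnt` and the jail are the only two references moved in each direction; the process at `/mnt/sub` is never visited, and the open descriptor to `/mnt` survives both scans. Checking a real system for this situation would mean enumerating process cwd/root and open directory descriptors before a mount or unmount that touches a jail root, which is the deny-rather-than-rewrite direction the reply suggests.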

