kern/146543: securelevel does not affect mount (duplicate of kern/22142)

[Sebastian Baberowski]

>Number:         146543
>Category:       kern
>Synopsis:       securelevel does not affect mount (duplicate of kern/22142)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 13 11:30:07 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Sebastian Baberowski
>Release:        8.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD dwarf-fbsd 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #7: Wed May 12 23:11:36 CEST 2010     root at dwarf-fbsd:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Securelevel doesn't affect mount at all, so ro filesystem can be remounted to rw or unmounted in any securelevel.

It will be very convenient if mount -uw and unmount can be forbidden in higher (>=2) securelevels. With that it will be possible to protect the whole system by just read-only mount without dealing with immutable flags.
>How-To-Repeat:
mount -o ro /dev/da1 /mnt
sysctl kern.securelevel=2
mount -uw /mnt
>Fix:
Somebody may want to be still able to mount/unmount/update in any secure level, so IMHO it would be the best if we can mark particular mount as protected/locked. To do that new mount option can be added.

Initial patch attached.

TODO/known bugs:
- code review/check (I'm not an FreeBSD expert/developer)
- decide if securelevel=1 should be considered
- update manuals (mount(8), mount(2), security(7), any other?)
- update handbook
- "-u -o locked" is not working
- check/implement with other fs'es than ufs2
- implement patch for mount_* commands

Patch attached with submission follows:

diff -ru sbin.orig/mount/mntopts.h sbin/mount/mntopts.h
--- sbin.orig/mount/mntopts.h	2010-05-13 12:53:52.000000000 +0200
+++ sbin/mount/mntopts.h	2010-05-12 17:45:14.000000000 +0200
@@ -54,6 +54,7 @@
 #define MOPT_SNAPSHOT		{ "snapshot",	0, MNT_SNAPSHOT, 0 }
 #define MOPT_MULTILABEL		{ "multilabel",	0, MNT_MULTILABEL, 0 }
 #define MOPT_ACLS		{ "acls",	0, MNT_ACLS, 0 }
+#define MOPT_LOCKED		{ "locked",	0, MNT_LOCKED, 0 }
 
 /* Control flags. */
 #define MOPT_FORCE		{ "force",	0, MNT_FORCE, 0 }
@@ -87,6 +88,7 @@
 	MOPT_NOCLUSTERR,						\
 	MOPT_NOCLUSTERW,						\
 	MOPT_MULTILABEL,						\
+  MOPT_LOCKED,               \
 	MOPT_ACLS
 
 void getmntopts(const char *, const struct mntopt *, int *, int *);
diff -ru sbin.orig/mount/mount.c sbin/mount/mount.c
--- sbin.orig/mount/mount.c	2010-05-13 12:53:15.000000000 +0200
+++ sbin/mount/mount.c	2010-05-12 18:00:02.000000000 +0200
@@ -111,6 +111,7 @@
 	{ MNT_SOFTDEP,		"soft-updates" },
 	{ MNT_MULTILABEL,	"multilabel" },
 	{ MNT_ACLS,		"acls" },
+	{ MNT_LOCKED,		"locked" },
 	{ MNT_GJOURNAL,		"gjournal" },
 	{ 0, NULL }
 };
@@ -918,6 +921,7 @@
 	if (flags & MNT_SUIDDIR)	res = catopt(res, "suiddir");
 	if (flags & MNT_MULTILABEL)	res = catopt(res, "multilabel");
 	if (flags & MNT_ACLS)		res = catopt(res, "acls");
+	if (flags & MNT_LOCKED)		res = catopt(res, "locked");
 
 	return (res);
 }
diff -ru sys.orig/kern/vfs_mount.c sys/kern/vfs_mount.c
--- sys.orig/kern/vfs_mount.c	2010-05-13 12:55:02.000000000 +0200
+++ sys/kern/vfs_mount.c	2010-05-12 23:11:01.000000000 +0200
@@ -126,6 +126,7 @@
 	"rw",
 	"nosuid",
 	"noexec",
+  "locked",
 	NULL
 };
 
@@ -878,6 +894,15 @@
 		mp = vp->v_mount;
 		MNT_ILOCK(mp);
 		flag = mp->mnt_flag;
+
+		/* Do not allow any update in securelevel>1 if locked flag is set */
+		if ((mp->mnt_flag & MNT_LOCKED) &&
+			(error = securelevel_gt(td->td_ucred,1)) )
+		{
+			MNT_IUNLOCK(mp);
+			vput(vp);
+			return (error);
+		}
 		/*
 		 * We only allow the filesystem to be reloaded if it
 		 * is currently mounted read-only.
@@ -1220,6 +1245,19 @@
 		return (error);
 	}
 
+	/*
+	 * Do not allow unmounting locked filesystem
+	 * if securelevel>1
+	 */
+	if ( (mp->mnt_flag & MNT_LOCKED) &&
+		(error = securelevel_gt(td->td_ucred,1)) )
+	{
+		if (coveredvp)
+			VOP_UNLOCK(coveredvp, 0);
+
+		return (error);
+	}
+
 	MNT_ILOCK(mp);
 	if (mp->mnt_kern_flag & MNTK_UNMOUNT) {
 		MNT_IUNLOCK(mp);
diff -ru sys.orig/sys/mount.h sys/sys/mount.h
--- sys.orig/sys/mount.h	2010-05-13 12:54:40.000000000 +0200
+++ sys/sys/mount.h	2010-05-12 17:42:01.000000000 +0200
@@ -233,6 +233,7 @@
 #define	MNT_SUIDDIR	0x00100000	/* special handling of SUID on dirs */
 #define	MNT_SOFTDEP	0x00200000	/* soft updates being done */
 #define	MNT_NOSYMFOLLOW	0x00400000	/* do not follow symlinks */
+#define	MNT_LOCKED	0x01000000 /* locked, cannot be changed in securelevel>1 */
 #define	MNT_GJOURNAL	0x02000000	/* GEOM journal support enabled */
 #define	MNT_MULTILABEL	0x04000000	/* MAC support for individual objects */
 #define	MNT_ACLS	0x08000000	/* ACL support enabled */
@@ -274,7 +275,8 @@
 			MNT_ROOTFS	| MNT_NOATIME	| MNT_NOCLUSTERR| \
 			MNT_NOCLUSTERW	| MNT_SUIDDIR	| MNT_SOFTDEP	| \
 			MNT_IGNORE	| MNT_EXPUBLIC	| MNT_NOSYMFOLLOW | \
-			MNT_GJOURNAL	| MNT_MULTILABEL | MNT_ACLS)
+			MNT_LOCKED | MNT_GJOURNAL	| MNT_MULTILABEL | \
+      MNT_ACLS)
 
 /* Mask of flags that can be updated. */
 #define	MNT_UPDATEMASK (MNT_NOSUID	| MNT_NOEXEC	| \
@@ -282,7 +284,7 @@
 			MNT_NOATIME | \
 			MNT_NOSYMFOLLOW	| MNT_IGNORE	| \
 			MNT_NOCLUSTERR	| MNT_NOCLUSTERW | MNT_SUIDDIR	| \
-			MNT_ACLS	| MNT_USER)
+			MNT_ACLS	| MNT_USER | MNT_LOCKED)
 
 /*
  * External filesystem command modifier flags.


>Release-Note:
>Audit-Trail:
>Unformatted: