mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-12-26 19:19:32 +03:00
d34d4f97a8
In some environments, just making the .zfs control dir hidden from sight
might not be enough. In particular, the following scenarios might
warrant not allowing access at all:
- old snapshots with wrong permissions/ownership
- old snapshots with exploitable setuid/setgid binaries
- old snapshots with sensitive contents
Introducing a new 'disabled' value that not only hides the control dir,
but prevents access to its contents by returning ENOENT solves all of
the above.
The new property value takes advantage of 'iuv' semantics ("ignore
unknown value") to automatically fall back to the old default value when
a pool is accessed by an older version of ZFS that doesn't yet know
about 'disabled' semantics.
I think that technically the zfs_dirlook change is enough to prevent
access, but preventing lookups and dir entries in an already opened .zfs
handle might also be a good idea to prevent races when modifying the
property at runtime.
Add zfs_snapshot_no_setuid parameter to control whether automatically
mounted snapshots have the setuid mount option set or not.
this could be considered a partial fix for one of the scenarios
mentioned in desired.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Co-authored-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Closes #3963
Closes #16587
66 lines
1.9 KiB
C
66 lines
1.9 KiB
C
/*
|
|
* CDDL HEADER START
|
|
*
|
|
* The contents of this file are subject to the terms of the
|
|
* Common Development and Distribution License (the "License").
|
|
* You may not use this file except in compliance with the License.
|
|
*
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
* or https://opensource.org/licenses/CDDL-1.0.
|
|
* See the License for the specific language governing permissions
|
|
* and limitations under the License.
|
|
*
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
*
|
|
* CDDL HEADER END
|
|
*/
|
|
/*
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
|
*/
|
|
|
|
#ifndef _ZFS_CTLDIR_H
|
|
#define _ZFS_CTLDIR_H
|
|
|
|
#include <sys/vnode.h>
|
|
#include <sys/zfs_vfsops.h>
|
|
#include <sys/zfs_znode.h>
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
#define ZFS_CTLDIR_NAME ".zfs"
|
|
|
|
#define zfs_has_ctldir(zdp) \
|
|
((zdp)->z_id == (zdp)->z_zfsvfs->z_root && \
|
|
((zdp)->z_zfsvfs->z_ctldir != NULL))
|
|
#define zfs_show_ctldir(zdp) \
|
|
(zfs_has_ctldir(zdp) && \
|
|
((zdp)->z_zfsvfs->z_show_ctldir == ZFS_SNAPDIR_VISIBLE))
|
|
|
|
void zfsctl_create(zfsvfs_t *);
|
|
void zfsctl_destroy(zfsvfs_t *);
|
|
int zfsctl_root(zfsvfs_t *, int, vnode_t **);
|
|
void zfsctl_init(void);
|
|
void zfsctl_fini(void);
|
|
boolean_t zfsctl_is_node(vnode_t *);
|
|
int zfsctl_snapshot_unmount(const char *snapname, int flags);
|
|
int zfsctl_rename_snapshot(const char *from, const char *to);
|
|
int zfsctl_destroy_snapshot(const char *snapname, int force);
|
|
int zfsctl_umount_snapshots(vfs_t *, int, cred_t *);
|
|
|
|
int zfsctl_lookup_objset(vfs_t *vfsp, uint64_t objsetid, zfsvfs_t **zfsvfsp);
|
|
|
|
#define ZFSCTL_INO_ROOT 0x1
|
|
#define ZFSCTL_INO_SNAPDIR 0x2
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* _ZFS_CTLDIR_H */
|