mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-11-17 10:01:01 +03:00
d34d4f97a8
In some environments, just making the .zfs control dir hidden from sight
might not be enough. In particular, the following scenarios might
warrant not allowing access at all:
- old snapshots with wrong permissions/ownership
- old snapshots with exploitable setuid/setgid binaries
- old snapshots with sensitive contents
Introducing a new 'disabled' value that not only hides the control dir,
but prevents access to its contents by returning ENOENT solves all of
the above.
The new property value takes advantage of 'iuv' semantics ("ignore
unknown value") to automatically fall back to the old default value when
a pool is accessed by an older version of ZFS that doesn't yet know
about 'disabled' semantics.
I think that technically the zfs_dirlook change is enough to prevent
access, but preventing lookups and dir entries in an already opened .zfs
handle might also be a good idea to prevent races when modifying the
property at runtime.
Add zfs_snapshot_no_setuid parameter to control whether automatically
mounted snapshots have the setuid mount option set or not.
this could be considered a partial fix for one of the scenarios
mentioned in desired.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Co-authored-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Closes #3963
Closes #16587
131 lines
3.6 KiB
Plaintext
131 lines
3.6 KiB
Plaintext
#
|
|
# This file and its contents are supplied under the terms of the
|
|
# Common Development and Distribution License ("CDDL"), version 1.0.
|
|
# You may only use this file in accordance with the terms of version
|
|
# 1.0 of the CDDL.
|
|
#
|
|
# A full copy of the text of the CDDL should have accompanied this
|
|
# source. A copy of the CDDL is also available via the Internet at
|
|
# http://www.illumos.org/license/CDDL.
|
|
#
|
|
|
|
#
|
|
# Copyright (c) 2012, 2016, Delphix. All rights reserved.
|
|
# Copyright (c) 2022 Hewlett Packard Enterprise Development LP.
|
|
#
|
|
|
|
. $STF_SUITE/include/libtest.shlib
|
|
|
|
typeset -a compress_prop_vals=('off' 'lzjb' 'lz4' 'gzip' 'zle' 'zstd')
|
|
typeset -a checksum_prop_vals=('on' 'off' 'fletcher2' 'fletcher4' 'sha256'
|
|
'noparity' 'sha512' 'skein' 'blake3')
|
|
if ! is_freebsd; then
|
|
checksum_prop_vals+=('edonr')
|
|
fi
|
|
typeset -a recsize_prop_vals=('512' '1024' '2048' '4096' '8192' '16384'
|
|
'32768' '65536' '131072' '262144' '524288' '1048576')
|
|
typeset -a canmount_prop_vals=('on' 'off' 'noauto')
|
|
typeset -a copies_prop_vals=('1' '2' '3')
|
|
typeset -a logbias_prop_vals=('latency' 'throughput')
|
|
typeset -a primarycache_prop_vals=('all' 'none' 'metadata')
|
|
typeset -a redundant_metadata_prop_vals=('all' 'most' 'some' 'none')
|
|
typeset -a secondarycache_prop_vals=('all' 'none' 'metadata')
|
|
typeset -a snapdir_prop_vals=('disabled' 'hidden' 'visible')
|
|
typeset -a sync_prop_vals=('standard' 'always' 'disabled')
|
|
|
|
typeset -a fs_props=('compress' 'checksum' 'recsize'
|
|
'canmount' 'copies' 'logbias' 'primarycache' 'redundant_metadata'
|
|
'secondarycache' 'snapdir' 'sync')
|
|
typeset -a vol_props=('compress' 'checksum' 'copies' 'logbias' 'primarycache'
|
|
'secondarycache' 'redundant_metadata' 'sync')
|
|
|
|
#
|
|
# Given the 'prop' passed in, return 'num_vals' elements of the corresponding
|
|
# values array to the user, excluding any elements below 'first.' This allows
|
|
# us to exclude 'off' and 'on' which can be either unwanted, or a duplicate of
|
|
# another property respectively.
|
|
#
|
|
function get_rand_prop_vals
|
|
{
|
|
typeset prop=$1
|
|
typeset -i num_vals=$2
|
|
typeset -i first=$3
|
|
|
|
[[ -z $prop || -z $num_vals || -z $first ]] && \
|
|
log_fail "get_rand_prop_vals: bad arguments"
|
|
|
|
typeset retstr=""
|
|
|
|
typeset prop_vals_var=${prop}_prop_vals
|
|
typeset -a prop_vals=($(eval echo \${${prop_vals_var}[@]}))
|
|
|
|
[[ -z $prop_vals ]] && \
|
|
log_fail "get_rand_prop_vals: bad prop $prop"
|
|
|
|
typeset -i last=$((${#prop_vals[@]} - 1))
|
|
typeset -i i
|
|
for i in $(range_shuffle $first $last | head -n $num_vals); do
|
|
retstr="${prop_vals[$i]} $retstr"
|
|
done
|
|
echo $retstr
|
|
}
|
|
|
|
#
|
|
# Functions to toggle on/off properties
|
|
#
|
|
typeset -a binary_props=('atime' 'devices' 'exec' 'readonly' 'setuid' 'xattr')
|
|
|
|
if is_freebsd; then
|
|
binary_props+=('jailed')
|
|
else
|
|
binary_props+=('zoned')
|
|
fi
|
|
|
|
# Newer Linuxes dropped non-blocking mandatory locks
|
|
if ! is_linux || [ $(linux_version) -lt $(linux_version "4.4") ]; then
|
|
binary_props+=('nbmand')
|
|
fi
|
|
|
|
function toggle_prop
|
|
{
|
|
typeset ds=$1
|
|
typeset prop=$2
|
|
|
|
typeset val=$(get_prop $prop $ds)
|
|
typeset newval='off'
|
|
|
|
[[ $val = $newval ]] && newval='on'
|
|
log_must zfs set $prop=$newval $ds
|
|
}
|
|
|
|
function toggle_binary_props
|
|
{
|
|
typeset ds=$1
|
|
typeset prop
|
|
|
|
for prop in "${binary_props[@]}"; do
|
|
toggle_prop $ds $prop
|
|
done
|
|
}
|
|
|
|
function randomize_ds_props
|
|
{
|
|
typeset ds=$1
|
|
typeset prop proplist val
|
|
|
|
if ds_is_volume $ds; then
|
|
toggle_prop $ds readonly
|
|
proplist="${vol_props[@]}"
|
|
elif ds_is_filesystem $ds; then
|
|
toggle_binary_props $ds
|
|
proplist="${fs_props[@]}"
|
|
else
|
|
log_fail "$ds is neither a volume nor a file system"
|
|
fi
|
|
|
|
for prop in $proplist; do
|
|
typeset val=$(get_rand_prop_vals $prop 1 0)
|
|
log_must zfs set $prop=$val $ds
|
|
done
|
|
}
|