mirror_zfs/module/zfs
Brian Behlendorf d34d4f97a8
snapdir: add 'disabled' value to make .zfs inaccessible
In some environments, just making the .zfs control dir hidden from sight
might not be enough. In particular, the following scenarios might
warrant not allowing access at all:
- old snapshots with wrong permissions/ownership
- old snapshots with exploitable setuid/setgid binaries
- old snapshots with sensitive contents

Introducing a new 'disabled' value that not only hides the control dir,
but prevents access to its contents by returning ENOENT solves all of
the above.

The new property value takes advantage of 'iuv' semantics ("ignore
unknown value") to automatically fall back to the old default value when
a pool is accessed by an older version of ZFS that doesn't yet know
about 'disabled' semantics.

I think that technically the zfs_dirlook change is enough to prevent
access, but preventing lookups and dir entries in an already opened .zfs
handle might also be a good idea to prevent races when modifying the
property at runtime.

Add zfs_snapshot_no_setuid parameter to control whether automatically
mounted snapshots have the setuid mount option set or not.

this could be considered a partial fix for one of the scenarios
mentioned in desired.

Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Co-authored-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Closes #3963
Closes #16587
2024-10-02 09:12:02 -07:00
..
abd.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
aggsum.c Remove bcopy(), bzero(), bcmp() 2022-03-15 15:13:42 -07:00
arc.c Evicting too many bytes from MFU metadata 2024-09-23 22:12:56 -07:00
blake3_zfs.c blake3: fix up bogus checksums in face of cpu migration 2023-05-01 17:21:27 -07:00
blkptr.c compress: change zio_compress API to use ABDs 2024-08-22 16:22:24 -07:00
bplist.c Use list_remove_head() where possible. 2023-06-09 10:12:52 -07:00
bpobj.c Provide macros for setting and getting blkptr birth times 2024-03-25 15:01:54 -07:00
bptree.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
bqueue.c Batch enqueue/dequeue for bqueue 2023-01-10 13:39:22 -08:00
brt.c BRT: Skip getting length in brt_entry_lookup() 2024-03-25 17:13:45 -07:00
btree.c Replace P2ALIGN with P2ALIGN_TYPED and delete P2ALIGN. 2024-05-10 08:47:21 -07:00
dataset_kstats.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
dbuf_stats.c Consider dnode_t allocations in dbuf cache size accounting 2023-11-17 13:25:53 -08:00
dbuf.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
ddt_log.c Add DDT prune command 2024-09-04 14:17:02 -07:00
ddt_stats.c ddt: dedup log 2024-08-16 12:03:35 -07:00
ddt_zap.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
ddt.c Remove set but not used variable in ddt.c (#16522) 2024-09-10 12:46:50 -07:00
dmu_diff.c Simplify issig(). 2024-05-29 10:49:11 -07:00
dmu_direct.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
dmu_object.c Replace P2ALIGN with P2ALIGN_TYPED and delete P2ALIGN. 2024-05-10 08:47:21 -07:00
dmu_objset.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dmu_recv.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
dmu_redact.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dmu_send.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
dmu_traverse.c Provide macros for setting and getting blkptr birth times 2024-03-25 15:01:54 -07:00
dmu_tx.c Cleanup DB_DNODE() macros usage 2024-07-29 14:47:01 -07:00
dmu_zfetch.c Small fix to prefetch ranges aggregation 2024-04-09 16:14:04 -07:00
dmu.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
dnode_sync.c For db_marker inherit the db pointer for AVL comparision. 2023-12-11 14:42:06 -08:00
dnode.c Linux: Report reclaimable memory to kernel as such (#16385) 2024-07-30 11:40:47 -07:00
dsl_bookmark.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_crypt.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_dataset.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
dsl_deadlist.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_deleg.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_destroy.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_dir.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
dsl_pool.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_prop.c snapdir: add 'disabled' value to make .zfs inaccessible 2024-10-02 09:12:02 -07:00
dsl_scan.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
dsl_synctask.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
dsl_userhold.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
edonr_zfs.c Remove unused Edon-R variants 2023-03-14 15:59:58 -07:00
fm.c Use list_remove_head() where possible. 2023-06-09 10:12:52 -07:00
gzip.c compress: change compression providers API to use ABDs 2024-08-22 16:22:24 -07:00
hkdf.c Remove bcopy(), bzero(), bcmp() 2022-03-15 15:13:42 -07:00
lz4_zfs.c compress: change compression providers API to use ABDs 2024-08-22 16:22:24 -07:00
lz4.c lz4: Cherrypick fix for CVE-2021-3520 2022-01-12 16:14:36 -08:00
lzjb.c compress: change compression providers API to use ABDs 2024-08-22 16:22:24 -07:00
metaslab.c Remove extra newline from spa_set_allocator(). 2024-09-17 13:15:42 -07:00
mmp.c vdev probe to slow disk can stall mmp write checker 2024-04-29 14:35:53 -07:00
multilist.c L2ARC: Relax locking during write 2024-04-09 16:23:19 -07:00
objlist.c Implement Redacted Send/Receive 2019-06-19 09:48:12 -07:00
pathname.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
range_tree.c btree: Implement faster binary search algorithm 2023-05-26 10:03:12 -07:00
refcount.c Switch refcount tracking from lists to AVL-trees. 2023-06-14 08:02:27 -07:00
rrwlock.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
sa.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
sha2_zfs.c Add generic implementation handling and SHA2 impl 2023-03-02 13:52:21 -08:00
skein_zfs.c Remove bcopy(), bzero(), bcmp() 2022-03-15 15:13:42 -07:00
spa_checkpoint.c RAID-Z expansion feature 2023-11-08 10:19:41 -08:00
spa_config.c Add mutex_enter_interruptible() for interruptible sleeping IOCTLs 2023-10-26 09:17:40 -07:00
spa_errlog.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
spa_history.c nvpair: Constify string functions 2023-03-14 15:25:50 -07:00
spa_log_spacemap.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
spa_misc.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
spa_stats.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
spa.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
space_map.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
space_reftree.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
THIRDPARTYLICENSE.cityhash
THIRDPARTYLICENSE.cityhash.descrip
txg.c vdev probe to slow disk can stall mmp write checker 2024-04-29 14:35:53 -07:00
uberblock.c Provide macros for setting and getting blkptr birth times 2024-03-25 15:01:54 -07:00
unique.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_draid_rand.c Distributed Spare (dRAID) Feature 2020-11-13 13:51:51 -08:00
vdev_draid.c zio: rename ZIO_TYPE_IOCTL to ZIO_TYPE_FLUSH 2024-04-11 17:17:23 -07:00
vdev_indirect_births.c Remove bcopy(), bzero(), bcmp() 2022-03-15 15:13:42 -07:00
vdev_indirect_mapping.c Remove bcopy(), bzero(), bcmp() 2022-03-15 15:13:42 -07:00
vdev_indirect.c Don't emit cksum_{actual_expected} in ereport.fs.zfs.checksum events 2023-07-21 11:49:26 -07:00
vdev_initialize.c Add support for parallel pool exports 2024-05-14 08:57:41 -07:00
vdev_label.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
vdev_mirror.c Provide macros for setting and getting blkptr birth times 2024-03-25 15:01:54 -07:00
vdev_missing.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_queue.c Fix accounting error for pending sync IO ops in zpool iostat 2023-11-07 09:06:14 -08:00
vdev_raidz_math_aarch64_neon_common.h Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_aarch64_neon.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_aarch64_neonx2.c Fix Clang 15 compilation errors 2022-11-30 13:46:26 -08:00
vdev_raidz_math_avx2.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_avx512bw.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_avx512f.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_impl.h RAIDZ: Use cache blocking during parity math 2023-10-30 14:54:27 -07:00
vdev_raidz_math_powerpc_altivec_common.h Linux ppc64le ieee128 compat: Do not redefine __asm on external headers 2023-01-13 10:58:58 -08:00
vdev_raidz_math_powerpc_altivec.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_scalar.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_sse2.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math_ssse3.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_raidz_math.c Miscellaneous FreBSD compilation bugfixes 2023-04-06 10:35:02 -07:00
vdev_raidz.c Replace P2ALIGN with P2ALIGN_TYPED and delete P2ALIGN. 2024-05-10 08:47:21 -07:00
vdev_rebuild.c Add support for parallel pool exports 2024-05-14 08:57:41 -07:00
vdev_removal.c nvpair: Constify string functions 2023-03-14 15:25:50 -07:00
vdev_root.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
vdev_trim.c Add support for parallel pool exports 2024-05-14 08:57:41 -07:00
vdev.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
zap_leaf.c ZAP: Some cleanups/micro-optimizations 2024-03-21 16:43:53 -07:00
zap_micro.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
zap.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
zcp_get.c nvpair: Constify string functions 2023-03-14 15:25:50 -07:00
zcp_global.c
zcp_iter.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
zcp_set.c Support setting user properties in a channel program 2020-02-14 13:41:42 -08:00
zcp_synctask.c Add zfs.sync.snapshot_rename 2022-09-02 13:31:19 -07:00
zcp.c Simplify issig(). 2024-05-29 10:49:11 -07:00
zfeature.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
zfs_byteswap.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
zfs_chksum.c Add generic implementation handling and SHA2 impl 2023-03-02 13:52:21 -08:00
zfs_fm.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
zfs_fuid.c Use list_remove_head() where possible. 2023-06-09 10:12:52 -07:00
zfs_impl.c Add generic implementation handling and SHA2 impl 2023-03-02 13:52:21 -08:00
zfs_ioctl.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
zfs_log.c zfs_log: add flex array fields to log record structs 2024-09-27 09:18:11 -07:00
zfs_onexit.c Use list_remove_head() where possible. 2023-06-09 10:12:52 -07:00
zfs_quota.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00
zfs_ratelimit.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
zfs_replay.c zfs_log: add flex array fields to log record structs 2024-09-27 09:18:11 -07:00
zfs_rlock.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
zfs_sa.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
zfs_vnops.c Adding Direct IO Support 2024-09-14 13:47:59 -07:00
zfs_znode.c Support for longnames for files/directories (Linux part) 2024-10-01 13:40:27 -07:00
zil.c zfs: add bounds checking to zil_parse (#16308) 2024-07-31 17:17:04 -07:00
zio_checksum.c Provide macros for setting and getting blkptr birth times 2024-03-25 15:01:54 -07:00
zio_compress.c zio_compress: introduce max size threshold 2024-09-19 17:23:58 -07:00
zio_inject.c vdev probe to slow disk can stall mmp write checker 2024-04-29 14:35:53 -07:00
zio.c ZLE compression: don't use BPE_PAYLOAD_SIZE 2024-09-19 17:24:51 -07:00
zle.c compress: change compression providers API to use ABDs 2024-08-22 16:22:24 -07:00
zrlock.c Micro-optimize zrl_remove() 2022-11-29 09:26:03 -08:00
zthr.c Switch from _Noreturn to __attribute__((noreturn)) 2022-03-23 08:51:00 -07:00
zvol.c Allocate zap_attribute_t from kmem instead of stack 2024-10-01 13:39:08 -07:00