<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/fs/unionfs, branch stable/13</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>namei: Fix cn_flags width in various places</title>
<updated>2025-11-19T20:47:50+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2025-05-27T13:29:14+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=503ab844ceced16c7e8736c0caa586ff0bab5f0e'/>
<id>503ab844ceced16c7e8736c0caa586ff0bab5f0e</id>
<content type='text'>
This truncation is mostly harmless today, but fix it anyway to avoid
pain later down the road.

Reviewed by:	olce, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D50417

(cherry picked from commit 0d224af399a66f00a5b33e5512fc018062cabf1d)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This truncation is mostly harmless today, but fix it anyway to avoid
pain later down the road.

Reviewed by:	olce, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D50417

(cherry picked from commit 0d224af399a66f00a5b33e5512fc018062cabf1d)
</pre>
</div>
</content>
</entry>
<entry>
<title>namei: Make stackable filesystems check harder for jail roots</title>
<updated>2025-11-19T20:47:50+00:00</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2025-05-23T12:52:24+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=592de68e328b4edf8acdb2a0b0b66a813747b440'/>
<id>592de68e328b4edf8acdb2a0b0b66a813747b440</id>
<content type='text'>
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount.  The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.

This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface.  That
is, add a flag to indicate that containerof can be used to get the full
nameidata structure, and perform the root vnode check on the lower vnode
when performing a dotdot lookup.

PR:		262180
Reviewed by:	olce, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D50418

(cherry picked from commit 7587f6d4840f8d363e457cddc14c184cf1fe7cc1)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount.  The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.

This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface.  That
is, add a flag to indicate that containerof can be used to get the full
nameidata structure, and perform the root vnode check on the lower vnode
when performing a dotdot lookup.

PR:		262180
Reviewed by:	olce, kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D50418

(cherry picked from commit 7587f6d4840f8d363e457cddc14c184cf1fe7cc1)
</pre>
</div>
</content>
</entry>
<entry>
<title>cred: proc_set_cred(), proc_unset_cred(): Update user's process count</title>
<updated>2025-01-17T12:24:53+00:00</updated>
<author>
<name>Olivier Certner</name>
<email>olce@FreeBSD.org</email>
</author>
<published>2024-08-02T15:57:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f872814e2d7a8841411569fc707b028463c7656b'/>
<id>f872814e2d7a8841411569fc707b028463c7656b</id>
<content type='text'>
As a process really changes credentials at the moment proc_set_cred() or
proc_unset_cred() is called, these functions are the proper locations to
perform the update of the new and old real users' process count (using
chgproccnt()).

Before this change, change_ruid() instead would perform that update,
although it operates only on a passed credential which is a priori not
tied to the calling process (or not to any process at all).  This was
arguably a flaw of commit b1fc0ec1a7a49ded, r77183, based on its commit
message, and in particular the portion "(...) In each case, the call now
acts on a credential not a process (...)".

Fixing this makes using change_ruid() more natural when building
candidate credentials that in the end are not applied to a process,
e.g., because of some intervening privilege check.  Also, it removes
a hack around this unwanted process count change in unionfs.

We also introduce the new proc_set_cred_enforce_proc_lim() so that
callers can respect the per-user process limit, and will use it for the
upcoming setcred().  We plan to change all callers of proc_set_cred() to
call this new function instead at some point.  In the meantime, both
proc_set_cred() and the new function will coexist.

As detailed in proc_set_cred_enforce_proc_lim()'s comment, checking
against the process limit is currently flawed as the kernel doesn't
really maintain the number of processes per UID (besides RLIMIT_NPROC,
this in fact also applies to RLIMIT_KQUEUES, RLIMIT_NPTS, RLIMIT_SBSIZE
and RLIMIT_SWAP).  The applied limit is currently that of the old real
UID.  Root (or a process granted with PRIV_PROC_LIMIT) is not subject to
this limit.

Approved by:    markj (mentor)
Fixes:          b1fc0ec1a7a49ded
MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D46923

(cherry picked from commit d2be7ed63affd8af5fe6203002b7cc3cbe7f7891)

Additional changes for this MFC:
1. &lt;sys/types.h&gt; was added as an include in &lt;sys/ucred.h&gt;, as some of
   its types are necessary whether the header is included by the kernel
   or userland.  Some later -CURRENT commits added it, but are not
   planned to be MFCed (mac_do(4) series, which doesn't exist in
   stable/13).
2. A number of files in 'lib/libprocstat' that include (indirectly)
   &lt;sys/ucred.h&gt; with _KERNEL defined were patched to include
   &lt;stdbool.h&gt; beforehand, so that 'bool', which is part of the new
   signature for proc_set_cred*(), is defined when &lt;sys/ucred.h&gt; is
   processed (&lt;sys/types.h&gt; does not define it when _KERNEL is defined).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As a process really changes credentials at the moment proc_set_cred() or
proc_unset_cred() is called, these functions are the proper locations to
perform the update of the new and old real users' process count (using
chgproccnt()).

Before this change, change_ruid() instead would perform that update,
although it operates only on a passed credential which is a priori not
tied to the calling process (or not to any process at all).  This was
arguably a flaw of commit b1fc0ec1a7a49ded, r77183, based on its commit
message, and in particular the portion "(...) In each case, the call now
acts on a credential not a process (...)".

Fixing this makes using change_ruid() more natural when building
candidate credentials that in the end are not applied to a process,
e.g., because of some intervening privilege check.  Also, it removes
a hack around this unwanted process count change in unionfs.

We also introduce the new proc_set_cred_enforce_proc_lim() so that
callers can respect the per-user process limit, and will use it for the
upcoming setcred().  We plan to change all callers of proc_set_cred() to
call this new function instead at some point.  In the meantime, both
proc_set_cred() and the new function will coexist.

As detailed in proc_set_cred_enforce_proc_lim()'s comment, checking
against the process limit is currently flawed as the kernel doesn't
really maintain the number of processes per UID (besides RLIMIT_NPROC,
this in fact also applies to RLIMIT_KQUEUES, RLIMIT_NPTS, RLIMIT_SBSIZE
and RLIMIT_SWAP).  The applied limit is currently that of the old real
UID.  Root (or a process granted with PRIV_PROC_LIMIT) is not subject to
this limit.

Approved by:    markj (mentor)
Fixes:          b1fc0ec1a7a49ded
MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D46923

(cherry picked from commit d2be7ed63affd8af5fe6203002b7cc3cbe7f7891)

Additional changes for this MFC:
1. &lt;sys/types.h&gt; was added as an include in &lt;sys/ucred.h&gt;, as some of
   its types are necessary whether the header is included by the kernel
   or userland.  Some later -CURRENT commits added it, but are not
   planned to be MFCed (mac_do(4) series, which doesn't exist in
   stable/13).
2. A number of files in 'lib/libprocstat' that include (indirectly)
   &lt;sys/ucred.h&gt; with _KERNEL defined were patched to include
   &lt;stdbool.h&gt; beforehand, so that 'bool', which is part of the new
   signature for proc_set_cred*(), is defined when &lt;sys/ucred.h&gt; is
   processed (&lt;sys/types.h&gt; does not define it when _KERNEL is defined).
</pre>
</div>
</content>
</entry>
<entry>
<title>sys: Remove $FreeBSD$: one-line .h pattern</title>
<updated>2023-08-23T17:43:22+00:00</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-22T01:31:09+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=4b40a16f0d188422227478889b38cc341d50f88f'/>
<id>4b40a16f0d188422227478889b38cc341d50f88f</id>
<content type='text'>
Remove /^\s*\*+\s*\$FreeBSD\$.*$\n/

Similar commit in current:
(cherry picked from commit 2ff63af9b88c)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove /^\s*\*+\s*\$FreeBSD\$.*$\n/

Similar commit in current:
(cherry picked from commit 2ff63af9b88c)
</pre>
</div>
</content>
</entry>
<entry>
<title>unionfs: implement VOP_SET_TEXT/VOP_UNSET_TEXT</title>
<updated>2023-01-09T02:31:15+00:00</updated>
<author>
<name>Jason A. Harmening</name>
<email>jah@FreeBSD.org</email>
</author>
<published>2021-12-21T23:51:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=04f8674aa7486ec2d73d60c2247fe5e33b5399c5'/>
<id>04f8674aa7486ec2d73d60c2247fe5e33b5399c5</id>
<content type='text'>
The implementation simply passes the text ref to the appropriate
underlying vnode.  Without this, the default [un]set_text
implementation will only manage the text ref on the unionfs vnode,
causing it to be out of sync with the underlying filesystems and
potentially allowing corruption of executable file contents.
On INVARIANTS kernels, it also readily produces a panic on process
termination because the VM object representing the executable mapping
is backed by the underlying vnode, not the unionfs vnode.

PR:	251342
Reviewed by:	kib
Differential Revision: https://reviews.freebsd.org/D33611

(cherry picked from commit 9e891d43f586e91541bd61fb12550de296d76fd9)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The implementation simply passes the text ref to the appropriate
underlying vnode.  Without this, the default [un]set_text
implementation will only manage the text ref on the unionfs vnode,
causing it to be out of sync with the underlying filesystems and
potentially allowing corruption of executable file contents.
On INVARIANTS kernels, it also readily produces a panic on process
termination because the VM object representing the executable mapping
is backed by the underlying vnode, not the unionfs vnode.

PR:	251342
Reviewed by:	kib
Differential Revision: https://reviews.freebsd.org/D33611

(cherry picked from commit 9e891d43f586e91541bd61fb12550de296d76fd9)
</pre>
</div>
</content>
</entry>
<entry>
<title>unionfs: do not use bare struct componentname</title>
<updated>2021-07-07T10:23:30+00:00</updated>
<author>
<name>Konstantin Belousov</name>
<email>kib@FreeBSD.org</email>
</author>
<published>2021-06-14T18:45:23+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=eee344ccd1420498eb7860999d115ea1de8c68e6'/>
<id>eee344ccd1420498eb7860999d115ea1de8c68e6</id>
<content type='text'>
(cherry picked from commit 190110f2eba1551793f290a9f01e52ffe015a5da)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
(cherry picked from commit 190110f2eba1551793f290a9f01e52ffe015a5da)
</pre>
</div>
</content>
</entry>
<entry>
<title>Split out cwd/root/jail, cmask state from filedesc table</title>
<updated>2020-11-17T21:14:13+00:00</updated>
<author>
<name>Conrad Meyer</name>
<email>cem@FreeBSD.org</email>
</author>
<published>2020-11-17T21:14:13+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=85078b8573332c2c83a79adea8a61b519fb3b6af'/>
<id>85078b8573332c2c83a79adea8a61b519fb3b6af</id>
<content type='text'>
No functional change intended.

Tracking these structures separately for each proc enables future work to
correctly emulate clone(2) in linux(4).

__FreeBSD_version is bumped (to 1300130) for consumption by, e.g., lsof.

Reviewed by:	kib
Discussed with:	markj, mjg
Differential Revision:	https://reviews.freebsd.org/D27037
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
No functional change intended.

Tracking these structures separately for each proc enables future work to
correctly emulate clone(2) in linux(4).

__FreeBSD_version is bumped (to 1300130) for consumption by, e.g., lsof.

Reviewed by:	kib
Discussed with:	markj, mjg
Differential Revision:	https://reviews.freebsd.org/D27037
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: clean up empty lines in .c and .h files</title>
<updated>2020-09-01T21:18:40+00:00</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjg@FreeBSD.org</email>
</author>
<published>2020-09-01T21:18:40+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=586ee69f09c5060621486b34722a4a806581f93d'/>
<id>586ee69f09c5060621486b34722a4a806581f93d</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>vfs: remove the always-curthread td argument from VOP_RECLAIM</title>
<updated>2020-08-19T07:28:01+00:00</updated>
<author>
<name>Mateusz Guzik</name>
<email>mjg@FreeBSD.org</email>
</author>
<published>2020-08-19T07:28:01+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=8f226f4c23e6fd158ad8f3c26be8d185cc0b73a2'/>
<id>8f226f4c23e6fd158ad8f3c26be8d185cc0b73a2</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix export_args ex_flags field so that it is 64bits, the same as mnt_flags.</title>
<updated>2020-06-14T00:10:18+00:00</updated>
<author>
<name>Rick Macklem</name>
<email>rmacklem@FreeBSD.org</email>
</author>
<published>2020-06-14T00:10:18+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=1f7104d7203f410f0f7055d2a8f2fe628eed8dbc'/>
<id>1f7104d7203f410f0f7055d2a8f2fe628eed8dbc</id>
<content type='text'>
Since mnt_flags was upgraded to 64bits there has been a quirk in
"struct export_args", since it holds a copy of mnt_flags
in ex_flags, which is an "int" (32bits).
This happens to currently work, since all the flag bits used in ex_flags are
defined in the low order 32bits. However, new export flags cannot be defined.
Also, ex_anon is a "struct xucred", which limits it to 16 additional groups.
This patch revises "struct export_args" to make ex_flags 64bits and replaces
ex_anon with ex_uid, ex_ngroups and ex_groups (which points to a
groups list, so it can be malloc'd up to NGROUPS in size).
This requires that the VFS_CHECKEXP() arguments change, so I also modified the
last "secflavors" argument to be an array pointer, so that the
secflavors could be copied in VFS_CHECKEXP() while the export entry is locked.
(Without this patch VFS_CHECKEXP() returns a pointer to the secflavors
array and then it is used after being unlocked, which is potentially
a problem if the exports entry is changed.
In practice this does not occur when mountd is run with "-S",
but I think it is worth fixing.)

This patch also deleted the vfs_oexport_conv() function, since
do_mount_update() does the conversion, as required by the old vfs_cmount()
calls.

Reviewed by:	kib, freqlabs
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D25088
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since mnt_flags was upgraded to 64bits there has been a quirk in
"struct export_args", since it holds a copy of mnt_flags
in ex_flags, which is an "int" (32bits).
This happens to currently work, since all the flag bits used in ex_flags are
defined in the low order 32bits. However, new export flags cannot be defined.
Also, ex_anon is a "struct xucred", which limits it to 16 additional groups.
This patch revises "struct export_args" to make ex_flags 64bits and replaces
ex_anon with ex_uid, ex_ngroups and ex_groups (which points to a
groups list, so it can be malloc'd up to NGROUPS in size).
This requires that the VFS_CHECKEXP() arguments change, so I also modified the
last "secflavors" argument to be an array pointer, so that the
secflavors could be copied in VFS_CHECKEXP() while the export entry is locked.
(Without this patch VFS_CHECKEXP() returns a pointer to the secflavors
array and then it is used after being unlocked, which is potentially
a problem if the exports entry is changed.
In practice this does not occur when mountd is run with "-S",
but I think it is worth fixing.)

This patch also deleted the vfs_oexport_conv() function, since
do_mount_update() does the conversion, as required by the old vfs_cmount()
calls.

Reviewed by:	kib, freqlabs
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D25088
</pre>
</div>
</content>
</entry>
</feed>
