Re: Kernel panic when accessing ZFS-Filesystem via NFS

From: Robert Watson <rwatson_at_FreeBSD.org>
Date: Thu, 4 Jun 2009 11:51:30 +0100 (BST)
On Thu, 4 Jun 2009, Robert Watson wrote:

>> The NFS server is creating a ucred which describes the privileges to be 
>> given to the remote user. What is the correct way to do this and where can 
>> I read the documentation?
>
> In practice, all credentials in the system are (often quite indirectly) 
> derived from one of two root credentials, those belong to swapper and init. 
> Typical practice, on initializing a kernel service, is to take an additional 
> reference on the credential that configured the service and derive future 
> credentials from it.  I think this is what the old NFS code did, presumably 
> either directly borrowing a proc 0 credential, or from the syscall turning 
> on the NFS server.

Thinking more formally about this, I guess the question is whether or not the 
NFS server should really be a "third" credential root.  If so, we should 
provide a more formal mechanism for it to be set up so that it carries the 
proper extended credential state, such as Jail state, MAC state, audit state, 
etc.  Notice that similar code for proc0 and proc1 has explicit hooks for 
that:

        /* Create credentials. */
        p->p_ucred = crget();
        p->p_ucred->cr_ngroups = 1;     /* group 0 */
        p->p_ucred->cr_uidinfo = uifind(0);
        p->p_ucred->cr_ruidinfo = uifind(0);
        p->p_ucred->cr_prison = &prison0;
#ifdef VIMAGE
        KASSERT(LIST_FIRST(&vimage_head) != NULL, ("vimage_head empty"));
        P_TO_VIMAGE(p) =  LIST_FIRST(&vimage_head); /* set ucred->cr_vimage */
        refcount_acquire(&P_TO_VIMAGE(p)->vi_ucredrefc);
        LIST_FIRST(&vprocg_head)->nprocs++;
#endif
#ifdef AUDIT
        audit_cred_kproc0(p->p_ucred);
#endif
#ifdef MAC
        mac_cred_create_swapper(p->p_ucred);
#endif

And for proc 1:

        newcred = crget();
        PROC_LOCK(initproc);
        initproc->p_flag |= P_SYSTEM | P_INMEM;
        oldcred = initproc->p_ucred;
        crcopy(newcred, oldcred);
#ifdef MAC
        mac_cred_create_init(newcred);
#endif
#ifdef AUDIT
        audit_cred_proc1(newcred);
#endif
        initproc->p_ucred = newcred;

Possibly we should actually add MAC and audit functions along similar lines, 
and initialize cr_prison to &prison0 for the NFS creds?  On the other hand, if 
they may be used for network I/O, perhaps cr_prison and the others should be 
initialized based on the context in which nfsd is started, so that it takes on 
those security attributes.

Robert N M Watson
Computer Laboratory
University of Cambridge
Received on Thu Jun 04 2009 - 08:51:31 UTC
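The two options weighed in the message, as an added user-space model that is not FreeBSD kernel code: one credential built from scratch as a third root (like proc0's), the other copied from the credential of the thread that started nfsd so that jail, MAC and audit state come along. The struct fields and the crget/crcopy/crdup names echo sys/ucred.h but are simplified stand-ins assumed here for illustration.

```c
/* Added model of credential rooting for an NFS server credential.
 * Not the kernel's code: structs are simplified stand-ins. */
#include <stdlib.h>

struct prison { int pr_id; int pr_ref; };

struct ucred {
    int cr_ref;                 /* reference count */
    unsigned cr_uid;            /* effective uid */
    struct prison *cr_prison;   /* jail this credential is confined to */
    int cr_audit_session;       /* stand-in for audit state */
    int cr_mac_label;           /* stand-in for a MAC label */
};

struct prison prison0 = { 0, 1 };   /* the host, like the kernel's prison0 */

static struct ucred *crget(void) {
    struct ucred *cr = calloc(1, sizeof *cr);
    if (cr != NULL)
        cr->cr_ref = 1;
    return cr;
}

/* Copy every field and take a reference on the prison, as crcopy() does. */
static void crcopy(struct ucred *dst, const struct ucred *src) {
    dst->cr_uid = src->cr_uid;
    dst->cr_prison = src->cr_prison;
    dst->cr_prison->pr_ref++;
    dst->cr_audit_session = src->cr_audit_session;
    dst->cr_mac_label = src->cr_mac_label;
}

static struct ucred *crdup(const struct ucred *src) {
    struct ucred *cr = crget();
    if (cr != NULL)
        crcopy(cr, src);
    return cr;
}

/* Option 1: a third credential root, built like proc0's. MAC and audit
 * state would need explicit hooks here, and cr_prison is always the host. */
struct ucred *nfsd_cred_from_root(void) {
    struct ucred *cr = crget();
    if (cr == NULL)
        return NULL;
    cr->cr_uid = 0;
    cr->cr_prison = &prison0;
    prison0.pr_ref++;
    return cr;
}

/* Option 2: inherit the security context of the thread that started nfsd. */
struct ucred *nfsd_cred_from_caller(const struct ucred *td_ucred) {
    return crdup(td_ucred);
}

/* Is the derived credential confined to the given prison? */
int cred_confined_to(const struct ucred *cr, const struct prison *pr) {
    return cr->cr_prison == pr;
}
```

Only the second option keeps a jailed starter's jail, audit session and MAC label on the server credential; the first silently produces a host-rooted credential regardless of who started the service.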
