Page MenuHomeFreeBSD

Add option "untrusted" to mount(8)
ClosedPublic

Authored by mckusick on Jun 27 2019, 10:40 PM.

Details

Summary

Add a new "untrusted" option to the mount command. Its purpose is to notify the kernel that the file system is untrusted and it should use more extensive checks on the file-system's metadata before using it. This option is intended to be used when mounting file systems from untrusted media such as USB memory sticks or other externally-provided media.

It will initially be used by the UFS/FFS file system, but should likely be expanded to be used by other file systems that may appear on external media like msdosfs, exfat, and ext2fs.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

I am not sure how useful this option is.

Consider UFS. The option can only enable 'fast' checks, but then specially crafted malicious filesystem still can either panic or corrupt kernel state, or do something much worse. E.g. it might point some inode data block to metadata block, allowing user to control it. It is unfeasible to check for such stuff in kernel at all. So we cannot make a promise that 'untrusted' option allows to mount arbitrary volume as UFS and still normally use the system.

On the other hand, easy checks like that a block pointer never points outside the volume end, or even more advanced things like that data block pointer never point to inode or bitmap blocks, can be performed always with essentially zero overhead. The overhead of arithmetic would be negligible comparing with the io overhead even on NVMe or with the locking cost.

So IMO, we should add 'hardening' checks to UFS unconditionally, and only consider this option when we have some really expensive check ready. But until we have a functionality of complete fsck_ffs in kernel, the option name should be more modest, like 'expensive_consistency' or similar.

Some of the checks that I am contemplating are expensive in that they may require extra I/O operations. Another possible thing is that I may spawn a process to run a full filesystem check before proceeding with the mount. These are not things that should or need to be done in the case of a trusted filesystem. I believe that the name "untrusted" well and succinctly describes this option.

Some of the checks that I am contemplating are expensive in that they may require extra I/O operations. Another possible thing is that I may spawn a process to run a full filesystem check before proceeding with the mount. These are not things that should or need to be done in the case of a trusted filesystem. I believe that the name "untrusted" well and succinctly describes this option.

Ok.

This revision is now accepted and ready to land.Jun 30 2019, 1:31 PM