Index: head/sbin/mount/mntopts.h =================================================================== --- head/sbin/mount/mntopts.h +++ head/sbin/mount/mntopts.h @@ -58,6 +58,7 @@ #define MOPT_ACLS { "acls", 0, MNT_ACLS, 0 } #define MOPT_NFS4ACLS { "nfsv4acls", 0, MNT_NFS4ACLS, 0 } #define MOPT_AUTOMOUNTED { "automounted",0, MNT_AUTOMOUNTED, 0 } +#define MOPT_UNTRUSTED { "untrusted", 0, MNT_UNTRUSTED, 0 } /* Control flags. */ #define MOPT_FORCE { "force", 0, MNT_FORCE, 0 } @@ -93,7 +94,8 @@ MOPT_MULTILABEL, \ MOPT_ACLS, \ MOPT_NFS4ACLS, \ - MOPT_AUTOMOUNTED + MOPT_AUTOMOUNTED, \ + MOPT_UNTRUSTED void getmntopts(const char *, const struct mntopt *, int *, int *); void rmslashes(char *, char *); Index: head/sbin/mount/mount.8 =================================================================== --- head/sbin/mount/mount.8 +++ head/sbin/mount/mount.8 @@ -355,6 +355,12 @@ If those operations fail due to a non-existent file the underlying directory is then accessed. All creates are done in the mounted file system. +.It Cm untrusted +The file system is untrusted and the kernel should use more +extensive checks on the file-system's metadata before using it. +This option is intended to be used when mounting file systems +from untrusted media such as USB memory sticks or other +externally-provided media. .El .Pp Any additional options specific to a file system type that is not Index: head/sbin/mount/mount.c =================================================================== --- head/sbin/mount/mount.c +++ head/sbin/mount/mount.c @@ -118,6 +118,7 @@ { MNT_GJOURNAL, "gjournal" }, { MNT_AUTOMOUNTED, "automounted" }, { MNT_VERIFIED, "verified" }, + { MNT_UNTRUSTED, "untrusted" }, { 0, NULL } }; @@ -972,6 +973,7 @@ if (flags & MNT_MULTILABEL) res = catopt(res, "multilabel"); if (flags & MNT_ACLS) res = catopt(res, "acls"); if (flags & MNT_NFS4ACLS) res = catopt(res, "nfsv4acls"); + if (flags & MNT_UNTRUSTED) res = catopt(res, "untrusted"); return (res); } Index: head/sys/sys/mount.h =================================================================== --- head/sys/sys/mount.h +++ head/sys/sys/mount.h @@ -296,6 +296,7 @@ #define MNT_NOCLUSTERW 0x0000000080000000ULL /* disable cluster write */ #define MNT_SUJ 0x0000000100000000ULL /* using journaled soft updates */ #define MNT_AUTOMOUNTED 0x0000000200000000ULL /* mounted by automountd(8) */ +#define MNT_UNTRUSTED 0x0000000800000000ULL /* filesys metadata untrusted */ /* * NFS export related mount flags. @@ -333,7 +334,8 @@ MNT_NOCLUSTERW | MNT_SUIDDIR | MNT_SOFTDEP | \ MNT_IGNORE | MNT_EXPUBLIC | MNT_NOSYMFOLLOW | \ MNT_GJOURNAL | MNT_MULTILABEL | MNT_ACLS | \ - MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED) + MNT_NFS4ACLS | MNT_AUTOMOUNTED | MNT_VERIFIED | \ + MNT_UNTRUSTED) /* Mask of flags that can be updated. */ #define MNT_UPDATEMASK (MNT_NOSUID | MNT_NOEXEC | \ @@ -342,7 +344,7 @@ MNT_NOSYMFOLLOW | MNT_IGNORE | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ MNT_ACLS | MNT_USER | MNT_NFS4ACLS | \ - MNT_AUTOMOUNTED) + MNT_AUTOMOUNTED | MNT_UNTRUSTED) /* * External filesystem command modifier flags. Index: head/sys/ufs/ffs/ffs_vfsops.c =================================================================== --- head/sys/ufs/ffs/ffs_vfsops.c +++ head/sys/ufs/ffs/ffs_vfsops.c @@ -145,7 +145,7 @@ static const char *ffs_opts[] = { "acls", "async", "noatime", "noclusterr", "noclusterw", "noexec", "export", "force", "from", "groupquota", "multilabel", "nfsv4acls", "fsckpid", "snapshot", "nosuid", "suiddir", - "nosymfollow", "sync", "union", "userquota", NULL }; + "nosymfollow", "sync", "union", "userquota", "untrusted", NULL }; static int ffs_mount(struct mount *mp) @@ -184,6 +184,9 @@ return (error); mntorflags = 0; + if (vfs_getopt(mp->mnt_optnew, "untrusted", NULL, NULL) == 0) + mntorflags |= MNT_UNTRUSTED; + if (vfs_getopt(mp->mnt_optnew, "acls", NULL, NULL) == 0) mntorflags |= MNT_ACLS;