int
domount(kthread_t *td, vnode_t *vp, const char *fstype, char *fspath,
char *fspec, int fsflags)
{
struct mount *mp;
struct vfsconf *vfsp;
struct ucred *newcr, *oldcr;
int error;
/*
* Be ultra-paranoid about making sure the type and fspath
* variables will fit in our mp buffers, including the
* terminating NUL.
*/
if (strlen(fstype) >= MFSNAMELEN || strlen(fspath) >= MNAMELEN)
return (ENAMETOOLONG);
vfsp = vfs_byname_kld(fstype, td, &error);
if (vfsp == NULL)
return (ENODEV);
if (vp->v_type != VDIR)
return (ENOTDIR);
simple_lock(&vp->v_interlock);
if ((vp->v_iflag & VI_MOUNT) != 0 ||
vp->v_mountedhere != NULL) {
simple_unlock(&vp->v_interlock);
return (EBUSY);
}
vp->v_iflag |= VI_MOUNT;
simple_unlock(&vp->v_interlock);
/*
* Allocate and initialize the filesystem.
*/
vn_lock(vp, LK_SHARED | LK_RETRY);
mp = vfs_mount_alloc(vp, vfsp, fspath, td);
VOP_UNLOCK(vp);
mp->mnt_optnew = NULL;
vfs_setmntopt(mp, "from", fspec, 0);
mp->mnt_optnew = mp->mnt_opt;
mp->mnt_opt = NULL;
/*
* Set the mount level flags.
* crdup() can sleep, so do it before acquiring a mutex.
*/
newcr = crdup(kcred);
MNT_ILOCK(mp);
if (fsflags & MNT_RDONLY)
mp->mnt_flag |= MNT_RDONLY;
mp->mnt_flag &=~ MNT_UPDATEMASK;
mp->mnt_flag |= fsflags & (MNT_UPDATEMASK | MNT_FORCE | MNT_ROOTFS);
/*
* Unprivileged user can trigger mounting a snapshot, but we don't want
* him to unmount it, so we switch to privileged credentials.
*/
oldcr = mp->mnt_cred;
mp->mnt_cred = newcr;
mp->mnt_stat.f_owner = mp->mnt_cred->cr_uid;
MNT_IUNLOCK(mp);
crfree(oldcr);
/*
* Mount the filesystem.
* XXX The final recipients of VFS_MOUNT just overwrite the ndp they
* get. No freeing of cn_pnbuf.
*/
error = VFS_MOUNT(mp, td);
if (!error) {
if (mp->mnt_opt != NULL)
vfs_freeopts(mp->mnt_opt);
mp->mnt_opt = mp->mnt_optnew;
(void)VFS_STATFS(mp, &mp->mnt_stat, td);
}
/*
* Prevent external consumers of mount options from reading
* mnt_optnew.
*/
mp->mnt_optnew = NULL;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
/*
* Put the new filesystem on the mount list after root.
*/
#ifdef FREEBSD_NAMECACHE
cache_purge(vp);
#endif
if (!error) {
vnode_t *mvp;
simple_lock(&vp->v_interlock);
vp->v_iflag &= ~VI_MOUNT;
simple_unlock(&vp->v_interlock);
vp->v_mountedhere = mp;
mountlist_append(mp);
vfs_event_signal(NULL, VQ_MOUNT, 0);
if (VFS_ROOT(mp, LK_EXCLUSIVE, &mvp, td))
panic("mount: lost mount");
mountcheckdirs(vp, mvp);
vput(mvp);
VOP_UNLOCK(vp);
if ((mp->mnt_flag & MNT_RDONLY) == 0)
vfs_syncer_add_to_worklist(mp);
vfs_unbusy(mp, td);
vfs_mountedfrom(mp, fspec);
} else {
simple_lock(&vp->v_interlock);
vp->v_iflag &= ~VI_MOUNT;
simple_unlock(&vp->v_interlock);
VOP_UNLOCK(vp);
vfs_unbusy(mp, td);
vfs_mount_destroy(mp);
}
return (error);
}
int
mount_snapshot(kthread_t *td, vnode_t **vpp, const char *fstype, char *fspath,
char *fspec, int fsflags)
{
struct vfsconf *vfsp;
struct mount *mp;
vnode_t *vp, *mvp;
struct ucred *cr;
int error;
/*
* Be ultra-paranoid about making sure the type and fspath
* variables will fit in our mp buffers, including the
* terminating NUL.
*/
if (strlen(fstype) >= MFSNAMELEN || strlen(fspath) >= MNAMELEN)
return (ENAMETOOLONG);
vfsp = vfs_byname_kld(fstype, td, &error);
if (vfsp == NULL)
return (ENODEV);
vp = *vpp;
if (vp->v_type != VDIR)
return (ENOTDIR);
/*
* We need vnode lock to protect v_mountedhere and vnode interlock
* to protect v_iflag.
*/
vn_lock(vp, LK_SHARED | LK_RETRY);
VI_LOCK(vp);
if ((vp->v_iflag & VI_MOUNT) != 0 || vp->v_mountedhere != NULL) {
VI_UNLOCK(vp);
VOP_UNLOCK(vp, 0);
return (EBUSY);
}
vp->v_iflag |= VI_MOUNT;
VI_UNLOCK(vp);
VOP_UNLOCK(vp, 0);
/*
* Allocate and initialize the filesystem.
* We don't want regular user that triggered snapshot mount to be able
* to unmount it, so pass credentials of the parent mount.
*/
mp = vfs_mount_alloc(vp, vfsp, fspath, vp->v_mount->mnt_cred);
mp->mnt_optnew = NULL;
vfs_setmntopt(mp, "from", fspec, 0);
mp->mnt_optnew = mp->mnt_opt;
mp->mnt_opt = NULL;
/*
* Set the mount level flags.
*/
mp->mnt_flag = fsflags & MNT_UPDATEMASK;
/*
* Snapshots are always read-only.
*/
mp->mnt_flag |= MNT_RDONLY;
/*
* We don't want snapshots to allow access to vulnerable setuid
* programs, so we turn off setuid when mounting snapshots.
*/
mp->mnt_flag |= MNT_NOSUID;
/*
* We don't want snapshots to be visible in regular
* mount(8) and df(1) output.
*/
mp->mnt_flag |= MNT_IGNORE;
/*
* XXX: This is evil, but we can't mount a snapshot as a regular user.
* XXX: Is is safe when snapshot is mounted from within a jail?
*/
cr = td->td_ucred;
td->td_ucred = kcred;
error = VFS_MOUNT(mp);
td->td_ucred = cr;
if (error != 0) {
VI_LOCK(vp);
vp->v_iflag &= ~VI_MOUNT;
VI_UNLOCK(vp);
vrele(vp);
vfs_unbusy(mp);
vfs_mount_destroy(mp);
*vpp = NULL;
return (error);
}
if (mp->mnt_opt != NULL)
vfs_freeopts(mp->mnt_opt);
mp->mnt_opt = mp->mnt_optnew;
(void)VFS_STATFS(mp, &mp->mnt_stat);
/*
* Prevent external consumers of mount options from reading
* mnt_optnew.
*/
mp->mnt_optnew = NULL;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
#ifdef FREEBSD_NAMECACHE
cache_purge(vp);
#endif
VI_LOCK(vp);
vp->v_iflag &= ~VI_MOUNT;
VI_UNLOCK(vp);
vp->v_mountedhere = mp;
/* Put the new filesystem on the mount list. */
mtx_lock(&mountlist_mtx);
TAILQ_INSERT_TAIL(&mountlist, mp, mnt_list);
mtx_unlock(&mountlist_mtx);
vfs_event_signal(NULL, VQ_MOUNT, 0);
if (VFS_ROOT(mp, LK_EXCLUSIVE, &mvp))
panic("mount: lost mount");
vput(vp);
vfs_unbusy(mp);
*vpp = mvp;
return (0);
}