Re: how to get nodev for zfs?

[Brad Spencer <brad%anduin.eldar.org@localhost>]

Greg Troxel <gdt%lexort.com@localhost> writes:

> I'm contemplating using zfs over NFS for domU package builders, and I'm
> basically allergic to NFS for security reasons but it should be
> confined.
>
> So I'm trying to reduce exposure, and have set setuid=off on
> zfs filesystems.  That successfully prevented a suid binary from working.
>
> The other usual thing is "nodev", and zfs has a devices property on or
> off.  So I went to set it to off and got an error that FreeBSD doesn't
> support that.
>
> I made a device node (just with mknod) for wd0d and I was able to dd
> from it.
>
> Is there any good approach to avoiding this?   Why doesn't devices=off
> just lead to the nodev mount option and work, similar to setuid=off
> leads to nosuid?


Not speaking for the total bug, but part of it exists in:

src/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c

where there is a specific check to disallow the setting of the devices
property and has the FreeBSD text.  It would be a start to allow the
property to be set.  Once that is possible a "zfs set devices=off
<pool>" should work (or panic??).  Then the fileset may need to be
umounted and remounted on NetBSD (zfs umount / zfs mount sort of thing).
The second problem is that the mount may not pick up the property.  That
would be looking for zfs_mount(), zmount(), zfs_domount() and that ilk
(probably zfs_main() in the zfs command itself too).  I took a very
brief look and did not see anything that would exclude the devices
property, but did not have a great deal of time to sift though the code.
There may be a translation missing somewhere too.




-- 
Brad Spencer - brad%anduin.eldar.org@localhost - KC8VKS - http://anduin.eldar.org