Fixed incompleteness that would allow dirty filesystems to get mounted

when the single user shell was terminated. These changes disallow mounting
or R/W upgrading filesystems that are dirty unless "-f" (force) option
is used with mount. /etc/rc has been modified to abort the startup if
one or more non-nfs partitions fail to mount.

Reviewed by:	Poul-Henning Kamp, Rod Grimes

etc/rc

@@ -1,5 +1,5 @@
 #!/bin/sh
-#	$Id: rc,v 1.63 1995/04/11 18:36:10 ache Exp $
+#	$Id: rc,v 1.64 1995/05/11 21:11:17 jkh Exp $
 #	From: @(#)rc	5.27 (Berkeley) 6/5/91
 
 # System startup script run by init on autoboot
@@ -65,9 +65,18 @@ trap "echo 'Reboot interrupted'; exit 1" 3
 # root must be read/write both for NFS diskless and for VFS LKMs before
 # proceeding any further.
 mount -u -o rw /
+if [ $? != 0 ]; then
+	echo "Filesystem mount failed, startup aborted"
+	exit 1
+fi
 
 umount -a >/dev/null 2>&1
+
 mount -a -t nonfs
+if [ $? != 0 ]; then
+	echo "Filesystem mount failed, startup aborted"
+	exit 1
+fi
 
 # If the machine runs wall CMOS clock (compatible with MSDOS),
 # activate following line by creating empty file /etc/wall_cmos_clock

sbin/mount/mount.8

@@ -84,7 +84,9 @@ determine what the
 command is trying to do.
 .It Fl f
 Forces the revocation of write access when trying to downgrade
-a filesystem mount status from read-write to read-only.
+a filesystem mount status from read-write to read-only. Also
+forces the R/W mount of an unclean filesystem (dangerous; use with
+caution).
 .It Fl o
 Options are specified with a
 .Fl o
@@ -104,7 +106,8 @@ system should your system crash.
 The same as
 .Fl f ;
 forces the revocation of write access when trying to downgrade
-a filesystem mount status from read-write to read-only.
+a filesystem mount status from read-write to read-only. Also
+forces the R/W mount of an unclean filesystem (dangerous; use with caution).
 .It nodev
 Do not interpret character or block special devices on the file system.
 This option is useful for a server that has file systems containing

sbin/mount_ifs/mount.8

@@ -84,7 +84,9 @@ determine what the
 command is trying to do.
 .It Fl f
 Forces the revocation of write access when trying to downgrade
-a filesystem mount status from read-write to read-only.
+a filesystem mount status from read-write to read-only. Also
+forces the R/W mount of an unclean filesystem (dangerous; use with
+caution).
 .It Fl o
 Options are specified with a
 .Fl o
@@ -104,7 +106,8 @@ system should your system crash.
 The same as
 .Fl f ;
 forces the revocation of write access when trying to downgrade
-a filesystem mount status from read-write to read-only.
+a filesystem mount status from read-write to read-only. Also
+forces the R/W mount of an unclean filesystem (dangerous; use with caution).
 .It nodev
 Do not interpret character or block special devices on the file system.
 This option is useful for a server that has file systems containing

sys/kern/vfs_extattr.c

@@ -36,7 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)vfs_syscalls.c	8.13 (Berkeley) 4/15/94
- * $Id: vfs_syscalls.c,v 1.22 1995/05/02 08:44:31 davidg Exp $
+ * $Id: vfs_syscalls.c,v 1.23 1995/05/02 09:06:04 davidg Exp $
  */
 
 #include <sys/param.h>
@@ -170,7 +170,7 @@ mount(p, uap, retval)
 	mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
 	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC);
 	mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
-	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC);
+	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE);
 	/*
 	 * Mount the filesystem.
 	 */

sys/kern/vfs_syscalls.c

@@ -36,7 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)vfs_syscalls.c	8.13 (Berkeley) 4/15/94
- * $Id: vfs_syscalls.c,v 1.22 1995/05/02 08:44:31 davidg Exp $
+ * $Id: vfs_syscalls.c,v 1.23 1995/05/02 09:06:04 davidg Exp $
  */
 
 #include <sys/param.h>
@@ -170,7 +170,7 @@ mount(p, uap, retval)
 	mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
 	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC);
 	mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV |
-	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC);
+	    MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE);
 	/*
 	 * Mount the filesystem.
 	 */

sys/ufs/ffs/ffs_vfsops.c

@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ffs_vfsops.c	8.8 (Berkeley) 4/18/94
- * $Id: ffs_vfsops.c,v 1.17 1995/04/11 04:23:47 davidg Exp $
+ * $Id: ffs_vfsops.c,v 1.18 1995/05/01 23:20:24 dyson Exp $
  */
 
 #include <sys/param.h>
@@ -187,8 +187,18 @@ ffs_mount(mp, path, data, ndp, p)
 			error = ffs_reload(mp, ndp->ni_cnd.cn_cred, p);
 		if (error)
 			return (error);
-		if (fs->fs_ronly && (mp->mnt_flag & MNT_WANTRDWR))
+		if (fs->fs_ronly && (mp->mnt_flag & MNT_WANTRDWR)) {
+			if (!fs->fs_clean) {
+				if (mp->mnt_flag & MNT_FORCE) {
+					printf("WARNING: %s was not properly dismounted.\n",fs->fs_fsmnt);
+				} else {
+					printf("WARNING: R/W mount of %s denied. Filesystem is not clean - run fsck.\n",
+					    fs->fs_fsmnt);
+					return (EPERM);
+				}
+			}
 			fs->fs_ronly = 0;
+		}
 		if (fs->fs_ronly == 0) {
 			fs->fs_clean = 0;
 			ffs_sbupdate(ump, MNT_WAIT);
@@ -408,6 +418,15 @@ ffs_mountfs(devvp, mp, p)
 		error = EINVAL;		/* XXX needs translation */
 		goto out;
 	}
+	if (!fs->fs_clean) {
+		if (ronly || (mp->mnt_flag & MNT_FORCE)) {
+			printf("WARNING: %s was not properly dismounted.\n",fs->fs_fsmnt);
+		} else {
+			printf("WARNING: R/W mount of %s denied. Filesystem is not clean - run fsck.\n",fs->fs_fsmnt);
+			error = EPERM;
+			goto out;
+		}
+	}
 	ump = malloc(sizeof *ump, M_UFSMNT, M_WAITOK);
 	bzero((caddr_t)ump, sizeof *ump);
 	ump->um_fs = malloc((u_long)fs->fs_sbsize, M_UFSMNT,
@@ -419,9 +438,6 @@ ffs_mountfs(devvp, mp, p)
 	bp = NULL;
 	fs = ump->um_fs;
 	fs->fs_ronly = ronly;
-	if (!fs->fs_clean) {
-		printf("WARNING: %s was not properly dismounted\n",fs->fs_fsmnt);
-	}
 	if (ronly == 0) {
 		fs->fs_fmod = 1;
 		fs->fs_clean = 0;