freebsd-skq/sys/fs/nfsserver
Konstantin Belousov 7359fdcf5f Allow some dotdot lookups in capability mode.
If dotdot lookup does not escape from the file descriptor passed as
the lookup root, we can allow the component traversal.  Track the
directories traversed, and check the result of dotdot lookup against
the recorded list of the directory vnodes.

Dotdot lookups are enabled by sysctl vfs.lookup_cap_dotdot, currently
disabled by default until more verification of the approach is done.

Disallow non-local filesystems for dotdot, since a remote server might
conspire with the local process to allow it to escape the namespace.
This might be too cautious; provide the knob
vfs.lookup_cap_dotdot_nonlocal to override as well.

Idea by:	rwatson
Discussed with:	emaste, jonathan, rwatson
Reviewed by:	mjg (previous version)
Tested by:	pho (previous version)
Sponsored by:	The FreeBSD Foundation
MFC after:	2 week
Differential revision:	https://reviews.freebsd.org/D8110
2016-11-02 12:43:15 +00:00
nfs_fha_new.c
nfs_fha_new.h
nfs_nfsdcache.c Update the nfsstats structure to include the changes needed by 2016-08-12 22:44:59 +00:00
nfs_nfsdkrpc.c nfsserver: minor spelling fix in comment. 2016-05-06 23:40:37 +00:00
nfs_nfsdport.c Allow some dotdot lookups in capability mode. 2016-11-02 12:43:15 +00:00
nfs_nfsdserv.c nfsd: Fix use-after-free in NFS4 lock test service 2016-05-12 05:03:12 +00:00
nfs_nfsdsocket.c Update the nfsstats structure to include the changes needed by 2016-08-12 22:44:59 +00:00
nfs_nfsdstate.c A problem w.r.t. interoperation between the FreeBSD NFSv4.1 server with 2016-10-20 23:53:16 +00:00
nfs_nfsdsubs.c Allow the NFSv4 server to reply NFSERR_WRONGSEC for the SetClientID operation. 2016-04-23 21:18:45 +00:00