DARWIN: On macOS 12, mount afs on user's directory

Currently, /afs is mounted/unmounted by a LaunchDaemon. In order to
unmount /afs on restart/shutdown, this daemon runs umount -force /afs.
Unfortunately, SIP (System Integrity Protection) is not allowing the
LaunchDaemon in question to run this command successfully on macOS 12
(exclusively on restart/shutdown):

  umount: Operation not permitted

In this situation, afs can't be turned off correctly, leaving many
unkillable afsd processes lingering around. As a result, the
restart/shutdown process gets stuck indefinitely.

Fortunately, this problem doesn't happen if /afs is mounted on an user's
directory. That said, avoid this issue by mounting /afs on the current
user's directory (/Users/$USER/OpenAFS/afs). Notice that afs is still
accessible (including for other users) through a synthetic link added in
the root directory (/afs -> /Users/$USER/OpenAFS/afs).

Change-Id: Id05d811e785057a82b73d0946154d9be8b5d772a
Reviewed-on: https://gerrit.openafs.org/14925
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>

diff --git a/src/packaging/MacOS/OpenAFS.post_install b/src/packaging/MacOS/OpenAFS.post_install
index ad6e704..6e7e706 100644 (file)
--- a/src/packaging/MacOS/OpenAFS.post_install
+++ b/src/packaging/MacOS/OpenAFS.post_install
@@ -8,7 +8,17 @@ if [ $majorvers -ge 19 ]; then
   # Root mount point is read-only. To workaround this restriction, add a
   # synthetic entity for afs into /etc/synthetic.conf. For more information,
   # please read man synthetic.conf(5).
-  grep -qs '^afs$' /etc/synthetic.conf || echo 'afs' >> /etc/synthetic.conf
+  if [ $majorvers -ge 21 ]; then
+    # On macOS 12, SIP is not allowing our LaunchDaemon to unmount /afs on
+    # restart/shutdown. If /afs is mounted on the user's directory, this problem
+    # doesn't happen.
+    sed -i "" "/OpenAFS\/afs/d" /etc/synthetic.conf &> /dev/null
+    sed -i "" "/^afs$/d" /etc/synthetic.conf &> /dev/null
+    echo "afs\tUsers/$USER/OpenAFS/afs" >> /etc/synthetic.conf
+    mkdir -p /Users/$USER/OpenAFS/afs
+  else
+    grep -qs '^afs$' /etc/synthetic.conf || echo 'afs' >> /etc/synthetic.conf
+  fi
 elif [ $majorvers -ge 7 ]; then
   # /Network is now readonly, so put AFS in /afs; make sure /afs is a directory
   if [ -e /afs ]; then
@@ -37,6 +47,10 @@ if [ `grep /Network/afs cacheinfo` ]; then
     mv cacheinfo.new cacheinfo
 fi
 
+if [ $majorvers -ge 21 ]; then
+    sed -i "" "s/\/afs:/\/Users\/$USER\/OpenAFS\/afs:/" cacheinfo
+fi
+
 # if the installer plugin generated ThisCell and/or CellAlias
 # files, copy them in here
 tmpthiscell=/private/tmp/org.OpenAFS.Install.ThisCell.$USER