Date: Sat, 31 Jan 2015 17:35:54 +0000 (UTC) From: Jamie Gritton <jamie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r277985 - in stable/10: sys/fs/fdescfs sys/kern sys/sys usr.sbin/jail Message-ID: <201501311735.t0VHZsXb096173@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jamie Date: Sat Jan 31 17:35:53 2015 New Revision: 277985 URL: https://svnweb.freebsd.org/changeset/base/277985 Log: MFC r277855: Add allow.mount.fdescfs jail flag. PR: 192951 Submitted by: ruben@verweg.com Modified: stable/10/sys/fs/fdescfs/fdesc_vfsops.c stable/10/sys/kern/kern_jail.c stable/10/sys/sys/jail.h stable/10/usr.sbin/jail/jail.8 Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/fs/fdescfs/fdesc_vfsops.c ============================================================================== --- stable/10/sys/fs/fdescfs/fdesc_vfsops.c Sat Jan 31 17:08:02 2015 (r277984) +++ stable/10/sys/fs/fdescfs/fdesc_vfsops.c Sat Jan 31 17:35:53 2015 (r277985) @@ -42,6 +42,7 @@ #include <sys/systm.h> #include <sys/filedesc.h> #include <sys/kernel.h> +#include <sys/jail.h> #include <sys/lock.h> #include <sys/mutex.h> #include <sys/malloc.h> @@ -78,8 +79,12 @@ fdesc_mount(struct mount *mp) { int error = 0; struct fdescmount *fmp; + struct thread *td = curthread; struct vnode *rvp; + if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS)) + return (EPERM); + /* * Update is a no-op */ @@ -237,4 +242,4 @@ static struct vfsops fdesc_vfsops = { .vfs_unmount = fdesc_unmount, }; -VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC); +VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL); Modified: stable/10/sys/kern/kern_jail.c ============================================================================== --- stable/10/sys/kern/kern_jail.c Sat Jan 31 17:08:02 2015 (r277984) +++ stable/10/sys/kern/kern_jail.c Sat Jan 31 17:35:53 2015 (r277985) @@ -207,6 +207,7 @@ static char *pr_allow_names[] = { "allow.mount.zfs", "allow.mount.procfs", "allow.mount.tmpfs", + "allow.mount.fdescfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -223,6 +224,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nozfs", "allow.mount.noprocfs", "allow.mount.notmpfs", + "allow.mount.nofdescfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4231,6 +4233,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the devfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the fdescfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", @@ -4391,6 +4397,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYP "B", "Jail may mount/unmount jail-friendly file systems in general"); SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the devfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the fdescfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the nullfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, Modified: stable/10/sys/sys/jail.h ============================================================================== --- stable/10/sys/sys/jail.h Sat Jan 31 17:08:02 2015 (r277984) +++ stable/10/sys/sys/jail.h Sat Jan 31 17:35:53 2015 (r277985) @@ -228,7 +228,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_ZFS 0x0200 #define PR_ALLOW_MOUNT_PROCFS 0x0400 #define PR_ALLOW_MOUNT_TMPFS 0x0800 -#define PR_ALLOW_ALL 0x0fff +#define PR_ALLOW_MOUNT_FDESCFS 0x1000 +#define PR_ALLOW_ALL 0x1fff /* * OSD methods Modified: stable/10/usr.sbin/jail/jail.8 ============================================================================== --- stable/10/usr.sbin/jail/jail.8 Sat Jan 31 17:08:02 2015 (r277984) +++ stable/10/usr.sbin/jail/jail.8 Sat Jan 31 17:35:53 2015 (r277985) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 4, 2014 +.Dd January 28, 2015 .Dt JAIL 8 .Os .Sh NAME @@ -362,7 +362,7 @@ A set of IPv6 options for the jail, the and .Va ip4 above. -.It vnet +.It Va vnet Create the jail with its own virtual network stack, with its own network interfaces, addresses, routing table, etc. The kernel must have been compiled with the @@ -531,6 +531,14 @@ is set to a value lower than 2. The devfs ruleset should be restricted from the default by using the .Va devfs_ruleset option. +.It Va allow.mount.fdescfs +privileged users inside the jail will be able to mount and unmount the +fdescfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.nullfs privileged users inside the jail will be able to mount and unmount the nullfs file system.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501311735.t0VHZsXb096173>