diff options
author | araujo <araujo@FreeBSD.org> | 2015-07-19 08:52:35 +0000 |
---|---|---|
committer | araujo <araujo@FreeBSD.org> | 2015-07-19 08:52:35 +0000 |
commit | 61ced0e48d315a8b265712d5f6c61496403cfbec (patch) | |
tree | 901ad3403995bdc3808b712dd26e3e3765a1e1a2 | |
parent | b0e42f970b67a44933a52ec7916aded034a86b2c (diff) | |
download | FreeBSD-src-61ced0e48d315a8b265712d5f6c61496403cfbec.zip FreeBSD-src-61ced0e48d315a8b265712d5f6c61496403cfbec.tar.gz |
Add support to the jail framework to be able to mount linsysfs(5) and
linprocfs(5).
Differential Revision: D2846
Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com>
Reviewed by: jamie
-rw-r--r-- | sys/compat/linprocfs/linprocfs.c | 2 | ||||
-rw-r--r-- | sys/compat/linsysfs/linsysfs.c | 2 | ||||
-rw-r--r-- | sys/kern/kern_jail.c | 16 | ||||
-rw-r--r-- | sys/sys/jail.h | 4 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 20 |
5 files changed, 40 insertions, 4 deletions
diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c index 2c28aa2..496afba 100644 --- a/sys/compat/linprocfs/linprocfs.c +++ b/sys/compat/linprocfs/linprocfs.c @@ -1548,7 +1548,7 @@ linprocfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linprocfs, 1, 0); +PSEUDOFS(linprocfs, 1, PR_ALLOW_MOUNT_LINPROCFS); #if defined(__amd64__) MODULE_DEPEND(linprocfs, linux_common, 1, 1, 1); #else diff --git a/sys/compat/linsysfs/linsysfs.c b/sys/compat/linsysfs/linsysfs.c index bc85ac3..0d5273c 100644 --- a/sys/compat/linsysfs/linsysfs.c +++ b/sys/compat/linsysfs/linsysfs.c @@ -275,7 +275,7 @@ linsysfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linsysfs, 1, 0); +PSEUDOFS(linsysfs, 1, PR_ALLOW_MOUNT_LINSYSFS); #if defined(__amd64__) MODULE_DEPEND(linsysfs, linux_common, 1, 1, 1); #else diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 6bdddd7..05a5632 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -205,6 +205,8 @@ static char *pr_allow_names[] = { "allow.mount.procfs", "allow.mount.tmpfs", "allow.mount.fdescfs", + "allow.mount.linprocfs", + "allow.mount.linsysfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -222,6 +224,8 @@ static char *pr_allow_nonames[] = { "allow.mount.noprocfs", "allow.mount.notmpfs", "allow.mount.nofdescfs", + "allow.mount.nolinprocfs", + "allow.mount.nolinsysfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4290,6 +4294,14 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the procfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the linprocfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the linsysfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I", @@ -4456,6 +4468,10 @@ SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the nullfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the procfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the linprocfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the linsysfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the tmpfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 916bd59..70e7085 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -230,7 +230,9 @@ struct prison_racct { #define PR_ALLOW_MOUNT_PROCFS 0x0400 #define PR_ALLOW_MOUNT_TMPFS 0x0800 #define PR_ALLOW_MOUNT_FDESCFS 0x1000 -#define PR_ALLOW_ALL 0x1fff +#define PR_ALLOW_MOUNT_LINPROCFS 0x2000 +#define PR_ALLOW_MOUNT_LINSYSFS 0x4000 +#define PR_ALLOW_ALL 0x7fff /* * OSD methods diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 189fa36..5122e0f 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 25, 2015 +.Dd July 20, 2015 .Dt JAIL 8 .Os .Sh NAME @@ -563,6 +563,22 @@ This permission is effective only together with and only when .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.linprocfs +privileged users inside the jail will be able to mount and unmount the +linprocfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. +.It Va allow.mount.linsysfs +privileged users inside the jail will be able to mount and unmount the +linsysfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.tmpfs privileged users inside the jail will be able to mount and unmount the tmpfs file system. @@ -1209,6 +1225,8 @@ environment of the first jail. .Xr devfs 5 , .Xr fdescfs 5 , .Xr jail.conf 5 , +.Xr linprocfs 5 , +.Xr linsysfs 5 , .Xr procfs 5 , .Xr rc.conf 5 , .Xr sysctl.conf 5 , |