author | jamie <jamie@FreeBSD.org> | 2015-01-28 21:08:09 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2015-01-28 21:08:09 +0000 |
commit | c7d0935d11cf5759953f63cca51149aa15dcb848 (patch) | |
tree | 8fb9bb7bfb5ce6fd9121894060e6bd8e6379ed85 | |
parent | 4c0192c35b4a231b0d12674f53cfe8ab5f88acf8 (diff) | |
Add allow.mount.fdescfs jail flag.
PR: 192951
Submitted by: ruben@verweg.com
MFC after: 3 days
-rw-r--r-- | sys/fs/fdescfs/fdesc_vfsops.c | 7 | ||||
-rw-r--r-- | sys/kern/kern_jail.c | 8 | ||||
-rw-r--r-- | sys/sys/jail.h | 3 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 12 |
4 files changed, 26 insertions, 4 deletions
diff --git a/sys/fs/fdescfs/fdesc_vfsops.c b/sys/fs/fdescfs/fdesc_vfsops.c
index cb5e3c0..d3d8ce0 100644
--- a/sys/fs/fdescfs/fdesc_vfsops.c
+++ b/sys/fs/fdescfs/fdesc_vfsops.c
@@ -42,6 +42,7 @@
 #include <sys/systm.h>
 #include <sys/filedesc.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/malloc.h>
@@ -78,8 +79,12 @@ fdesc_mount(struct mount *mp)
 {
 int error = 0;
 struct fdescmount *fmp;
+ struct thread *td = curthread;
 struct vnode *rvp;
+ if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
+ return (EPERM);
+
 /*
 * Update is a no-op
 */
@@ -237,4 +242,4 @@ static struct vfsops fdesc_vfsops = {
 .vfs_unmount = fdesc_unmount,
 };
-VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
+VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 468eaaf..269c87e 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -208,6 +208,7 @@ static char *pr_allow_names[] = {
 "allow.mount.zfs",
 "allow.mount.procfs",
 "allow.mount.tmpfs",
+ "allow.mount.fdescfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -224,6 +225,7 @@ static char *pr_allow_nonames[] = {
 "allow.mount.nozfs",
 "allow.mount.noprocfs",
 "allow.mount.notmpfs",
+ "allow.mount.nofdescfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
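Review bot: The `prison_allow()` test added at the top of `fdesc_mount()` is the only fdescfs-specific gate left once the last hunk of this file adds `VFCF_JAIL` to `VFS_SET`, and nothing in the code records that the two changes depend on each other. I would put a comment above the check, e.g. `/* VFCF_JAIL makes this reachable from a jail; allow.mount.fdescfs is enforced here. */`, so a later refactor does not drop or move it. Keeping the test ahead of the "Update is a no-op" block is the fail-closed order, since a jail without the flag gets EPERM for update requests too. The `allow.mount` and `enforce_statfs` conditions that jail.8 describes are not checked in this function; presumably generic mount code enforces them, which should be confirmed. The body of `fdesc_mount()` continues outside the hunk.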
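Review bot: The new entries are appended to `pr_allow_names[]` and `pr_allow_nonames[]` at the position that matches the new `PR_ALLOW_MOUNT_FDESCFS 0x1000` bit in sys/sys/jail.h, but that coupling is implicit in all three places. If the tables are indexed by bit position (the parallel layout suggests it, though the hunks do not show the lookup), a later entry inserted in the middle would silently bind a parameter name to a different permission bit. A comment on both arrays such as `/* Order must match the PR_ALLOW_* bit values in <sys/jail.h>. */`, plus one beside `PR_ALLOW_ALL` stating it must be the OR of every flag above it, would make the invariant explicit. Both array definitions start outside their hunks.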
@@ -4213,6 +4215,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
 "Processes in jail can mount the devfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
+ "Processes in jail can mount the fdescfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
@@ -4373,6 +4379,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may mount/unmount jail-friendly file systems in general");
 SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may mount the devfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount the fdescfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may mount the nullfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 4605f88..b1d8b01 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -226,7 +226,8 @@ struct prison_racct {
 #define PR_ALLOW_MOUNT_ZFS 0x0200
 #define PR_ALLOW_MOUNT_PROCFS 0x0400
 #define PR_ALLOW_MOUNT_TMPFS 0x0800
-#define PR_ALLOW_ALL 0x0fff
+#define PR_ALLOW_MOUNT_FDESCFS 0x1000
+#define PR_ALLOW_ALL 0x1fff
 /*
 * OSD methods
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 9719854..d580c25 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 4, 2014
+.Dd January 28, 2015
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -362,7 +362,7 @@ A set of IPv6 options for the jail, the counterparts to
 and
 .Va ip4
 above.
-.It vnet
+.It Va vnet
 Create the jail with its own virtual network stack,
 with its own network interfaces, addresses, routing table, etc.
 The kernel must have been compiled with the
@@ -531,6 +531,14 @@ is set to a value lower than 2.
 The devfs ruleset should be restricted from the default by using the
 .Va devfs_ruleset
 option.
+.It Va allow.mount.fdescfs
+privileged users inside the jail will be able to mount and unmount the
+fdescfs file system.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.nullfs
 privileged users inside the jail will be able to mount and unmount the
 nullfs file system.
|