authormm <mm@FreeBSD.org>2012-02-09 10:22:08 +0000
committermm <mm@FreeBSD.org>2012-02-09 10:22:08 +0000
commit1626913ed14bc2163e16ddb8e183c16020a65498 (patch)
tree3bd31b4e43a04f06056c6c020a90c80e37e4b08c /sys/fs/devfs
parentbdf6c01f6dc2ef7a36886ddf75d1be91cb6d8680 (diff)
Add support for mounting devfs inside jails.
A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules. Utilizes new functions introduced in r231265. Reviewed by: jamie MFC after: 1 month
Diffstat (limited to 'sys/fs/devfs')
-rw-r--r--sys/fs/devfs/devfs_vfsops.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/sys/fs/devfs/devfs_vfsops.c b/sys/fs/devfs/devfs_vfsops.c
index bba4bfc..9606974 100644
--- a/sys/fs/devfs/devfs_vfsops.c
+++ b/sys/fs/devfs/devfs_vfsops.c
@@ -44,6 +44,7 @@
#include <sys/sx.h>
#include <sys/vnode.h>
#include <sys/limits.h>
+#include <sys/jail.h>
#include <fs/devfs/devfs.h>
@@ -69,6 +70,7 @@ devfs_mount(struct mount *mp)
int error;
struct devfs_mount *fmp;
struct vnode *rvp;
+ struct thread *td = curthread;
int rsnum;
if (devfs_unr == NULL)
@@ -91,6 +93,16 @@ devfs_mount(struct mount *mp)
error = EINVAL;
}
+ /* jails enforce their ruleset, prison0 has no restrictions */
+ if (td->td_ucred->cr_prison->pr_devfs_rsnum != 0) {
+ rsnum = td->td_ucred->cr_prison->pr_devfs_rsnum;
+ if (rsnum == -1)
+ return (EPERM);
+ /* check rsnum for sanity, devfs_rsnum is uint16_t */
+ if (rsnum < 0 || rsnum > 65535)
+ error = EINVAL;
+ }
+
if (error) {
vfs_mount_error(mp, "%s", "invalid ruleset specification");
return (error);
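Review bot: The added block reads `td->td_ucred->cr_prison->pr_devfs_rsnum` twice, once in the `!= 0` test and once in the assignment, and no prison lock is taken in the visible lines, so if that field can be updated while a mount is in progress the value tested and the value enforced may differ. Reading it once into a local would remove the doubt: `jrs = td->td_ucred->cr_prison->pr_devfs_rsnum;` followed by `if (jrs != 0) { rsnum = jrs;`. Separately, the `rsnum == -1` path returns `EPERM` without calling `vfs_mount_error()`, unlike the `EINVAL` path just below it, so a jailed caller gets no mount error text; the literal `65535` could also be `UINT16_MAX` to match the comment. The body of devfs_mount starts before and continues after this hunk.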
@@ -227,4 +239,4 @@ static struct vfsops devfs_vfsops = {
.vfs_unmount = devfs_unmount,
};
-VFS_SET(devfs_vfsops, devfs, VFCF_SYNTHETIC);
+VFS_SET(devfs_vfsops, devfs, VFCF_SYNTHETIC | VFCF_JAIL);
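Review bot: The `VFS_SET` line now carries `VFCF_JAIL` with no comment, although this flag is what allows the filesystem to be mounted from inside a jail and so makes the ruleset check in devfs_mount the gate for jailed callers. A comment above it would help a later reader, for example `/* VFCF_JAIL: jailed processes may mount devfs; devfs_mount() applies the prison's pr_devfs_rsnum */`. Whether a further per-jail mount permission is checked before devfs_mount runs is not visible in this diff.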