authormm <mm@FreeBSD.org>2012-02-26 16:30:39 +0000
committermm <mm@FreeBSD.org>2012-02-26 16:30:39 +0000
commitd974ef7be1504142ccd2be94e834e3593558ab87 (patch)
tree84f0b28d51d1352b9703ae77258c3c31d0eaf1d3 /sys/kern/kern_jail.c
parentb160a2190c63686eb12f922151a5d021ec93634d (diff)
Analogous to r232059, add a parameter for the ZFS file system:
allow.mount.zfs: allow mounting the zfs filesystem inside a jail This way the permissions for mounting all current VFCF_JAIL filesystems inside a jail are controlled via allow.mount.* jail parameters. Update sysctl descriptions. Update jail(8) and zfs(8) manpages. TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel developers MFC after: 10 days
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r--sys/kern/kern_jail.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 3ba565b..372e0b8 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -203,6 +203,7 @@ static char *pr_allow_names[] = {
"allow.socket_af",
"allow.mount.devfs",
"allow.mount.nullfs",
+ "allow.mount.zfs",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
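Review bot: Nothing in this hunk ties the position of `"allow.mount.zfs"` in `pr_allow_names` to the value of `PR_ALLOW_MOUNT_ZFS`, which is defined outside this file's diff. If these tables are indexed by flag bit position, as their layout suggests, a misplaced entry would make the parameter name toggle a different permission. The same holds for `"allow.mount.nozfs"` in the `pr_allow_nonames` hunk, which has to sit at the same index. I would add a comment above both arrays, `/* Entry i names flag bit (1 << i); keep in step with the PR_ALLOW_* definitions and with each other. */`, and a compile-time check after the second array, `CTASSERT(sizeof(pr_allow_names) == sizeof(pr_allow_nonames));`.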
@@ -216,6 +217,7 @@ static char *pr_allow_nonames[] = {
"allow.nosocket_af",
"allow.mount.nodevfs",
"allow.mount.nonullfs",
+ "allow.mount.nozfs",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -4199,11 +4201,15 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount/unmount the devfs file system");
+ "Processes in jail can mount the devfs file system");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount/unmount the nullfs file system");
+ "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
+ "Processes in jail can mount the zfs file system");
static int
sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
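Review bot: The description added for `mount_zfs_allowed` reads as a statement about every jail, but the knob is wired to `sysctl_jail_default_allow`, whose name indicates it adjusts a default allow mask rather than the state of any existing jail. The handler body is outside this hunk, so this should be confirmed there. An administrator auditing jail hardening could read a value of 0 here as "no jail can mount ZFS" while an individual jail still has `allow.mount.zfs` set. I would add a comment above the new `SYSCTL_PROC`, `/* Default only; a jail's own state is set through its allow.mount.zfs parameter. */`, and consider reflecting that in the description string as well.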
@@ -4347,9 +4353,11 @@ SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount/unmount the devfs file system");
+ "B", "Jail may mount the devfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount/unmount the nullfs file system");
+ "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount the zfs file system");
void
prison_racct_foreach(void (*callback)(struct racct *racct,
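Review bot: The descriptions in this block now disagree about unmounting. The subnode and the general `allow.mount` entry in the context lines still say "mount/unmount", while devfs, nullfs and the new zfs entry say only "mount". That leaves it unclear which flag governs unmount of a ZFS dataset from inside a jail. The new string also does not say that `allow.mount.zfs` presumably takes effect only together with the general `allow.mount` flag, a connection the commit message itself lists as still to be documented. I would make it explicit, for example `"B", "Jail may mount the zfs file system (requires allow.mount)");`, and either restore "mount/unmount" on the per-filesystem entries or note that unmount is covered by the general flag.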