authorpjd <pjd@FreeBSD.org>2005-06-09 18:49:19 +0000
committerpjd <pjd@FreeBSD.org>2005-06-09 18:49:19 +0000
commit47f442bcb9bd412e8e5d053dc5bf1d4c97d93b81 (patch)
tree4920e7fa66313114f8e377130095e6f5050c167e /sys/kern/vfs_syscalls.c
parent45eec321507d3992b03d03933268aefd7ac48dfa (diff)
Rename sysctl security.jail.getfsstatroot_only to security.jail.enforce_statfs
and extend its functionality:

value  policy
0      show all mount-points without any restrictions
1      show only mount-points below jail's chroot and show only part of the mount-point's path (if jail's chroot directory is /jails/foo and mount-point is /jails/foo/usr/home only /usr/home will be shown)
2      show only mount-point where jail's chroot directory is placed.

Default value is 2.

Discussed with: rwatson
Diffstat (limited to 'sys/kern/vfs_syscalls.c')
-rw-r--r--sys/kern/vfs_syscalls.c30
1 files changed, 25 insertions, 5 deletions
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 16975cc..44ed4bf 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -257,6 +257,11 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
sp = &mp->mnt_stat;
NDFREE(&nd, NDF_ONLY_PNBUF);
vrele(nd.ni_vp);
+ error = prison_canseemount(td->td_ucred, mp);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error) {
@@ -271,14 +276,17 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
sp->f_namemax = NAME_MAX;
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
error = VFS_STATFS(mp, sp, td);
- mtx_unlock(&Giant);
- if (error)
+ if (error) {
+ mtx_unlock(&Giant);
return (error);
+ }
if (suser(td)) {
bcopy(sp, &sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
+ prison_enforce_statfs(td->td_ucred, mp, &sb);
sp = &sb;
}
+ mtx_unlock(&Giant);
*buf = *sp;
return (0);
}
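Review bot: The `prison_enforce_statfs()` call sits inside the `if (suser(td))` branch, so the jail's view of the mount path is rewritten only for callers that fail the superuser check. Any caller for which `suser(td)` returns 0 gets `mnt_stat` copied out unmodified. Whether a jailed credential can ever pass `suser(td)` is not visible in this hunk, so the invariant deserves a comment above the branch, e.g. `/* Jailed credentials are expected to fail suser(), so the statfs path rewrite always applies to them. */`, or the call should move out of the branch. The same placement recurs in the kern_fstatfs hunk at -342 and the kern_getfsstat hunk at -432.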
@@ -327,6 +335,11 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
mtx_unlock(&Giant);
return (EBADF);
}
+ error = prison_canseemount(td->td_ucred, mp);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error) {
@@ -342,14 +355,17 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
sp->f_namemax = NAME_MAX;
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
error = VFS_STATFS(mp, sp, td);
- mtx_unlock(&Giant);
- if (error)
+ if (error) {
+ mtx_unlock(&Giant);
return (error);
+ }
if (suser(td)) {
bcopy(sp, &sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
+ prison_enforce_statfs(td->td_ucred, mp, &sb);
sp = &sb;
}
+ mtx_unlock(&Giant);
*buf = *sp;
return (0);
}
@@ -393,7 +409,7 @@ kern_getfsstat(struct thread *td, struct statfs *buf, size_t bufsize,
mtx_lock(&Giant);
mtx_lock(&mountlist_mtx);
for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) {
- if (!prison_check_mount(td->td_ucred, mp)) {
+ if (prison_canseemount(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
@@ -432,6 +448,7 @@ kern_getfsstat(struct thread *td, struct statfs *buf, size_t bufsize,
if (suser(td)) {
bcopy(sp, &sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
+ prison_enforce_statfs(td->td_ucred, mp, &sb);
sp = &sb;
}
if (bufseg == UIO_USERSPACE) {
@@ -4221,6 +4238,9 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf)
mp = vp->v_mount;
sp = &mp->mnt_stat;
vput(vp);
+ error = prison_canseemount(td->td_ucred, mp);
+ if (error)
+ return (error);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error) {
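Review bot: The new early return in kern_fhstatfs, `if (error) return (error);`, has no `mtx_unlock(&Giant)`, while the identical check added to kern_statfs and kern_fstatfs unlocks Giant before returning. The MAC check directly below opens a braced error block whose body lies outside the hunk, which suggests Giant is held at this point; if so, this path returns with the lock still held. The fix would be `if (error) { mtx_unlock(&Giant); return (error); }`. The start of the function is outside the hunk, so confirm where Giant is taken before applying it.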
OpenPOWER on IntegriCloud