author | pjd <pjd@FreeBSD.org> | 2007-04-05 21:03:05 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2007-04-05 21:03:05 +0000 |
commit | 7e73da14eb8410d6878c1e60cdb665d8a8c74c47 (patch) | |
tree | 608077732ab03acb392e93cd02387b0b39403bf6 /sys/kern | |
parent | a4513e9da8410de9807fcc5d2c2387629787ca6d (diff) | |
Add security.jail.mount_allowed sysctl, which allows to mount and
unmount jail-friendly file systems from within a jail.
Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and
PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user.
It is turned off by default.
A jail-friendly file system is one whose driver registers itself
with the VFCF_JAIL flag via the VFS_SET(9) API.
The lsvfs(1) command can be used to see which file systems are
jail-friendly ones.
There are currently no jail-friendly file systems; ZFS will be the first one.
In the future we may consider marking file systems like nullfs as
jail-friendly.
Reviewed by: rwatson
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_jail.c | 17 | ||||
-rw-r--r-- | sys/kern/vfs_mount.c | 7 |
2 files changed, 24 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 5406ffe..4170bfe 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -72,6 +72,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
 &jail_chflags_allowed, 0,
 "Processes in jail can alter system file flags");
 
+int jail_mount_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW,
+ &jail_mount_allowed, 0,
+ "Processes in jail can mount/unmount jail-friendly file systems");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
 struct prisonlist allprison;
 struct mtx allprison_mtx;
@@ -652,6 +657,18 @@ prison_priv_check(struct ucred *cred, int priv)
 return (EPERM);
 
 /*
+ * Depending on the global setting, allow privilege of
+ * mounting/unmounting file systems.
+ */
+ case PRIV_VFS_MOUNT:
+ case PRIV_VFS_UNMOUNT:
+ case PRIV_VFS_MOUNT_NONUSER:
+ if (jail_mount_allowed)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
 * Allow jailed root to bind reserved ports.
 */
 case PRIV_NETINET_RESERVEDPORT:
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index 08879fd..cb556a2 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -847,6 +847,8 @@ vfs_domount(
 vfsp = vfs_byname_kld(fstype, td, &error);
 if (vfsp == NULL)
 return (ENODEV);
+ if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
+ return (EPERM);
 }
 /*
 * Get vnode to be covered
@@ -863,6 +865,11 @@ vfs_domount(
 return (EINVAL);
 }
 mp = vp->v_mount;
+ vfsp = mp->mnt_vfc;
+ if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL)) {
+ vput(vp);
+ return (EPERM);
+ }
 MNT_ILOCK(mp);
 flag = mp->mnt_flag;
 /*
|
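Review bot: In the new PRIV_VFS_MOUNT / PRIV_VFS_UNMOUNT / PRIV_VFS_MOUNT_NONUSER cases of prison_priv_check, the only gate is the global jail_mount_allowed, while the jail-friendly (VFCF_JAIL) restriction is enforced in vfs_domount by the two vfs_mount.c hunks; this commit adds no matching check on the unmount path, so granting PRIV_VFS_UNMOUNT here appears to let a jailed root unmount file systems that are not jail-friendly unless that path is restricted elsewhere (not visible in this diff). Either document the asymmetry in the new comment, e.g. `/* Jailed root may mount/unmount; vfs_domount() further limits mounts to VFCF_JAIL file systems. */`, or add a VFCF_JAIL check where unmount is handled so both directions follow the same rule. As a style point, the if/else pair collapses to `return (jail_mount_allowed ? 0 : EPERM);`. prison_priv_check starts and ends outside the hunk.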
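Review bot: The new VFCF_JAIL check in the first vfs_domount hunk sits after vfs_byname_kld(), so a jailed caller naming a file system type that is not yet loaded appears to still trigger the module-load attempt before being refused with EPERM; the gate only limits which types a jail may mount, not which loads it may provoke. If a non-loading lookup is available in this tree (vfs_byname() is the obvious candidate, signature unverified here), resolving with it first for jailed credentials and failing when the type is absent would keep jailed processes from driving module loads. The same predicate `jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL)` is repeated verbatim in the second vfs_mount.c hunk (the MNT_UPDATE path); a small `static int` helper named for the rule, with a one-line comment stating that jails may only touch VFCF_JAIL file systems, would keep the two sites in step if the policy is extended later. vfs_domount() starts and ends outside both hunks.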