summaryrefslogtreecommitdiffstats
path: root/usr.sbin/jail/jail.8
diff options
context:
space:
mode:
authormm <mm@FreeBSD.org>2012-02-23 18:51:24 +0000
committermm <mm@FreeBSD.org>2012-02-23 18:51:24 +0000
commit4825085ea4c115cda3f658f509ee7eac649d4267 (patch)
tree9a2a88cb10722db25dcb45d3c1ae2c34dec88614 /usr.sbin/jail/jail.8
parentda3a5506b851a2db73c9386b1ec92a3eb991e0fd (diff)
downloadFreeBSD-src-4825085ea4c115cda3f658f509ee7eac649d4267.zip
FreeBSD-src-4825085ea4c115cda3f658f509ee7eac649d4267.tar.gz
To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters: allow.mount.devfs: allow mounting the devfs filesystem inside a jail allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail Both parameters are disabled by default (equals the behavior before devfs and nullfs in jails). Administrators have to explicitly allow mounting devfs and nullfs for each jail. The value "-1" of the devfs_ruleset parameter is removed in favor of the new allow setting. Reviewed by: jamie Suggested by: pjd MFC after: 2 weeks
Diffstat (limited to 'usr.sbin/jail/jail.8')
-rw-r--r--usr.sbin/jail/jail.836
1 files changed, 28 insertions, 8 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 5cd77fc..e1d3b2d 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 9, 2012
+.Dd February 23, 2012
.Dt JAIL 8
.Os
.Sh NAME
@@ -303,15 +303,16 @@ If the system securelevel is changed, any jail securelevels will be at
least as secure.
.It Va devfs_ruleset
The number of the devfs ruleset that is enforced for mounting devfs in
-this jail and its descendants. A value of zero means no ruleset is enforced
-or if set inside a jail for a descendant jail, the parent jails's devfs
-ruleset enforcement is inherited. A value of -1 (default) means mounting a
-devfs filesystem is not allowed. Mounting devfs inside a jail is possible
-only if the
+this jail. A value of zero (default) means no ruleset is enforced. Descendant
+jails inherit the parent jail's devfs ruleset enforcement. Mounting devfs
+inside a jail is possible only if the
.Va allow.mount
-permission is effective and
+and
+.Va allow.mount.devfs
+permissions are effective and
.Va enforce_statfs
-is set to a value lower than 2.
+is set to a value lower than 2. Devfs rules and rulesets cannot be viewed or
+modified from inside a jail.
.It Va children.max
The number of child jails allowed to be created by this jail (or by
other jails under this jail).
@@ -407,6 +408,25 @@ within a jail.
This permission is effective only if
.Va enforce_statfs
is set to a value lower than 2.
+.It Va allow.mount.devfs
+privileged users inside the jail will be able to mount and unmount the
+devfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2. Please consider restricting the devfs ruleset
+with the
+.Va devfs_ruleset
+option.
+.It Va allow.mount.nullfs
+privileged users inside the jail will be able to mount and unmount the
+nullfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2.
.It Va allow.quotas
The prison root may administer quotas on the jail's filesystem(s).
This includes filesystems that the jail may share with other jails or
OpenPOWER on IntegriCloud