diff options
author | mm <mm@FreeBSD.org> | 2012-02-23 18:51:24 +0000 |
---|---|---|
committer | mm <mm@FreeBSD.org> | 2012-02-23 18:51:24 +0000 |
commit | 4825085ea4c115cda3f658f509ee7eac649d4267 (patch) | |
tree | 9a2a88cb10722db25dcb45d3c1ae2c34dec88614 /usr.sbin/jail/jail.8 | |
parent | da3a5506b851a2db73c9386b1ec92a3eb991e0fd (diff) | |
download | FreeBSD-src-4825085ea4c115cda3f658f509ee7eac649d4267.zip FreeBSD-src-4825085ea4c115cda3f658f509ee7eac649d4267.tar.gz |
To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:
allow.mount.devfs:
allow mounting the devfs filesystem inside a jail
allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail
Both parameters are disabled by default (equals the behavior before
devfs and nullfs in jails). Administrators have to explicitly allow
mounting devfs and nullfs for each jail. The value "-1" of the
devfs_ruleset parameter is removed in favor of the new allow setting.
Reviewed by: jamie
Suggested by: pjd
MFC after: 2 weeks
Diffstat (limited to 'usr.sbin/jail/jail.8')
-rw-r--r-- | usr.sbin/jail/jail.8 | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 5cd77fc..e1d3b2d 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 9, 2012 +.Dd February 23, 2012 .Dt JAIL 8 .Os .Sh NAME @@ -303,15 +303,16 @@ If the system securelevel is changed, any jail securelevels will be at least as secure. .It Va devfs_ruleset The number of the devfs ruleset that is enforced for mounting devfs in -this jail and its descendants. A value of zero means no ruleset is enforced -or if set inside a jail for a descendant jail, the parent jails's devfs -ruleset enforcement is inherited. A value of -1 (default) means mounting a -devfs filesystem is not allowed. Mounting devfs inside a jail is possible -only if the +this jail. A value of zero (default) means no ruleset is enforced. Descendant +jails inherit the parent jail's devfs ruleset enforcement. Mounting devfs +inside a jail is possible only if the .Va allow.mount -permission is effective and +and +.Va allow.mount.devfs +permissions are effective and .Va enforce_statfs -is set to a value lower than 2. +is set to a value lower than 2. Devfs rules and rulesets cannot be viewed or +modified from inside a jail. .It Va children.max The number of child jails allowed to be created by this jail (or by other jails under this jail). @@ -407,6 +408,25 @@ within a jail. This permission is effective only if .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.devfs +privileged users inside the jail will be able to mount and unmount the +devfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. Please consider restricting the devfs ruleset +with the +.Va devfs_ruleset +option. +.It Va allow.mount.nullfs +privileged users inside the jail will be able to mount and unmount the +nullfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.quotas The prison root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or |