diff options
| -rw-r--r-- | sys/compat/linprocfs/linprocfs.c | 2 | ||||
| -rw-r--r-- | sys/compat/linsysfs/linsysfs.c | 2 | ||||
| -rw-r--r-- | sys/fs/procfs/procfs.c | 2 | ||||
| -rw-r--r-- | sys/fs/pseudofs/pseudofs.h | 8 | ||||
| -rw-r--r-- | sys/kern/kern_jail.c | 8 | ||||
| -rw-r--r-- | sys/sys/jail.h | 3 | ||||
| -rw-r--r-- | usr.sbin/jail/jail.8 | 8 |
7 files changed, 27 insertions, 6 deletions
diff --git a/sys/compat/linprocfs/linprocfs.c b/sys/compat/linprocfs/linprocfs.c index 8129fe8..3adbe96 100644 --- a/sys/compat/linprocfs/linprocfs.c +++ b/sys/compat/linprocfs/linprocfs.c @@ -1460,7 +1460,7 @@ linprocfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linprocfs, 1); +PSEUDOFS(linprocfs, 1, 0); MODULE_DEPEND(linprocfs, linux, 1, 1, 1); MODULE_DEPEND(linprocfs, procfs, 1, 1, 1); MODULE_DEPEND(linprocfs, sysvmsg, 1, 1, 1); diff --git a/sys/compat/linsysfs/linsysfs.c b/sys/compat/linsysfs/linsysfs.c index a64b247..45f44af 100644 --- a/sys/compat/linsysfs/linsysfs.c +++ b/sys/compat/linsysfs/linsysfs.c @@ -280,5 +280,5 @@ linsysfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linsysfs, 1); +PSEUDOFS(linsysfs, 1, 0); MODULE_DEPEND(linsysfs, linux, 1, 1, 1); diff --git a/sys/fs/procfs/procfs.c b/sys/fs/procfs/procfs.c index 3e87895..a41e7d1 100644 --- a/sys/fs/procfs/procfs.c +++ b/sys/fs/procfs/procfs.c @@ -209,4 +209,4 @@ procfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(procfs, 1); +PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS); diff --git a/sys/fs/pseudofs/pseudofs.h b/sys/fs/pseudofs/pseudofs.h index f2c29d4..e2aeed6 100644 --- a/sys/fs/pseudofs/pseudofs.h +++ b/sys/fs/pseudofs/pseudofs.h @@ -31,6 +31,8 @@ #ifndef _PSEUDOFS_H_INCLUDED #define _PSEUDOFS_H_INCLUDED +#include <sys/jail.h> + /* * Opaque structures */ @@ -271,7 +273,7 @@ int pfs_destroy (struct pfs_node *pn); /* * Now for some initialization magic... */ -#define PSEUDOFS(name, version) \ +#define PSEUDOFS(name, version, jflag) \ \ static struct pfs_info name##_info = { \ #name, \ @@ -281,6 +283,8 @@ static struct pfs_info name##_info = { \ \ static int \ _##name##_mount(struct mount *mp) { \ + if (jflag && !prison_allow(curthread->td_ucred, jflag)) \ + return (EPERM); \ return pfs_mount(&name##_info, mp); \ } \ \ @@ -303,7 +307,7 @@ static struct vfsops name##_vfsops = { \ .vfs_uninit = _##name##_uninit, \ .vfs_unmount = pfs_unmount, \ }; \ -VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC); \ +VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0)); \ MODULE_VERSION(name, version); \ MODULE_DEPEND(name, pseudofs, 1, 1, 1); diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 372e0b8..c96d271 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -204,6 +204,7 @@ static char *pr_allow_names[] = { "allow.mount.devfs", "allow.mount.nullfs", "allow.mount.zfs", + "allow.mount.procfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -218,6 +219,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nodevfs", "allow.mount.nonullfs", "allow.mount.nozfs", + "allow.mount.noprocfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4206,6 +4208,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the nullfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the procfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", @@ -4356,6 +4362,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the devfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the nullfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the procfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the zfs file system"); diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 2e8edc6..a934aac 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -226,7 +226,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_DEVFS 0x0080 #define PR_ALLOW_MOUNT_NULLFS 0x0100 #define PR_ALLOW_MOUNT_ZFS 0x0200 -#define PR_ALLOW_ALL 0x03ff +#define PR_ALLOW_MOUNT_PROCFS 0x0400 +#define PR_ALLOW_ALL 0x07ff /* * OSD methods diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 69fdec5..7f08683 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -428,6 +428,14 @@ This permission is effective only together with and if .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.procfs +privileged users inside the jail will be able to mount and unmount the +procfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.zfs privileged users inside the jail will be able to mount and unmount the ZFS file system. |
