summaryrefslogtreecommitdiffstats
path: root/sys/kern/kern_jail.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r--sys/kern/kern_jail.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 79be249..8d19dcb 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -54,6 +54,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
&jail_sysvipc_allowed, 0,
"Processes in jail can use System V IPC primitives");
+int jail_getfsstatroot_only = 1;
+SYSCTL_INT(_security_jail, OID_AUTO, getfsstate_getfsstatroot_only, CTLFLAG_RW,
+ &jail_getfsstatroot_only, 0,
+ "Processes see only their root file system in getfsstat()");
+
/* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
struct prisonlist allprison;
struct mtx allprison_mtx;
@@ -418,6 +423,21 @@ getcredhostname(struct ucred *cred, char *buf, size_t size)
strlcpy(buf, hostname, size);
}
+/*
+ * Return 1 if the passed credential can "see" the passed mountpoint
+ * when performing a getfsstat(); otherwise, 0.
+ */
+int
+prison_check_mount(struct ucred *cred, struct mount *mp)
+{
+
+ if (jail_getfsstatroot_only) {
+ if (cred->cr_prison->pr_root->v_mount != mp)
+ return (0);
+ }
+ return (1);
+}
+
static int
sysctl_jail_list(SYSCTL_HANDLER_ARGS)
{
OpenPOWER on IntegriCloud