diff options
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r-- | sys/kern/kern_jail.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 79be249..8d19dcb 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -54,6 +54,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, &jail_sysvipc_allowed, 0, "Processes in jail can use System V IPC primitives"); +int jail_getfsstatroot_only = 1; +SYSCTL_INT(_security_jail, OID_AUTO, getfsstate_getfsstatroot_only, CTLFLAG_RW, + &jail_getfsstatroot_only, 0, + "Processes see only their root file system in getfsstat()"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; @@ -418,6 +423,21 @@ getcredhostname(struct ucred *cred, char *buf, size_t size) strlcpy(buf, hostname, size); } +/* + * Return 1 if the passed credential can "see" the passed mountpoint + * when performing a getfsstat(); otherwise, 0. + */ +int +prison_check_mount(struct ucred *cred, struct mount *mp) +{ + + if (jail_getfsstatroot_only) { + if (cred->cr_prison->pr_root->v_mount != mp) + return (0); + } + return (1); +} + static int sysctl_jail_list(SYSCTL_HANDLER_ARGS) { |