From fc9167c193b824c884e14549e879fd91b194649f Mon Sep 17 00:00:00 2001
From: arr <arr@FreeBSD.org>
Date: Wed, 20 Mar 2002 16:03:42 +0000
Subject: - Change a check of securelevel to securelevel_gt() call in order to
 help   against users within a jail attempting to load kernel modules. - Add a
 check of securelevel_gt() to vfs_mount() in order to chop some   low hanging
 fruit for the repair of securelevel checking of linking and   unlinking files
 from within jails.  There is more to be done here.

Reviewed by: rwatson
---
 sys/kern/vfs_extattr.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'sys/kern/vfs_extattr.c')

diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 915e26a..8247f8d 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -307,6 +307,11 @@ vfs_mount(td, fstype, fspath, fsflags, fsdata)
 			vput(vp);
 			return error;
 		}
+		error = securelevel_gt(td->td_ucred, 0);
+		if (error == 0) {
+			vput(vp);
+			return (EPERM);
+		}
 		error = linker_load_file(fstype, &lf);
 		if (error || lf == NULL) {
 			vput(vp);
-- 
cgit v1.1