From owner-svn-src-stable-10@freebsd.org  Wed Feb 24 02:34:14 2016
Return-Path: <owner-svn-src-stable-10@freebsd.org>
Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DB200AB291C;
 Wed, 24 Feb 2016 02:34:13 +0000 (UTC)
 (envelope-from araujo@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 98C1FA25;
 Wed, 24 Feb 2016 02:34:13 +0000 (UTC)
 (envelope-from araujo@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u1O2YCBv032487;
 Wed, 24 Feb 2016 02:34:12 GMT (envelope-from araujo@FreeBSD.org)
Received: (from araujo@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u1O2YCEx032482;
 Wed, 24 Feb 2016 02:34:12 GMT (envelope-from araujo@FreeBSD.org)
Message-Id: <201602240234.u1O2YCEx032482@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: araujo set sender to
 araujo@FreeBSD.org using -f
From: Marcelo Araujo <araujo@FreeBSD.org>
Date: Wed, 24 Feb 2016 02:34:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r295951 - in stable/10: sys/compat/linprocfs
 sys/compat/linsysfs sys/kern sys/sys usr.sbin/jail
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-10@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for only the 10-stable src tree
 <svn-src-stable-10.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-10/>
List-Post: <mailto:svn-src-stable-10@freebsd.org>
List-Help: <mailto:svn-src-stable-10-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 02:34:14 -0000

Author: araujo
Date: Wed Feb 24 02:34:11 2016
New Revision: 295951
URL: https://svnweb.freebsd.org/changeset/base/295951

Log:
  MFH: 285685
  Add support to the jail framework to be able to mount linsysfs(5) and linprocfs(5).
  
  PR:		207179
  Requested by:	thomas@gibfest.dk
  Reviewed by:	jamie, bapt
  Approved by:	re (gjb)
  Sponsored by:	gandi.net
  Differential Revision:	https://reviews.freebsd.org/D5390

Modified:
  stable/10/sys/compat/linprocfs/linprocfs.c
  stable/10/sys/compat/linsysfs/linsysfs.c
  stable/10/sys/kern/kern_jail.c
  stable/10/sys/sys/jail.h
  stable/10/usr.sbin/jail/jail.8

Modified: stable/10/sys/compat/linprocfs/linprocfs.c
==============================================================================
--- stable/10/sys/compat/linprocfs/linprocfs.c	Wed Feb 24 01:58:40 2016	(r295950)
+++ stable/10/sys/compat/linprocfs/linprocfs.c	Wed Feb 24 02:34:11 2016	(r295951)
@@ -1514,7 +1514,7 @@ linprocfs_uninit(PFS_INIT_ARGS)
 	return (0);
 }
 
-PSEUDOFS(linprocfs, 1, 0);
+PSEUDOFS(linprocfs, 1, PR_ALLOW_MOUNT_LINPROCFS);
 #if defined(__amd64__)
 MODULE_DEPEND(linprocfs, linux_common, 1, 1, 1);
 #else

Modified: stable/10/sys/compat/linsysfs/linsysfs.c
==============================================================================
--- stable/10/sys/compat/linsysfs/linsysfs.c	Wed Feb 24 01:58:40 2016	(r295950)
+++ stable/10/sys/compat/linsysfs/linsysfs.c	Wed Feb 24 02:34:11 2016	(r295951)
@@ -274,7 +274,7 @@ linsysfs_uninit(PFS_INIT_ARGS)
 	return (0);
 }
 
-PSEUDOFS(linsysfs, 1, 0);
+PSEUDOFS(linsysfs, 1, PR_ALLOW_MOUNT_LINSYSFS);
 #if defined(__amd64__)
 MODULE_DEPEND(linsysfs, linux_common, 1, 1, 1);
 #else

Modified: stable/10/sys/kern/kern_jail.c
==============================================================================
--- stable/10/sys/kern/kern_jail.c	Wed Feb 24 01:58:40 2016	(r295950)
+++ stable/10/sys/kern/kern_jail.c	Wed Feb 24 02:34:11 2016	(r295951)
@@ -208,6 +208,8 @@ static char *pr_allow_names[] = {
 	"allow.mount.procfs",
 	"allow.mount.tmpfs",
 	"allow.mount.fdescfs",
+	"allow.mount.linprocfs",
+	"allow.mount.linsysfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -225,6 +227,8 @@ static char *pr_allow_nonames[] = {
 	"allow.mount.noprocfs",
 	"allow.mount.notmpfs",
 	"allow.mount.nofdescfs",
+	"allow.mount.nolinprocfs",
+	"allow.mount.nolinsysfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -4315,6 +4319,14 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
     "Processes in jail can mount the procfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the linprocfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the linsysfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I",
@@ -4481,6 +4493,10 @@ SYSCTL_JAIL_PARAM(_allow_mount, nullfs, 
     "B", "Jail may mount the nullfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the procfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the linprocfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the linsysfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the tmpfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,

Modified: stable/10/sys/sys/jail.h
==============================================================================
--- stable/10/sys/sys/jail.h	Wed Feb 24 01:58:40 2016	(r295950)
+++ stable/10/sys/sys/jail.h	Wed Feb 24 02:34:11 2016	(r295951)
@@ -232,7 +232,9 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT_PROCFS		0x0400
 #define	PR_ALLOW_MOUNT_TMPFS		0x0800
 #define	PR_ALLOW_MOUNT_FDESCFS		0x1000
-#define	PR_ALLOW_ALL			0x1fff
+#define	PR_ALLOW_MOUNT_LINPROCFS	0x2000
+#define	PR_ALLOW_MOUNT_LINSYSFS		0x4000
+#define	PR_ALLOW_ALL			0x7fff
 
 /*
  * OSD methods

Modified: stable/10/usr.sbin/jail/jail.8
==============================================================================
--- stable/10/usr.sbin/jail/jail.8	Wed Feb 24 01:58:40 2016	(r295950)
+++ stable/10/usr.sbin/jail/jail.8	Wed Feb 24 02:34:11 2016	(r295951)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 25, 2015
+.Dd July 6, 2015
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -563,6 +563,22 @@ This permission is effective only togeth
 and only when
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.linprocfs
+privileged users inside the jail will be able to mount and unmount the
+linprocfs file system.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
+.It Va allow.mount.linsysfs
+privileged users inside the jail will be able to mount and unmount the
+linsysfs file system.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.tmpfs
 privileged users inside the jail will be able to mount and unmount the
 tmpfs file system.
@@ -1210,6 +1226,8 @@ environment of the first jail.
 .Xr fdescfs 5 ,
 .Xr jail.conf 5 ,
 .Xr procfs 5 ,
+.Xr linprocfs 5 ,
+.Xr linsysfs 5 ,
 .Xr rc.conf 5 ,
 .Xr sysctl.conf 5 ,
 .Xr chroot 8 ,