From: Jeremie Le Hen
To: Juergen Unger
cc: freebsd-hackers@freebsd.org
Date: Tue, 17 May 2005 23:43:24 +0200
Subject: Re: jails and output of df/mount [PATCH]
Message-ID: <20050517214324.GA1021@obiwan.tataz.chchile.org>
In-Reply-To: <20050516162456.GC69167@crow.addict.de>

Hi Juergen,

> within a jail there are at this time two possibilities
> of operation for the syscall getfsstat (which is used e.g.
> for the commands 'df' and 'mount'):
>
> security.jail.getfsstatroot_only = 0:
> getfsstat returns all filesystems mounted anywhere on the machine
>
> security.jail.getfsstatroot_only = 1:
> getfsstat returns the filesystem where the jail-root is in
> and nothing more (mountpoints within the jail's fs-tree are not
> returned)
>
> IMHO this 2nd one is not what is really needed: if we
> have additional filesystems mounted within the jail's tree
> they should be visible too, so that they are shown with
> a simple 'df' or 'mount'.
>
> I made a small patch for this which is available at
>
> and should work against CURRENT and RELENG_5_4
>
> Any comments? I am not sure if there is locking needed
> (mtx_lock, mtx_unlock) around this new piece of code; at this
> time it works for me without locking...
> Any other opinions?

This works fine on a recent RELENG_5 UP kernel.

Given that this exposes some host configuration inside a jail, it might be
worth adding a sysctl to disable this. However, I'm not really sure this
kind of information could really be an attack vector or ramp.

There seems to be one small bug in your patch: once applied, we don't see
information about / any longer inside jails.

Thanks for your work.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
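The filtering the thread asks for, written out as an added userland illustration (not Juergen's patch and not FreeBSD kernel code): from a constructed list of host mount points it selects what a jail rooted at a given path should see, reporting the filesystem that contains the jail root as "/" (the entry Jeremie found missing) plus every mount below the jail root, with the prefix stripped. The `struct mnt` and the sample mounts are constructed stand-ins for `getfsstat(2)` output; the jail root is assumed to be an absolute path without a trailing slash.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two struct statfs fields the filter needs
 * (not real getfsstat(2) output; no FreeBSD kernel is involved here). */
struct mnt { const char *mntonname; const char *fstypename; };

/* True if path equals dir or lies below it, matched on a path-component
 * boundary so that "/usr/jails/j10" is not mistaken for "/usr/jails/j1". */
static int under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0) return path[0] == '/';
    return strncmp(path, dir, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Select the mounts a jail rooted at jroot should see: the filesystem that
 * contains jroot (always reported as "/", even if its host mount point is
 * "/" or "/usr") plus every mount strictly below jroot, made jail-relative.
 * Returns the number of entries written to out[]. */
int jail_visible(const struct mnt *all, int nall, const char *jroot,
                 const char *out[], int maxout) {
    int k = 0, root = -1;
    size_t rootlen = 0, jlen = strlen(jroot);
    /* Longest host mount point that is a prefix of jroot holds the jail root. */
    for (int i = 0; i < nall; i++) {
        size_t l = strlen(all[i].mntonname);
        if (under(jroot, all[i].mntonname) && (root < 0 || l > rootlen)) {
            root = i; rootlen = l;
        }
    }
    if (root >= 0 && k < maxout) out[k++] = "/";
    for (int i = 0; i < nall && k < maxout; i++) {
        if (i == root || !under(all[i].mntonname, jroot)) continue;
        /* Strip the jail root prefix; a jail rooted at "/" keeps host paths. */
        out[k++] = jlen == 1 ? all[i].mntonname : all[i].mntonname + jlen;
    }
    return k;
}

int main(void) {
    const struct mnt host[] = {   /* constructed sample host mount table */
        {"/", "ufs"}, {"/usr", "ufs"}, {"/usr/jails/j1/dev", "devfs"},
        {"/usr/jails/j1/tmp", "ufs"}, {"/usr/jails/j10/dev", "devfs"}, {"/var", "ufs"},
    };
    const char *seen[8];
    int n = jail_visible(host, 6, "/usr/jails/j1", seen, 8);
    for (int i = 0; i < n; i++) printf("%s\n", seen[i]);  /* "/", "/dev", "/tmp" */
    return 0;
}
```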