Date:      Tue, 17 May 2005 23:43:24 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Juergen Unger <j.unger@addict.de>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: jails and output of df/mount [PATCH]
Message-ID:  <20050517214324.GA1021@obiwan.tataz.chchile.org>
In-Reply-To: <20050516162456.GC69167@crow.addict.de>
References:  <20050516162456.GC69167@crow.addict.de>

Hi Juergen,

> within a jail there are at this time two possibilities
> of operation for the syscall getfsstat (which is used e.g.
> for the commands 'df' and 'mount'):
> 
> security.jail.getfsstatroot_only = 0:
> 	getfsstat returns all filesystems mounted anywhere on the machine
> 
> security.jail.getfsstatroot_only = 1:
> 	getfsstat returns the filesystem that the jail root is in
> 	and nothing more (mountpoints within the jail's fs-tree are not
> 	returned)
> 
> IMHO this 2nd one is not what is really needed:  If we
> have additional filesystems mounted within the jail's tree
> they should be visible too, so that they are shown with
> a simple 'df' or 'mount'.
> 
> I made a small patch for this which is available at
> <http://www.addict.de/unger/fbsd/patch-20050516/>;
> and should work against CURRENT and RELENG_5_4
> 
> Any comments?  I am not sure if there is locking needed
> (mtx_lock, mtx_unlock) around this new piece of code; at this
> time it works for me without locking...
> Any other opinions?

This works fine on a recent RELENG_5 UP kernel.  Given that this
exposes some host configuration inside the jail, it might be worth
adding a sysctl to disable this.  However, I'm not really sure
this kind of information could really be an attack vector or ramp.

There seems to be one small bug in your patch: once applied, we
don't see information about / any longer inside jails.

Thanks for your work.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >