From owner-p4-projects@FreeBSD.ORG Mon Jan 30 18:37:18 2012
Date: Mon, 30 Jan 2012 18:37:17 GMT
Message-Id: <201201301837.q0UIbHdW080138@skunkworks.freebsd.org>
From: Peter Wemm
To: Perforce Change Reviews
Subject: PERFORCE change 205412 for review

http://p4web.freebsd.org/@@205412?ac=10

Change 205412 by peter@peter_daintree on 2012/01/30 18:36:56

	Bypass sysctl for mounts in jails, damn it.

Affected files ...

.. //depot/projects/hammer/sys/kern/kern_jail.c#62 edit
.. //depot/projects/hammer/sys/kern/vfs_mount.c#118 edit
.. //depot/projects/hammer/sys/kern/vfs_subr.c#158 edit

Differences ...

==== //depot/projects/hammer/sys/kern/kern_jail.c#62 (text+ko) ====
@@ -3965,8 +3965,7 @@ /* * Jail-related sysctls. */ -static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, - "Jails"); +SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, "Jails"); static int sysctl_jail_list(SYSCTL_HANDLER_ARGS) ==== //depot/projects/hammer/sys/kern/vfs_mount.c#118 (text+ko) ==== @@ -80,6 +80,12 @@ SYSCTL_INT(_vfs, OID_AUTO, usermount, CTLFLAG_RW, &usermount, 0, "Unprivileged users may mount and unmount file systems"); +SYSCTL_DECL(_security_jail); +int jail_allow_mount_all = 0; +SYSCTL_INT(_security_jail, OID_AUTO, allow_mount_all, CTLFLAG_RW, + &jail_allow_mount_all, 0, + "Prison root can mount all filesystems"); + MALLOC_DEFINE(M_MOUNT, "mount", "vfs mount structure"); static MALLOC_DEFINE(M_VNODE_MARKER, "vnodemarker", "vnode marker"); static uma_zone_t mount_zone; @@ -1085,7 +1091,7 @@ vfsp = vfs_byname_kld(fstype, td, &error); if (vfsp == NULL) return (ENODEV); - if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL)) + if (!jail_allow_mount_all && jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL)) return (EPERM); } ==== //depot/projects/hammer/sys/kern/vfs_subr.c#158 (text+ko) ==== @@ -497,6 +497,7 @@ return ((struct mount *) 0); } +extern int jail_allow_mount_all; /* * Check if a user can access privileged mount options. */ @@ -509,7 +510,7 @@ * If the thread is jailed, but this is not a jail-friendly file * system, deny immediately. */ - if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred)) + if (!jail_allow_mount_all && !(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred)) return (EPERM); /*
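Review bot: In the kern_jail.c hunk, static is dropped from the SYSCTL_NODE for security.jail only so that vfs_mount.c can attach one OID to it, and the matching SYSCTL_DECL(_security_jail) is then written by hand in that file. Either define the new knob in kern_jail.c next to the other jail sysctls and keep the node static, or put the SYSCTL_DECL in a shared header such as sys/jail.h so every user of the node sees the same declaration.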
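Review bot: jail_allow_mount_all, added in the first vfs_mount.c hunk (@@ -80,6 +80,12 @@), is a single global int registered with plain CTLFLAG_RW, so setting security.jail.allow_mount_all to 1 lifts the restriction for every jail on the host at once rather than for one chosen prison. Consider making this a per-prison permission; if it stays global, the description string "Prison root can mount all filesystems" should say that it is host-wide and that it overrides the VFCF_JAIL check, and the variable should be declared in a header rather than left as a bare non-static global.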
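Review bot: In the second vfs_mount.c hunk (@@ -1085,7 +1091,7 @@), the new leading operand !jail_allow_mount_all makes the whole condition false whenever the knob is nonzero, so the EPERM return after vfs_byname_kld() is skipped for any fstype and VFCF_JAIL stops acting as the per-filesystem opt-in for jailed callers. If the bypass is meant only for trusted jails, gate it on something derived from td->td_ucred instead of the global. The changed line also runs past 80 columns and needs wrapping.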
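Review bot: The bare "extern int jail_allow_mount_all;" added in the first vfs_subr.c hunk (@@ -497,6 +497,7 @@) duplicates the declaration by hand in a .c file, so a later change to the variable's type in vfs_mount.c would not be caught by the compiler. Move the declaration to a header that both files include (sys/mount.h is one candidate), and keep a blank line between it and the "Check if a user can access privileged mount options" comment block if it stays.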
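Review bot: The comment directly above the changed condition in the second vfs_subr.c hunk (@@ -509,7 +510,7 @@) still reads "If the thread is jailed, but this is not a jail-friendly file system, deny immediately", which is no longer accurate once jail_allow_mount_all is nonzero. Update the comment to mention the override, wrap the condition (it now exceeds 80 columns), and keep the operand order consistent with the matching check in vfs_mount.c so the two tests are easy to compare.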