Site Navigation

Date:      Mon, 30 Jan 2012 18:37:17 GMT
From:      Peter Wemm <peter@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 205412 for review
Message-ID:  <201201301837.q0UIbHdW080138@skunkworks.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

http://p4web.freebsd.org/@@205412?ac=10

Change 205412 by peter@peter_daintree on 2012/01/30 18:36:56

	Bypass sysctl for mounts in jails, damn it.

Affected files ...

.. //depot/projects/hammer/sys/kern/kern_jail.c#62 edit
.. //depot/projects/hammer/sys/kern/vfs_mount.c#118 edit
.. //depot/projects/hammer/sys/kern/vfs_subr.c#158 edit

Differences ...

==== //depot/projects/hammer/sys/kern/kern_jail.c#62 (text+ko) ====

@@ -3965,8 +3965,7 @@
 /*
  * Jail-related sysctls.
  */
-static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
-    "Jails");
+SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, "Jails");
 
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)

==== //depot/projects/hammer/sys/kern/vfs_mount.c#118 (text+ko) ====

@@ -80,6 +80,12 @@
 SYSCTL_INT(_vfs, OID_AUTO, usermount, CTLFLAG_RW, &usermount, 0,
     "Unprivileged users may mount and unmount file systems");
 
+SYSCTL_DECL(_security_jail);
+int     jail_allow_mount_all = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_mount_all, CTLFLAG_RW,
+    &jail_allow_mount_all, 0,
+	"Prison root can mount all filesystems");
+
 MALLOC_DEFINE(M_MOUNT, "mount", "vfs mount structure");
 static MALLOC_DEFINE(M_VNODE_MARKER, "vnodemarker", "vnode marker");
 static uma_zone_t mount_zone;
@@ -1085,7 +1091,7 @@
 			vfsp = vfs_byname_kld(fstype, td, &error);
 		if (vfsp == NULL)
 			return (ENODEV);
-		if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
+		if (!jail_allow_mount_all && jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
 			return (EPERM);
 	}
 

==== //depot/projects/hammer/sys/kern/vfs_subr.c#158 (text+ko) ====

@@ -497,6 +497,7 @@
 	return ((struct mount *) 0);
 }
 
+extern int jail_allow_mount_all;
 /*
  * Check if a user can access privileged mount options.
  */
@@ -509,7 +510,7 @@
 	 * If the thread is jailed, but this is not a jail-friendly file
 	 * system, deny immediately.
 	 */
-	if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred))
+	if (!jail_allow_mount_all && !(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred))
 		return (EPERM);
 
 	/*

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201201301837.q0UIbHdW080138>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact