From owner-svn-src-head@FreeBSD.ORG Tue Aug 2 19:44:40 2011 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EB153106566C; Tue, 2 Aug 2011 19:44:40 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C084D8FC15; Tue, 2 Aug 2011 19:44:40 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p72JieQ8065881; Tue, 2 Aug 2011 19:44:40 GMT (envelope-from mm@svn.freebsd.org) Received: (from mm@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p72JiesA065878; Tue, 2 Aug 2011 19:44:40 GMT (envelope-from mm@svn.freebsd.org) Message-Id: <201108021944.p72JiesA065878@svn.freebsd.org> From: Martin Matuska Date: Tue, 2 Aug 2011 19:44:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r224615 - in head: sys/kern usr.sbin/jail X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Aug 2011 19:44:41 -0000 Author: mm Date: Tue Aug 2 19:44:40 2011 New Revision: 224615 URL: http://svn.freebsd.org/changeset/base/224615 Log: Always disable mount and unmount for jails with enforce_statfs==2. A working statfs(2) is required for umount(8) in jail. Reviewed by: pjd, kib Approved by: re (kib) MFC after: 2 weeks Modified: head/sys/kern/kern_jail.c head/usr.sbin/jail/jail.8 Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Tue Aug 2 19:13:56 2011 (r224614) +++ head/sys/kern/kern_jail.c Tue Aug 2 19:44:40 2011 (r224615) @@ -3858,7 +3858,8 @@ prison_priv_check(struct ucred *cred, in case PRIV_VFS_UNMOUNT: case PRIV_VFS_MOUNT_NONUSER: case PRIV_VFS_MOUNT_OWNER: - if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT) + if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && + cred->cr_prison->pr_enforce_statfs < 2) return (0); else return (EPERM); Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Tue Aug 2 19:13:56 2011 (r224614) +++ head/usr.sbin/jail/jail.8 Tue Aug 2 19:44:40 2011 (r224615) @@ -393,6 +393,9 @@ The .Xr lsvfs 1 command can be used to find file system types available for mount from within a jail. +This permission is effective only if +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.quotas The prison root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or @@ -746,9 +749,11 @@ It is not possible to or .Xr umount 8 any file system inside a jail unless the file system is marked -jail-friendly and the jail's +jail-friendly, the jail's .Va allow.mount -parameter is set. +parameter is set and the jail's +.Va enforce_statfs +parameter is lower than 2. .Pp Multiple jails sharing the same file system can influence each other. For example a user in one jail can fill the file system also