Date: Sun, 19 Jul 2015 08:52:35 +0000 (UTC) From: Marcelo Araujo <araujo@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r285685 - in head: sys/compat/linprocfs sys/compat/linsysfs sys/kern sys/sys usr.sbin/jail Message-ID: <201507190852.t6J8qZbP064359@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: araujo (ports committer) Date: Sun Jul 19 08:52:35 2015 New Revision: 285685 URL: https://svnweb.freebsd.org/changeset/base/285685 Log: Add support to the jail framework to be able to mount linsysfs(5) and linprocfs(5). Differential Revision: D2846 Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com> Reviewed by: jamie Modified: head/sys/compat/linprocfs/linprocfs.c head/sys/compat/linsysfs/linsysfs.c head/sys/kern/kern_jail.c head/sys/sys/jail.h head/usr.sbin/jail/jail.8 Modified: head/sys/compat/linprocfs/linprocfs.c ============================================================================== --- head/sys/compat/linprocfs/linprocfs.c Sun Jul 19 00:38:19 2015 (r285684) +++ head/sys/compat/linprocfs/linprocfs.c Sun Jul 19 08:52:35 2015 (r285685) @@ -1548,7 +1548,7 @@ linprocfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linprocfs, 1, 0); +PSEUDOFS(linprocfs, 1, PR_ALLOW_MOUNT_LINPROCFS); #if defined(__amd64__) MODULE_DEPEND(linprocfs, linux_common, 1, 1, 1); #else Modified: head/sys/compat/linsysfs/linsysfs.c ============================================================================== --- head/sys/compat/linsysfs/linsysfs.c Sun Jul 19 00:38:19 2015 (r285684) +++ head/sys/compat/linsysfs/linsysfs.c Sun Jul 19 08:52:35 2015 (r285685) @@ -275,7 +275,7 @@ linsysfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linsysfs, 1, 0); +PSEUDOFS(linsysfs, 1, PR_ALLOW_MOUNT_LINSYSFS); #if defined(__amd64__) MODULE_DEPEND(linsysfs, linux_common, 1, 1, 1); #else Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Sun Jul 19 00:38:19 2015 (r285684) +++ head/sys/kern/kern_jail.c Sun Jul 19 08:52:35 2015 (r285685) @@ -205,6 +205,8 @@ static char *pr_allow_names[] = { "allow.mount.procfs", "allow.mount.tmpfs", "allow.mount.fdescfs", + "allow.mount.linprocfs", + "allow.mount.linsysfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -222,6 +224,8 @@ static char *pr_allow_nonames[] = { "allow.mount.noprocfs", "allow.mount.notmpfs", "allow.mount.nofdescfs", + "allow.mount.nolinprocfs", + "allow.mount.nolinsysfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4290,6 +4294,14 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the procfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the linprocfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the linsysfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I", @@ -4456,6 +4468,10 @@ SYSCTL_JAIL_PARAM(_allow_mount, nullfs, "B", "Jail may mount the nullfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the procfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the linprocfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the linsysfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the tmpfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Sun Jul 19 00:38:19 2015 (r285684) +++ head/sys/sys/jail.h Sun Jul 19 08:52:35 2015 (r285685) @@ -230,7 +230,9 @@ struct prison_racct { #define PR_ALLOW_MOUNT_PROCFS 0x0400 #define PR_ALLOW_MOUNT_TMPFS 0x0800 #define PR_ALLOW_MOUNT_FDESCFS 0x1000 -#define PR_ALLOW_ALL 0x1fff +#define PR_ALLOW_MOUNT_LINPROCFS 0x2000 +#define PR_ALLOW_MOUNT_LINSYSFS 0x4000 +#define PR_ALLOW_ALL 0x7fff /* * OSD methods Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun Jul 19 00:38:19 2015 (r285684) +++ head/usr.sbin/jail/jail.8 Sun Jul 19 08:52:35 2015 (r285685) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 25, 2015 +.Dd July 20, 2015 .Dt JAIL 8 .Os .Sh NAME @@ -563,6 +563,22 @@ This permission is effective only togeth and only when .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.linprocfs +privileged users inside the jail will be able to mount and unmount the +linprocfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. +.It Va allow.mount.linsysfs +privileged users inside the jail will be able to mount and unmount the +linsysfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.tmpfs privileged users inside the jail will be able to mount and unmount the tmpfs file system. @@ -1209,6 +1225,8 @@ environment of the first jail. .Xr devfs 5 , .Xr fdescfs 5 , .Xr jail.conf 5 , +.Xr linprocfs 5 , +.Xr linsysfs 5 , .Xr procfs 5 , .Xr rc.conf 5 , .Xr sysctl.conf 5 ,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507190852.t6J8qZbP064359>