From owner-svn-src-head@FreeBSD.ORG Wed Feb 29 00:30:19 2012 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 336F41065673; Wed, 29 Feb 2012 00:30:19 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 20B528FC18; Wed, 29 Feb 2012 00:30:19 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q1T0UIS2098979; Wed, 29 Feb 2012 00:30:18 GMT (envelope-from mm@svn.freebsd.org) Received: (from mm@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q1T0UItT098971; Wed, 29 Feb 2012 00:30:18 GMT (envelope-from mm@svn.freebsd.org) Message-Id: <201202290030.q1T0UItT098971@svn.freebsd.org> From: Martin Matuska Date: Wed, 29 Feb 2012 00:30:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r232278 - in head: sys/compat/linprocfs sys/compat/linsysfs sys/fs/procfs sys/fs/pseudofs sys/kern sys/sys usr.sbin/jail X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Feb 2012 00:30:19 -0000 Author: mm Date: Wed Feb 29 00:30:18 2012 New Revision: 232278 URL: http://svn.freebsd.org/changeset/base/232278 Log: Add procfs to jail-mountable filesystems. Reviewed by: jamie MFC after: 1 week Modified: head/sys/compat/linprocfs/linprocfs.c head/sys/compat/linsysfs/linsysfs.c head/sys/fs/procfs/procfs.c head/sys/fs/pseudofs/pseudofs.h head/sys/kern/kern_jail.c head/sys/sys/jail.h head/usr.sbin/jail/jail.8 Modified: head/sys/compat/linprocfs/linprocfs.c ============================================================================== --- head/sys/compat/linprocfs/linprocfs.c Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/compat/linprocfs/linprocfs.c Wed Feb 29 00:30:18 2012 (r232278) @@ -1460,7 +1460,7 @@ linprocfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linprocfs, 1); +PSEUDOFS(linprocfs, 1, 0); MODULE_DEPEND(linprocfs, linux, 1, 1, 1); MODULE_DEPEND(linprocfs, procfs, 1, 1, 1); MODULE_DEPEND(linprocfs, sysvmsg, 1, 1, 1); Modified: head/sys/compat/linsysfs/linsysfs.c ============================================================================== --- head/sys/compat/linsysfs/linsysfs.c Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/compat/linsysfs/linsysfs.c Wed Feb 29 00:30:18 2012 (r232278) @@ -280,5 +280,5 @@ linsysfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(linsysfs, 1); +PSEUDOFS(linsysfs, 1, 0); MODULE_DEPEND(linsysfs, linux, 1, 1, 1); Modified: head/sys/fs/procfs/procfs.c ============================================================================== --- head/sys/fs/procfs/procfs.c Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/fs/procfs/procfs.c Wed Feb 29 00:30:18 2012 (r232278) @@ -209,4 +209,4 @@ procfs_uninit(PFS_INIT_ARGS) return (0); } -PSEUDOFS(procfs, 1); +PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS); Modified: head/sys/fs/pseudofs/pseudofs.h ============================================================================== --- head/sys/fs/pseudofs/pseudofs.h Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/fs/pseudofs/pseudofs.h Wed Feb 29 00:30:18 2012 (r232278) @@ -31,6 +31,8 @@ #ifndef _PSEUDOFS_H_INCLUDED #define _PSEUDOFS_H_INCLUDED +#include + /* * Opaque structures */ @@ -271,7 +273,7 @@ int pfs_destroy (struct pfs_node *pn); /* * Now for some initialization magic... */ -#define PSEUDOFS(name, version) \ +#define PSEUDOFS(name, version, jflag) \ \ static struct pfs_info name##_info = { \ #name, \ @@ -281,6 +283,8 @@ static struct pfs_info name##_info = { \ static int \ _##name##_mount(struct mount *mp) { \ + if (jflag && !prison_allow(curthread->td_ucred, jflag)) \ + return (EPERM); \ return pfs_mount(&name##_info, mp); \ } \ \ @@ -303,7 +307,7 @@ static struct vfsops name##_vfsops = { .vfs_uninit = _##name##_uninit, \ .vfs_unmount = pfs_unmount, \ }; \ -VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC); \ +VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0)); \ MODULE_VERSION(name, version); \ MODULE_DEPEND(name, pseudofs, 1, 1, 1); Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/kern/kern_jail.c Wed Feb 29 00:30:18 2012 (r232278) @@ -204,6 +204,7 @@ static char *pr_allow_names[] = { "allow.mount.devfs", "allow.mount.nullfs", "allow.mount.zfs", + "allow.mount.procfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -218,6 +219,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nodevfs", "allow.mount.nonullfs", "allow.mount.nozfs", + "allow.mount.noprocfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4206,6 +4208,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the nullfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the procfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", @@ -4356,6 +4362,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, devfs, C "B", "Jail may mount the devfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the nullfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the procfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the zfs file system"); Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Tue Feb 28 23:30:19 2012 (r232277) +++ head/sys/sys/jail.h Wed Feb 29 00:30:18 2012 (r232278) @@ -226,7 +226,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_DEVFS 0x0080 #define PR_ALLOW_MOUNT_NULLFS 0x0100 #define PR_ALLOW_MOUNT_ZFS 0x0200 -#define PR_ALLOW_ALL 0x03ff +#define PR_ALLOW_MOUNT_PROCFS 0x0400 +#define PR_ALLOW_ALL 0x07ff /* * OSD methods Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Tue Feb 28 23:30:19 2012 (r232277) +++ head/usr.sbin/jail/jail.8 Wed Feb 29 00:30:18 2012 (r232278) @@ -428,6 +428,14 @@ This permission is effective only togeth and if .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.procfs +privileged users inside the jail will be able to mount and unmount the +procfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.zfs privileged users inside the jail will be able to mount and unmount the ZFS file system.