From owner-freebsd-fs@FreeBSD.ORG  Tue May 25 19:10:03 2010
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5A7DE106564A;
	Tue, 25 May 2010 19:10:03 +0000 (UTC)
	(envelope-from pjd@garage.freebsd.pl)
Received: from mail.garage.freebsd.pl (chello089077043238.chello.pl
	[89.77.43.238])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B9578FC08;
	Tue, 25 May 2010 19:10:02 +0000 (UTC)
Received: by mail.garage.freebsd.pl (Postfix, from userid 65534)
	id 9B88545DD8; Tue, 25 May 2010 21:10:00 +0200 (CEST)
Received: from localhost (pdawidek.wheel.pl [10.0.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.garage.freebsd.pl (Postfix) with ESMTP id AC8F445CBA;
	Tue, 25 May 2010 21:09:55 +0200 (CEST)
Date: Tue, 25 May 2010 21:09:42 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Eugene Mitrofanov <eugene@imedia.ru>
Message-ID: <20100525190942.GD1659@garage.freebsd.pl>
References: <201005251235.19833.eugene@imedia.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="0QFb0wBpEddLcDHQ"
Content-Disposition: inline
In-Reply-To: <201005251235.19833.eugene@imedia.ru>
User-Agent: Mutt/1.4.2.3i
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 9.0-CURRENT amd64
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
	mail.garage.freebsd.pl
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 required=4.5 tests=ALL_TRUSTED,BAYES_00 
	autolearn=ham version=3.0.4
Cc: freebsd-fs@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: FreeBSD 8.1 prerelease "security.jail.mount_allowed" is broken?
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
	<mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2010 19:10:03 -0000


--0QFb0wBpEddLcDHQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 25, 2010 at 12:35:19PM +0400, Eugene Mitrofanov wrote:
> Hello
>=20
> I try to do mount from a jail but it failed. Could you advise me where is=
 my=20
> mistake?
>=20
> root@ftp:eugene# uname -mrs
> FreeBSD 8.1-PRERELEASE amd64
> root@ftp:eugene# sysctl -a | grep -E '(jailed|mount)'
> vfs.usermount: 1
> vfs.ffs.compute_summary_at_mount: 0
> security.jail.mount_allowed: 1
> security.jail.jailed: 1
> root@ftp:eugene# mount /dev/da2s2a /var/t
> mount: /dev/da2s2a : Operation not permitted
> root@ftp:eugene# mount /dev/md1 /var/t
> mount: /dev/md1 : Operation not permitted
> root@ftp:eugene# mount /dev/zvol/tank/ftp.journal /var/t
> mount: /dev/zvol/tank/ftp.journal : Operation not permitted

You can only mount jail-friendly file systems - those with 'jail'
keyword in lsvfs(1) output.

What you tried can't be safe. Imagine creating corrupted file system on
da2s2a and mounting it. It will panic entire system, not only your jail.

--=20
Pawel Jakub Dawidek                       http://www.wheelsystems.com
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

--0QFb0wBpEddLcDHQ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAkv8IHYACgkQForvXbEpPzSHpACeKp6iYeGd6h/zkpoZJTIx5j9I
8S8AniB9XxU4Sr3aT8NZHdii/CFLB+0N
=cdSt
-----END PGP SIGNATURE-----

--0QFb0wBpEddLcDHQ--