From: Sean Bruno
Reply-To: sbruno@freebsd.org
To: "freebsd-hackers@freebsd.org"
Date: Tue, 17 May 2011 12:56:40 -0700
Message-ID: <1305662200.2633.11.camel@hitfishpass-lx.corp.yahoo.com>
Subject: NFS mount inside jail fails
List-Id: Technical Discussions relating to FreeBSD

Silly thing I ran into today. User wanted to NFS mount a dir inside a jail. After I groaned about the security implication of this, I noted that there is a sysctl that looks like it should allow this. Namely, security.jail.mount_allowed.

I noted that setting this follows a path that *should* have allowed this silly thing to happen, except that the credentials in the nfsclient were not set up correctly.

e.g.
    VFS_SET(nfs_vfsops, oldnfs, VFCF_NETWORK);
------
I changed this to:
    VFS_SET(nfs_vfsops, oldnfs, VFCF_NETWORK|VFCF_JAIL);

This seems to allow the user's desired effect after setting security.jail.mount_allowed=1

I *think* this is the correct behavior, if a bit silly when taking into account the purpose of a jail.

Thoughts?

Sean
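
Added example, not part of the original message and not FreeBSD project code: a small audit script that lists which filesystem types carry the jail flag, so an administrator can see what a jailed root could mount once security.jail.mount_allowed=1. It assumes lsvfs(1) prints the type name in the first column and shows "jail" in the flag list for types registered with VFCF_JAIL; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added audit helper (not from the original post).
# Assumption: lsvfs(1) prints one filesystem type per line, name first,
# comma-separated flags last, with "jail" shown for VFCF_JAIL types.

# Constructed sample of lsvfs output, used when lsvfs is not available.
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
ufs                              0x00000035     1
oldnfs                           0x0000003a     0  network
devfs                            0x00000071     1  synthetic, jail
nullfs                           0x00000029     0  loopback, jail'

# Print the names of filesystem types whose flag list contains "jail".
jail_mountable_fs() {
    printf '%s\n' "$1" | awk '
        $1 == "Filesystem" || $1 ~ /^-+$/ { next }   # skip header lines
        {
            for (i = 2; i <= NF; i++) {
                f = $i; gsub(/,/, "", f)
                if (f == "jail") { print $1; break }
            }
        }'
}

# Report exposure: $1 = value of security.jail.mount_allowed, $2 = lsvfs text.
audit_jail_mounts() {
    if [ "$1" != "1" ]; then
        echo "mount_allowed=$1: mounts from inside jails are not enabled"
        return 0
    fi
    echo "mount_allowed=1: jail-flagged types:" $(jail_mountable_fs "$2")
}

# Use live values on a FreeBSD host, the constructed sample elsewhere.
if command -v lsvfs >/dev/null 2>&1; then
    audit_jail_mounts "$(sysctl -n security.jail.mount_allowed)" "$(lsvfs)"
else
    audit_jail_mounts 1 "$SAMPLE_LSVFS"
fi
```

With the change described in the message applied, oldnfs would gain the jail flag and appear in this list, which is the point to review before enabling the sysctl on a host that runs untrusted jails.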