Date: Wed, 29 Feb 2012 00:30:18 +0000 (UTC) From: Martin Matuska <mm@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r232278 - in head: sys/compat/linprocfs sys/compat/linsysfs sys/fs/procfs sys/fs/pseudofs sys/kern sys/sys usr.sbin/jail Message-ID: <201202290030.q1T0UItT098971@svn.freebsd.org>
Author: mm Date: Wed Feb 29 00:30:18 2012 New Revision: 232278 URL: http://svn.freebsd.org/changeset/base/232278 Log: Add procfs to jail-mountable filesystems. Reviewed by: jamie MFC after: 1 week Modified: head/sys/compat/linprocfs/linprocfs.c head/sys/compat/linsysfs/linsysfs.c head/sys/fs/procfs/procfs.c head/sys/fs/pseudofs/pseudofs.h head/sys/kern/kern_jail.c head/sys/sys/jail.h head/usr.sbin/jail/jail.8
Modified: head/sys/compat/linprocfs/linprocfs.c
==============================================================================
--- head/sys/compat/linprocfs/linprocfs.c Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/compat/linprocfs/linprocfs.c Wed Feb 29 00:30:18 2012 (r232278)
@@ -1460,7 +1460,7 @@ linprocfs_uninit(PFS_INIT_ARGS)
 return (0);
 }

-PSEUDOFS(linprocfs, 1);
+PSEUDOFS(linprocfs, 1, 0);
 MODULE_DEPEND(linprocfs, linux, 1, 1, 1);
 MODULE_DEPEND(linprocfs, procfs, 1, 1, 1);
 MODULE_DEPEND(linprocfs, sysvmsg, 1, 1, 1);
Modified: head/sys/compat/linsysfs/linsysfs.c
==============================================================================
--- head/sys/compat/linsysfs/linsysfs.c Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/compat/linsysfs/linsysfs.c Wed Feb 29 00:30:18 2012 (r232278)
@@ -280,5 +280,5 @@ linsysfs_uninit(PFS_INIT_ARGS)
 return (0);
 }

-PSEUDOFS(linsysfs, 1);
+PSEUDOFS(linsysfs, 1, 0);
 MODULE_DEPEND(linsysfs, linux, 1, 1, 1);
Modified: head/sys/fs/procfs/procfs.c
==============================================================================
--- head/sys/fs/procfs/procfs.c Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/fs/procfs/procfs.c Wed Feb 29 00:30:18 2012 (r232278)
@@ -209,4 +209,4 @@ procfs_uninit(PFS_INIT_ARGS)
 return (0);
 }

-PSEUDOFS(procfs, 1);
+PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS);
Modified: head/sys/fs/pseudofs/pseudofs.h
==============================================================================
--- head/sys/fs/pseudofs/pseudofs.h Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/fs/pseudofs/pseudofs.h Wed Feb 29 00:30:18 2012 (r232278)
@@ -31,6 +31,8 @@
 #ifndef _PSEUDOFS_H_INCLUDED
 #define _PSEUDOFS_H_INCLUDED

+#include <sys/jail.h>
+
 /*
 * Opaque structures
 */
@@ -271,7 +273,7 @@ int pfs_destroy (struct pfs_node *pn);
 /*
 * Now for some initialization magic...
 */
-#define PSEUDOFS(name, version) \
+#define PSEUDOFS(name, version, jflag) \
 \
 static struct pfs_info name##_info = { \
 #name, \
@@ -281,6 +283,8 @@ static struct pfs_info name##_info = {
 \
 static int \
 _##name##_mount(struct mount *mp) { \
+ if (jflag && !prison_allow(curthread->td_ucred, jflag)) \
+ return (EPERM); \
 return pfs_mount(&name##_info, mp); \
 } \
 \
@@ -303,7 +307,7 @@ static struct vfsops name##_vfsops = {
 .vfs_uninit = _##name##_uninit, \
 .vfs_unmount = pfs_unmount, \
 }; \
-VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC); \
+VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0)); \
 MODULE_VERSION(name, version); \
 MODULE_DEPEND(name, pseudofs, 1, 1, 1);

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/kern/kern_jail.c Wed Feb 29 00:30:18 2012 (r232278)
@@ -204,6 +204,7 @@ static char *pr_allow_names[] = {
 "allow.mount.devfs",
 "allow.mount.nullfs",
 "allow.mount.zfs",
+ "allow.mount.procfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);

@@ -218,6 +219,7 @@ static char *pr_allow_nonames[] = {
 "allow.mount.nodevfs",
 "allow.mount.nonullfs",
 "allow.mount.nozfs",
+ "allow.mount.noprocfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
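Review bot: In the `_##name##_mount` hunk the new macro argument is expanded bare, `if (jflag && !prison_allow(curthread->td_ucred, jflag))`, and `PSEUDOFS` still carries no comment saying what `jflag` may be. This is the per-filesystem check visible in this diff that gates a jailed mount once the `VFS_SET` hunk turns on `VFCF_JAIL`, so I would parenthesize the argument, `if ((jflag) != 0 && !prison_allow(curthread->td_ucred, (jflag)))` and `((jflag) != 0 ? VFCF_JAIL : 0)`, and add above `#define PSEUDOFS` a comment such as `/* jflag: the PR_ALLOW_* bit a jail must hold to mount this fs; 0 leaves VFCF_JAIL unset */`. The wrapper also needs `curthread` in scope, which the added `<sys/jail.h>` include presumably does not provide on its own, so each file using the macro has to supply it. The macro body starts before and ends after these hunks.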
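Review bot: Nothing in the `pr_allow_names` hunk, or in the matching `pr_allow_nonames` hunk below it, ties the position of the new string to the value of `PR_ALLOW_MOUNT_PROCFS`. The entries appear to be listed in the same order as the `PR_ALLOW_*` bits in sys/jail.h, so presumably the index selects the bit; if so, a later entry inserted out of order would bind a jail parameter name to a different permission. I would put `/* Entries are in PR_ALLOW_* bit order; keep in sync with <sys/jail.h>. */` above each array and consider a `CTASSERT` that compares `nitems(pr_allow_names)` with the number of defined bits. Both array definitions begin outside their hunks.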
@@ -4206,6 +4208,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo
 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
 "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
+ "Processes in jail can mount the procfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
@@ -4356,6 +4362,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, devfs, C
 "B", "Jail may mount the devfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount the procfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may mount the zfs file system");

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Tue Feb 28 23:30:19 2012 (r232277)
+++ head/sys/sys/jail.h Wed Feb 29 00:30:18 2012 (r232278)
@@ -226,7 +226,8 @@ struct prison_racct {
 #define PR_ALLOW_MOUNT_DEVFS 0x0080
 #define PR_ALLOW_MOUNT_NULLFS 0x0100
 #define PR_ALLOW_MOUNT_ZFS 0x0200
-#define PR_ALLOW_ALL 0x03ff
+#define PR_ALLOW_MOUNT_PROCFS 0x0400
+#define PR_ALLOW_ALL 0x07ff

 /*
 * OSD methods
Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Tue Feb 28 23:30:19 2012 (r232277)
+++ head/usr.sbin/jail/jail.8 Wed Feb 29 00:30:18 2012 (r232278)
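Review bot: `PR_ALLOW_ALL` in the sys/jail.h hunk remains a hand-maintained literal, now `0x07ff`, that has to be widened in step with every new `PR_ALLOW_*` bit. The value matches the new `0x0400` bit here, but nothing guards the next addition, and a stale mask would leave out the newest permission wherever the mask is applied. A short comment on the define, for example `/* Must cover every PR_ALLOW_* bit above. */`, would make the coupling explicit. The block of defines starts outside the hunk.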
@@ -428,6 +428,14 @@ This permission is effective only togeth
 and if
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.procfs
+privileged users inside the jail will be able to mount and unmount the
+procfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.zfs
 privileged users inside the jail will be able to mount and unmount the
 ZFS file system.