Date: Wed, 26 May 2010 10:23:21 +0400
From: Eugene Mitrofanov <eugene@imedia.ru>
To: Pawel Jakub Dawidek <pjd@freebsd.org>
Cc: freebsd-fs@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: FreeBSD 8.1 prerelease "security.jail.mount_allowed" is broken?
Message-ID: <201005261023.22291.eugene@imedia.ru>
In-Reply-To: <20100525190942.GD1659@garage.freebsd.pl>
References: <201005251235.19833.eugene@imedia.ru> <20100525190942.GD1659@garage.freebsd.pl>

On Tuesday 25 May 2010, Pawel Jakub Dawidek wrote:
> On Tue, May 25, 2010 at 12:35:19PM +0400, Eugene Mitrofanov wrote:
> > Hello
> >
> > I try to do mount from a jail but it failed. Could you advise me where is my
> > mistake?
> >
> > root@ftp:eugene# uname -mrs
> > FreeBSD 8.1-PRERELEASE amd64
> > root@ftp:eugene# sysctl -a | grep -E '(jailed|mount)'
> > vfs.usermount: 1
> > vfs.ffs.compute_summary_at_mount: 0
> > security.jail.mount_allowed: 1
> > security.jail.jailed: 1
> > root@ftp:eugene# mount /dev/da2s2a /var/t
> > mount: /dev/da2s2a : Operation not permitted
> > root@ftp:eugene# mount /dev/md1 /var/t
> > mount: /dev/md1 : Operation not permitted
> > root@ftp:eugene# mount /dev/zvol/tank/ftp.journal /var/t
> > mount: /dev/zvol/tank/ftp.journal : Operation not permitted
>
> You can only mount jail-friendly file systems - those with 'jail'
> keyword in lsvfs(1) output.

Unfortunately, it seems to me that 'zfs mount' is also broken in 8.1PRE
(zpool ver 14). "zfs jail 4 tank" executes successfully, but the word 'jail'
no longer appears in 'man zfs', and 'zfs set jailed=on tank' fails with the
error "property 'jailed' not supported on FreeBSD: permission denied".

"zfs mount" from the jail also failed:

root@ftp:eugene# sysctl security.jail.jailed
security.jail.jailed: 1
root@ftp:eugene# zfs mount tank/test
cannot mount 'tank/test': permission denied

> What you tried can't be safe. Imagine creating corrupted file system on
> da2s2a and mounting it. It will panic entire system, not only your jail.

--
EMIT-RIPN, EVM7-RIPE