Date: Tue, 9 Mar 2004 22:47:04 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: FreeBSD current mailing list
Subject: jail & getfsstat et al

Hi,

I would like to get some comments on this:

I am not really lucky with the enhancement from the commit (commit message attached), though it is far better than nothing.

It
* still leaks the full path of the filesystem the jail is mounted on, e.g.:
    /dev/ad0s3d 13G 210M 12G 2% /u2/jails
* I could not see e.g. free disk space of partitions mounted to somewhere under /u2/jails/var/mailboxen from within the jail
* ...

I am at the point to either update my patch[1] for HEAD or entirely forget about it.

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/49085
    (see the PR for descriptions of more fine-grained restrictions and link to further information)

If people would be interested in the more fine-grained control option, I would get the patch updated and, if possible, simplified, and post the result for review?

Thanks for _any_ feedback.

--
Greetings
Bjoern A. Zeeb    bzeeb at Zabbadoz dot NeT
56 69 73 69 74    http://www.zabbadoz.net/

---------- Forwarded message ----------

rwatson 2004/02/14 10:31:12 PST

  FreeBSD src repository

  Modified files:
    sys/sys    jail.h
    sys/kern   kern_jail.c vfs_syscalls.c
  Log:
  By default, when a process in jail calls getfsstat(), only return the
  data for the file system on which the jail's root vnode is located.
  Previous behavior (show data for all mountpoints) can be restored
  by setting security.jail.getfsstatroot_only to 0. Note: this also
  has the effect of hiding other mounts inside a jail, such as /dev,
  /tmp, and /proc, but errs on the side of leaking less information.

  Revision  Changes  Path
  1.36      +20 -0   src/sys/kern/kern_jail.c
  1.337     +8 -0    src/sys/kern/vfs_syscalls.c
  1.20      +3 -0    src/sys/sys/jail.h
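
Added example, not part of the original message and not FreeBSD kernel code: a userland C model of the two effects described above, using a constructed mount table and an assumed jail root of /u2/jails. `view_root_only` follows the wording of the commit log; `view_subtree` is a hypothetical alternative shown for comparison and is not the patch from PR kern/49085.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a mount table entry (not the kernel's struct statfs).
 * Sample data is constructed: host mounts, with a jail rooted at /u2/jails. */
struct mnt { const char *dev, *on; };
static const struct mnt host[] = {
    { "/dev/ad0s1a", "/" },
    { "/dev/ad0s3d", "/u2/jails" },
    { "/dev/ad1s1d", "/u2/jails/var/mailboxen/a" },
    { "/dev/ad2s1d", "/u2/jails2" },
};
enum { NMNT = sizeof(host) / sizeof(host[0]) };

/* 1 if path is dir or lies below it, compared on whole path components,
 * so "/u2/jails2" is not treated as being under "/u2/jails". */
static int path_under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (n == 1) return path[0] == '/';            /* dir is "/" */
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}
/* Index of the file system holding the jail root: longest matching mount point. */
static int root_fs(const char *jroot) {
    int best = -1;
    for (int i = 0; i < NMNT; i++)
        if (path_under(jroot, host[i].on) &&
            (best < 0 || strlen(host[i].on) > strlen(host[best].on)))
            best = i;
    return best;
}
/* Policy A, per the commit log: only the root's file system, path unchanged. */
static int view_root_only(int i, const char *jroot, char *out, size_t len) {
    if (i != root_fs(jroot)) return 0;
    snprintf(out, len, "%s", host[i].on);         /* host path reaches the jail */
    return 1;
}
/* Policy B, hypothetical: mounts at or below the jail root, path jail-relative. */
static int view_subtree(int i, const char *jroot, char *out, size_t len) {
    if (i == root_fs(jroot)) { snprintf(out, len, "/"); return 1; }
    if (!path_under(host[i].on, jroot)) return 0;
    snprintf(out, len, "%s", host[i].on + (strcmp(jroot, "/") ? strlen(jroot) : 0));
    return 1;
}
int main(void) {
    char a[64], b[64];
    for (int i = 0; i < NMNT; i++)
        printf("%-12s A:%-10s B:%s\n", host[i].dev,
               view_root_only(i, "/u2/jails", a, sizeof a) ? a : "-",
               view_subtree(i, "/u2/jails", b, sizeof b) ? b : "-");
    return 0;
}
```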