Date: Sun, 26 Feb 2012 16:30:39 +0000 (UTC) From: Martin Matuska <mm@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r232186 - in head: cddl/contrib/opensolaris/cmd/zfs sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/kern sys/sys usr.sbin/jail Message-ID: <201202261630.q1QGUdIZ073536@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mm Date: Sun Feb 26 16:30:39 2012 New Revision: 232186 URL: http://svn.freebsd.org/changeset/base/232186 Log: Analogous to r232059, add a parameter for the ZFS file system: allow.mount.zfs: allow mounting the zfs filesystem inside a jail This way the permssions for mounting all current VFCF_JAIL filesystems inside a jail are controlled wia allow.mount.* jail parameters. Update sysctl descriptions. Update jail(8) and zfs(8) manpages. TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel developers MFC after: 10 days Modified: head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c head/sys/kern/kern_jail.c head/sys/sys/jail.h head/usr.sbin/jail/jail.8 Modified: head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 ============================================================================== --- head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Sun Feb 26 16:05:20 2012 (r232185) +++ head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Sun Feb 26 16:30:39 2012 (r232186) @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 26, 2011 +.Dd February 26, 2012 .Dt ZFS 8 .Os .Sh NAME @@ -413,9 +413,15 @@ subcommand. You cannot attach a dataset same dataset to another jails. To allow management of the dataset from within a jail, the .Sy jailed -property has to be set. The +property has to be set and the jail needs access to the +.Pa /dev/zfs +device. The .Sy quota -property cannot be changed from within a jail. +property cannot be changed from within a jail. See +.Xr jail 8 +for information on how to allow mounting +.Tn ZFS +datasets from within a jail. .Pp .No A Tn ZFS dataset can be detached from a jail using the @@ -2715,13 +2721,12 @@ to the jail identified by JID From now on this file system tree can be managed from within a jail if the .Sy jailed property has been set. To use this functionality, the jail needs the -.Va enforce_statfs -parameter set to -.Sy 0 -and the .Va allow.mount -parameter set to -.Sy 1 . +and +.Va allow.mount.zfs +parameters set to 1 and the +.Va enforce_statfs +parameter set to a value lower than 2. .Pp See .Xr jail 8 Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c ============================================================================== --- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Sun Feb 26 16:05:20 2012 (r232185) +++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Sun Feb 26 16:30:39 2012 (r232186) @@ -60,6 +60,7 @@ #include <sys/dmu_objset.h> #include <sys/spa_boot.h> #include <sys/sa.h> +#include <sys/jail.h> #include "zfs_comutil.h" struct mtx zfs_debug_mtx; @@ -1533,6 +1534,9 @@ zfs_mount(vfs_t *vfsp) int error = 0; int canwrite; + if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ZFS)) + return (EPERM); + if (vfs_getopt(vfsp->mnt_optnew, "from", (void **)&osname, NULL)) return (EINVAL); Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Sun Feb 26 16:05:20 2012 (r232185) +++ head/sys/kern/kern_jail.c Sun Feb 26 16:30:39 2012 (r232186) @@ -203,6 +203,7 @@ static char *pr_allow_names[] = { "allow.socket_af", "allow.mount.devfs", "allow.mount.nullfs", + "allow.mount.zfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -216,6 +217,7 @@ static char *pr_allow_nonames[] = { "allow.nosocket_af", "allow.mount.nodevfs", "allow.mount.nonullfs", + "allow.mount.nozfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4199,11 +4201,15 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount/unmount the devfs file system"); + "Processes in jail can mount the devfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount/unmount the nullfs file system"); + "Processes in jail can mount the nullfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the zfs file system"); static int sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) @@ -4347,9 +4353,11 @@ SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount/unmount jail-friendly file systems in general"); SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount/unmount the devfs file system"); + "B", "Jail may mount the devfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount/unmount the nullfs file system"); + "B", "Jail may mount the nullfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the zfs file system"); void prison_racct_foreach(void (*callback)(struct racct *racct, Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Sun Feb 26 16:05:20 2012 (r232185) +++ head/sys/sys/jail.h Sun Feb 26 16:30:39 2012 (r232186) @@ -225,7 +225,8 @@ struct prison_racct { #define PR_ALLOW_SOCKET_AF 0x0040 #define PR_ALLOW_MOUNT_DEVFS 0x0080 #define PR_ALLOW_MOUNT_NULLFS 0x0100 -#define PR_ALLOW_ALL 0x01ff +#define PR_ALLOW_MOUNT_ZFS 0x0200 +#define PR_ALLOW_ALL 0x03ff /* * OSD methods Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun Feb 26 16:05:20 2012 (r232185) +++ head/usr.sbin/jail/jail.8 Sun Feb 26 16:30:39 2012 (r232186) @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 23, 2012 +.Dd February 26, 2012 .Dt JAIL 8 .Os .Sh NAME @@ -427,6 +427,17 @@ This permission is effective only togeth and if .Va enforce_statfs is set to a value lower than 2. +.It Va allow.mount.zfs +privileged users inside the jail will be able to mount and unmount the +ZFS file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. See +.Xr zfs 8 +for information on how to configure the ZFS filesystem to operate from +within a jail. .It Va allow.quotas The prison root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201202261630.q1QGUdIZ073536>