Author: mm
Date: Wed Feb 29 00:30:18 2012
New Revision: 232278
URL: http://svn.freebsd.org/changeset/base/232278

Log:
  Add procfs to jail-mountable filesystems.
  
  Reviewed by:  jamie
  MFC after:    1 week

Modified:
  head/sys/compat/linprocfs/linprocfs.c
  head/sys/compat/linsysfs/linsysfs.c
  head/sys/fs/procfs/procfs.c
  head/sys/fs/pseudofs/pseudofs.h
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8

Modified: head/sys/compat/linprocfs/linprocfs.c
==============================================================================
--- head/sys/compat/linprocfs/linprocfs.c       Tue Feb 28 23:30:19 2012        
(r232277)
+++ head/sys/compat/linprocfs/linprocfs.c       Wed Feb 29 00:30:18 2012        
(r232278)
@@ -1460,7 +1460,7 @@ linprocfs_uninit(PFS_INIT_ARGS)
        return (0);
 }
 
-PSEUDOFS(linprocfs, 1);
+PSEUDOFS(linprocfs, 1, 0);
 MODULE_DEPEND(linprocfs, linux, 1, 1, 1);
 MODULE_DEPEND(linprocfs, procfs, 1, 1, 1);
 MODULE_DEPEND(linprocfs, sysvmsg, 1, 1, 1);

Modified: head/sys/compat/linsysfs/linsysfs.c
==============================================================================
--- head/sys/compat/linsysfs/linsysfs.c Tue Feb 28 23:30:19 2012        
(r232277)
+++ head/sys/compat/linsysfs/linsysfs.c Wed Feb 29 00:30:18 2012        
(r232278)
@@ -280,5 +280,5 @@ linsysfs_uninit(PFS_INIT_ARGS)
        return (0);
 }
 
-PSEUDOFS(linsysfs, 1);
+PSEUDOFS(linsysfs, 1, 0);
 MODULE_DEPEND(linsysfs, linux, 1, 1, 1);

Modified: head/sys/fs/procfs/procfs.c
==============================================================================
--- head/sys/fs/procfs/procfs.c Tue Feb 28 23:30:19 2012        (r232277)
+++ head/sys/fs/procfs/procfs.c Wed Feb 29 00:30:18 2012        (r232278)
@@ -209,4 +209,4 @@ procfs_uninit(PFS_INIT_ARGS)
        return (0);
 }
 
-PSEUDOFS(procfs, 1);
+PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS);
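Review bot: The third argument on the new `PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS);` line is the only thing that makes procfs mountable from inside a jail, and the call site has no comment saying so or explaining why linprocfs and linsysfs pass `0`. A short comment above it would help, for example `/* Jail-mountable when allow.mount.procfs is set; linprocfs and linsysfs pass 0 and stay host-only. */`. Whether a procfs mounted from a jail exposes only that jail's processes depends on pseudofs and procfs node code that this diff does not show, so that should be confirmed before the permission is documented as safe to grant.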

Modified: head/sys/fs/pseudofs/pseudofs.h
==============================================================================
--- head/sys/fs/pseudofs/pseudofs.h     Tue Feb 28 23:30:19 2012        
(r232277)
+++ head/sys/fs/pseudofs/pseudofs.h     Wed Feb 29 00:30:18 2012        
(r232278)
@@ -31,6 +31,8 @@
 #ifndef _PSEUDOFS_H_INCLUDED
 #define _PSEUDOFS_H_INCLUDED
 
+#include <sys/jail.h>
+
 /*
  * Opaque structures
  */
@@ -271,7 +273,7 @@ int          pfs_destroy    (struct pfs_node *pn);
 /*
  * Now for some initialization magic...
  */
-#define PSEUDOFS(name, version)                                                
\
+#define PSEUDOFS(name, version, jflag)                                 \
                                                                        \
 static struct pfs_info name##_info = {                                 \
        #name,                                                          \
@@ -281,6 +283,8 @@ static struct pfs_info name##_info = {              
                                                                        \
 static int                                                             \
 _##name##_mount(struct mount *mp) {                                    \
+        if (jflag && !prison_allow(curthread->td_ucred, jflag))                
\
+                return (EPERM);                                                
\
        return pfs_mount(&name##_info, mp);                             \
 }                                                                      \
                                                                        \
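Review bot: `jflag` is used unparenthesized in the added `if (jflag && !prison_allow(curthread->td_ucred, jflag))`, so an argument such as `A | B` would parse as `A | (B && !prison_allow(...))` and return EPERM whenever `A` is non-zero, whatever the jail allows. Write `if ((jflag) && !prison_allow(curthread->td_ucred, (jflag)))` here and `((jflag) ? VFCF_JAIL : 0)` in the VFS_SET hunk below. The macro also lacks a comment saying that `jflag` is a single PR_ALLOW_* bit and that `0` leaves VFCF_JAIL unset and skips the check. The PSEUDOFS body begins and ends outside this hunk.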
@@ -303,7 +307,7 @@ static struct vfsops name##_vfsops = {              
        .vfs_uninit =           _##name##_uninit,                       \
        .vfs_unmount =          pfs_unmount,                            \
 };                                                                     \
-VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC);                          \
+VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0));        
\
 MODULE_VERSION(name, version);                                         \
 MODULE_DEPEND(name, pseudofs, 1, 1, 1);
 

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Tue Feb 28 23:30:19 2012        (r232277)
+++ head/sys/kern/kern_jail.c   Wed Feb 29 00:30:18 2012        (r232278)
@@ -204,6 +204,7 @@ static char *pr_allow_names[] = {
        "allow.mount.devfs",
        "allow.mount.nullfs",
        "allow.mount.zfs",
+       "allow.mount.procfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -218,6 +219,7 @@ static char *pr_allow_nonames[] = {
        "allow.mount.nodevfs",
        "allow.mount.nonullfs",
        "allow.mount.nozfs",
+       "allow.mount.noprocfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -4206,6 +4208,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
     "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the procfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
@@ -4356,6 +4362,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, devfs, C
     "B", "Jail may mount the devfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the procfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the zfs file system");
 

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Tue Feb 28 23:30:19 2012        (r232277)
+++ head/sys/sys/jail.h Wed Feb 29 00:30:18 2012        (r232278)
@@ -226,7 +226,8 @@ struct prison_racct {
 #define        PR_ALLOW_MOUNT_DEVFS            0x0080
 #define        PR_ALLOW_MOUNT_NULLFS           0x0100
 #define        PR_ALLOW_MOUNT_ZFS              0x0200
-#define        PR_ALLOW_ALL                    0x03ff
+#define        PR_ALLOW_MOUNT_PROCFS           0x0400
+#define        PR_ALLOW_ALL                    0x07ff
 
 /*
  * OSD methods
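Review bot: Nothing in this block ties the new `PR_ALLOW_MOUNT_PROCFS 0x0400` bit to its name-table slot, and `PR_ALLOW_ALL` is recomputed by hand to `0x07ff`. The matching strings are appended as the last entries of `pr_allow_names` and `pr_allow_nonames` in kern_jail.c; if those tables are indexed by bit position, as the layout suggests, a later insertion in the middle would map a permission name to the wrong bit without any compile error. A comment above the defines would record the invariant, for example `/* Keep in step with pr_allow_names[] and pr_allow_nonames[] in kern_jail.c; update PR_ALLOW_ALL when adding a bit. */`. The block of defines begins outside this hunk.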

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8   Tue Feb 28 23:30:19 2012        (r232277)
+++ head/usr.sbin/jail/jail.8   Wed Feb 29 00:30:18 2012        (r232278)
@@ -428,6 +428,14 @@ This permission is effective only togeth
 and if
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.procfs
+privileged users inside the jail will be able to mount and unmount the
+procfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.zfs
 privileged users inside the jail will be able to mount and unmount the
 ZFS file system.