FreeBSD Bugzilla – Attachment 147927 Details for
Bug 192951
Allow fdescfs to be used in hierarchical jails
[patch]
patch that introduces allow.mount.fdescfs
allow_mount_fdescfs.patch (text/plain), 3.34 KB, created by
ruben
on 2014-10-03 08:41:00 UTC
Description:
patch that introduces allow.mount.fdescfs
Filename:
MIME Type:
Creator:
ruben
Created:
2014-10-03 08:41:00 UTC
Size:
3.34 KB
patch
obsolete
>diff --git a/sys/fs/fdescfs/fdesc_vfsops.c b/sys/fs/fdescfs/fdesc_vfsops.c
>index cb5e3c0..7193809 100644
>--- a/sys/fs/fdescfs/fdesc_vfsops.c
>+++ b/sys/fs/fdescfs/fdesc_vfsops.c
>@@ -50,6 +50,7 @@
> #include <sys/racct.h>
> #include <sys/resourcevar.h>
> #include <sys/vnode.h>
>+#include <sys/jail.h>
>
> #include <fs/fdescfs/fdesc.h>
>
>@@ -78,8 +79,11 @@ fdesc_mount(struct mount *mp)
> {
> int error = 0;
> struct fdescmount *fmp;
>+ struct thread *td = curthread;
> struct vnode *rvp;
>
>+ if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
>+ return (EPERM);
> /*
> * Update is a no-op
> */
>@@ -237,4 +241,4 @@ static struct vfsops fdesc_vfsops = {
> .vfs_unmount = fdesc_unmount,
> };
>
>-VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
>+VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);
>diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
>index 2d35a1a..408ae85 100644
>--- a/sys/kern/kern_jail.c
>+++ b/sys/kern/kern_jail.c
>@@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
> "allow.mount.zfs",
> "allow.mount.procfs",
> "allow.mount.tmpfs",
>+ "allow.mount.fdescfs",
> };
> const size_t pr_allow_names_size = sizeof(pr_allow_names);
>
>@@ -223,6 +224,7 @@ static char *pr_allow_nonames[] = {
> "allow.mount.nozfs",
> "allow.mount.noprocfs",
> "allow.mount.notmpfs",
>+ "allow.mount.nofdescfs",
> };
> const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
>
>@@ -4247,6 +4249,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
> CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
> "Processes in jail can mount the zfs file system");
>+SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
>+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
>+ NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
>+ "Processes in jail can mount the fdescfs file system");
>
> static int
> sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
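Review bot: In sys/fs/fdescfs/fdesc_vfsops.c, the `prison_allow()` check added to `fdesc_mount()` is the only per-jail gate behind the `VFCF_JAIL` flag that the last hunk of this file adds to `VFS_SET`, and nothing in the code says the two belong together. As I read the jail.8 text in this same patch, `allow.mount` with `enforce_statfs` below 2 is the generic requirement, so dropping or moving the check later would presumably let any such jail mount fdescfs. I would add a comment above the check, for example `/* Jailed callers need allow.mount.fdescfs; VFCF_JAIL alone would admit any jail with allow.mount. */`, and a blank line between `return (EPERM);` and the existing "Update is a no-op" comment. The host presumably still passes because `PR_ALLOW_ALL` gains the new bit in sys/sys/jail.h, but how the host prison's allow mask is initialised is not shown here. `fdesc_mount()` continues past the end of the hunk.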
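Review bot: In sys/kern/kern_jail.c, the new `"allow.mount.fdescfs"` entry in `pr_allow_names[]` and the `"allow.mount.nofdescfs"` entry in `pr_allow_nonames[]` are right only while their array position matches the bit `PR_ALLOW_MOUNT_FDESCFS 0x1000` added in sys/sys/jail.h, and that coupling is not documented. The visible neighbours (zfs, procfs, tmpfs against 0x0200, 0x0400, 0x0800) suggest the tables are indexed by bit position, though the lookup code is outside these hunks. A one-line comment above each table, such as `/* Entry order must match the PR_ALLOW_* bit positions in sys/jail.h. */`, would keep a later addition from silently mapping a parameter name to the wrong permission. Both arrays begin above their hunks.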
>@@ -4399,6 +4405,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
> "B", "Jail may mount the tmpfs file system");
> SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
> "B", "Jail may mount the zfs file system");
>+SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
>+ "B", "Jail may mount the fdescfs file system");
>
> void
> prison_racct_foreach(void (*callback)(struct racct *racct,
>diff --git a/sys/sys/jail.h b/sys/sys/jail.h
>index a82a499..08b5f4b 100644
>--- a/sys/sys/jail.h
>+++ b/sys/sys/jail.h
>@@ -228,7 +228,8 @@ struct prison_racct {
> #define PR_ALLOW_MOUNT_ZFS 0x0200
> #define PR_ALLOW_MOUNT_PROCFS 0x0400
> #define PR_ALLOW_MOUNT_TMPFS 0x0800
>-#define PR_ALLOW_ALL 0x0fff
>+#define PR_ALLOW_MOUNT_FDESCFS 0x1000
>+#define PR_ALLOW_ALL 0x1fff
>
> /*
> * OSD methods
>diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
>index ee646e6..1af3de6 100644
>--- a/usr.sbin/jail/jail.8
>+++ b/usr.sbin/jail/jail.8
>@@ -547,6 +547,14 @@ This permission is effective only together with
> and only when
> .Va enforce_statfs
> is set to a value lower than 2.
>+.It Va allow.mount.fdescfs
>+privileged users inside the jail will be able to mount and unmount the
>+fdescfs file system.
>+This permission is effective only together with
>+.Va allow.mount
>+and only when
>+.Va enforce_statfs
>+is set to a value lower than 2.
> .It Va allow.mount.tmpfs
> privileged users inside the jail will be able to mount and unmount the
> tmpfs file system.
Attachments on
bug 192951
:
146188
| 147927