
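--- a/sys/fs/fdescfs/fdesc_vfsops.c
+++ b/sys/fs/fdescfs/fdesc_vfsops.c
@@ -50,6 +50,7 @@
 #include <sys/racct.h>
 #include <sys/resourcevar.h>
 #include <sys/vnode.h>
+#include <sys/jail.h>
 
 #include <fs/fdescfs/fdesc.h>
 
@@ -78,8 +79,11 @@ fdesc_mount(struct mount *mp)
 {
 	int error = 0;
 	struct fdescmount *fmp;
+	struct thread *td = curthread;
 	struct vnode *rvp;
 
+	if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
+		return (EPERM);
 	/*
 	 * Update is a no-op
 	 */
@@ -237,4 +241,4 @@ static struct vfsops fdesc_vfsops = {
 	.vfs_unmount =		fdesc_unmount,
 };
 
-VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
+VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);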
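Review bot: The new `prison_allow()` check in fdesc_mount() sits ahead of the MNT_UPDATE handling that the `Update is a no-op` comment introduces, so a jail without allow.mount.fdescfs is refused even for an update of an existing mount; that looks intended, but a one-line comment would stop a later reordering from silently weakening it, e.g. `/* Jailed callers need allow.mount.fdescfs; keep this ahead of the MNT_UPDATE shortcut. */`. The `td` local added in the same hunk is read exactly once, so `prison_allow(curthread->td_ucred, PR_ALLOW_MOUNT_FDESCFS)` would do without the extra declaration unless the rest of fdesc_mount, which continues outside the hunk, also uses it. As I read the VFS code, the VFCF_JAIL flag in the last hunk is what lets a jailed caller reach fdesc_mount at all, so the per-filesystem check and the flag need to land together.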
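--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
 	"allow.mount.zfs",
 	"allow.mount.procfs",
 	"allow.mount.tmpfs",
+	"allow.mount.fdescfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -223,6 +224,7 @@ static char *pr_allow_nonames[] = {
 	"allow.mount.nozfs",
 	"allow.mount.noprocfs",
 	"allow.mount.notmpfs",
+	"allow.mount.nofdescfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -4245,6 +4247,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
     "Processes in jail can mount the zfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the fdescfs file system");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -4397,6 +4403,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the tmpfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount the zfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the fdescfs file system");
 
 void
 prison_racct_foreach(void (*callback)(struct racct *racct,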
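Review bot: The default-allow value that `sysctl_jail_default_allow` exports is initialised outside these hunks and is not touched by the patch; please confirm that initialiser does not include PR_ALLOW_MOUNT_FDESCFS, so the new permission stays opt-in like allow.mount.tmpfs and allow.mount.zfs rather than being granted to every jail on upgrade. The `pr_allow_names` and `pr_allow_nonames` tables, whose declarations begin outside the first two hunks, appear to be positional (one entry per PR_ALLOW_* bit), so the new entries must stay last in both and the tables must keep equal length; a short comment on `pr_allow_names`, e.g. `/* One entry per PR_ALLOW_* bit, in bit order; keep in step with pr_allow_nonames and sys/jail.h. */`, would make that coupling visible to the next person adding a flag.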
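--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -228,7 +228,8 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT_ZFS		0x0200
 #define	PR_ALLOW_MOUNT_PROCFS		0x0400
 #define	PR_ALLOW_MOUNT_TMPFS		0x0800
-#define	PR_ALLOW_ALL			0x0fff
+#define	PR_ALLOW_MOUNT_FDESCFS		0x1000
+#define	PR_ALLOW_ALL			0xffff
 
 /*
  * OSD methods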
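Review bot: `PR_ALLOW_ALL` jumps from 0x0fff to 0xffff although the highest defined bit is now PR_ALLOW_MOUNT_FDESCFS at 0x1000, so bits 0x2000 through 0x8000 join the "all" mask with no permission behind them; if PR_ALLOW_ALL is used to validate or expand a user-supplied allow mask, those undefined bits would be accepted as allowed until some later flag claims them. The conservative form is `#define	PR_ALLOW_ALL			0x1fff`, widened again only when the next bit is added. A comment on the mask, `/* Every defined PR_ALLOW_* bit; extend when a flag is added. */`, would make that coupling explicit.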
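--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -547,6 +547,14 @@ This permission is effective only together with
 and only when
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.fdescfs
+privileged users inside the jail will be able to mount and unmount the
+fdescfs file system.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.tmpfs
 privileged users inside the jail will be able to mount and unmount the
 tmpfs file system.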
