On 02/14/13 06:27, Baptiste Daroussin wrote:
On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
On 02/12/13 12:40, Baptiste Daroussin wrote:
I would like to mark some filesystem as jailable, here is the one I need:
linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
allow.mount.${fs} for each one.
Anyone has an objection?
Would it make sense for linprocfs to use the existing allow.mount.procfs
flag?
Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
It also addd a new allow.mount.tmpfs to allow tmpfs.
It seems to work here, can anyone confirm this is the right way to do it?
I'll commit in 2 parts: first lin*fs, second tmpfs related things
http://people.freebsd.org/~bapt/jail-fs.diff
There are some problems. The usage on the mount side of things looks
correct, but it needs more on the jail side. I'm including a patch just
of that part, with a correction in jail.h and further changes in kern_jail.c
- Jamie
Index: sys/jail.h
===================================================================
--- sys/jail.h (revision 246791)
+++ sys/jail.h (working copy)
@@ -227,7 +227,8 @@
#define PR_ALLOW_MOUNT_NULLFS 0x0100
#define PR_ALLOW_MOUNT_ZFS 0x0200
#define PR_ALLOW_MOUNT_PROCFS 0x0400
-#define PR_ALLOW_ALL 0x07ff
+#define PR_ALLOW_MOUNT_TMPFS 0x0800
+#define PR_ALLOW_ALL 0x0fff
/*
* OSD methods
Index: kern/kern_jail.c
===================================================================
--- kern/kern_jail.c (revision 246791)
+++ kern/kern_jail.c (working copy)
@@ -206,6 +206,7 @@
"allow.mount.nullfs",
"allow.mount.zfs",
"allow.mount.procfs",
+ "allow.mount.tmpfs",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -221,6 +222,7 @@
"allow.mount.nonullfs",
"allow.mount.nozfs",
"allow.mount.noprocfs",
+ "allow.mount.notmpfs",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -4208,6 +4210,10 @@
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the procfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I",
+ "Processes in jail can mount the tmpfs file system");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
@@ -4360,6 +4366,8 @@
"B", "Jail may mount the nullfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the procfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount the tmpfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the zfs file system");
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[email protected]"
