> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Xin Li
> Sent: Friday, 23 August 2013 5:15 AM
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: Allowing tmpfs to be mounted in jail?
> 
> Hi,
> 
> Does anybody have concerns if I would commit this?
> 
> Index: sys/fs/tmpfs/tmpfs_vfsops.c
> ===================================================================
> - --- sys/fs/tmpfs/tmpfs_vfsops.c     (revision 254663)
> +++ sys/fs/tmpfs/tmpfs_vfsops.c       (working copy)
> @@ -420,4 +420,4 @@ struct vfsops tmpfs_vfsops = {
>       .vfs_statfs =                   tmpfs_statfs,
>       .vfs_fhtovp =                   tmpfs_fhtovp,
>  };
> - -VFS_SET(tmpfs_vfsops, tmpfs, 0);
> +VFS_SET(tmpfs_vfsops, tmpfs, VFCF_JAIL);
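
Review bot: On the changed VFS_SET line, VFCF_JAIL is set unconditionally and nothing in this hunk gives tmpfs its own switch, so every jail that is permitted to mount jail-enabled filesystems would also be able to mount tmpfs. Because tmpfs is backed by memory and swap, a mount made inside a jail without a size limit can consume host resources; consider gating this behind a tmpfs-specific per-jail permission and documenting the expected size limit together with the change.
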
> 
> Cheers,
> - -- 
> Xin LI <[email protected]>    https://www.delphij.net/
> FreeBSD - The Power to Serve!           Live free or die
> _______________________________________________
> [email protected] mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to 
> "[email protected]"

Xin Li,

I can envision the use of tmpfs without providing access to mounting other
devices within a jail context.

It would be better if this feature had its own sysctl to control the jail's
state, particularly as a DoS could "inadvertently" be introduced, per Kib's
earlier point. Other device types have additional mitigation strategies,
such as exclusion via dev.rules, which tmpfs doesn't have.

Regards, Dewayne.
