jail & getfsstat et al
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Mar 9 14:47:27 PST 2004
Hi,
I would like to get some comments on this:
I am not really lucky with the enhancement from the commit (commit
message attached) though it is far better than nothing. It
  * still leaks the full path of the filesystem the jail is mounted on,
    p.ex.: /dev/ad0s3d 13G 210M 12G 2% /u2/jails
  * I could not see p.ex. free disk space of partitions mounted to
    somewhere under /u2/jails/var/mailboxen from within the jail
  * ...
I am at the point to either update my patch[1] for HEAD or entirely
forget about it.
[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/49085
(see the PR for descriptions of more fine grained restrictions
and link to further information)
If people would be interested in the more fine grained control option
I would get the patch updated and -if possible- simplified and
post the result for review?
Thanks for _any_ feedback.
--
Greetings
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/
---------- Forwarded message ----------
rwatson 2004/02/14 10:31:12 PST
FreeBSD src repository
Modified files:
sys/sys jail.h
sys/kern kern_jail.c vfs_syscalls.c
Log:
By default, when a process in jail calls getfsstat(), only return the
data for the file system on which the jail's root vnode is located.
Previous behavior (show data for all mountpoints) can be restored
by setting security.jail.getfsstatroot_only to 0. Note: this also
has the effect of hiding other mounts inside a jail, such as /dev,
/tmp, and /proc, but errs on the side of leaking less information.
Revision Changes Path
1.36 +20 -0 src/sys/kern/kern_jail.c
1.337 +8 -0 src/sys/kern/vfs_syscalls.c
1.20 +3 -0 src/sys/sys/jail.h
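
The following is an added example, not FreeBSD kernel code and not the patch from the PR: a userland C model of the default policy in the commit log, showing the two gaps raised in the mail (the host path stays visible, and mounts below the jail root are hidden). It assumes the jail root is /u2/jails; every mount except /dev/ad0s3d is constructed, and visible_subtree() and jail_view() are hypothetical alternatives, not an existing interface.

```c
#include <stdio.h>
#include <string.h>
/* Userland model with a constructed mount table; not FreeBSD kernel code. */
struct mnt { const char *from, *on; };
static const struct mnt mounts[] = {
    { "/dev/ad0s1a", "/" },                            /* constructed */
    { "/dev/ad0s3d", "/u2/jails" },                    /* from the mail */
    { "/dev/ad0s3e", "/u2/jails/var/mailboxen/vol1" }, /* constructed */
    { "/dev/ad0s3f", "/usr" },                         /* constructed */
};
enum { NMOUNTS = sizeof(mounts) / sizeof(mounts[0]) };

/* 1 if path equals dir or lies below it, on component boundaries. */
static int is_under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (n == 1) return path[0] == '/';   /* dir is "/" */
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Index of the mount holding path (longest matching mount point). */
static int mount_of(const char *path) {
    int best = -1;
    for (int i = 0; i < NMOUNTS; i++)
        if (is_under(path, mounts[i].on) &&
            (best < 0 || strlen(mounts[i].on) > strlen(mounts[best].on)))
            best = i;
    return best;
}

/* Policy from the commit log: only the file system holding the jail root. */
static int visible_root_only(const char *root, int *out) { return (out[0] = mount_of(root)) >= 0; }

/* Hypothetical alternative: also list mounts below the jail root. */
static int visible_subtree(const char *root, int *out) {
    int n = visible_root_only(root, out);
    for (int i = 0; i < NMOUNTS; i++)
        if (i != out[0] && is_under(mounts[i].on, root)) out[n++] = i;
    return n;
}

/* Hypothetical: mount point as seen inside the jail (root assumed not "/"). */
static const char *jail_view(const char *on, const char *root) {
    size_t n = strlen(root);
    return (n > 1 && is_under(on, root) && on[n] == '/') ? on + n : "/";
}

int main(void) {
    int v[NMOUNTS], n = visible_subtree("/u2/jails", v);
    for (int i = 0; i < n; i++)
        printf("%s %s -> %s\n", mounts[v[i]].from, mounts[v[i]].on, jail_view(mounts[v[i]].on, "/u2/jails"));
    return 0;
}
```

Under the root-only policy the single entry returned still carries the host path /u2/jails, and the mount below /u2/jails/var/mailboxen is not listed at all.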