Re: when is VFCF_JAIL allowed?

From: Brooks Davis <brooks_at_freebsd.org>
Date: Mon, 12 Feb 2024 18:16:35 UTC

On Mon, Feb 12, 2024 at 10:02:01AM -0800, Chuck Tuffli wrote:
> I was experimenting with a workflow and needed to allow a jail to mount an ISO image. This fails because the cd9660 file system does not set VFCF_JAIL:
>                       can be mounted from within a jail if allow.mount and
>                       allow.mount.<vfc_name> jail parameters are set
> Is there a reason jails should not be allowed to mount an ISO or is it because no one has added the support?

File systems where the kernel parses a binary disk image aren't generally
safe because a bad image can corrupt kernel state.  It should be safe
and allowed to mount an ISO via fusefs (not sure if we have a module
available in ports, but I'd guess so.)

-- Brooks