FreeBSD 8.1 prerelease "security.jail.mount_allowed" is broken?

Pawel Jakub Dawidek pjd at FreeBSD.org
Tue May 25 19:10:03 UTC 2010


On Tue, May 25, 2010 at 12:35:19PM +0400, Eugene Mitrofanov wrote:
> Hello
> 
> I tried to mount from within a jail, but it failed. Could you advise me
> where my mistake is?
> 
> root@ftp:eugene# uname -mrs
> FreeBSD 8.1-PRERELEASE amd64
> root@ftp:eugene# sysctl -a | grep -E '(jailed|mount)'
> vfs.usermount: 1
> vfs.ffs.compute_summary_at_mount: 0
> security.jail.mount_allowed: 1
> security.jail.jailed: 1
> root@ftp:eugene# mount /dev/da2s2a /var/t
> mount: /dev/da2s2a : Operation not permitted
> root@ftp:eugene# mount /dev/md1 /var/t
> mount: /dev/md1 : Operation not permitted
> root@ftp:eugene# mount /dev/zvol/tank/ftp.journal /var/t
> mount: /dev/zvol/tank/ftp.journal : Operation not permitted

You can only mount jail-friendly file systems - those with the 'jail'
keyword in lsvfs(1) output.

What you tried can't be safe. Imagine creating a corrupted file system on
da2s2a and mounting it. It will panic the entire system, not only your jail.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
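
The check described in the reply above, as an added example that is not part of the original message: it parses lsvfs(1)-style output and reports which file system types carry the 'jail' keyword. The function names, the sample listing and the `examplefs` entry are constructed for illustration; run against the live `lsvfs` on the host to get the real answer.

```shell
#!/bin/sh
# Constructed sample of lsvfs(1) output, not captured from a real host.
# 'examplefs' is a hypothetical entry used to exercise the parser.
sample_lsvfs() {
cat <<'EOF'
Filesystem                        Refs Flags
-------------------------------- ----- ---------------
ufs                                  3
nfs                                  0 network
zfs                                  5 jail, delegated-administration
examplefs                            1 synthetic, jail
EOF
}

# Read lsvfs-style text on stdin and print the name of every file system
# whose flag list contains the 'jail' keyword, one per line.
jail_friendly_fs() {
    awk '$1 != "Filesystem" && $1 !~ /^-+$/ {
        for (i = 2; i <= NF; i++) {
            flag = $i
            sub(/,$/, "", flag)      # flags are separated by ", "
            if (flag == "jail") { print $1; break }
        }
    }'
}

# Return 0 if file system type $1 is jail-friendly according to the
# listing printed by command $2 (defaults to the live lsvfs).
fs_allowed_in_jail() {
    ${2:-lsvfs} | jail_friendly_fs | grep -qx -- "$1"
}

# Example run against the constructed listing.
for fs in ufs zfs; do
    if fs_allowed_in_jail "$fs" sample_lsvfs; then
        echo "$fs: has 'jail' keyword, mountable from a jail"
    else
        echo "$fs: no 'jail' keyword, mount will be refused in a jail"
    fi
done
```

A type without the keyword is refused inside a jail regardless of the `security.jail.mount_allowed` and `vfs.usermount` values shown in the question.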