jails and output of df/mount [PATCH]

Jeremie Le Hen jeremie at le-hen.org
Tue May 17 21:43:28 GMT 2005


Hi Juergen,

> within a jail there are at this time two possibilities
> of operation for the syscall getfsstat (which is used e.g.
> for the commands 'df' and 'mount'):
> 
> security.jail.getfsstatroot_only = 0:
> 	getfsstat returns all filesystems mounted anywhere on the machine
> 
> security.jail.getfsstatroot_only = 1:
> 	getfsstat returns the filesystem where the jail-root is in
> 	and nothing more (mountpoints within the jails fs-tree are not
> 	returned)
> 
> IMHO this 2nd one is not what is really needed:  If we
> have additional filesystems mounted within the jails tree
> they should be visible too so that they are shown with
> a simple 'df' or 'mount'.
> 
> I made a small patch for this which is available at
> <http://www.addict.de/unger/fbsd/patch-20050516/>
> and should work against CURRENT and RELENG_5_4
> 
> Any comments ?  I am not sure if there is locking needed
> (mtx_lock, mtx_unlock) around this new piece of code, at this
> time it works for me without locking...
> Any other opinions ?  

This works fine on a recent RELENG_5 UP kernel.  Given that this
exposes some host configuration inside jail, it might be worth
adding a sysctl to disable this.  However, I'm not really sure
this kind of information could really be an attack vector or ramp.

There seems to be one small bug in your patch: once applied, we
don't see information about / any longer inside jails.

Thanks for your work.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
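
The behaviour requested in the quoted message (show the jail root's filesystem plus anything mounted below the jail root), as an added user-space example that is not part of the original thread or of the patch under discussion. The names `under` and `jail_view` are hypothetical, and the code assumes absolute, canonical mount paths.

```c
#include <stdio.h>
#include <string.h>

#define VIEW_MAX 256

/* Bytes to strip from path if it equals dir or lies below it on a path
 * component boundary ("/jails/ab" is not below "/jails/a"), else -1.
 * Assumes absolute, canonical paths (no "..", no symlinks). */
static int under(const char *path, const char *dir)
{
    size_t n = strlen(dir);

    while (n > 1 && dir[n - 1] == '/')      /* ignore trailing slashes */
        n--;
    if (n == 1 && dir[0] == '/')            /* everything is below "/" */
        return 0;
    if (strncmp(path, dir, n) != 0)
        return -1;
    return (path[n] == '\0' || path[n] == '/') ? (int)n : -1;
}

/* Hypothetical helper: fill view[] with the mount points a jail rooted at
 * root should see, as paths inside the jail; returns the entry count.
 * view[] must have room for n entries. */
int jail_view(const char *root, const char *const mnt[], int n,
              char view[][VIEW_MAX])
{
    int i, len, best = -1, bestlen = -1, out = 0;

    /* The filesystem holding the jail root is the mount point that is the
     * longest prefix of root; inside the jail it is reported as "/". */
    for (i = 0; i < n; i++)
        if ((len = under(root, mnt[i])) > bestlen) {
            best = i;
            bestlen = len;
        }
    if (best >= 0)
        snprintf(view[out++], VIEW_MAX, "/");
    /* Mount points strictly below the jail root, prefix stripped. */
    for (i = 0; i < n; i++) {
        len = under(mnt[i], root);
        if (i != best && len >= 0 && mnt[i][len] == '/')
            snprintf(view[out++], VIEW_MAX, "%s", mnt[i] + len);
    }
    return out;
}
```

With a constructed host mount table of `/`, `/usr`, `/usr/jails/a/proc` and `/usr/jails/ab` and a jail at `/usr/jails/a`, the jail sees `/` (backed by `/usr`) and `/proc`; the sibling `/usr/jails/ab` and the host's `/` stay hidden.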

