PERFORCE change 205412 for review
Peter Wemm
peter at FreeBSD.org
Mon Jan 30 18:37:18 UTC 2012
http://p4web.freebsd.org/@@205412?ac=10
Change 205412 by peter at peter_daintree on 2012/01/30 18:36:56
Bypass sysctl for mounts in jails, damn it.
Affected files ...
.. //depot/projects/hammer/sys/kern/kern_jail.c#62 edit
.. //depot/projects/hammer/sys/kern/vfs_mount.c#118 edit
.. //depot/projects/hammer/sys/kern/vfs_subr.c#158 edit
Differences ...
==== //depot/projects/hammer/sys/kern/kern_jail.c#62 (text+ko) ====
@@ -3965,8 +3965,7 @@
/*
* Jail-related sysctls.
*/
-static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
- "Jails");
+SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, "Jails");
static int
sysctl_jail_list(SYSCTL_HANDLER_ARGS)
==== //depot/projects/hammer/sys/kern/vfs_mount.c#118 (text+ko) ====
@@ -80,6 +80,12 @@
SYSCTL_INT(_vfs, OID_AUTO, usermount, CTLFLAG_RW, &usermount, 0,
"Unprivileged users may mount and unmount file systems");
+SYSCTL_DECL(_security_jail);
+int jail_allow_mount_all = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_mount_all, CTLFLAG_RW,
+ &jail_allow_mount_all, 0,
+ "Prison root can mount all filesystems");
+
MALLOC_DEFINE(M_MOUNT, "mount", "vfs mount structure");
static MALLOC_DEFINE(M_VNODE_MARKER, "vnodemarker", "vnode marker");
static uma_zone_t mount_zone;
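Review bot: `jail_allow_mount_all` is a single host-wide knob, so setting it lifts the VFCF_JAIL restriction for every jail on the system at once rather than for the one jail that needs it; if per-jail granularity is wanted, a prison parameter would be the natural place, and if a global switch is intended the description should say so, e.g. `"Prison root in any jail can mount all filesystem types"`. It is also worth confirming that jailed root cannot flip this node itself: it is created CTLFLAG_RW with no jail-specific flag, and whether the sysctl write path already refuses jailed writers is not visible in this diff. A short comment above the variable stating that VFCF_JAIL marks the filesystem types that were vetted for use inside a jail, and that this switch bypasses that vetting, would help the next reader understand what enabling it gives away.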
@@ -1085,7 +1091,7 @@
vfsp = vfs_byname_kld(fstype, td, &error);
if (vfsp == NULL)
return (ENODEV);
- if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
+ if (!jail_allow_mount_all && jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
return (EPERM);
}
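Review bot: The rewritten condition runs well past 80 columns, which style(9) wraps with a four-space continuation indent; the same applies to the matching line in vfs_subr.c (hunk at line 510). Suggested form: `if (!jail_allow_mount_all && jailed(td->td_ucred) &&` / `    !(vfsp->vfc_flags & VFCF_JAIL))` / `return (EPERM);`. Since the old check read as an unconditional jail policy, a one-line comment above it would help: `/* jail_allow_mount_all disables the per-fstype VFCF_JAIL check. */`. The enclosing function starts and ends outside the hunk.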
==== //depot/projects/hammer/sys/kern/vfs_subr.c#158 (text+ko) ====
@@ -497,6 +497,7 @@
return ((struct mount *) 0);
}
+extern int jail_allow_mount_all;
/*
* Check if a user can access privileged mount options.
*/
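Review bot: The `extern int jail_allow_mount_all;` is dropped mid-file between two functions rather than declared in a shared header, so vfs_subr.c and the defining file in vfs_mount.c carry no common prototype and a later type change in one would not be caught in the other. Moving the declaration to a header that both files already include (next to the other jail-related declarations) and keeping the definition in vfs_mount.c is the conventional fix. If it must stay local for now, a comment naming where it is defined, `/* Defined in vfs_mount.c; see security.jail.allow_mount_all. */`, would at least point readers to the owner.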
@@ -509,7 +510,7 @@
* If the thread is jailed, but this is not a jail-friendly file
* system, deny immediately.
*/
- if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred))
+ if (!jail_allow_mount_all && !(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred))
return (EPERM);
/*