svn commit: r224615 - in head: sys/kern usr.sbin/jail

Martin Matuska mm at FreeBSD.org
Tue Aug 2 19:44:41 UTC 2011


Author: mm
Date: Tue Aug  2 19:44:40 2011
New Revision: 224615
URL: http://svn.freebsd.org/changeset/base/224615

Log:
  Always disable mount and unmount for jails with enforce_statfs==2.
  A working statfs(2) is required for umount(8) in jail.
  
  Reviewed by:	pjd, kib
  Approved by:	re (kib)
  MFC after:	2 weeks

Modified:
  head/sys/kern/kern_jail.c
  head/usr.sbin/jail/jail.8

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c	Tue Aug  2 19:13:56 2011	(r224614)
+++ head/sys/kern/kern_jail.c	Tue Aug  2 19:44:40 2011	(r224615)
@@ -3858,7 +3858,8 @@ prison_priv_check(struct ucred *cred, in
 	case PRIV_VFS_UNMOUNT:
 	case PRIV_VFS_MOUNT_NONUSER:
 	case PRIV_VFS_MOUNT_OWNER:
-		if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT)
+		if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT &&
+		    cred->cr_prison->pr_enforce_statfs < 2)
 			return (0);
 		else
 			return (EPERM);
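Review bot: the new condition mixes a bitwise test and a logical test without parentheses; `&` does bind tighter than `&&`, so the logic is right, but style(9) readability would be better served by `(cred->cr_prison->pr_allow & PR_ALLOW_MOUNT) != 0 &&` on the first line. A one-line comment above the `if` stating why `pr_enforce_statfs < 2` is required (the log message's point that umount(8) needs a working statfs(2), so a jail that can mount but cannot unmount is left in an inconsistent state) would also help the next reader of prison_priv_check(), since the kernel side otherwise gives no hint that enforce_statfs and allow.mount interact.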

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Tue Aug  2 19:13:56 2011	(r224614)
+++ head/usr.sbin/jail/jail.8	Tue Aug  2 19:44:40 2011	(r224615)
@@ -393,6 +393,9 @@ The
 .Xr lsvfs 1
 command can be used to find file system types available for mount from
 within a jail.
+This permission is effective only if
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.quotas
 The prison root may administer quotas on the jail's filesystem(s).
 This includes filesystems that the jail may share with other jails or
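Review bot: this note is placed under allow.mount only; an administrator reading the enforce_statfs parameter description will not learn that setting it to 2 also disables mount and unmount regardless of allow.mount. Consider adding a matching sentence to the enforce_statfs entry, or an .Xr-style cross reference here, so the interaction is documented from both sides.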
@@ -746,9 +749,11 @@ It is not possible to
 or
 .Xr umount 8
 any file system inside a jail unless the file system is marked
-jail-friendly and the jail's
+jail-friendly, the jail's
 .Va allow.mount
-parameter is set.
+parameter is set and the jail's
+.Va enforce_statfs
+parameter is lower than 2.
 .Pp
 Multiple jails sharing the same file system can influence each other.
 For example a user in one jail can fill the file system also
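Review bot: the rewritten sentence now lists three conditions, so a comma before the final "and" ("parameter is set, and the jail's") would make the enumeration easier to parse on the rendered page; otherwise the wording matches the kernel change in kern_jail.c (allow.mount set and enforce_statfs below 2).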


More information about the svn-src-all mailing list