svn commit: r232186 - in head: cddl/contrib/opensolaris/cmd/zfs sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/kern sys/sys usr.sbin/jail

Martin Matuska mm at FreeBSD.org
Sun Feb 26 16:30:40 UTC 2012 

Author: mm
Date: Sun Feb 26 16:30:39 2012
New Revision: 232186
URL: http://svn.freebsd.org/changeset/base/232186

Log:
  Analogous to r232059, add a parameter for the ZFS file system:
  
  allow.mount.zfs:
  	allow mounting the zfs filesystem inside a jail
  
  This way the permssions for mounting all current VFCF_JAIL filesystems
  inside a jail are controlled wia allow.mount.* jail parameters.
  
  Update sysctl descriptions.
  Update jail(8) and zfs(8) manpages.
  
  TODO:	document the connection of allow.mount.* and VFCF_JAIL for kernel
  	developers
  
  MFC after:	10 days

Modified:
  head/cddl/contrib/opensolaris/cmd/zfs/zfs.8
  head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8

Modified: head/cddl/contrib/opensolaris/cmd/zfs/zfs.8
==============================================================================
--- head/cddl/contrib/opensolaris/cmd/zfs/zfs.8	Sun Feb 26 16:05:20 2012	(r232185)
+++ head/cddl/contrib/opensolaris/cmd/zfs/zfs.8	Sun Feb 26 16:30:39 2012	(r232186)
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 26, 2011
+.Dd February 26, 2012
 .Dt ZFS 8
 .Os
 .Sh NAME
@@ -413,9 +413,15 @@ subcommand. You cannot attach a dataset 
 same dataset to another jails. To allow management of the dataset from within
 a jail, the
 .Sy jailed
-property has to be set. The
+property has to be set and the jail needs access to the
+.Pa /dev/zfs
+device. The
 .Sy quota
-property cannot be changed from within a jail.
+property cannot be changed from within a jail. See
+.Xr jail 8
+for information on how to allow mounting
+.Tn ZFS
+datasets from within a jail.
 .Pp
 .No A Tn ZFS
 dataset can be detached from a jail using the
@@ -2715,13 +2721,12 @@ to the jail identified by JID
 From now on this file system tree can be managed from within a jail if the
 .Sy jailed
 property has been set. To use this functionality, the jail needs the
-.Va enforce_statfs
-parameter set to
-.Sy 0
-and the
 .Va allow.mount
-parameter set to
-.Sy 1 .
+and
+.Va allow.mount.zfs
+parameters set to 1 and the
+.Va enforce_statfs
+parameter set to a value lower than 2.
 .Pp
 See
 .Xr jail 8

Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c	Sun Feb 26 16:05:20 2012	(r232185)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c	Sun Feb 26 16:30:39 2012	(r232186)
@@ -60,6 +60,7 @@
 #include <sys/dmu_objset.h>
 #include <sys/spa_boot.h>
 #include <sys/sa.h>
+#include <sys/jail.h>
 #include "zfs_comutil.h"
 
 struct mtx zfs_debug_mtx;
@@ -1533,6 +1534,9 @@ zfs_mount(vfs_t *vfsp)
 	int		error = 0;
 	int		canwrite;
 
+	if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ZFS))
+		return (EPERM);
+
 	if (vfs_getopt(vfsp->mnt_optnew, "from", (void **)&osname, NULL))
 		return (EINVAL);
 

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c	Sun Feb 26 16:05:20 2012	(r232185)
+++ head/sys/kern/kern_jail.c	Sun Feb 26 16:30:39 2012	(r232186)
@@ -203,6 +203,7 @@ static char *pr_allow_names[] = {
 	"allow.socket_af",
 	"allow.mount.devfs",
 	"allow.mount.nullfs",
+	"allow.mount.zfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -216,6 +217,7 @@ static char *pr_allow_nonames[] = {
 	"allow.nosocket_af",
 	"allow.mount.nodevfs",
 	"allow.mount.nonullfs",
+	"allow.mount.nozfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -4199,11 +4201,15 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
-    "Processes in jail can mount/unmount the devfs file system");
+    "Processes in jail can mount the devfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
-    "Processes in jail can mount/unmount the nullfs file system");
+    "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the zfs file system");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -4347,9 +4353,11 @@ SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, 
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may mount/unmount jail-friendly file systems in general");
 SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
-    "B", "Jail may mount/unmount the devfs file system");
+    "B", "Jail may mount the devfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
-    "B", "Jail may mount/unmount the nullfs file system");
+    "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the zfs file system");
 
 void
 prison_racct_foreach(void (*callback)(struct racct *racct,

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h	Sun Feb 26 16:05:20 2012	(r232185)
+++ head/sys/sys/jail.h	Sun Feb 26 16:30:39 2012	(r232186)
@@ -225,7 +225,8 @@ struct prison_racct {
 #define	PR_ALLOW_SOCKET_AF		0x0040
 #define	PR_ALLOW_MOUNT_DEVFS		0x0080
 #define	PR_ALLOW_MOUNT_NULLFS		0x0100
-#define	PR_ALLOW_ALL			0x01ff
+#define	PR_ALLOW_MOUNT_ZFS		0x0200
+#define	PR_ALLOW_ALL			0x03ff
 
 /*
  * OSD methods

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Sun Feb 26 16:05:20 2012	(r232185)
+++ head/usr.sbin/jail/jail.8	Sun Feb 26 16:30:39 2012	(r232186)
@@ -34,7 +34,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 23, 2012
+.Dd February 26, 2012
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -427,6 +427,17 @@ This permission is effective only togeth
 and if
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.zfs
+privileged users inside the jail will be able to mount and unmount the
+ZFS file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2. See
+.Xr zfs 8
+for information on how to configure the ZFS filesystem to operate from
+within a jail.
 .It Va allow.quotas
 The prison root may administer quotas on the jail's filesystem(s).
 This includes filesystems that the jail may share with other jails or

More information about the svn-src-all mailing list