svn commit: r232186 - in head: cddl/contrib/opensolaris/cmd/zfs
sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/kern
sys/sys usr.sbin/jail
Martin Matuska
mm at FreeBSD.org
Sun Feb 26 16:30:40 UTC 2012
Author: mm
Date: Sun Feb 26 16:30:39 2012
New Revision: 232186
URL: http://svn.freebsd.org/changeset/base/232186
Log:
Analogous to r232059, add a parameter for the ZFS file system:
allow.mount.zfs:
allow mounting the zfs filesystem inside a jail
This way the permssions for mounting all current VFCF_JAIL filesystems
inside a jail are controlled wia allow.mount.* jail parameters.
Update sysctl descriptions.
Update jail(8) and zfs(8) manpages.
TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel
developers
MFC after: 10 days
Modified:
head/cddl/contrib/opensolaris/cmd/zfs/zfs.8
head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
head/sys/kern/kern_jail.c
head/sys/sys/jail.h
head/usr.sbin/jail/jail.8
Modified: head/cddl/contrib/opensolaris/cmd/zfs/zfs.8
==============================================================================
--- head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Sun Feb 26 16:05:20 2012 (r232185)
+++ head/cddl/contrib/opensolaris/cmd/zfs/zfs.8 Sun Feb 26 16:30:39 2012 (r232186)
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 26, 2011
+.Dd February 26, 2012
.Dt ZFS 8
.Os
.Sh NAME
@@ -413,9 +413,15 @@ subcommand. You cannot attach a dataset
same dataset to another jails. To allow management of the dataset from within
a jail, the
.Sy jailed
-property has to be set. The
+property has to be set and the jail needs access to the
+.Pa /dev/zfs
+device. The
.Sy quota
-property cannot be changed from within a jail.
+property cannot be changed from within a jail. See
+.Xr jail 8
+for information on how to allow mounting
+.Tn ZFS
+datasets from within a jail.
.Pp
.No A Tn ZFS
dataset can be detached from a jail using the
@@ -2715,13 +2721,12 @@ to the jail identified by JID
From now on this file system tree can be managed from within a jail if the
.Sy jailed
property has been set. To use this functionality, the jail needs the
-.Va enforce_statfs
-parameter set to
-.Sy 0
-and the
.Va allow.mount
-parameter set to
-.Sy 1 .
+and
+.Va allow.mount.zfs
+parameters set to 1 and the
+.Va enforce_statfs
+parameter set to a value lower than 2.
.Pp
See
.Xr jail 8
Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Sun Feb 26 16:05:20 2012 (r232185)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c Sun Feb 26 16:30:39 2012 (r232186)
@@ -60,6 +60,7 @@
#include <sys/dmu_objset.h>
#include <sys/spa_boot.h>
#include <sys/sa.h>
+#include <sys/jail.h>
#include "zfs_comutil.h"
struct mtx zfs_debug_mtx;
@@ -1533,6 +1534,9 @@ zfs_mount(vfs_t *vfsp)
int error = 0;
int canwrite;
+ if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ZFS))
+ return (EPERM);
+
if (vfs_getopt(vfsp->mnt_optnew, "from", (void **)&osname, NULL))
return (EINVAL);
Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c Sun Feb 26 16:05:20 2012 (r232185)
+++ head/sys/kern/kern_jail.c Sun Feb 26 16:30:39 2012 (r232186)
@@ -203,6 +203,7 @@ static char *pr_allow_names[] = {
"allow.socket_af",
"allow.mount.devfs",
"allow.mount.nullfs",
+ "allow.mount.zfs",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -216,6 +217,7 @@ static char *pr_allow_nonames[] = {
"allow.nosocket_af",
"allow.mount.nodevfs",
"allow.mount.nonullfs",
+ "allow.mount.nozfs",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -4199,11 +4201,15 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo
SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount/unmount the devfs file system");
+ "Processes in jail can mount the devfs file system");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount/unmount the nullfs file system");
+ "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
+ "Processes in jail can mount the zfs file system");
static int
sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -4347,9 +4353,11 @@ SYSCTL_JAIL_PARAM_SUBNODE(allow, mount,
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount/unmount the devfs file system");
+ "B", "Jail may mount the devfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount/unmount the nullfs file system");
+ "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount the zfs file system");
void
prison_racct_foreach(void (*callback)(struct racct *racct,
Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Sun Feb 26 16:05:20 2012 (r232185)
+++ head/sys/sys/jail.h Sun Feb 26 16:30:39 2012 (r232186)
@@ -225,7 +225,8 @@ struct prison_racct {
#define PR_ALLOW_SOCKET_AF 0x0040
#define PR_ALLOW_MOUNT_DEVFS 0x0080
#define PR_ALLOW_MOUNT_NULLFS 0x0100
-#define PR_ALLOW_ALL 0x01ff
+#define PR_ALLOW_MOUNT_ZFS 0x0200
+#define PR_ALLOW_ALL 0x03ff
/*
* OSD methods
Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Sun Feb 26 16:05:20 2012 (r232185)
+++ head/usr.sbin/jail/jail.8 Sun Feb 26 16:30:39 2012 (r232186)
@@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 23, 2012
+.Dd February 26, 2012
.Dt JAIL 8
.Os
.Sh NAME
@@ -427,6 +427,17 @@ This permission is effective only togeth
and if
.Va enforce_statfs
is set to a value lower than 2.
+.It Va allow.mount.zfs
+privileged users inside the jail will be able to mount and unmount the
+ZFS file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2. See
+.Xr zfs 8
+for information on how to configure the ZFS filesystem to operate from
+within a jail.
.It Va allow.quotas
The prison root may administer quotas on the jail's filesystem(s).
This includes filesystems that the jail may share with other jails or
More information about the svn-src-all
mailing list