Index: cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c =================================================================== --- cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c +++ cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c @@ -1640,9 +1640,6 @@ osname = spn.pn_path; #else /* !illumos */ - if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ZFS)) - return (SET_ERROR(EPERM)); - if (vfs_getopt(vfsp->mnt_optnew, "from", (void **)&osname, NULL)) return (SET_ERROR(EINVAL)); Index: compat/linprocfs/linprocfs.c =================================================================== --- compat/linprocfs/linprocfs.c +++ compat/linprocfs/linprocfs.c @@ -1652,7 +1652,7 @@ return (0); } -PSEUDOFS(linprocfs, 1, PR_ALLOW_MOUNT_LINPROCFS); +PSEUDOFS(linprocfs, 1, VFCF_JAIL); #if defined(__amd64__) MODULE_DEPEND(linprocfs, linux_common, 1, 1, 1); #else Index: compat/linsysfs/linsysfs.c =================================================================== --- compat/linsysfs/linsysfs.c +++ compat/linsysfs/linsysfs.c @@ -556,7 +556,7 @@ return (0); } -PSEUDOFS(linsysfs, 1, PR_ALLOW_MOUNT_LINSYSFS); +PSEUDOFS(linsysfs, 1, VFCF_JAIL); #if defined(__amd64__) MODULE_DEPEND(linsysfs, linux_common, 1, 1, 1); #else Index: fs/devfs/devfs_vfsops.c =================================================================== --- fs/devfs/devfs_vfsops.c +++ fs/devfs/devfs_vfsops.c @@ -83,9 +83,6 @@ if (mp->mnt_flag & MNT_ROOTFS) return (EOPNOTSUPP); - if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_DEVFS)) - return (EPERM); - rsnum = 0; injail = jailed(td->td_ucred); Index: fs/fdescfs/fdesc_vfsops.c =================================================================== --- fs/fdescfs/fdesc_vfsops.c +++ fs/fdescfs/fdesc_vfsops.c @@ -81,13 +81,9 @@ fdesc_mount(struct mount *mp) { struct fdescmount *fmp; - struct thread *td = curthread; struct vnode *rvp; int error; - if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS)) - return (EPERM); - /* * Update is a no-op */ Index: fs/nullfs/null_vfsops.c =================================================================== --- fs/nullfs/null_vfsops.c +++ fs/nullfs/null_vfsops.c @@ -78,7 +78,6 @@ struct vnode *lowerrootvp, *vp; struct vnode *nullm_rootvp; struct null_mount *xmp; - struct thread *td = curthread; char *target; int isvnunlocked = 0, len; struct nameidata nd, *ndp = &nd; @@ -85,8 +84,6 @@ NULLFSDEBUG("nullfs_mount(mp = %p)\n", (void *)mp); - if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_NULLFS)) - return (EPERM); if (mp->mnt_flag & MNT_ROOTFS) return (EOPNOTSUPP); Index: fs/procfs/procfs.c =================================================================== --- fs/procfs/procfs.c +++ fs/procfs/procfs.c @@ -208,4 +208,4 @@ return (0); } -PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS); +PSEUDOFS(procfs, 1, VFCF_JAIL); Index: fs/pseudofs/pseudofs.h =================================================================== --- fs/pseudofs/pseudofs.h +++ fs/pseudofs/pseudofs.h @@ -272,7 +272,7 @@ /* * Now for some initialization magic... */ -#define PSEUDOFS(name, version, jflag) \ +#define PSEUDOFS(name, version, flags) \ \ static struct pfs_info name##_info = { \ #name, \ @@ -282,8 +282,6 @@ \ static int \ _##name##_mount(struct mount *mp) { \ - if (jflag && !prison_allow(curthread->td_ucred, jflag)) \ - return (EPERM); \ return (pfs_mount(&name##_info, mp)); \ } \ \ @@ -306,7 +304,7 @@ .vfs_uninit = _##name##_uninit, \ .vfs_unmount = pfs_unmount, \ }; \ -VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0)); \ +VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | flags); \ MODULE_VERSION(name, version); \ MODULE_DEPEND(name, pseudofs, 1, 1, 1); Index: fs/tmpfs/tmpfs_vfsops.c =================================================================== --- fs/tmpfs/tmpfs_vfsops.c +++ fs/tmpfs/tmpfs_vfsops.c @@ -141,7 +141,6 @@ sizeof(struct tmpfs_dirent) + sizeof(struct tmpfs_node)); struct tmpfs_mount *tmp; struct tmpfs_node *root; - struct thread *td = curthread; int error; bool nonc; /* Size counters. */ @@ -155,9 +154,6 @@ struct vattr va; - if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_TMPFS)) - return (EPERM); - if (vfs_filteropt(mp->mnt_optnew, tmpfs_opts)) return (EINVAL); Index: kern/kern_jail.c =================================================================== --- kern/kern_jail.c +++ kern/kern_jail.c @@ -111,7 +111,7 @@ #else .pr_flags = PR_HOST|_PR_IP_SADDRSEL, #endif - .pr_allow = PR_ALLOW_ALL, + .pr_allow = PR_ALLOW_ALL_STATIC, }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); @@ -185,7 +185,7 @@ }; const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys); -static char *pr_allow_names[] = { +static char *pr_allow_names[NBBY * NBPW] = { "allow.set_hostname", "allow.sysvipc", "allow.raw_sockets", @@ -193,19 +193,11 @@ "allow.mount", "allow.quotas", "allow.socket_af", - "allow.mount.devfs", - "allow.mount.nullfs", - "allow.mount.zfs", - "allow.mount.procfs", - "allow.mount.tmpfs", - "allow.mount.fdescfs", - "allow.mount.linprocfs", - "allow.mount.linsysfs", - "allow.reserved_ports", + [15] = "allow.reserved_ports", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); -static char *pr_allow_nonames[] = { +static char *pr_allow_nonames[NBBY * NBPW] = { "allow.noset_hostname", "allow.nosysvipc", "allow.noraw_sockets", @@ -213,15 +205,7 @@ "allow.nomount", "allow.noquotas", "allow.nosocket_af", - "allow.mount.nodevfs", - "allow.mount.nonullfs", - "allow.mount.nozfs", - "allow.mount.noprocfs", - "allow.mount.notmpfs", - "allow.mount.nofdescfs", - "allow.mount.nolinprocfs", - "allow.mount.nolinsysfs", - "allow.noreserved_ports", + [15] = "allow.noreserved_ports", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -337,6 +321,8 @@ /* Set permissions for top-level jails from sysctls. */ if (!jailed(td->td_ucred)) { for (fi = 0; fi < nitems(pr_allow_names); fi++) { + if (pr_allow_names[fi] == NULL) + continue; optiov[opt.uio_iovcnt].iov_base = (jail_default_allow & (1 << fi)) ? pr_allow_names[fi] : pr_allow_nonames[fi]; @@ -669,6 +655,8 @@ pr_allow = ch_allow = 0; for (fi = 0; fi < nitems(pr_allow_names); fi++) { + if (pr_allow_names[fi] == NULL) + continue; vfs_flagopt(opts, pr_allow_names[fi], &pr_allow, 1 << fi); vfs_flagopt(opts, pr_allow_nonames[fi], &ch_allow, 1 << fi); } @@ -3621,38 +3609,6 @@ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", "Processes in jail can mount/unmount jail-friendly file systems (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the devfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the fdescfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the nullfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the procfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the linprocfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the linsysfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the tmpfs file system (deprecated)"); -SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", - "Processes in jail can mount the zfs file system (deprecated)"); static int sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) @@ -3805,23 +3761,101 @@ SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount/unmount jail-friendly file systems in general"); -SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the devfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the fdescfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the nullfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the procfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the linprocfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the linsysfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the tmpfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may mount the zfs file system"); +/* + * The VFS system will register jail-aware filesystems here. They each get + * a parameter allow.mount.xxxfs and a flag to check when a jailed user + * attempts to mount. + */ +void +prison_add_vfs(struct vfsconf *vfsp) +{ + char *allow_name, *allow_noname, *mount_allowed; +#ifndef NO_SYSCTL_DESCR + char *descr; +#endif + int fi; + unsigned flag; + + if (asprintf(&allow_name, M_PRISON, "allow.mount.%s", vfsp->vfc_name) < + 0 || asprintf(&allow_noname, M_PRISON, "allow.mount.no%s", + vfsp->vfc_name) < 0) { + free(allow_name, M_PRISON); + return; + } + + /* + * See if this parameter has already beed added, i.e. if the filesystem + * was previously loaded/unloaded. + */ + mtx_lock(&prison0.pr_mtx); + for (fi = 0; fi < nitems(pr_allow_names); fi++) { + if (pr_allow_names[fi] != NULL && + strcmp(pr_allow_names[fi], allow_name) == 0) { + vfsp->vfc_prison_flag = 1 << fi; + goto no_add; + } + } + + /* + * Find a free bit in prison0's pr_allow, failing if there are none + * (which shouldn't happen as long as we keep track of how many + * filesystems are jail-aware). + */ + for (fi = 0, flag = 1;; fi++, flag <<= 1) { + if (flag == 0) + goto no_add; + if ((prison0.pr_allow & flag) == 0) + break; + } + prison0.pr_allow |= flag; + vfsp->vfc_prison_flag = flag; + /* Set pr_allow_nonames first so code that checks pr_allow_names can + * do so without locking. + */ + pr_allow_nonames[fi] = allow_noname; + pr_allow_names[fi] = allow_name; + mtx_unlock(&prison0.pr_mtx); + + /* + * Create sysctls for the paramter, and the back-compat global + * permission. + */ +#ifndef NO_SYSCTL_DESCR + (void)asprintf(&descr, M_TEMP, "Jail may mount the %s file system", + vfsp->vfc_name); +#endif + (void)SYSCTL_ADD_PROC(NULL, + SYSCTL_CHILDREN(&sysctl___security_jail_param_allow_mount), + OID_AUTO, vfsp->vfc_name, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, 0, sysctl_jail_param, "B", descr); +#ifndef NO_SYSCTL_DESCR + free(descr, M_TEMP); +#endif + if (asprintf(&mount_allowed, M_TEMP, "mount_%s_allowed", + vfsp->vfc_name) >= 0) { +#ifndef NO_SYSCTL_DESCR + (void)asprintf(&descr, M_TEMP, + "Processes in jail can mount the %s file system (deprecated)", + vfsp->vfc_name); +#endif + (void)SYSCTL_ADD_PROC(NULL, + SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO, + mount_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, flag, sysctl_jail_default_allow, "I", descr); +#ifndef NO_SYSCTL_DESCR + free(descr, M_TEMP); +#endif + free(mount_allowed, M_TEMP); + } + return; + + no_add: + mtx_unlock(&prison0.pr_mtx); + free(allow_name, M_PRISON); + free(allow_noname, M_PRISON); +} + #ifdef RACCT void prison_racct_foreach(void (*callback)(struct racct *racct, Index: kern/vfs_init.c =================================================================== --- kern/vfs_init.c +++ kern/vfs_init.c @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -276,7 +277,10 @@ vfsops->vfs_extattrctl = vfs_stdextattrctl; if (vfsops->vfs_sysctl == NULL) vfsops->vfs_sysctl = vfs_stdsysctl; - + + if (vfc->vfc_flags & VFCF_JAIL) + prison_add_vfs(vfc); + /* * Call init function for this VFS... */ Index: kern/vfs_mount.c =================================================================== --- kern/vfs_mount.c +++ kern/vfs_mount.c @@ -788,6 +788,16 @@ KASSERT((fsflags & MNT_UPDATE) == 0, ("MNT_UPDATE shouldn't be here")); /* + * If the jail of the calling thread lacks permission for this type of + * file system, deny immediately. + */ + if (jailed(td->td_ucred) && !prison_allow(td->td_ucred, + vfsp->vfc_prison_flag)) { + vput(vp); + return (EPERM); + } + + /* * If the user is not root, ensure that they own the directory * onto which we are attempting to mount. */ @@ -1094,8 +1104,6 @@ vfsp = vfs_byname_kld(fstype, td, &error); if (vfsp == NULL) return (ENODEV); - if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL)) - return (EPERM); } /* Index: kern/vfs_subr.c =================================================================== --- kern/vfs_subr.c +++ kern/vfs_subr.c @@ -684,19 +684,21 @@ { int error; - /* - * If the thread is jailed, but this is not a jail-friendly file - * system, deny immediately. - */ - if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred)) - return (EPERM); + if (jailed(td->td_ucred)) { + /* + * If the jail of the calling thread lacks permission for + * this type of file system, deny immediately. + */ + if (!prison_allow(td->td_ucred, mp->mnt_vfc->vfc_prison_flag)) + return (EPERM); - /* - * If the file system was mounted outside the jail of the calling - * thread, deny immediately. - */ - if (prison_check(td->td_ucred, mp->mnt_cred) != 0) - return (EPERM); + /* + * If the file system was mounted outside the jail of the + * calling thread, deny immediately. + */ + if (prison_check(td->td_ucred, mp->mnt_cred) != 0) + return (EPERM); + } /* * If file system supports delegated administration, we don't check Index: sys/jail.h =================================================================== --- sys/jail.h +++ sys/jail.h @@ -216,7 +216,10 @@ #define PR_IP6 0x04000000 /* IPv6 restricted or disabled */ /* by this jail or an ancestor */ -/* Flags for pr_allow */ +/* + * Flags for pr_allow + * Bits not noted here may be used for dynamic allow.mount.xxxfs. + */ #define PR_ALLOW_SET_HOSTNAME 0x00000001 #define PR_ALLOW_SYSVIPC 0x00000002 #define PR_ALLOW_RAW_SOCKETS 0x00000004 @@ -224,17 +227,9 @@ #define PR_ALLOW_MOUNT 0x00000010 #define PR_ALLOW_QUOTAS 0x00000020 #define PR_ALLOW_SOCKET_AF 0x00000040 -#define PR_ALLOW_MOUNT_DEVFS 0x00000080 -#define PR_ALLOW_MOUNT_NULLFS 0x00000100 -#define PR_ALLOW_MOUNT_ZFS 0x00000200 -#define PR_ALLOW_MOUNT_PROCFS 0x00000400 -#define PR_ALLOW_MOUNT_TMPFS 0x00000800 -#define PR_ALLOW_MOUNT_FDESCFS 0x00001000 -#define PR_ALLOW_MOUNT_LINPROCFS 0x00002000 -#define PR_ALLOW_MOUNT_LINSYSFS 0x00004000 #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ -#define PR_ALLOW_ALL 0x0001ffff +#define PR_ALLOW_ALL_STATIC 0x0001807f /* * OSD methods @@ -364,6 +359,7 @@ struct mount; struct sockaddr; struct statfs; +struct vfsconf; int jailed(struct ucred *cred); int jailed_without_vnet(struct ucred *); void getcredhostname(struct ucred *, char *, size_t); @@ -413,6 +409,7 @@ char *prison_name(struct prison *, struct prison *); int prison_priv_check(struct ucred *cred, int priv); int sysctl_jail_param(SYSCTL_HANDLER_ARGS); +void prison_add_vfs(struct vfsconf *vfsp); void prison_racct_foreach(void (*callback)(struct racct *racct, void *arg2, void *arg3), void (*pre)(void), void (*post)(void), void *arg2, void *arg3); Index: sys/mount.h =================================================================== --- sys/mount.h +++ sys/mount.h @@ -516,6 +516,7 @@ int vfc_typenum; /* historic filesystem type number */ int vfc_refcount; /* number mounted of this type */ int vfc_flags; /* permanent flags */ + int vfc_prison_flag; /* prison allow.mount.* flag */ struct vfsoptdecl *vfc_opts; /* mount options */ TAILQ_ENTRY(vfsconf) vfc_list; /* list of vfscons */ }; Index: sys/param.h =================================================================== --- sys/param.h +++ sys/param.h @@ -60,7 +60,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 1200060 /* Master, propagated to newvers */ +#define __FreeBSD_version 1200061 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,