
D37637.id114022.diff

diff --git a/sys/kern/kern_jail.c.vnet b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c.vnet
+++ b/sys/kern/kern_jail.c
@@ -218,6 +218,7 @@
{"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug",
PR_ALLOW_UNPRIV_DEBUG},
{"allow.suser", "allow.nosuser", PR_ALLOW_SUSER},
+ {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -3464,6 +3465,29 @@
}
/*
+ * For mountd/nfsd to run within a prison, it must be:
+ * - A vnet prison.
+ * - PR_ALLOW_NFSD must be set on it.
+ * - The root directory (pr_root) of the prison must be
+ * a file system mount point, so the mountd can hang
+ * export information on it.
+ */
+bool
+prison_check_nfsd(struct ucred *cred)
+{
+
+ if (!jailed(cred))
+ return (false);
+ if (jailed_without_vnet(cred))
+ return (false);
+ if (!prison_allow(cred, PR_ALLOW_NFSD))
+ return (false);
+ if ((cred->cr_prison->pr_root->v_vflag & VV_ROOT) == 0)
+ return (false);
+ return (true);
+}
+
+/*
* Return 1 if p2 is a child of p1, otherwise 0.
*/
int
@@ -3717,11 +3741,20 @@
* is only granted conditionally in the legacy jail case.
*/
switch (priv) {
-#ifdef notyet
/*
* NFS-specific privileges.
*/
case PRIV_NFS_DAEMON:
+ case PRIV_VFS_GETFH:
+#ifdef VNET_NFSD
+ if (!prison_allow(cred, PR_ALLOW_NFSD) ||
+ (cred->cr_prison->pr_root->v_vflag & VV_ROOT) == 0)
+#else
+ printf("running nfsd in a prison requires a kernel "
+ "built with ''options VNET_NFSD''\n");
+#endif
+ return (EPERM);
+#ifdef notyet
case PRIV_NFS_LOCKD:
#endif
/*
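Review bot: The `PRIV_NFS_DAEMON`/`PRIV_VFS_GETFH` case repeats two of the tests from `prison_check_nfsd()` but omits `jailed_without_vnet(cred)`, so as far as this hunk shows, a non-vnet jail with `allow.nfsd` set would pass the privilege check even though the comment on `prison_check_nfsd()` says a vnet prison is required. Calling the helper keeps the two in agreement: `if (!prison_check_nfsd(cred)) return (EPERM);`. In the `#else` branch the `printf()` runs on every denied check with no rate limit; if this check is reachable from ordinary jailed processes (for example through `getfh(2)`, which should be confirmed), a jail could flood the console and message buffer, so the message is better dropped or printed once. The enclosing switch starts and ends outside the hunk.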
@@ -4472,6 +4505,8 @@
"B", "Unprivileged processes may use process debugging facilities");
SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
"B", "Processes in jail with uid 0 have privilege");
+SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Mountd/nfsd may run in the jail");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h.vnet b/sys/sys/jail.h
--- a/sys/sys/jail.h.vnet
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@
#define PR_ALLOW_SUSER 0x00000400
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
-#define PR_ALLOW_ALL_STATIC 0x000187ff
+#define PR_ALLOW_NFSD 0x00020000
+#define PR_ALLOW_ALL_STATIC 0x000387ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
@@ -420,6 +421,7 @@
void prison0_init(void);
int prison_allow(struct ucred *, unsigned);
int prison_check(struct ucred *cred1, struct ucred *cred2);
+bool prison_check_nfsd(struct ucred *cred);
int prison_owns_vnet(struct ucred *);
int prison_canseemount(struct ucred *cred, struct mount *mp);
void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
