D14681.id40400.diff
Index: cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
===================================================================
--- cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
+++ cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c
@@ -1640,9 +1640,6 @@
osname = spn.pn_path;
#else /* !illumos */
- if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ZFS))
- return (SET_ERROR(EPERM));
-
if (vfs_getopt(vfsp->mnt_optnew, "from", (void **)&osname, NULL))
return (SET_ERROR(EINVAL));
Index: compat/linprocfs/linprocfs.c
===================================================================
--- compat/linprocfs/linprocfs.c
+++ compat/linprocfs/linprocfs.c
@@ -1652,7 +1652,7 @@
return (0);
}
-PSEUDOFS(linprocfs, 1, PR_ALLOW_MOUNT_LINPROCFS);
+PSEUDOFS(linprocfs, 1, VFCF_JAIL);
#if defined(__amd64__)
MODULE_DEPEND(linprocfs, linux_common, 1, 1, 1);
#else
Index: compat/linsysfs/linsysfs.c
===================================================================
--- compat/linsysfs/linsysfs.c
+++ compat/linsysfs/linsysfs.c
@@ -556,7 +556,7 @@
return (0);
}
-PSEUDOFS(linsysfs, 1, PR_ALLOW_MOUNT_LINSYSFS);
+PSEUDOFS(linsysfs, 1, VFCF_JAIL);
#if defined(__amd64__)
MODULE_DEPEND(linsysfs, linux_common, 1, 1, 1);
#else
Index: fs/devfs/devfs_vfsops.c
===================================================================
--- fs/devfs/devfs_vfsops.c
+++ fs/devfs/devfs_vfsops.c
@@ -83,9 +83,6 @@
if (mp->mnt_flag & MNT_ROOTFS)
return (EOPNOTSUPP);
- if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_DEVFS))
- return (EPERM);
-
rsnum = 0;
injail = jailed(td->td_ucred);
Index: fs/fdescfs/fdesc_vfsops.c
===================================================================
--- fs/fdescfs/fdesc_vfsops.c
+++ fs/fdescfs/fdesc_vfsops.c
@@ -81,13 +81,9 @@
fdesc_mount(struct mount *mp)
{
struct fdescmount *fmp;
- struct thread *td = curthread;
struct vnode *rvp;
int error;
- if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
- return (EPERM);
-
/*
* Update is a no-op
*/
Index: fs/nullfs/null_vfsops.c
===================================================================
--- fs/nullfs/null_vfsops.c
+++ fs/nullfs/null_vfsops.c
@@ -78,7 +78,6 @@
struct vnode *lowerrootvp, *vp;
struct vnode *nullm_rootvp;
struct null_mount *xmp;
- struct thread *td = curthread;
char *target;
int isvnunlocked = 0, len;
struct nameidata nd, *ndp = &nd;
@@ -85,8 +84,6 @@
NULLFSDEBUG("nullfs_mount(mp = %p)\n", (void *)mp);
- if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_NULLFS))
- return (EPERM);
if (mp->mnt_flag & MNT_ROOTFS)
return (EOPNOTSUPP);
Index: fs/procfs/procfs.c
===================================================================
--- fs/procfs/procfs.c
+++ fs/procfs/procfs.c
@@ -208,4 +208,4 @@
return (0);
}
-PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS);
+PSEUDOFS(procfs, 1, VFCF_JAIL);
Index: fs/pseudofs/pseudofs.h
===================================================================
--- fs/pseudofs/pseudofs.h
+++ fs/pseudofs/pseudofs.h
@@ -272,7 +272,7 @@
/*
* Now for some initialization magic...
*/
-#define PSEUDOFS(name, version, jflag) \
+#define PSEUDOFS(name, version, flags) \
\
static struct pfs_info name##_info = { \
#name, \
@@ -282,8 +282,6 @@
\
static int \
_##name##_mount(struct mount *mp) { \
- if (jflag && !prison_allow(curthread->td_ucred, jflag)) \
- return (EPERM); \
return (pfs_mount(&name##_info, mp)); \
} \
\
@@ -306,7 +304,7 @@
.vfs_uninit = _##name##_uninit, \
.vfs_unmount = pfs_unmount, \
}; \
-VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0)); \
+VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | flags); \
MODULE_VERSION(name, version); \
MODULE_DEPEND(name, pseudofs, 1, 1, 1);
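Review bot: `flags` is expanded unparenthesized in `VFCF_SYNTHETIC | flags`, so a caller passing a compound expression (say `cond ? VFCF_JAIL : 0`) would bind differently than intended; the usual macro hygiene is `VFCF_SYNTHETIC | (flags)`. The three callers in this diff each pass a single constant, so nothing misbehaves today. The `_##name##_mount` wrapper in the preceding hunk is now a plain forwarder to `pfs_mount`, which is fine, but the "initialization magic" comment above the macro could state that `flags` is ORed into the `VFS_SET` flags and that `VFCF_JAIL` is what makes the filesystem register an `allow.mount.<name>` jail parameter.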
Index: fs/tmpfs/tmpfs_vfsops.c
===================================================================
--- fs/tmpfs/tmpfs_vfsops.c
+++ fs/tmpfs/tmpfs_vfsops.c
@@ -141,7 +141,6 @@
sizeof(struct tmpfs_dirent) + sizeof(struct tmpfs_node));
struct tmpfs_mount *tmp;
struct tmpfs_node *root;
- struct thread *td = curthread;
int error;
bool nonc;
/* Size counters. */
@@ -155,9 +154,6 @@
struct vattr va;
- if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_TMPFS))
- return (EPERM);
-
if (vfs_filteropt(mp->mnt_optnew, tmpfs_opts))
return (EINVAL);
Index: kern/kern_jail.c
===================================================================
--- kern/kern_jail.c
+++ kern/kern_jail.c
@@ -111,7 +111,7 @@
#else
.pr_flags = PR_HOST|_PR_IP_SADDRSEL,
#endif
- .pr_allow = PR_ALLOW_ALL,
+ .pr_allow = PR_ALLOW_ALL_STATIC,
};
MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);
@@ -185,7 +185,7 @@
};
const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys);
-static char *pr_allow_names[] = {
+static char *pr_allow_names[NBBY * NBPW] = {
"allow.set_hostname",
"allow.sysvipc",
"allow.raw_sockets",
@@ -193,19 +193,11 @@
"allow.mount",
"allow.quotas",
"allow.socket_af",
- "allow.mount.devfs",
- "allow.mount.nullfs",
- "allow.mount.zfs",
- "allow.mount.procfs",
- "allow.mount.tmpfs",
- "allow.mount.fdescfs",
- "allow.mount.linprocfs",
- "allow.mount.linsysfs",
- "allow.reserved_ports",
+ [15] = "allow.reserved_ports",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
-static char *pr_allow_nonames[] = {
+static char *pr_allow_nonames[NBBY * NBPW] = {
"allow.noset_hostname",
"allow.nosysvipc",
"allow.noraw_sockets",
@@ -213,15 +205,7 @@
"allow.nomount",
"allow.noquotas",
"allow.nosocket_af",
- "allow.mount.nodevfs",
- "allow.mount.nonullfs",
- "allow.mount.nozfs",
- "allow.mount.noprocfs",
- "allow.mount.notmpfs",
- "allow.mount.nofdescfs",
- "allow.mount.nolinprocfs",
- "allow.mount.nolinsysfs",
- "allow.noreserved_ports",
+ [15] = "allow.noreserved_ports",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -337,6 +321,8 @@
/* Set permissions for top-level jails from sysctls. */
if (!jailed(td->td_ucred)) {
for (fi = 0; fi < nitems(pr_allow_names); fi++) {
+ if (pr_allow_names[fi] == NULL)
+ continue;
optiov[opt.uio_iovcnt].iov_base =
(jail_default_allow & (1 << fi))
? pr_allow_names[fi] : pr_allow_nonames[fi];
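Review bot: `1 << fi` is a signed `int` shift, and now that `pr_allow_names` has `NBBY * NBPW` entries `fi` can reach 31, where `1 << 31` overflows a signed int (undefined behaviour in C, a negative value where it wraps). The same expression appears in the next hunk (`vfs_flagopt(opts, ..., 1 << fi)`) and in `prison_add_vfs` (`vfsp->vfc_prison_flag = 1 << fi`), while sys/mount.h adds `vfc_prison_flag` as a plain `int` even though, as far as I recall, `prison_allow()` takes an `unsigned` flag and `pr_allow` is unsigned. Use `1U << fi` at all three sites and declare `vfc_prison_flag` as `unsigned` so the whole flag path stays in unsigned arithmetic, matching the `unsigned flag` local already used in `prison_add_vfs`.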
@@ -669,6 +655,8 @@
pr_allow = ch_allow = 0;
for (fi = 0; fi < nitems(pr_allow_names); fi++) {
+ if (pr_allow_names[fi] == NULL)
+ continue;
vfs_flagopt(opts, pr_allow_names[fi], &pr_allow, 1 << fi);
vfs_flagopt(opts, pr_allow_nonames[fi], &ch_allow, 1 << fi);
}
@@ -3621,38 +3609,6 @@
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
"Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the devfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the fdescfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the nullfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the procfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the linprocfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the linsysfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the tmpfs file system (deprecated)");
-SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the zfs file system (deprecated)");
static int
sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -3805,23 +3761,101 @@
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
-SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the devfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the fdescfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the nullfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the procfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the linprocfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the linsysfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the tmpfs file system");
-SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the zfs file system");
+/*
+ * The VFS system will register jail-aware filesystems here. They each get
+ * a parameter allow.mount.xxxfs and a flag to check when a jailed user
+ * attempts to mount.
+ */
+void
+prison_add_vfs(struct vfsconf *vfsp)
+{
+ char *allow_name, *allow_noname, *mount_allowed;
+#ifndef NO_SYSCTL_DESCR
+ char *descr;
+#endif
+ int fi;
+ unsigned flag;
+
+ if (asprintf(&allow_name, M_PRISON, "allow.mount.%s", vfsp->vfc_name) <
+ 0 || asprintf(&allow_noname, M_PRISON, "allow.mount.no%s",
+ vfsp->vfc_name) < 0) {
+ free(allow_name, M_PRISON);
+ return;
+ }
+
+ /*
+ * See if this parameter has already beed added, i.e. if the filesystem
+ * was previously loaded/unloaded.
+ */
+ mtx_lock(&prison0.pr_mtx);
+ for (fi = 0; fi < nitems(pr_allow_names); fi++) {
+ if (pr_allow_names[fi] != NULL &&
+ strcmp(pr_allow_names[fi], allow_name) == 0) {
+ vfsp->vfc_prison_flag = 1 << fi;
+ goto no_add;
+ }
+ }
+
+ /*
+ * Find a free bit in prison0's pr_allow, failing if there are none
+ * (which shouldn't happen as long as we keep track of how many
+ * filesystems are jail-aware).
+ */
+ for (fi = 0, flag = 1;; fi++, flag <<= 1) {
+ if (flag == 0)
+ goto no_add;
+ if ((prison0.pr_allow & flag) == 0)
+ break;
+ }
+ prison0.pr_allow |= flag;
+ vfsp->vfc_prison_flag = flag;
+ /* Set pr_allow_nonames first so code that checks pr_allow_names can
+ * do so without locking.
+ */
+ pr_allow_nonames[fi] = allow_noname;
+ pr_allow_names[fi] = allow_name;
+ mtx_unlock(&prison0.pr_mtx);
+
+ /*
+ * Create sysctls for the paramter, and the back-compat global
+ * permission.
+ */
+#ifndef NO_SYSCTL_DESCR
+ (void)asprintf(&descr, M_TEMP, "Jail may mount the %s file system",
+ vfsp->vfc_name);
+#endif
+ (void)SYSCTL_ADD_PROC(NULL,
+ SYSCTL_CHILDREN(&sysctl___security_jail_param_allow_mount),
+ OID_AUTO, vfsp->vfc_name, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, 0, sysctl_jail_param, "B", descr);
+#ifndef NO_SYSCTL_DESCR
+ free(descr, M_TEMP);
+#endif
+ if (asprintf(&mount_allowed, M_TEMP, "mount_%s_allowed",
+ vfsp->vfc_name) >= 0) {
+#ifndef NO_SYSCTL_DESCR
+ (void)asprintf(&descr, M_TEMP,
+ "Processes in jail can mount the %s file system (deprecated)",
+ vfsp->vfc_name);
+#endif
+ (void)SYSCTL_ADD_PROC(NULL,
+ SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO,
+ mount_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, flag, sysctl_jail_default_allow, "I", descr);
+#ifndef NO_SYSCTL_DESCR
+ free(descr, M_TEMP);
+#endif
+ free(mount_allowed, M_TEMP);
+ }
+ return;
+
+ no_add:
+ mtx_unlock(&prison0.pr_mtx);
+ free(allow_name, M_PRISON);
+ free(allow_noname, M_PRISON);
+}
+
#ifdef RACCT
void
prison_racct_foreach(void (*callback)(struct racct *racct,
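Review bot: The store ordering the comment at `pr_allow_nonames[fi] = allow_noname;` relies on is not enforced: the lockless readers in the earlier hunks test `pr_allow_names[fi] != NULL` and then use `pr_allow_nonames[fi]`, but nothing prevents the compiler or a weakly-ordered CPU from making the `pr_allow_names[fi]` store visible first, so a reader could see a non-NULL name with a still-NULL noname; publishing `pr_allow_names[fi]` with a release store (`atomic_store_rel_ptr`) and reading it with an acquire load, or taking `prison0.pr_mtx` in those readers, would give the comment teeth. Both failure branches (an `asprintf` failure and the no-free-bit case) return silently leaving `vfc_prison_flag` untouched, which is fail-closed for jails but invisible to the administrator — a `printf("prison_add_vfs: no allow.mount bit for %s\n", vfsp->vfc_name);` on the `flag == 0` path would surface it. The two `(void)asprintf(&descr, ...)` calls are unchecked, so on failure `descr` is NULL or unset when handed to `SYSCTL_ADD_PROC`; please confirm `sysctl_add_oid` tolerates a NULL description, or initialise `descr = NULL` and skip the `free` when it was never allocated. The comments also carry typos (`beed`, `paramter`).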
Index: kern/vfs_init.c
===================================================================
--- kern/vfs_init.c
+++ kern/vfs_init.c
@@ -42,6 +42,7 @@
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/fnv_hash.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/linker.h>
#include <sys/mount.h>
@@ -276,7 +277,10 @@
vfsops->vfs_extattrctl = vfs_stdextattrctl;
if (vfsops->vfs_sysctl == NULL)
vfsops->vfs_sysctl = vfs_stdsysctl;
-
+
+ if (vfc->vfc_flags & VFCF_JAIL)
+ prison_add_vfs(vfc);
+
/*
* Call init function for this VFS...
*/
Index: kern/vfs_mount.c
===================================================================
--- kern/vfs_mount.c
+++ kern/vfs_mount.c
@@ -788,6 +788,16 @@
KASSERT((fsflags & MNT_UPDATE) == 0, ("MNT_UPDATE shouldn't be here"));
/*
+ * If the jail of the calling thread lacks permission for this type of
+ * file system, deny immediately.
+ */
+ if (jailed(td->td_ucred) && !prison_allow(td->td_ucred,
+ vfsp->vfc_prison_flag)) {
+ vput(vp);
+ return (EPERM);
+ }
+
+ /*
* If the user is not root, ensure that they own the directory
* onto which we are attempting to mount.
*/
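Review bot: The new check is only equivalent to the `VFCF_JAIL` test it replaces (removed in the next hunk) because a filesystem that never went through `prison_add_vfs()` — or whose registration failed — has `vfc_prison_flag == 0`, and `prison_allow(cred, 0)` then evaluates to false; that fail-closed dependency is stated nowhere, and the `vfs_suser` hunk in kern/vfs_subr.c relies on it in the same way. Extend the comment with `* Filesystems that are not jail-aware (or failed to register) have a zero vfc_prison_flag, and prison_allow() rejects a zero flag, so they are denied here as before.` The enclosing function starts and ends outside the hunk, so I have not been able to confirm that the `vput(vp)` on this path matches the other error exits around it — presumably the ownership check that follows does the same.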
@@ -1094,8 +1104,6 @@
vfsp = vfs_byname_kld(fstype, td, &error);
if (vfsp == NULL)
return (ENODEV);
- if (jailed(td->td_ucred) && !(vfsp->vfc_flags & VFCF_JAIL))
- return (EPERM);
}
/*
Index: kern/vfs_subr.c
===================================================================
--- kern/vfs_subr.c
+++ kern/vfs_subr.c
@@ -684,19 +684,21 @@
{
int error;
- /*
- * If the thread is jailed, but this is not a jail-friendly file
- * system, deny immediately.
- */
- if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred))
- return (EPERM);
+ if (jailed(td->td_ucred)) {
+ /*
+ * If the jail of the calling thread lacks permission for
+ * this type of file system, deny immediately.
+ */
+ if (!prison_allow(td->td_ucred, mp->mnt_vfc->vfc_prison_flag))
+ return (EPERM);
- /*
- * If the file system was mounted outside the jail of the calling
- * thread, deny immediately.
- */
- if (prison_check(td->td_ucred, mp->mnt_cred) != 0)
- return (EPERM);
+ /*
+ * If the file system was mounted outside the jail of the
+ * calling thread, deny immediately.
+ */
+ if (prison_check(td->td_ucred, mp->mnt_cred) != 0)
+ return (EPERM);
+ }
/*
* If file system supports delegated administration, we don't check
Index: sys/jail.h
===================================================================
--- sys/jail.h
+++ sys/jail.h
@@ -216,7 +216,10 @@
#define PR_IP6 0x04000000 /* IPv6 restricted or disabled */
/* by this jail or an ancestor */
-/* Flags for pr_allow */
+/*
+ * Flags for pr_allow
+ * Bits not noted here may be used for dynamic allow.mount.xxxfs.
+ */
#define PR_ALLOW_SET_HOSTNAME 0x00000001
#define PR_ALLOW_SYSVIPC 0x00000002
#define PR_ALLOW_RAW_SOCKETS 0x00000004
@@ -224,17 +227,9 @@
#define PR_ALLOW_MOUNT 0x00000010
#define PR_ALLOW_QUOTAS 0x00000020
#define PR_ALLOW_SOCKET_AF 0x00000040
-#define PR_ALLOW_MOUNT_DEVFS 0x00000080
-#define PR_ALLOW_MOUNT_NULLFS 0x00000100
-#define PR_ALLOW_MOUNT_ZFS 0x00000200
-#define PR_ALLOW_MOUNT_PROCFS 0x00000400
-#define PR_ALLOW_MOUNT_TMPFS 0x00000800
-#define PR_ALLOW_MOUNT_FDESCFS 0x00001000
-#define PR_ALLOW_MOUNT_LINPROCFS 0x00002000
-#define PR_ALLOW_MOUNT_LINSYSFS 0x00004000
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
-#define PR_ALLOW_ALL 0x0001ffff
+#define PR_ALLOW_ALL_STATIC 0x0001807f
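Review bot: `PR_ALLOW_ALL_STATIC` (0x0001807f) is now the only thing keeping the dynamic allocator in `prison_add_vfs()` off bits 15 and 16, since that function hands out the first bit clear in `prison0.pr_allow`; a future static `PR_ALLOW_*` flag that is defined but not ORed into this mask would be silently reused for a filesystem, and the reserved `PR_ALLOW_KMEM_ACCESS` bit only survives because the mask happens to cover it. Add a comment on the define: `/* Every static PR_ALLOW_* bit MUST be included here, otherwise prison_add_vfs() may allocate it for a filesystem. */`. I cannot tell from the hunk whether anything outside the kernel still references the removed `PR_ALLOW_ALL`; if so, a compatibility alias would avoid a build break.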
/*
* OSD methods
@@ -364,6 +359,7 @@
struct mount;
struct sockaddr;
struct statfs;
+struct vfsconf;
int jailed(struct ucred *cred);
int jailed_without_vnet(struct ucred *);
void getcredhostname(struct ucred *, char *, size_t);
@@ -413,6 +409,7 @@
char *prison_name(struct prison *, struct prison *);
int prison_priv_check(struct ucred *cred, int priv);
int sysctl_jail_param(SYSCTL_HANDLER_ARGS);
+void prison_add_vfs(struct vfsconf *vfsp);
void prison_racct_foreach(void (*callback)(struct racct *racct,
void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
void *arg2, void *arg3);
Index: sys/mount.h
===================================================================
--- sys/mount.h
+++ sys/mount.h
@@ -516,6 +516,7 @@
int vfc_typenum; /* historic filesystem type number */
int vfc_refcount; /* number mounted of this type */
int vfc_flags; /* permanent flags */
+ int vfc_prison_flag; /* prison allow.mount.* flag */
struct vfsoptdecl *vfc_opts; /* mount options */
TAILQ_ENTRY(vfsconf) vfc_list; /* list of vfscons */
};
Index: sys/param.h
===================================================================
--- sys/param.h
+++ sys/param.h
@@ -60,7 +60,7 @@
* in the range 5 to 9.
*/
#undef __FreeBSD_version
-#define __FreeBSD_version 1200060 /* Master, propagated to newvers */
+#define __FreeBSD_version 1200061 /* Master, propagated to newvers */
/*
* __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
