D56967.diff
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -251,6 +251,8 @@
#ifdef AUDIT
{"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT},
#endif
+ {"allow.mount.unsafe.all", "allow.mount.unsafe.noall",
+ PR_ALLOW_MOUNT_UNSAFE_ANY},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
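Review bot: The new table entry pairs the user-visible name `allow.mount.unsafe.all` with a flag called `PR_ALLOW_MOUNT_UNSAFE_ANY`, so the parameter and the constant disagree on "all" versus "any". The same mismatch appears in the sys/sys/jail.h define and in the sys/kern/vfs_mount.c check. Picking one word, for example `PR_ALLOW_MOUNT_UNSAFE_ALL`, would make it easier to grep from the jail parameter to the kernel check that honours it, which matters for a permission that switches off a safety gate.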
@@ -5243,6 +5245,10 @@
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
+SYSCTL_JAIL_PARAM_SUBNODE(allow_mount, unsafe,
+ "Jail unsafe mount/unmount permission flags");
+SYSCTL_JAIL_PARAM(_allow_mount_unsafe, all, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount/unmount any file system (unsafe)");
/*
* Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -1138,8 +1138,9 @@
* If the jail of the calling thread lacks permission for this type of
* file system, or is trying to cover its own root, deny immediately.
*/
- if (jailed(td->td_ucred) && (!prison_allow(td->td_ucred,
- vfsp->vfc_prison_flag) || vp == td->td_ucred->cr_prison->pr_root)) {
+ if (jailed(td->td_ucred) && ((!prison_allow(td->td_ucred,
+ PR_ALLOW_MOUNT_UNSAFE_ANY) && !prison_allow(td->td_ucred,
+ vfsp->vfc_prison_flag)) || vp == td->td_ucred->cr_prison->pr_root)) {
vput(vp);
vfs_unref_vfsconf(vfsp);
return (EPERM);
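Review bot: The comment above this condition still says the jail is denied when it lacks permission "for this type of file system", but the new condition lets `PR_ALLOW_MOUNT_UNSAFE_ANY` override the per-type `vfc_prison_flag` test entirely. The comment should say so, e.g. `* file system and does not hold allow.mount.unsafe.all, or is trying to`. The jail.8 text in this patch says the permission is effective only together with `allow.mount` and with `enforce_statfs` below 2; neither is tested in these lines, so presumably a privilege check elsewhere in the mount path enforces it, which is worth confirming and naming in the comment. The enclosing function starts and ends outside the hunk.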
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -273,6 +273,7 @@
#define PR_ALLOW_ROUTING 0x00200000
#define PR_ALLOW_UNPRIV_PARENT_TAMPER 0x00400000
#define PR_ALLOW_SETAUDIT 0x00800000
+#define PR_ALLOW_MOUNT_UNSAFE_ANY 0x01000000
/*
* PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0,
@@ -280,7 +281,7 @@
* build time. PR_ALLOW_ALL_STATIC should contain any bit above that we expect
* to be used on the system, while PR_ALLOW_PRISON0 will be some subset of that.
*/
-#define PR_ALLOW_ALL_STATIC 0x00ff87ff
+#define PR_ALLOW_ALL_STATIC 0x01ff87ff
#define PR_ALLOW_PRISON0 \
(PR_ALLOW_ALL_STATIC & ~(PR_ALLOW_UNPRIV_PARENT_TAMPER))
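Review bot: Widening `PR_ALLOW_ALL_STATIC` to `0x01ff87ff` also puts `PR_ALLOW_MOUNT_UNSAFE_ANY` into `PR_ALLOW_PRISON0`, because that set masks out only `PR_ALLOW_UNPRIV_PARENT_TAMPER`. This looks harmless for prison0 itself, since the vfs_mount.c check in this patch applies only when `jailed()` is true. The default allow set for newly created jails is not visible in this diff, so it is worth confirming that a child jail gets the bit only when it is set explicitly. A short comment on the define in the previous hunk would record what the bit does, such as `/* Overrides the per-filesystem vfc_prison_flag check at mount time. */`.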
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -827,6 +827,21 @@
.Xr zfs-jail 8
for information on how to configure the ZFS filesystem to operate from
within a jail.
+.It Va allow.mount.unsafe.all
+privileged users inside the jail will be able to mount and unmount
+any file system, regardless of whether it is marked as jail-friendly.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
+Many file systems trust the on-disk format and are not hardened against
+malicious input.
+A jailed user who controls the backing image could craft a corrupted
+file system that may trigger kernel panics or arbitrary kernel memory
+access when mounted.
+This option should only be used in environments where the jail's root
+user is fully trusted, such as build jails or development environments.
.It Va allow.vmm
The jail may access
.Xr vmm 4 .
D56967: jail: add allow.mount.unsafe.all to allow mounting any filesystem