D56967.id178802.diff
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -251,6 +251,7 @@
#ifdef AUDIT
{"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT},
#endif
+ {"allow.mount.all", "allow.mount.noall", PR_ALLOW_MOUNT_ANY},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -5243,6 +5244,8 @@
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
+SYSCTL_JAIL_PARAM(_allow_mount, all, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may mount/unmount any file system");
/*
* Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return
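Review bot: The sysctl description on the added `SYSCTL_JAIL_PARAM(_allow_mount, all, ...)` line is less precise than what the flag actually grants; the difference from the existing `allow.mount` entry just above it is that the per-file-system jail-friendly flag is no longer consulted, and the description should say so because this is the string an administrator sees in `sysctl -d`. Suggest `"B", "Jail may mount/unmount file systems not marked jail-friendly (requires allow.mount)"`, mirroring the jail.8 text in this same revision. The parenthetical dependence on allow.mount is inferred from the manual page hunk, not from code visible here; drop it if the kernel does not enforce that ordering.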
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -1138,8 +1138,9 @@
* If the jail of the calling thread lacks permission for this type of
* file system, or is trying to cover its own root, deny immediately.
*/
- if (jailed(td->td_ucred) && (!prison_allow(td->td_ucred,
- vfsp->vfc_prison_flag) || vp == td->td_ucred->cr_prison->pr_root)) {
+ if (jailed(td->td_ucred) && ((!prison_allow(td->td_ucred,
+ PR_ALLOW_MOUNT_ANY) && !prison_allow(td->td_ucred,
+ vfsp->vfc_prison_flag)) || vp == td->td_ucred->cr_prison->pr_root)) {
vput(vp);
vfs_unref_vfsconf(vfsp);
return (EPERM);
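Review bot: The comment immediately above the rewritten condition still describes only the per-file-system check ("lacks permission for this type of file system"), so a reader no longer sees why a file system with no jail-friendly flag can now be mounted; the comment opens outside the hunk, but its visible lines should become `* If the jail of the calling thread lacks permission for this type of` / `* file system (allow.mount.all bypasses the per-type flag), or is trying` / `* to cover its own root, deny immediately.`. The new condition nests three calls and two levels of parentheses across three physical lines, which is easy to misread when the next person adds another clause; a local such as `mount_ok = prison_allow(td->td_ucred, PR_ALLOW_MOUNT_ANY) || prison_allow(td->td_ucred, vfsp->vfc_prison_flag);` followed by `if (jailed(td->td_ucred) && (!mount_ok || vp == td->td_ucred->cr_prison->pr_root)) {` reads more clearly, subject to style(9) placing the declaration at the top of the function. Nothing in this hunk gates PR_ALLOW_MOUNT_ANY on allow.mount or enforce_statfs as the manual page promises; presumably that happens earlier in the mount path through the PRIV_VFS_MOUNT privilege check, and a one-line comment naming where that gate lives would let a reviewer confirm that a jail cannot reach this point with allow.mount.all but without allow.mount. The enclosing function starts and ends outside the hunk.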
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -273,6 +273,7 @@
#define PR_ALLOW_ROUTING 0x00200000
#define PR_ALLOW_UNPRIV_PARENT_TAMPER 0x00400000
#define PR_ALLOW_SETAUDIT 0x00800000
+#define PR_ALLOW_MOUNT_ANY 0x01000000
/*
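Review bot: The macro name PR_ALLOW_MOUNT_ANY does not match the user-visible names it backs, "allow.mount.all"/"allow.mount.noall" in the kern_jail.c table and the `all` sysctl node, so someone grepping from the jail(8) parameter to the kernel flag will not find it; either rename it PR_ALLOW_MOUNT_ALL or add a trailing comment on the define, `#define PR_ALLOW_MOUNT_ANY 0x01000000 /* allow.mount.all: skip per-fs jail-friendly check */`. Unlike the other allow flags, this one widens the kernel attack surface to file system parsers that are not hardened against hostile on-disk data, and the define is the natural place for that one-line warning so it is seen by kernel readers and not only in jail.8. The second jail.h hunk adds the flag to PR_ALLOW_ALL_STATIC, which through the PR_ALLOW_PRISON0 definition right below also grants it to prison0; that looks intended, but it is worth stating in the commit message since it is the mask child-jail permissions are checked against.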
* PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0,
@@ -287,7 +288,8 @@
PR_ALLOW_UNPRIV_DEBUG | PR_ALLOW_SUSER | PR_ALLOW_RESERVED_PORTS | \
PR_ALLOW_KMEM_ACCESS | PR_ALLOW_NFSD | PR_ALLOW_EXTATTR | \
PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME | PR_ALLOW_ROUTING | \
- PR_ALLOW_UNPRIV_PARENT_TAMPER | PR_ALLOW_SETAUDIT)
+ PR_ALLOW_UNPRIV_PARENT_TAMPER | PR_ALLOW_SETAUDIT | \
+ PR_ALLOW_MOUNT_ANY)
#define PR_ALLOW_PRISON0 \
(PR_ALLOW_ALL_STATIC & ~(PR_ALLOW_UNPRIV_PARENT_TAMPER))
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -827,6 +827,21 @@
.Xr zfs-jail 8
for information on how to configure the ZFS filesystem to operate from
within a jail.
+.It Va allow.mount.all
+privileged users inside the jail will be able to mount and unmount
+any file system, regardless of whether it is marked as jail-friendly.
+This permission is effective only together with
+.Va allow.mount
+and only when
+.Va enforce_statfs
+is set to a value lower than 2.
+Many file systems trust the on-disk format and are not hardened against
+malicious input.
+A jailed user who controls the backing image could craft a corrupted
+file system that may trigger kernel panics or arbitrary kernel memory
+access when mounted.
+This option should only be used in environments where the jail's root
+user is fully trusted, such as build jails or development environments.
.It Va allow.vmm
The jail may access
.Xr vmm 4 .
