Changeset View
Changeset View
Standalone View
Standalone View
head/sys/kern/vfs_subr.c
Show First 20 Lines • Show All 677 Lines • ▼ Show 20 Lines | |||||
/* | /* | ||||
* Check if a user can access privileged mount options. | * Check if a user can access privileged mount options. | ||||
*/ | */ | ||||
int | int | ||||
vfs_suser(struct mount *mp, struct thread *td) | vfs_suser(struct mount *mp, struct thread *td) | ||||
{ | { | ||||
int error; | int error; | ||||
if (jailed(td->td_ucred)) { | |||||
/* | /* | ||||
* If the thread is jailed, but this is not a jail-friendly file | * If the jail of the calling thread lacks permission for | ||||
* system, deny immediately. | * this type of file system, deny immediately. | ||||
*/ | */ | ||||
if (!(mp->mnt_vfc->vfc_flags & VFCF_JAIL) && jailed(td->td_ucred)) | if (!prison_allow(td->td_ucred, mp->mnt_vfc->vfc_prison_flag)) | ||||
return (EPERM); | return (EPERM); | ||||
/* | /* | ||||
* If the file system was mounted outside the jail of the calling | * If the file system was mounted outside the jail of the | ||||
* thread, deny immediately. | * calling thread, deny immediately. | ||||
*/ | */ | ||||
if (prison_check(td->td_ucred, mp->mnt_cred) != 0) | if (prison_check(td->td_ucred, mp->mnt_cred) != 0) | ||||
return (EPERM); | return (EPERM); | ||||
} | |||||
/* | /* | ||||
* If file system supports delegated administration, we don't check | * If file system supports delegated administration, we don't check | ||||
* for the PRIV_VFS_MOUNT_OWNER privilege - it will be better verified | * for the PRIV_VFS_MOUNT_OWNER privilege - it will be better verified | ||||
* by the file system itself. | * by the file system itself. | ||||
* If this is not the user that did original mount, we check for | * If this is not the user that did original mount, we check for | ||||
* the PRIV_VFS_MOUNT_OWNER privilege. | * the PRIV_VFS_MOUNT_OWNER privilege. | ||||
*/ | */ | ||||
▲ Show 20 Lines • Show All 4,836 Lines • Show Last 20 Lines |