FreeBSD/10 hierarchical jail fdescfs patch

1. diff --git a/sys/fs/fdescfs/fdesc_vfsops.c b/sys/fs/fdescfs/fdesc_vfsops.c
2. index cb5e3c0..7193809 100644
3. --- a/sys/fs/fdescfs/fdesc_vfsops.c
4. +++ b/sys/fs/fdescfs/fdesc_vfsops.c
5. @@ -50,6 +50,7 @@
6.  #include <sys/racct.h>
7.  #include <sys/resourcevar.h>
8.  #include <sys/vnode.h>
9. +#include <sys/jail.h>
10.  
11.  #include <fs/fdescfs/fdesc.h>
12.  
13. @@ -78,8 +79,11 @@ fdesc_mount(struct mount *mp)
14.  {
15.     int error = 0;
16.     struct fdescmount *fmp;
17. +   struct thread *td = curthread;
18.     struct vnode *rvp;
19.  
20. +   if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
21. +       return (EPERM);
22.     /*
23.      * Update is a no-op
24.      */
25. @@ -237,4 +241,4 @@ static struct vfsops fdesc_vfsops = {
26.     .vfs_unmount =      fdesc_unmount,
27.  };
28.  
29. -VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
30. +VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);
31. diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
32. index 2846eca..791723d 100644
33. --- a/sys/kern/kern_jail.c
34. +++ b/sys/kern/kern_jail.c
35. @@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
36.     "allow.mount.zfs",
37.     "allow.mount.procfs",
38.     "allow.mount.tmpfs",
39. +   "allow.mount.fdescfs",
40.  };
41.  const size_t pr_allow_names_size = sizeof(pr_allow_names);
42.  
43. @@ -223,6 +224,7 @@ static char *pr_allow_nonames[] = {
44.     "allow.mount.nozfs",
45.     "allow.mount.noprocfs",
46.     "allow.mount.notmpfs",
47. +   "allow.mount.nofdescfs",
48.  };
49.  const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
50.  
51. @@ -4245,6 +4247,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
52.      CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
53.      NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
54.      "Processes in jail can mount the zfs file system");
55. +SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
56. +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
57. +    NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
58. +    "Processes in jail can mount the fdescfs file system");
59.  
60.  static int
61.  sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
62. @@ -4397,6 +4403,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
63.      "B", "Jail may mount the tmpfs file system");
64.  SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
65.      "B", "Jail may mount the zfs file system");
66. +SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
67. +    "B", "Jail may mount the fdescfs file system");
68.  
69.  void
70.  prison_racct_foreach(void (*callback)(struct racct *racct,
71. diff --git a/sys/sys/jail.h b/sys/sys/jail.h
72. index a82a499..a01d665 100644
73. --- a/sys/sys/jail.h
74. +++ b/sys/sys/jail.h
75. @@ -228,7 +228,8 @@ struct prison_racct {
76.  #define    PR_ALLOW_MOUNT_ZFS      0x0200
77.  #define    PR_ALLOW_MOUNT_PROCFS       0x0400
78.  #define    PR_ALLOW_MOUNT_TMPFS        0x0800
79. -#define    PR_ALLOW_ALL            0x0fff
80. +#define    PR_ALLOW_MOUNT_FDESCFS      0x1000
81. +#define    PR_ALLOW_ALL            0xffff
82.  
83.  /*
84.   * OSD methods