- diff --git a/sys/fs/fdescfs/fdesc_vfsops.c b/sys/fs/fdescfs/fdesc_vfsops.c
- index cb5e3c0..7193809 100644
- --- a/sys/fs/fdescfs/fdesc_vfsops.c
- +++ b/sys/fs/fdescfs/fdesc_vfsops.c
- @@ -50,6 +50,7 @@
- #include <sys/racct.h>
- #include <sys/resourcevar.h>
- #include <sys/vnode.h>
- +#include <sys/jail.h>
- #include <fs/fdescfs/fdesc.h>
- @@ -78,8 +79,11 @@ fdesc_mount(struct mount *mp)
- {
- int error = 0;
- struct fdescmount *fmp;
- + struct thread *td = curthread;
- struct vnode *rvp;
- + if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
- + return (EPERM);
- /*
- * Update is a no-op
- */
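Review bot: The new `prison_allow()` gate at the top of fdesc_mount carries no comment and sits above the "Update is a no-op" block, so an update request from a jail without the permission presumably now gets EPERM too. If that ordering is intended, record it with something like `/* Jailed callers need allow.mount.fdescfs, for updates as well. */`. The local `td` is read only once in the visible lines, so `prison_allow(curthread->td_ucred, PR_ALLOW_MOUNT_FDESCFS)` would save the extra declaration. The body of fdesc_mount continues outside this hunk.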
- @@ -237,4 +241,4 @@ static struct vfsops fdesc_vfsops = {
- .vfs_unmount = fdesc_unmount,
- };
- -VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
- +VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);
- diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
- index 2846eca..791723d 100644
- --- a/sys/kern/kern_jail.c
- +++ b/sys/kern/kern_jail.c
- @@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
- "allow.mount.zfs",
- "allow.mount.procfs",
- "allow.mount.tmpfs",
- + "allow.mount.fdescfs",
- };
- const size_t pr_allow_names_size = sizeof(pr_allow_names);
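Review bot: Nothing in this hunk or the next one (`pr_allow_nonames`) records that each string's position has to line up with its `PR_ALLOW_*` bit in sys/sys/jail.h. If these tables are indexed by bit position, which the lines here do not show, a misplaced entry would bind a jail parameter name to a different permission. The new entries are appended last and the new flag is the next bit, so they look consistent. A comment above each array such as `/* Order must match the PR_ALLOW_* bit positions in <sys/jail.h>. */` would keep that true for later additions. Both array definitions start outside their hunks.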
- @@ -223,6 +224,7 @@ static char *pr_allow_nonames[] = {
- "allow.mount.nozfs",
- "allow.mount.noprocfs",
- "allow.mount.notmpfs",
- + "allow.mount.nofdescfs",
- };
- const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
- @@ -4245,6 +4247,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
- CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
- "Processes in jail can mount the zfs file system");
- +SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
- + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- + NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
- + "Processes in jail can mount the fdescfs file system");
- static int
- sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
- @@ -4397,6 +4403,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the tmpfs file system");
- SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may mount the zfs file system");
- +SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
- + "B", "Jail may mount the fdescfs file system");
- void
- prison_racct_foreach(void (*callback)(struct racct *racct,
- diff --git a/sys/sys/jail.h b/sys/sys/jail.h
- index a82a499..a01d665 100644
- --- a/sys/sys/jail.h
- +++ b/sys/sys/jail.h
- @@ -228,7 +228,8 @@ struct prison_racct {
- #define PR_ALLOW_MOUNT_ZFS 0x0200
- #define PR_ALLOW_MOUNT_PROCFS 0x0400
- #define PR_ALLOW_MOUNT_TMPFS 0x0800
- -#define PR_ALLOW_ALL 0x0fff
- +#define PR_ALLOW_MOUNT_FDESCFS 0x1000
- +#define PR_ALLOW_ALL 0xffff
- /*
- * OSD methods
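Review bot: `PR_ALLOW_ALL` becomes `0xffff`, which covers three bits (0x2000, 0x4000, 0x8000) that no `PR_ALLOW_*` flag in this hunk defines. With the one new flag at 0x1000, the mask that matches the defined set is `#define PR_ALLOW_ALL 0x1fff`. Any code that assigns or masks with PR_ALLOW_ALL (not visible here) would carry those undefined bits, so a flag added later at one of those values could be treated as already granted wherever the mask was used to initialise permissions. Keeping the mask equal to the OR of the defined flags makes every new permission an explicit opt-in.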