From 435d46675d86e84c1af413750dbc93db91bf1903 Mon Sep 17 00:00:00 2001 From: Martin Matuska Date: Tue, 2 Aug 2011 19:44:40 +0000 Subject: [PATCH] Always disable mount and unmount for jails with enforce_statfs==2. A working statfs(2) is required for umount(8) in jail. Reviewed by: pjd, kib Approved by: re (kib) MFC after: 2 weeks --- sys/kern/kern_jail.c | 3 ++- usr.sbin/jail/jail.8 | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 584334af3ad..050563be9a9 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3858,7 +3858,8 @@ prison_priv_check(struct ucred *cred, int priv) case PRIV_VFS_UNMOUNT: case PRIV_VFS_MOUNT_NONUSER: case PRIV_VFS_MOUNT_OWNER: - if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT) + if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && + cred->cr_prison->pr_enforce_statfs < 2) return (0); else return (EPERM); diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 8ed913a1eb0..c5a2245b0a3 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -393,6 +393,9 @@ The .Xr lsvfs 1 command can be used to find file system types available for mount from within a jail. +This permission is effective only if +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.quotas The prison root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or @@ -746,9 +749,11 @@ It is not possible to or .Xr umount 8 any file system inside a jail unless the file system is marked -jail-friendly and the jail's +jail-friendly, the jail's .Va allow.mount -parameter is set. +parameter is set and the jail's +.Va enforce_statfs +parameter is lower than 2. .Pp Multiple jails sharing the same file system can influence each other. For example a user in one jail can fill the file system also