Add procfs to jail-mountable filesystems.

Reviewed by: jamie MFC after: 1 week
svn path=/head/; revision=232278
2025-01-15 15:06:42 +00:00 · 2012-02-29 00:30:18 +00:00 · 2012-02-29 00:30:18 +00:00 · 41c0675e6e · 2020-12-20 02:59:44 +00:00
commit 41c0675e6e
parent 5b2a5decd1
7 changed files with 27 additions and 6 deletions
--- a/sys/compat/linprocfs/linprocfs.c
+++ b/sys/compat/linprocfs/linprocfs.c
@ -1460,7 +1460,7 @@ linprocfs_uninit(PFS_INIT_ARGS)
 	return (0);
 }

-PSEUDOFS(linprocfs, 1);
+PSEUDOFS(linprocfs, 1, 0);
 MODULE_DEPEND(linprocfs, linux, 1, 1, 1);
 MODULE_DEPEND(linprocfs, procfs, 1, 1, 1);
 MODULE_DEPEND(linprocfs, sysvmsg, 1, 1, 1);
--- a/sys/compat/linsysfs/linsysfs.c
+++ b/sys/compat/linsysfs/linsysfs.c
@ -280,5 +280,5 @@ linsysfs_uninit(PFS_INIT_ARGS)
 	return (0);
 }

-PSEUDOFS(linsysfs, 1);
+PSEUDOFS(linsysfs, 1, 0);
 MODULE_DEPEND(linsysfs, linux, 1, 1, 1);
--- a/sys/fs/procfs/procfs.c
+++ b/sys/fs/procfs/procfs.c
@ -209,4 +209,4 @@ procfs_uninit(PFS_INIT_ARGS)
 	return (0);
 }

-PSEUDOFS(procfs, 1);
+PSEUDOFS(procfs, 1, PR_ALLOW_MOUNT_PROCFS);
--- a/sys/fs/pseudofs/pseudofs.h
+++ b/sys/fs/pseudofs/pseudofs.h
@ -31,6 +31,8 @@
 #ifndef _PSEUDOFS_H_INCLUDED
 #define _PSEUDOFS_H_INCLUDED

+#include <sys/jail.h>
+
 /*
 * Opaque structures
 */
@ -271,7 +273,7 @@ int		 pfs_destroy	(struct pfs_node *pn);
 /*
 * Now for some initialization magic...
 */
-#define PSEUDOFS(name, version)						\
+#define PSEUDOFS(name, version, jflag)					\
 									\
 static struct pfs_info name##_info = {					\
 	#name,								\
@ -281,6 +283,8 @@ static struct pfs_info name##_info = {					\
 									\
 static int								\
 _##name##_mount(struct mount *mp) {					\
+        if (jflag && !prison_allow(curthread->td_ucred, jflag))		\
+                return (EPERM);						\
 	return pfs_mount(&name##_info, mp);				\
 }									\
 									\
@ -303,7 +307,7 @@ static struct vfsops name##_vfsops = {					\
 	.vfs_uninit =		_##name##_uninit,			\
 	.vfs_unmount =		pfs_unmount,				\
 };									\
-VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC);				\
+VFS_SET(name##_vfsops, name, VFCF_SYNTHETIC | (jflag ? VFCF_JAIL : 0));	\
 MODULE_VERSION(name, version);						\
 MODULE_DEPEND(name, pseudofs, 1, 1, 1);

--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -204,6 +204,7 @@ static char *pr_allow_names[] = {
 	"allow.mount.devfs",
 	"allow.mount.nullfs",
 	"allow.mount.zfs",
+	"allow.mount.procfs",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);

@ -218,6 +219,7 @@ static char *pr_allow_nonames[] = {
 	"allow.mount.nodevfs",
 	"allow.mount.nonullfs",
 	"allow.mount.nozfs",
+	"allow.mount.noprocfs",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);

@ -4206,6 +4208,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
    NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
    "Processes in jail can mount the nullfs file system");
+SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
+    "Processes in jail can mount the procfs file system");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
    NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
@ -4356,6 +4362,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
    "B", "Jail may mount the devfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
    "B", "Jail may mount the nullfs file system");
+SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may mount the procfs file system");
 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
    "B", "Jail may mount the zfs file system");

--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@ -226,7 +226,8 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT_DEVFS		0x0080
 #define	PR_ALLOW_MOUNT_NULLFS		0x0100
 #define	PR_ALLOW_MOUNT_ZFS		0x0200
-#define	PR_ALLOW_ALL			0x03ff
+#define	PR_ALLOW_MOUNT_PROCFS		0x0400
+#define	PR_ALLOW_ALL			0x07ff

 /*
 * OSD methods
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@ -428,6 +428,14 @@ This permission is effective only together with
 and if
 .Va enforce_statfs
 is set to a value lower than 2.
+.It Va allow.mount.procfs
+privileged users inside the jail will be able to mount and unmount the
+procfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2.
 .It Va allow.mount.zfs
 privileged users inside the jail will be able to mount and unmount the
 ZFS file system.