mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-17 10:26:15 +00:00
Limit quota privileges in jail to PRIV_UFS_GETQUOTA and
PRIV_UFS_SETQUOTA.
This commit is contained in:
parent
8bd5639f18
commit
e82d0201bd
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=166831
@ -618,14 +618,11 @@ prison_priv_check(struct ucred *cred, int priv)
|
||||
|
||||
/*
|
||||
* Allow root in jail to manage a variety of quota
|
||||
* properties. Some are a bit surprising and should be
|
||||
* reconsidered.
|
||||
* properties. These should likely be conditional on a
|
||||
* configuration option.
|
||||
*/
|
||||
case PRIV_UFS_GETQUOTA:
|
||||
case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
|
||||
case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
|
||||
case PRIV_UFS_SETQUOTA:
|
||||
case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
|
||||
|
||||
/*
|
||||
* Since Jail relies on chroot() to implement file system
|
||||
|
@ -451,11 +451,7 @@ quotaon(td, mp, type, fname)
|
||||
int error, flags;
|
||||
struct nameidata nd;
|
||||
|
||||
/*
|
||||
* XXXRW: Can this be right? Jail is allowed to do this?
|
||||
*/
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON,
|
||||
SUSER_ALLOWJAIL);
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON, 0);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
@ -550,11 +546,7 @@ quotaoff(td, mp, type)
|
||||
struct inode *ip;
|
||||
int error;
|
||||
|
||||
/*
|
||||
* XXXRW: This also seems wrong to allow in a jail?
|
||||
*/
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF,
|
||||
SUSER_ALLOWJAIL);
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF, 0);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
@ -741,8 +733,7 @@ setuse(td, mp, id, type, addr)
|
||||
struct dqblk usage;
|
||||
int error;
|
||||
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE,
|
||||
SUSER_ALLOWJAIL);
|
||||
error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE, 0);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user