jail.chflags_allowed

Deyan Dyankov deyan.dyankov at gmail.com
Sat Jul 23 09:59:43 PDT 2005


Hi again. I think I did it ;-)

the code that checks jail.chflags_allowed is now located in
setfflags() (kern/vfs_syscalls.c).

in vfs/ there are about 20 directories with code for filesystems.
with a simple grep i understood that only 12 of them have
<fsname>_setattr() in vfs/<fsname>/<fsname>_vnops.c
Here they are:
nfs
union
fdesc
hpfs
msdosfs
coda
nullfs
nwfs
portal
procfs
smbfs
ufs

Now, ufs and msdosfs work. I'm sure because i tested them. I couldn't
test the other filesystems :( i can't create them right now.
Here's the patch ..and sorry about the delay. I was out of town..

--- sys.orig/kern/vfs_syscalls.c	2005-07-18 13:19:24.000000000 +0300
+++ sys/kern/vfs_syscalls.c	2005-07-23 14:49:09.000000000 +0300
@@ -73,6 +73,7 @@
 #include <vm/vm_page.h>
 
 #include <sys/file2.h>
+#include <sys/jail.h>
 
 static int checkvp_chdir (struct vnode *vn, struct thread *td);
 static void checkdirs (struct vnode *olddp, struct namecache *ncp);
@@ -2134,6 +2135,13 @@
 		return (error);
 
 	/*
+	 * If we are inside a jail and jail.chflags_allowed=0
+	 * return "Operation not permitted"
+	 */
+	if (!jail_chflags_allowed && p->p_ucred->cr_prison)
+		return (EPERM);	
+
+	/*
 	 * note: vget is required for any operation that might mod the vnode
 	 * so VINACTIVE is properly cleared.
 	 */
--- sys.orig/vfs/ufs/ufs_vnops.c	2005-07-18 13:18:50.000000000 +0300
+++ sys/vfs/ufs/ufs_vnops.c	2005-07-23 15:52:55.000000000 +0300
@@ -444,7 +444,7 @@
 		if (cred->cr_uid != ip->i_uid &&
 		    (error = suser_cred(cred, PRISON_ROOT)))
 			return (error);
-		if ((cred->cr_uid == 0) && (cred->cr_prison == NULL)) {
+		if (cred->cr_uid == 0) {
 			if ((ip->i_flags
 			    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) &&
 			    securelevel > 0)





On 7/21/05, Deyan Dyankov <deyan.dyankov at xxxxxxxxx> wrote:
> Yes, at first i was looking at setfflags() but I couldn't figure out
> how to modify it correctly and i was afraid of missing something.
> I'll take a look at it again but if i can't figure it out i'll patch
> the other filesystems.
> 
> thanks for the advice ;-)
> 
> On 7/20/05, Matthew Dillon <dillon at xxxxxxxxxxxxxxxxxxxx> wrote:
> > :Hello guys.
> > :
> > :I have some experience with FreeBSD5.X's jails and I realized that
> > :jail.chflags_allowed is missing in DragonFly so I decided to implement
> > :it.
> > :
> > :I'm sure that if there's something wrong (or missed) in
> > :vfs/ufs/ufs_vnops.c you'll fix it.
> > :
> > :P.S.: this is my first patch submission so I wasn't sure how to create
> > :the .patch files but you'll figure them out :)
> > 
> >     It didn't patch but I did most of it manually.  The only problem I
> see
> >     is that this patch is UFS-specific.  I would like the feature to be
> >     disableable on any filesystem.
> > 
> >     I have committed everything except the ufs_vnops.c changes.  These
> >     changes are being made to UFS's ufs_setattr() function (the
> VOP_SETATTR
> >     VOP call).  It seems to me that this check could be made at a higher
> >     level, e.g. in setfflags() in kern/vfs_syscalls.c, and thus apply to
> >     all filesystems.
> > 
> >     Would you like to have a go at adding the required code to
> setfflags()
> > ?
> > 
> > 						-Matt
> > 
> >
>






More information about the Submit mailing list