jail.chflags_allowed
Deyan Dyankov
deyan.dyankov at gmail.com
Wed Jul 20 09:58:54 PDT 2005
Hello guys.
I have some experience with FreeBSD5.X's jails and I realized that
jail.chflags_allowed is missing in DragonFly so I decided to implement
it.
I'm sure that if there's something wrong (or missed) in
vfs/ufs/ufs_vnops.c you'll fix it.
P.S.: this is my first patch submission so I wasn't sure how to create
the .patch files but you'll figure them out :)
--- sys.orig/sys/jail.h 2005-07-18 13:19:22.000000000 +0300
+++ sys/sys/jail.h 2005-07-20 14:58:36.000000000 +0300
@@ -60,6 +60,7 @@
extern int jail_set_hostname_allowed;
extern int jail_socket_unixiproute_only;
extern int jail_sysvipc_allowed;
+extern int jail_chflags_allowed;
void prison_hold(struct prison *);
void prison_free(struct prison *);
--- sys.orig/kern/kern_jail.c 2005-07-18 13:19:23.000000000 +0300
+++ sys/kern/kern_jail.c 2005-07-20 15:04:49.000000000 +0300
@@ -51,6 +51,11 @@
&jail_sysvipc_allowed, 0,
"Processes in jail can use System V IPC primitives");
+int jail_chflags_allowed = 0;
+SYSCTL_INT(_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
+ &jail_chflags_allowed, 0,
+ "Process in jail can set chflags(1)");
+
int lastprid = 0;
int prisoncount = 0;
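Review bot: The description string `"Process in jail can set chflags(1)"` names the userland utility rather than what the knob gates, and it uses the singular where the neighbouring entry says "Processes". Because the ufs_vnops.c change in this patch appears to let a jailed uid 0 credential reach the superuser flag path when the knob is set, an administrator reading `sysctl -d` should be told that; wording such as `"Processes in jail can alter system file flags"` would do it. A one-line comment above `jail_chflags_allowed` stating that the default of 0 keeps jails restricted would also help the next reader.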
--- sys.orig/vfs/ufs/ufs_vnops.c 2005-07-18 13:18:50.000000000 +0300
+++ sys/vfs/ufs/ufs_vnops.c 2005-07-20 15:01:37.000000000 +0300
@@ -67,6 +67,7 @@
#include <vm/vm_extern.h>
#include <vfs/fifofs/fifo.h>
+#include <sys/jail.h>
#include "quota.h"
#include "inode.h"
@@ -444,7 +445,9 @@
if (cred->cr_uid != ip->i_uid &&
(error = suser_cred(cred, PRISON_ROOT)))
return (error);
- if ((cred->cr_uid == 0) && (cred->cr_prison == NULL)) {
+ if (!jail_chflags_allowed && cred->cr_prison)
+ return (EPERM);
+ if (cred->cr_uid == 0) {
if ((ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) &&
securelevel > 0)
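Review bot: The new early `return (EPERM)` fires for every credential with `cr_prison` set, not only uid 0, so with the default `jail_chflags_allowed = 0` any jailed process is refused all flag changes. Before this patch the removed condition only kept jailed root out of the `cr_uid == 0` branch, and a jailed caller presumably fell through to the non-superuser path that follows outside this hunk, so this looks like a default-behaviour change for existing jails. If the intent is only to let jailed root act as superuser here when the sysctl is enabled, folding the knob into the existing test keeps the old default: `if (cred->cr_uid == 0 && (cred->cr_prison == NULL || jail_chflags_allowed)) {`. The function body starts and ends outside the hunk, so the else path should be checked before settling on either form.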