Page MenuHomeFreeBSD
Files F97684523

D38144.id115539.diff
No OneTemporary
Actions

D38144.id115539.diff
View Options

diff --git a/sys/kern/kern_jail.c.ident b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c.ident
+++ b/sys/kern/kern_jail.c
@@ -118,6 +118,7 @@
.pr_flags = PR_HOST|_PR_IP_SADDRSEL,
#endif
.pr_allow = PR_ALLOW_ALL_STATIC,
+ .pr_ident = 1,
};
MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);
@@ -988,6 +989,7 @@
uint64_t pr_allow_diff;
unsigned tallow;
char numbuf[12];
+ static uint64_t init_ident = 2;
error = priv_check(td, PRIV_JAIL_SET);
if (!error && (flags & JAIL_ATTACH))
@@ -1617,6 +1619,7 @@
TASK_INIT(&pr->pr_task, 0, prison_complete, pr);
pr->pr_id = jid;
+ pr->pr_ident = init_ident++;
if (inspr != NULL)
TAILQ_INSERT_BEFORE(inspr, pr, pr_list);
else
diff --git a/sys/kern/vfs_export.c.vnet b/sys/kern/vfs_export.c
--- a/sys/kern/vfs_export.c.vnet
+++ b/sys/kern/vfs_export.c
@@ -52,6 +52,7 @@
#include <sys/mbuf.h>
#include <sys/mount.h>
#include <sys/mutex.h>
+#include <sys/proc.h>
#include <sys/rmlock.h>
#include <sys/refcount.h>
#include <sys/signalvar.h>
@@ -301,6 +302,7 @@
{
struct netexport *nep;
int error;
+ uint64_t jail_ident;
if ((argp->ex_flags & (MNT_DELEXPORT | MNT_EXPORTED)) == 0)
return (EINVAL);
@@ -311,13 +313,28 @@
return (EINVAL);
error = 0;
+ jail_ident = curthread->td_ucred->cr_prison->pr_ident;
lockmgr(&mp->mnt_explock, LK_EXCLUSIVE, NULL);
nep = mp->mnt_export;
if (argp->ex_flags & MNT_DELEXPORT) {
if (nep == NULL) {
+ KASSERT(mp->mnt_exjail == 0,
+ ("vfs_export: mnt_exjail delexport not 0"));
error = ENOENT;
goto out;
}
+ KASSERT(mp->mnt_exjail != 0,
+ ("vfs_export: mnt_exjail delexport 0"));
+ if (jail_ident == 1 && mp->mnt_exjail !=
+ jail_ident) {
+ /* EXDEV will not get logged by mountd(8). */
+ error = EXDEV;
+ goto out;
+ } else if (mp->mnt_exjail != jail_ident) {
+ /* EPERM will get logged by mountd(8). */
+ error = EPERM;
+ goto out;
+ }
if (mp->mnt_flag & MNT_EXPUBLIC) {
vfs_setpublicfs(NULL, NULL, NULL);
MNT_ILOCK(mp);
@@ -326,6 +343,7 @@
}
vfs_free_addrlist(nep);
mp->mnt_export = NULL;
+ mp->mnt_exjail = 0;
free(nep, M_MOUNT);
nep = NULL;
MNT_ILOCK(mp);
@@ -334,8 +352,15 @@
}
if (argp->ex_flags & MNT_EXPORTED) {
if (nep == NULL) {
+ KASSERT(mp->mnt_exjail == 0,
+ ("vfs_export: mnt_exjail not 0"));
nep = malloc(sizeof(struct netexport), M_MOUNT, M_WAITOK | M_ZERO);
mp->mnt_export = nep;
+ } else if (mp->mnt_exjail != jail_ident) {
+ KASSERT(mp->mnt_exjail != 0,
+ ("vfs_export: mnt_exjail 0"));
+ error = EPERM;
+ goto out;
}
if (argp->ex_flags & MNT_EXPUBLIC) {
if ((error = vfs_setpublicfs(mp, nep, argp)) != 0)
@@ -350,6 +375,7 @@
}
if ((error = vfs_hang_addrlist(mp, nep, argp)))
goto out;
+ mp->mnt_exjail = jail_ident;
MNT_ILOCK(mp);
mp->mnt_flag |= MNT_EXPORTED;
MNT_IUNLOCK(mp);
diff --git a/sys/sys/jail.h.ident b/sys/sys/jail.h
--- a/sys/sys/jail.h.ident
+++ b/sys/sys/jail.h
@@ -205,6 +205,7 @@
char pr_domainname[MAXHOSTNAMELEN]; /* (p) jail domainname */
char pr_hostuuid[HOSTUUIDLEN]; /* (p) jail hostuuid */
char pr_osrelease[OSRELEASELEN]; /* (c) kern.osrelease value */
+ uint64_t pr_ident; /* (c) unique identifier */
};
struct prison_racct {
diff --git a/sys/sys/mount.h.ident b/sys/sys/mount.h
--- a/sys/sys/mount.h.ident
+++ b/sys/sys/mount.h
@@ -252,6 +252,7 @@
int mnt_secondary_writes; /* (i) # of secondary writes */
int mnt_secondary_accwrites;/* (i) secondary wr. starts */
struct thread *mnt_susp_owner; /* (i) thread owning suspension */
+ uint64_t mnt_exjail; /* exported in jail ident */
#define mnt_endzero mnt_gjprovider
char *mnt_gjprovider; /* gjournal provider name */
struct mtx mnt_listmtx;

File Metadata

Mime Type
text/plain
Expires
Tue, Oct 1, 6:44 PM (7 h, 7 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
13271669
Default Alt Text
D38144.id115539.diff (3 KB)

Event Timeline