Hi,

I would like to get some comments on this:

I am not really lucky with the enhancement from the commit (commit message attached), though it is far better than nothing.

It
* still leaks the full path of the filesystem the jail is mounted on, e.g.:
    /dev/ad0s3d 13G 210M 12G 2% /u2/jails
* I could not see e.g. free disk space of partitions mounted to somewhere under /u2/jails/var/mailboxen from within the jail
* ...

I am at the point to either update my patch[1] for HEAD or entirely forget about it.

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/49085
(see the PR for descriptions of more fine-grained restrictions and link to further information)

If people would be interested in the more fine-grained control option I would get the patch updated and -if possible- simplified and post the result for review?

Thanks for _any_ feedback.

--
Greetings
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/

---------- Forwarded message ----------
rwatson 2004/02/14 10:31:12 PST

FreeBSD src repository

Modified files:
  sys/sys jail.h
  sys/kern kern_jail.c vfs_syscalls.c

Log:
By default, when a process in jail calls getfsstat(), only return the data for the file system on which the jail's root vnode is located. Previous behavior (show data for all mountpoints) can be restored by setting security.jail.getfsstatroot_only to 0. Note: this also has the effect of hiding other mounts inside a jail, such as /dev, /tmp, and /proc, but errs on the side of leaking less information.

Revision Changes Path
1.36 +20 -0 src/sys/kern/kern_jail.c
1.337 +8 -0 src/sys/kern/vfs_syscalls.c
1.20 +3 -0 src/sys/sys/jail.h

Received on Tue Mar 09 2004 - 13:47:27 UTC
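A user-space model of the behaviour the commit log describes, added here as an illustration; it is not the code from the commit or from the PR. It assumes the jail root is /u2/jails and picks the root file system by path prefix; every mount entry except /dev/ad0s3d on /u2/jails is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Host mount table (constructed; only /dev/ad0s3d on /u2/jails is from the post). */
struct mnt { const char *from, *on; };
static const struct mnt host_mounts[] = {
    { "/dev/ad0s1a", "/" },
    { "/dev/ad0s3d", "/u2/jails" },
    { "/dev/ad1s1d", "/u2/jails/var/mailboxen" },  /* constructed device */
    { "devfs",       "/u2/jails/dev" },
};
#define NMOUNTS (sizeof(host_mounts) / sizeof(host_mounts[0]))
/* True if mount point `on` is `path` itself or an ancestor directory of it. */
static int covers(const char *on, const char *path)
{
    size_t n = strlen(on);
    return strncmp(on, path, n) == 0 &&
           (n == 1 || path[n] == '\0' || path[n] == '/');
}
/* Index of the mount holding the jail root: the longest covering mount point. */
static int root_mount(const char *jail_root)
{
    int best = -1;
    for (size_t i = 0; i < NMOUNTS; i++)
        if (covers(host_mounts[i].on, jail_root) &&
            (best < 0 || strlen(host_mounts[i].on) > strlen(host_mounts[best].on)))
            best = (int)i;
    return best;
}
/* Model of the jailed getfsstat() view: fills out[], returns the entry count. */
static int jailed_getfsstat(const char *jail_root, int root_only,
                            const struct mnt **out)
{
    int n = 0, keep = root_mount(jail_root);
    for (size_t i = 0; i < NMOUNTS; i++)
        if (!root_only || (int)i == keep)
            out[n++] = &host_mounts[i];
    return n;
}

int main(void)
{
    const struct mnt *v[NMOUNTS];
    for (int mode = 1; mode >= 0; mode--) {
        int n = jailed_getfsstat("/u2/jails", mode, v);
        for (int i = 0; i < n; i++)
            printf("root_only=%d  %-12s on %s\n", mode, v[i]->from, v[i]->on);
    }
    return 0;
}
```

With root_only set, the single entry returned still carries the host-side mount point /u2/jails unchanged, and the mailboxen and devfs mounts beneath the jail root are hidden, which are the two effects reported in the message.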