jail & getfsstat et al

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Tue, 9 Mar 2004 22:47:04 +0000 (UTC)
Hi,

I would like to get some comments on this:

I am not really lucky with the enhancement from the commit (commit
message attached) though it is far better than nothing. It
* still leaks the full path of the filesystem the jail is mounted on,
	p.ex.: /dev/ad0s3d    13G   210M    12G     2%    /u2/jails
* I could not see p.ex. free disk space of partitions mounted to
	somewhere under /u2/jails/var/mailboxen from within the jail
* ...


I am at the point to either update my patch[1] for HEAD or entirely
forget about it.

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/49085
    (see the PR for descriptions of more fine grained restrictions
     and link to further information)

If people would be interested in the more fine grained control option
I would get the patch updated and -if possible- simplified and
post the result for review ?


Thanks for _any_ feedback.

-- 
Greetings

Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74				http://www.zabbadoz.net/

---------- Forwarded message ----------

rwatson     2004/02/14 10:31:12 PST

  FreeBSD src repository

  Modified files:
    sys/sys              jail.h
    sys/kern             kern_jail.c vfs_syscalls.c
  Log:
  By default, when a process in jail calls getfsstat(), only return the
  data for the file system on which the jail's root vnode is located.
  Previous behavior (show data for all mountpoints) can be restored
  by setting security.jail.getfsstatroot_only to 0.  Note: this also
  has the effect of hiding other mounts inside a jail, such as /dev,
  /tmp, and /proc, but errs on the side of leaking less information.

  Revision  Changes    Path
  1.36      +20 -0     src/sys/kern/kern_jail.c
  1.337     +8 -0      src/sys/kern/vfs_syscalls.c
  1.20      +3 -0      src/sys/sys/jail.h
Received on Tue Mar 09 2004 - 13:47:27 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:46 UTC