DragonFly submit List (threaded) for 2005-07
Re: jail.chflags_allowed
Hi again. I think I did it ;-)
The code that checks jail.chflags_allowed is now located in
setfflags() (kern/vfs_syscalls.c).
In vfs/ there are about 20 directories with code for filesystems.
With a simple grep I understood that only 12 of them have
<fsname>_setattr() in vfs/<fsname>/<fsname>_vnops.c
Here they are:
nfs
union
fdesc
hpfs
msdosfs
coda
nullfs
nwfs
portal
procfs
smbfs
ufs
Now, ufs and msdosfs work. I'm sure because I tested them. I couldn't
test the other filesystems :( I can't create them right now.
Here's the patch... and sorry about the delay. I was out of town.
--- sys.orig/kern/vfs_syscalls.c 2005-07-18 13:19:24.000000000 +0300
+++ sys/kern/vfs_syscalls.c 2005-07-23 14:49:09.000000000 +0300
@@ -73,6 +73,7 @@
#include <vm/vm_page.h>
#include <sys/file2.h>
+#include <sys/jail.h>
static int checkvp_chdir (struct vnode *vn, struct thread *td);
static void checkdirs (struct vnode *olddp, struct namecache *ncp);
@@ -2134,6 +2135,13 @@
return (error);
/*
+ * If we are inside a jail and jail.chflags_allowed=0
+ * return "Operation not permitted"
+ */
+ if (!jail_chflags_allowed && p->p_ucred->cr_prison)
+ return (EPERM);
+
+ /*
* note: vget is required for any operation that might mod the vnode
* so VINACTIVE is properly cleared.
*/
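Review bot: the new test in setfflags() returns EPERM for every jailed caller when jail_chflags_allowed is 0, without looking at the caller's uid or at which flags are being requested, so an unprivileged jailed user changing flags on their own files is refused as well as jailed root. If the goal is only to keep jailed root from making root-only flag changes, narrow the condition accordingly; if the blanket denial is intended, state that in the comment above the test. The test also dereferences p->p_ucred, and p is not declared anywhere in the visible context, so confirm it is valid at this point in the function.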
--- sys.orig/vfs/ufs/ufs_vnops.c 2005-07-18 13:18:50.000000000 +0300
+++ sys/vfs/ufs/ufs_vnops.c 2005-07-23 15:52:55.000000000 +0300
@@ -444,7 +444,7 @@
if (cred->cr_uid != ip->i_uid &&
(error = suser_cred(cred, PRISON_ROOT)))
return (error);
- if ((cred->cr_uid == 0) && (cred->cr_prison == NULL)) {
+ if (cred->cr_uid == 0) {
if ((ip->i_flags
& (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) &&
securelevel > 0)
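Review bot: dropping `cred->cr_prison == NULL` from the uid 0 test means ufs_setattr() no longer distinguishes jailed root from host root in this branch, so the jail restriction now rests entirely on the caller having come through setfflags(). Add a comment at this test saying the jail policy is enforced in setfflags() in kern/vfs_syscalls.c, and check that no other path reaches this code with a jailed credential and a flags change. The accompanying message reports msdosfs as tested, but this patch carries no msdosfs hunk, so it is worth stating whether that filesystem needed no change.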
On 7/21/05, Deyan Dyankov <deyan.dyankov@xxxxxxxxx> wrote:
> Yes, at first I was looking at setfflags() but I couldn't figure out
> how to modify it correctly and I was afraid of missing something.
> I'll take a look at it again but if I can't figure it out I'll patch
> the other filesystems.
>
> Thanks for the advice ;-)
>
> On 7/20/05, Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> wrote:
> > :Hello guys.
> > :
> > :I have some experience with FreeBSD5.X's jails and I realized that
> > :jail.chflags_allowed is missing in DragonFly so I decided to implement
> > :it.
> > :
> > :I'm sure that if there's something wrong (or missed) in
> > :vfs/ufs/ufs_vnops.c you'll fix it.
> > :
> > :P.S.: this is my first patch submission so I wasn't sure how to create
> > :the .patch files but you'll figure them out :)
> >
> > It didn't patch but I did most of it manually. The only problem I
> > see is that this patch is UFS-specific. I would like the feature
> > to be disableable on any filesystem.
> >
> > I have committed everything except the ufs_vnops.c changes. These
> > changes are being made to UFS's ufs_setattr() function (the
> > VOP_SETATTR VOP call). It seems to me that this check could be made
> > at a higher level, e.g. in setfflags() in kern/vfs_syscalls.c, and
> > thus apply to all filesystems.
> >
> > Would you like to have a go at adding the required code to
> > setfflags()?
> >
> > -Matt
> >
> >
>
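
The design point in the quoted reply (make the jail check once in setfflags() instead of in each filesystem's setattr) as a user-space C model. This is an added example, not code from the thread or from DragonFly; only jail_chflags_allowed, cr_prison and setfflags() are names from the page, and the structs, the two setattr functions and the central_check switch are hypothetical.

```c
/* User-space model, not kernel code. Hypothetical names except
 * jail_chflags_allowed, cr_prison and setfflags(). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct prison { int id; };
struct ucred  { unsigned cr_uid; struct prison *cr_prison; };
struct vnode;
typedef int (*setattr_fn)(struct vnode *, unsigned long, const struct ucred *);
struct vnode  { const char *fsname; setattr_fn vop_setattr; unsigned long flags; };

static int jail_chflags_allowed = 0;    /* models the jail.chflags_allowed sysctl */

/* Per-filesystem enforcement: this setattr asks about jails itself. */
static int ufs_like_setattr(struct vnode *vp, unsigned long fl, const struct ucred *cr)
{
    if (!jail_chflags_allowed && cr->cr_prison != NULL)
        return EPERM;
    vp->flags = fl;
    return 0;
}
/* A filesystem whose setattr carries no jail check at all. */
static int other_fs_setattr(struct vnode *vp, unsigned long fl, const struct ucred *cr)
{
    (void)cr;
    vp->flags = fl;
    return 0;
}
/* Generic layer: with central_check set, the policy is applied once before
 * dispatch, so every filesystem behind the function pointer is covered. */
static int setfflags(struct vnode *vp, unsigned long fl, const struct ucred *cr,
                     int central_check)
{
    if (central_check && !jail_chflags_allowed && cr->cr_prison != NULL)
        return EPERM;
    return vp->vop_setattr(vp, fl, cr);
}
/* Attempt the same flag change on each vnode; return how many succeeded. */
static int count_allowed(struct vnode *vps, size_t n, const struct ucred *cr, int central)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += (setfflags(&vps[i], 0x1UL, cr, central) == 0);
    return ok;
}
int main(void)
{
    struct prison pr = { 1 };
    struct ucred jailed_root = { 0, &pr };   /* constructed sample credential */
    struct vnode v[2] = { { "ufs", ufs_like_setattr, 0 }, { "msdosfs", other_fs_setattr, 0 } };
    printf("per-fs check only: %d of 2 allowed\n", count_allowed(v, 2, &jailed_root, 0));
    printf("check in setfflags: %d of 2 allowed\n", count_allowed(v, 2, &jailed_root, 1));
    return 0;
}
```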