#
267654 |
|
19-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
235836 |
|
23-May-2012 |
jamie |
MFC r235799:
The fix in r235291 (r235624) re-broke the "allow.nomount" case. Re-fix it by testing for the right parameter name.
PR: bin/168250
|
#
235624 |
|
18-May-2012 |
jamie |
MFC r235291:
The linker isn't consistent in the ordering of dynamic sysctls, so don't assume that the unnamed final component of "security.jail.param.foo." is one less than the "foo" component. It might be one greater instead.
|
#
232728 |
|
09-Mar-2012 |
mm |
Jail-mount MFC: r231265,r231267,r231269,r232059,r232186,r232247, r232278,r232307,r232342
MFC r231265: Introduce the "ruleset=number" option for devfs(5) mounts. Add support for updating the devfs mount (currently only changing the ruleset number is supported). Check mnt_optnew with vfs_filteropt(9).
This new option sets the specified ruleset number as the active ruleset of the new devfs mount and applies all its rules at mount time. If the specified ruleset doesn't exist, a new empty ruleset is created.
MFC r231267 [1]: Add support for mounting devfs inside jails.
A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules.
Utilizes new functions introduced in r231265.
MFC r231269: Allow mounting nullfs(5) inside jails.
This is now possible thanks to r230129.
MFC r232059 [1]: To improve control over the use of mount(8) inside a jail(8), introduce a new jail parameter node with the following parameters:
allow.mount.devfs: allow mounting the devfs filesystem inside a jail
allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail
Both parameters are disabled by default (equals the behavior before devfs and nullfs in jails). Administrators have to explicitly allow mounting devfs and nullfs for each jail. The value "-1" of the devfs_ruleset parameter is removed in favor of the new allow setting.
MFC r232186: Analogous to r232059, add a parameter for the ZFS file system:
allow.mount.zfs: allow mounting the zfs filesystem inside a jail
This way the permssions for mounting all current VFCF_JAIL filesystems inside a jail are controlled wia allow.mount.* jail parameters.
Update sysctl descriptions. Update jail(8) and zfs(8) manpages.
MFC r232247: mdoc(7) stype - start new sentences on new line
MFC r232278 [1]: Add procfs to jail-mountable filesystems.
MFC r232291: Bump .Dd to reflect latest update
MFC r232307: Add "export" to devfs_opts[] and return EOPNOTSUPP if called with it. Fixes mountd warnings.
MFC r232342 (jamie) [2]: Handle the case where a boolean parameter is also a node.
PR: bin/165515 [2] Reviewed by: jamie [1]
|
#
225736 |
|
22-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
#
217616 |
|
19-Jan-2011 |
mdf |
Introduce signed and unsigned version of CTLTYPE_QUAD, renaming existing uses. Rename sysctl_handle_quad() to sysctl_handle_64().
|
#
214434 |
|
27-Oct-2010 |
jamie |
Find a jail's type as part of jailparam_init rather than waiting until it's absolutely necessary.
MFC after: 1 week
|
#
212074 |
|
31-Aug-2010 |
jamie |
Whitespace and comment fixes.
MFC after: 3 days
|
#
212073 |
|
31-Aug-2010 |
jamie |
Don't over-allocate array values in jailparam_export. Fix a little comment typo.
MFC after: 3 days
|
#
210133 |
|
15-Jul-2010 |
jamie |
Don't import parameter values in jail_getv, except for the search key. Remove the internal jailparam_vlist, in favor of using variants of its logic separately in jail_setv and jail_getv. Free the temporary parameter list and exported values in jail_setv and jail_getv.
Noted by: Stanislav Uzunchev MFC after: 3 days
|
#
204008 |
|
17-Feb-2010 |
ru |
realloc() with a proper amount of memory.
MFC after: 3 days
|
#
200623 |
|
17-Dec-2009 |
jamie |
Add a null pointer check so "name" can be used as a key parameter in jailparam_get.
PR: bin/141692 Submitted by: delphij MFC after: 3 days
|
#
195870 |
|
25-Jul-2009 |
jamie |
Some jail parameters (in particular, "ip4" and "ip6" for IP address restrictions) were found to be inadequately described by a boolean. Define a new parameter type with three values (disable, new, inherit) to handle these and future cases.
Approved by: re (kib), bz (mentor) Discussed with: rwatson
|
#
195011 |
|
25-Jun-2009 |
jamie |
Fix dynamic (re)allocation logic in jailparam_set and jailparam_get. Touch up jailparam_import a bit while I'm at it.
Approved by: bz (mentor)
|
#
194869 |
|
24-Jun-2009 |
jamie |
Add libjail, a (somewhat) simpler interface to the jail_set and jail_get system calls and the security.jail.param sysctls.
Approved by: bz (mentor)
|