| #
267654 |
|
19-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| #
235836 |
|
23-May-2012 |
jamie |
MFC r235799:
The fix in r235291 (r235624) re-broke the "allow.nomount" case.
Re-fix it by testing for the right parameter name.
PR: bin/168250
|
| #
235624 |
|
18-May-2012 |
jamie |
MFC r235291:
The linker isn't consistent in the ordering of dynamic sysctls, so don't
assume that the unnamed final component of "security.jail.param.foo." is
one less than the "foo" component. It might be one greater instead.
|
| #
232728 |
|
09-Mar-2012 |
mm |
Jail-mount MFC: r231265,r231267,r231269,r232059,r232186,r232247,
r232278,r232307,r232342
MFC r231265:
Introduce the "ruleset=number" option for devfs(5) mounts.
Add support for updating the devfs mount (currently only changing the
ruleset number is supported).
Check mnt_optnew with vfs_filteropt(9).
This new option sets the specified ruleset number as the active ruleset
of the new devfs mount and applies all its rules at mount time. If the
specified ruleset doesn't exist, a new empty ruleset is created.
MFC r231267 [1]:
Add support for mounting devfs inside jails.
A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.
Utilizes new functions introduced in r231265.
MFC r231269:
Allow mounting nullfs(5) inside jails.
This is now possible thanks to r230129.
MFC r232059 [1]:
To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:
allow.mount.devfs:
allow mounting the devfs filesystem inside a jail
allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail
Both parameters are disabled by default (equals the behavior before
devfs and nullfs in jails). Administrators have to explicitly allow
mounting devfs and nullfs for each jail. The value "-1" of the
devfs_ruleset parameter is removed in favor of the new allow setting.
MFC r232186:
Analogous to r232059, add a parameter for the ZFS file system:
allow.mount.zfs:
allow mounting the zfs filesystem inside a jail
This way the permssions for mounting all current VFCF_JAIL filesystems
inside a jail are controlled wia allow.mount.* jail parameters.
Update sysctl descriptions.
Update jail(8) and zfs(8) manpages.
MFC r232247:
mdoc(7) stype - start new sentences on new line
MFC r232278 [1]:
Add procfs to jail-mountable filesystems.
MFC r232291:
Bump .Dd to reflect latest update
MFC r232307:
Add "export" to devfs_opts[] and return EOPNOTSUPP if called with it.
Fixes mountd warnings.
MFC r232342 (jamie) [2]:
Handle the case where a boolean parameter is also a node.
PR: bin/165515 [2]
Reviewed by: jamie [1]
|
| #
225736 |
|
22-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
| #
217616 |
|
19-Jan-2011 |
mdf |
Introduce signed and unsigned version of CTLTYPE_QUAD, renaming
existing uses. Rename sysctl_handle_quad() to sysctl_handle_64().
|
| #
214434 |
|
27-Oct-2010 |
jamie |
Find a jail's type as part of jailparam_init rather than waiting until
it's absolutely necessary.
MFC after: 1 week
|
| #
212074 |
|
31-Aug-2010 |
jamie |
Whitespace and comment fixes.
MFC after: 3 days
|
| #
212073 |
|
31-Aug-2010 |
jamie |
Don't over-allocate array values in jailparam_export.
Fix a little comment typo.
MFC after: 3 days
|
| #
210133 |
|
15-Jul-2010 |
jamie |
Don't import parameter values in jail_getv, except for the search key.
Remove the internal jailparam_vlist, in favor of using variants of its
logic separately in jail_setv and jail_getv.
Free the temporary parameter list and exported values in jail_setv
and jail_getv.
Noted by: Stanislav Uzunchev
MFC after: 3 days
|
| #
204008 |
|
17-Feb-2010 |
ru |
realloc() with a proper amount of memory.
MFC after: 3 days
|
| #
200623 |
|
17-Dec-2009 |
jamie |
Add a null pointer check so "name" can be used as a key parameter in
jailparam_get.
PR: bin/141692
Submitted by: delphij
MFC after: 3 days
|
| #
195870 |
|
25-Jul-2009 |
jamie |
Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.
Approved by: re (kib), bz (mentor)
Discussed with: rwatson
|
| #
195011 |
|
25-Jun-2009 |
jamie |
Fix dynamic (re)allocation logic in jailparam_set and jailparam_get.
Touch up jailparam_import a bit while I'm at it.
Approved by: bz (mentor)
|
| #
194869 |
|
24-Jun-2009 |
jamie |
Add libjail, a (somewhat) simpler interface to the jail_set and jail_get
system calls and the security.jail.param sysctls.
Approved by: bz (mentor)
|