From a99a8a69bde61c22a20ce88c671f204243533b94 Mon Sep 17 00:00:00 2001
From: pjd
Date: Thu, 23 Jun 2005 22:13:29 +0000
Subject: [PATCH] Actually only protect mount-point if security.jail.enforce_statfs is set to 2. If we don't return statistics about requested file systems, system tools may not work correctly or at all.
Approved by: re (scottl)
---
 sys/compat/linux/linux_stats.c | 3 ---
 sys/kern/kern_jail.c | 1 -
 sys/kern/vfs_extattr.c | 10 ----------
 sys/kern/vfs_syscalls.c | 10 ----------
 4 files changed, 24 deletions(-)
diff --git a/sys/compat/linux/linux_stats.c b/sys/compat/linux/linux_stats.c
index da08a10f2187..d0c52311e110 100644
--- a/sys/compat/linux/linux_stats.c
+++ b/sys/compat/linux/linux_stats.c
@@ -331,9 +331,6 @@ linux_ustat(struct thread *td, struct linux_ustat_args *args)
 if (dev != NULL && vfinddev(dev, &vp)) {
 if (vp->v_mount == NULL)
 return (EINVAL);
- error = prison_canseemount(td->td_ucred, vp->v_mount);
- if (error)
- return (error);
 #ifdef MAC
 error = mac_check_mount_stat(td->td_ucred, vp->v_mount);
 if (error)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 9ca85c6a4d72..c3d1f9ad32d7 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -488,7 +488,6 @@ prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp)
 return;
 pr = cred->cr_prison;
 if (prison_canseemount(cred, mp) != 0) {
- /* Should never happen. */
 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
 strlcpy(sp->f_mntonname, "[restricted]",
 sizeof(sp->f_mntonname));
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index fe796dc0ab59..fb7f46775861 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -257,11 +257,6 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
 sp = &mp->mnt_stat;
 NDFREE(&nd, NDF_ONLY_PNBUF);
 vrele(nd.ni_vp);
- error = prison_canseemount(td->td_ucred, mp);
- if (error) {
- mtx_unlock(&Giant);
- return (error);
- }
 #ifdef MAC
 error = mac_check_mount_stat(td->td_ucred, mp);
 if (error) {
@@ -335,11 +330,6 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
 mtx_unlock(&Giant);
 return (EBADF);
 }
- error = prison_canseemount(td->td_ucred, mp);
- if (error) {
- mtx_unlock(&Giant);
- return (error);
- }
 #ifdef MAC
 error = mac_check_mount_stat(td->td_ucred, mp);
 if (error) {
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index fe796dc0ab59..fb7f46775861 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -257,11 +257,6 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
 sp = &mp->mnt_stat;
 NDFREE(&nd, NDF_ONLY_PNBUF);
 vrele(nd.ni_vp);
- error = prison_canseemount(td->td_ucred, mp);
- if (error) {
- mtx_unlock(&Giant);
- return (error);
- }
 #ifdef MAC
 error = mac_check_mount_stat(td->td_ucred, mp);
 if (error) {
@@ -335,11 +330,6 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
 mtx_unlock(&Giant);
 return (EBADF);
 }
- error = prison_canseemount(td->td_ucred, mp);
- if (error) {
- mtx_unlock(&Giant);
- return (error);
- }
 #ifdef MAC
 error = mac_check_mount_stat(td->td_ucred, mp);
 if (error) {
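Review bot: Once the early `prison_canseemount()` returns are gone from kern_statfs and kern_fstatfs (in both vfs_extattr.c and vfs_syscalls.c, and likewise from linux_ustat), nothing in these hunks says where jail filtering of the result now happens, so a jailed caller reaches the `mac_check_mount_stat()` step for mounts it is not meant to see. The only scrubbing visible in this patch is the branch in prison_enforce_statfs that overwrites `f_mntonname` with "[restricted]"; `f_mntfromname` and the other struct statfs fields are not touched in the lines shown, so whether they are intended to stay visible inside a jail should be stated. If that function is where the restriction is now applied, I would add a comment at each removal point such as `/* Jail visibility is applied to the copied-out statfs by prison_enforce_statfs(), not here. */` and confirm that every path that hands `mp->mnt_stat` back to userland passes through it. All of these functions start and end outside their hunks, so the later call sites cannot be verified from this page.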