| author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-04-15 21:09:55 +0000 |
|---|---|---|
| committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-04-15 21:09:55 +0000 |
| commit | 111e3e8e70d0358526a5bc114eeb6d3b089e0d3b (patch) | |
| tree | 2f217c8165715e34bd184cfa6c9c024752c0b18d | |
| parent | 7652b10523b05b4d89e5deb010e8b0ea590ceb7d (diff) | |
| download | illumos-joyent-111e3e8e70d0358526a5bc114eeb6d3b089e0d3b.tar.gz | |
OS-3757 Allow disabling of zfs recv for a zone
| -rw-r--r-- | usr/src/man/man1m/zfs.1m | 4 | ||||
| -rw-r--r-- | usr/src/man/man5/privileges.5 | 12 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/zfs/zfs_ioctl.c | 5 | ||||
| -rw-r--r-- | usr/src/uts/common/os/policy.c | 7 | ||||
| -rw-r--r-- | usr/src/uts/common/os/priv_defs | 4 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/policy.h | 1 |
6 files changed, 30 insertions, 3 deletions
diff --git a/usr/src/man/man1m/zfs.1m b/usr/src/man/man1m/zfs.1m
index c71dfa5ab2..3347291fc5 100644
--- a/usr/src/man/man1m/zfs.1m
+++ b/usr/src/man/man1m/zfs.1m
@@ -24,7 +24,7 @@
 .\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
 .\" Copyright (c) 2011, 2014 by Delphix. All rights reserved.
 .\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
-.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
+.\" Copyright (c) 2015, Joyent, Inc. All rights reserved.
 .\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
 .\" Copyright 2014 Nexenta Systems, Inc. All Rights Reserved.
 .\"
@@ -3250,6 +3250,8 @@ specified one are created. If the \fB-e\fR option is specified, then only the last element of the sent snapshot's file system name (i.e. the name of the source file system itself) is used as the target file system name.
 .sp
+The process requires the \fBPRIV_SYS_FS_IMPORT\fR privilege to receive.
+.sp
 .ne 2
 .na
 \fB\fB-d\fR\fR
diff --git a/usr/src/man/man5/privileges.5 b/usr/src/man/man5/privileges.5
index 3b23e2174f..260a768e81 100644
--- a/usr/src/man/man5/privileges.5
+++ b/usr/src/man/man5/privileges.5
@@ -4,7 +4,7 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH PRIVILEGES 5 "Mar 10, 2015"
+.TH PRIVILEGES 5 "Apr 15, 2015"
 .SH NAME
 privileges \- process privilege model
 .SH DESCRIPTION
@@ -690,6 +690,16 @@ Allow a process to configure a system's datalink interfaces.
 .sp
 .ne 2
 .na
+\fB\fBPRIV_SYS_FS_IMPORT\fR\fR
+.ad
+.sp .6
+.RS 4n
+Allow a process to import a potentially untrusted file system (e.g. ZFS recv).
+.RE
+
+.sp
+.ne 2
+.na
 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
 .ad
 .sp .6
diff --git a/usr/src/uts/common/fs/zfs/zfs_ioctl.c b/usr/src/uts/common/fs/zfs/zfs_ioctl.c
index 98c19c591d..12eaaba09f 100644
--- a/usr/src/uts/common/fs/zfs/zfs_ioctl.c
+++ b/usr/src/uts/common/fs/zfs/zfs_ioctl.c
@@ -23,7 +23,7 @@
  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  * Portions Copyright 2011 Martin Matuska
  * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
- * Copyright (c) 2014, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2015, Joyent, Inc. All rights reserved.
  * Copyright (c) 2011, 2014 by Delphix. All rights reserved.
  * Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
  * Copyright (c) 2013 Steven Hartland. All rights reserved.
@@ -945,6 +945,9 @@ zfs_secpolicy_recv(zfs_cmd_t *zc, nvlist_t *innvl, cred_t *cr)
 {
 int error;
 
+ if (secpolicy_fs_import(cr) != 0)
+ return (set_errno(EPERM));
+
 if ((error = zfs_secpolicy_write_perms(zc->zc_name,
 ZFS_DELEG_PERM_RECEIVE, cr)) != 0)
 return (error);
diff --git a/usr/src/uts/common/os/policy.c b/usr/src/uts/common/os/policy.c
index fa943a5c3e..d2bdb4ce37 100644
--- a/usr/src/uts/common/os/policy.c
+++ b/usr/src/uts/common/os/policy.c
@@ -2095,6 +2095,13 @@ secpolicy_meminfo(const cred_t *cr)
 }
 
 int
+secpolicy_fs_import(const cred_t *cr)
+{
+ return (PRIV_POLICY(cr, PRIV_SYS_FS_IMPORT, B_FALSE, EPERM, NULL));
+}
+
+
+int
 secpolicy_pfexec_register(const cred_t *cr)
 {
 return (PRIV_POLICY(cr, PRIV_SYS_ADMIN, B_TRUE, EPERM, NULL));
diff --git a/usr/src/uts/common/os/priv_defs b/usr/src/uts/common/os/priv_defs
index 8776f6e7ae..cc1c5e03a6 100644
--- a/usr/src/uts/common/os/priv_defs
+++ b/usr/src/uts/common/os/priv_defs
@@ -376,6 +376,10 @@ privilege PRIV_SYS_DEVICES
 Allows a process to open the real console device directly.
 Allows a process to open devices that have been exclusively opened.
 
+privilege PRIV_SYS_FS_IMPORT
+
+ Allows a process to import a potentially untrusted file system.
+
 privilege PRIV_SYS_IPC_CONFIG
 
 Allows a process to increase the size of a System V IPC Message
diff --git a/usr/src/uts/common/sys/policy.h b/usr/src/uts/common/sys/policy.h
index ce4da29a97..5328d02c59 100644
--- a/usr/src/uts/common/sys/policy.h
+++ b/usr/src/uts/common/sys/policy.h
@@ -108,6 +108,7 @@ int secpolicy_ipc_owner(const cred_t *, const struct kipc_perm *);
 int secpolicy_kmdb(const cred_t *);
 int secpolicy_lock_memory(const cred_t *);
 int secpolicy_meminfo(const cred_t *);
+int secpolicy_fs_import(const cred_t *);
 int secpolicy_modctl(const cred_t *, int);
 int secpolicy_net(const cred_t *, int, boolean_t);
 int secpolicy_net_bindmlp(const cred_t *); |
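Review bot: The new privilege check returns `set_errno(EPERM)` while the delegation check three lines below it returns the plain error value with `return (error);`, and set_errno() additionally writes the calling lwp's errno as a side effect that nothing else in this callback does. secpolicy_fs_import() already yields EPERM, so write the new check in the same form as the existing one: `if ((error = secpolicy_fs_import(cr)) != 0)` followed by `return (error);`. Presumably the ioctl return path converts the errno for user space exactly as it does for the delegation failure, so the set_errno() call buys nothing — worth confirming against zfsdev_ioctl(), which is outside the hunk. zfs_secpolicy_recv's signature is on the hunk header line and its body continues past the hunk.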
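Review bot: secpolicy_fs_import() is added with no comment saying what it gates, and the two blank `+` lines after its closing brace leave two empty lines before `int` where the surrounding functions in this hunk (the `}` / blank / `int` context above) use one. Drop one of the blank lines and give the function a short header, e.g. `/* Gate import of a potentially untrusted file system (currently zfs receive). Per OS-3757 this is meant to be removable from a zone's privilege set. */`. The policy body itself is a single PRIV_POLICY() call and looks fine.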
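Review bot: The priv_defs description `Allows a process to import a potentially untrusted file system.` is broader than what this commit enforces: the only check visible here is in zfs_secpolicy_recv(), and the privileges.5 text added by the same commit narrows it with `(e.g. ZFS recv)`. Align the two so an administrator reading the privilege description (priv_defs presumably feeds what ppriv -lv prints) learns which operation is gated: `Allows a process to import a potentially untrusted file system (e.g. zfs receive).`. Whether other import paths such as zpool import should also be gated by this privilege is not addressed by the hunk and is worth stating one way or the other where the privilege is defined.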
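Review bot: The new prototype `int secpolicy_fs_import(const cred_t *);` is inserted after secpolicy_meminfo, breaking the alphabetical order the surrounding declarations keep (ipc_owner, kmdb, lock_memory, meminfo, modctl, net, net_bindmlp). Move it up to sit with the other secpolicy_fs_* declarations, which presumably precede secpolicy_ipc_owner outside this hunk, so the next reader finds it where the name says it is.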
