Date:      Wed, 22 May 2013 18:26:12 +0000 (UTC)
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r250915 - in stable/9: etc etc/rc.d sys/kern
Message-ID:  <201305221826.r4MIQCTM008747@svn.freebsd.org>

Author: jamie
Date: Wed May 22 18:26:12 2013
New Revision: 250915
URL: http://svnweb.freebsd.org/changeset/base/250915

Log:
  MFC r250804:
  
    Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
    apply to most jails but do apply to vnet jails.  This includes adding
    a new sysctl "security.jail.vnet" to identify vnet jails.
  
  PR:		conf/149050
  Submitted by:	mdodd

Modified:
  stable/9/etc/rc
  stable/9/etc/rc.d/ipfw
  stable/9/etc/rc.d/netif
  stable/9/etc/rc.d/routing
  stable/9/etc/rc.shutdown
  stable/9/sys/kern/kern_jail.c
Directory Properties:
  stable/9/etc/   (props changed)
  stable/9/etc/rc.d/   (props changed)
  stable/9/sys/   (props changed)

Modified: stable/9/etc/rc
==============================================================================
--- stable/9/etc/rc	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc	Wed May 22 18:26:12 2013	(r250915)
@@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jail
 	if [ "$early_late_divider" = "FILESYSTEMS" ]; then
 		early_late_divider=NETWORKING
 	fi
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		skip="$skip -s nojailvnet"
+	fi
 fi
 
 # Do a first pass to get everything up to $early_late_divider so that
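Review bot: The added `if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]` test fails open when the sysctl is absent: on a kernel that predates this commit the substitution expands to nothing, test(1) sees `[ -ne 1 ]` and exits non-zero with a syntax error, and `-s nojailvnet` is never appended, so ipfw, netif and routing (which were `nojail` before this change) would run inside an ordinary jail. Since this is an MFC to stable/9 where world and kernel can be out of step, a quoted comparison that defaults to skipping is the safer spelling: `if [ "$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)" != "1" ]; then`. The enclosing `if [ `/sbin/sysctl -n security.jail.jailed` ... ]` block starts above the hunk; only its tail and the closing `fi` are visible here.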

Modified: stable/9/etc/rc.d/ipfw
==============================================================================
--- stable/9/etc/rc.d/ipfw	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc.d/ipfw	Wed May 22 18:26:12 2013	(r250915)
@@ -5,7 +5,7 @@
 
 # PROVIDE: ipfw
 # REQUIRE: ppp
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr

Modified: stable/9/etc/rc.d/netif
==============================================================================
--- stable/9/etc/rc.d/netif	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc.d/netif	Wed May 22 18:26:12 2013	(r250915)
@@ -28,7 +28,7 @@
 # PROVIDE: netif
 # REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
 # REQUIRE: ipfilter ipfs
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr

Modified: stable/9/etc/rc.d/routing
==============================================================================
--- stable/9/etc/rc.d/routing	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc.d/routing	Wed May 22 18:26:12 2013	(r250915)
@@ -7,7 +7,7 @@
 
 # PROVIDE: routing
 # REQUIRE: faith netif ppp stf
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr

Modified: stable/9/etc/rc.shutdown
==============================================================================
--- stable/9/etc/rc.shutdown	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc.shutdown	Wed May 22 18:26:12 2013	(r250915)
@@ -81,7 +81,12 @@ fi
 # and perform the operation
 #
 rcorder_opts="-k shutdown"
-[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
+if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+	rcorder_opts="$rcorder_opts -s nojail"
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		rcorder_opts="$rcorder_opts -s nojailvnet"
+	fi
+fi
 
 case ${local_startup} in
 [Nn][Oo] | '') ;;
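Review bot: The added inner `if` on the vnet sysctl has the same unquoted-substitution shape as the `jailed` test above it, and it fails open in the same way: when the sysctl does not exist the substitution is empty, test(1) errors out, and `-s nojailvnet` is not appended, so the formerly-`nojail` network scripts would be run at shutdown inside a non-vnet jail. Quoting the substitution and comparing against the string makes the missing-sysctl case skip instead: `if [ "$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)" != "1" ]; then`. This check is now duplicated verbatim in etc/rc; keeping both spellings identical (or hoisting it into rc.subr) avoids the two drifting apart.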

Modified: stable/9/sys/kern/kern_jail.c
==============================================================================
--- stable/9/sys/kern/kern_jail.c	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/sys/kern/kern_jail.c	Wed May 22 18:26:12 2013	(r250915)
@@ -4147,6 +4147,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, ja
     CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_jailed, "I", "Process in jail?");
 
+static int
+sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
+{
+	int error, havevnet;
+#ifdef VIMAGE
+	struct ucred *cred = req->td->td_ucred;
+
+	havevnet = jailed(cred) && prison_owns_vnet(cred);
+#else
+	havevnet = 0;
+#endif
+	error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
+
+	return (error);
+}
+
+SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    sysctl_jail_vnet, "I", "Jail owns VNET?");
+
 #if defined(INET) || defined(INET6)
 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
     &jail_max_af_ips, 0,


