From owner-svn-src-stable-9@FreeBSD.ORG Wed May 22 18:26:13 2013
Delivered-To: svn-src-stable-9@freebsd.org
Message-Id: <201305221826.r4MIQCTM008747@svn.freebsd.org>
From: Jamie Gritton
Date: Wed, 22 May 2013 18:26:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r250915 - in stable/9: etc etc/rc.d sys/kern
List-Id: SVN commit messages for only the 9-stable src tree

Author: jamie
Date: Wed May 22 18:26:12 2013
New Revision: 250915
URL: http://svnweb.freebsd.org/changeset/base/250915

Log:
  MFC r250804:

  Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
  apply to most jails but do apply to vnet jails. This includes adding a
  new sysctl "security.jail.vnet" to identify vnet jails.

  PR:		conf/149050
  Submitted by:	mdodd

Modified:
  stable/9/etc/rc
  stable/9/etc/rc.d/ipfw
  stable/9/etc/rc.d/netif
  stable/9/etc/rc.d/routing
  stable/9/etc/rc.shutdown
  stable/9/sys/kern/kern_jail.c
Directory Properties:
  stable/9/etc/   (props changed)
  stable/9/etc/rc.d/   (props changed)
  stable/9/sys/   (props changed)

Modified: stable/9/etc/rc
==============================================================================
--- stable/9/etc/rc	Wed May 22 17:47:45 2013	(r250914)
+++ stable/9/etc/rc	Wed May 22 18:26:12 2013	(r250915)
@@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jail if [ "$early_late_divider" = "FILESYSTEMS" ]; then early_late_divider=NETWORKING fi + if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then + skip="$skip -s nojailvnet" + fi fi # Do a first pass to get everything up to $early_late_divider so that Modified: stable/9/etc/rc.d/ipfw ============================================================================== --- stable/9/etc/rc.d/ipfw Wed May 22 17:47:45 2013 (r250914) +++ stable/9/etc/rc.d/ipfw Wed May 22 18:26:12 2013 (r250915) @@ -5,7 +5,7 @@ # PROVIDE: ipfw # REQUIRE: ppp -# KEYWORD: nojail +# KEYWORD: nojailvnet . /etc/rc.subr . /etc/network.subr Modified: stable/9/etc/rc.d/netif ============================================================================== --- stable/9/etc/rc.d/netif Wed May 22 17:47:45 2013 (r250914) +++ stable/9/etc/rc.d/netif Wed May 22 18:26:12 2013 (r250915) @@ -28,7 +28,7 @@ # PROVIDE: netif # REQUIRE: atm1 FILESYSTEMS serial sppp sysctl # REQUIRE: ipfilter ipfs -# KEYWORD: nojail +# KEYWORD: nojailvnet . /etc/rc.subr . /etc/network.subr Modified: stable/9/etc/rc.d/routing ============================================================================== --- stable/9/etc/rc.d/routing Wed May 22 17:47:45 2013 (r250914) +++ stable/9/etc/rc.d/routing Wed May 22 18:26:12 2013 (r250915) @@ -7,7 +7,7 @@ # PROVIDE: routing # REQUIRE: faith netif ppp stf -# KEYWORD: nojail +# KEYWORD: nojailvnet . /etc/rc.subr . /etc/network.subr Modified: stable/9/etc/rc.shutdown ============================================================================== --- stable/9/etc/rc.shutdown Wed May 22 17:47:45 2013 (r250914) +++ stable/9/etc/rc.shutdown Wed May 22 18:26:12 2013 (r250915) 
@@ -81,7 +81,12 @@ fi # and perform the operation # rcorder_opts="-k shutdown" -[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail" +if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then + rcorder_opts="$rcorder_opts -s nojail" + if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then + rcorder_opts="$rcorder_opts -s nojailvnet" + fi +fi case ${local_startup} in [Nn][Oo] | '') ;; Modified: stable/9/sys/kern/kern_jail.c ============================================================================== --- stable/9/sys/kern/kern_jail.c Wed May 22 17:47:45 2013 (r250914) +++ stable/9/sys/kern/kern_jail.c Wed May 22 18:26:12 2013 (r250915) @@ -4147,6 +4147,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, ja CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_jailed, "I", "Process in jail?"); +static int +sysctl_jail_vnet(SYSCTL_HANDLER_ARGS) +{ + int error, havevnet; +#ifdef VIMAGE + struct ucred *cred = req->td->td_ucred; + + havevnet = jailed(cred) && prison_owns_vnet(cred); +#else + havevnet = 0; +#endif + error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet)); + + return (error); +} + +SYSCTL_PROC(_security_jail, OID_AUTO, vnet, + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, + sysctl_jail_vnet, "I", "Jail owns VNET?"); + #if defined(INET) || defined(INET6) SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW, &jail_max_af_ips, 0,
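Review bot: in the etc/rc hunk, the new test '[ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]' fails open on a kernel that does not yet have the security.jail.vnet OID (for example a userland updated ahead of the kernel, which is exactly the situation a stable/9 MFC creates): sysctl prints nothing on stdout, the unquoted substitution leaves test(1) with "-ne 1", which is a syntax error and a non-zero exit, so "-s nojailvnet" is never appended and the nojailvnet scripts (ipfw, netif, routing) are run inside a non-vnet jail. Quoting the substitution and comparing as a string, e.g. 'if [ "$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)" != 1 ]; then', makes a missing or unreadable sysctl behave as "not a vnet jail", which is the conservative default.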
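Review bot: the rc.d/ipfw hunk (and identically netif and routing) changes "# KEYWORD: nojail" to "# KEYWORD: nojailvnet", but the new keyword's meaning, skipped in jails that do not own a vnet and run both in vnet jails and on the host, is not documented anywhere in this change: the Modified list has only etc/, etc/rc.d/ and sys/kern entries and no rc(8) or rc.conf(5) page. Since third-party scripts picked up through local_startup (visible in the rc.shutdown context) can only opt in by listing the keyword, it should be described next to nojail in the same commit.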
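Review bot: the rc.shutdown hunk repeats the jailed/vnet logic from etc/rc, including the unquoted "-ne 1" comparison, so the same fail-open behaviour on a kernel without security.jail.vnet applies at shutdown: the nojailvnet scripts would be run inside a non-vnet jail. Apply the same quoted string comparison with "not a vnet jail" as the default here, and since the two copies must now stay in sync, consider moving the computation of the skip flags into a shared helper in rc.subr (sourced by both files) rather than keeping two hand-maintained copies.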
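Review bot: sysctl_jail_vnet in the kern_jail.c hunk returns "jailed(cred) && prison_owns_vnet(cred)", so it reads 0 for an unjailed process even on a VIMAGE kernel; that matches the description string "Jail owns VNET?" and the rc callers only consult it after security.jail.jailed is 1, but a short comment above the handler stating that the value is only meaningful inside a jail would stop future callers from treating security.jail.vnet as a general "this context has its own vnet" flag. Minor: the error variable is write-once and the body can simply be "return (SYSCTL_OUT(req, &havevnet, sizeof(havevnet)));".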