Date: Mon, 3 Aug 2009 12:37:50 GMT From: Marko Zec <zec@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 166961 for review Message-ID: <200908031237.n73CboGC034520@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=166961
Change 166961 by zec@zec_tpx32 on 2009/08/03 12:37:40
Introduce socreate_vnet() function, which allows for sockets to be created in a vnet different from the current administrative vnet, i.e. the one defined by the curthread's ucred. Force RPC sockets to always beceme open in vnet0, which should allow NFS client mounts created in vnet0 to be accessible from non-default vnets. Ideally, NFS mounts would keep track in which vnet they have been created, in which case we wouldn't have to hardcode NFS to vnet0. Note that there's still nothing to prevent NFS mounts to be requested from non-default vnets, which will most probably never succed, and / or lead to cross-vnet leaks, and / or may lead to panics. Hence, we should impose some barriers to jailed processes from requesting any NFS mount / export operations.
Affected files ...
.. //depot/projects/vimage-commit2/src/sys/kern/uipc_socket.c#30 edit
.. //depot/projects/vimage-commit2/src/sys/rpc/rpc_generic.c#5 edit
.. //depot/projects/vimage-commit2/src/sys/sys/socketvar.h#9 edit
Differences ...
==== //depot/projects/vimage-commit2/src/sys/kern/uipc_socket.c#30 (text+ko) ====
@@ -342,6 +342,24 @@
 socreate(int dom, struct socket **aso, int type, int proto,
 struct ucred *cred, struct thread *td)
 {
+
+#ifndef VIMAGE
+ return (socreate_vnet(dom, aso, type, proto, cred, td, NULL);
+#else
+ return (socreate_vnet(dom, aso, type, proto, cred, td,
+ CRED_TO_VNET(cred)));
+#endif
+}
+
+/*
+ * socreate_vnet returns a socket with a ref count of 1 in a vnet possibly
+ * different from CRED_TO_VNET(cred). The socket should be closed with
+ * soclose().
+ */
+int
+socreate_vnet(int dom, struct socket **aso, int type, int proto,
+ struct ucred *cred, struct thread *td, struct vnet *vnet)
+{
 struct protosw *prp;
 struct socket *so;
 int error;
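Review bot: The `#ifndef VIMAGE` branch of socreate() has unbalanced parentheses — `return (socreate_vnet(dom, aso, type, proto, cred, td, NULL);` opens two and closes one — so a non-VIMAGE kernel will not compile this file; it should read `return (socreate_vnet(dom, aso, type, proto, cred, td, NULL));`. The new comment on socreate_vnet() should also state the trust boundary explicitly, since this is the first socket constructor that decouples the vnet from the credential; something like `Callers are responsible for ensuring that cred is permitted to operate in vnet; no cross-vnet authorization check is performed here.` would tell future callers what the function does not do for them. Whether soalloc() tolerates the NULL vnet handed over in the non-VIMAGE branch is not visible here, and the body of socreate_vnet() continues past the end of the hunk.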
@@ -360,7 +378,7 @@
 if (prp->pr_type != type)
 return (EPROTOTYPE);
- so = soalloc(CRED_TO_VNET(cred));
+ so = soalloc(vnet);
 if (so == NULL)
 return (ENOBUFS);
==== //depot/projects/vimage-commit2/src/sys/rpc/rpc_generic.c#5 (text+ko) ====
@@ -258,8 +258,8 @@
 return 0;
 so = NULL;
- error = socreate(si.si_af, &so, si.si_socktype, si.si_proto,
- curthread->td_ucred, curthread);
+ error = socreate_vnet(si.si_af, &so, si.si_socktype, si.si_proto,
+ curthread->td_ucred, curthread, vnet0);
 if (error)
 return NULL;
==== //depot/projects/vimage-commit2/src/sys/sys/socketvar.h#9 (text+ko) ====
@@ -329,6 +329,8 @@
 int socow_setup(struct mbuf *m0, struct uio *uio);
 int socreate(int dom, struct socket **aso, int type, int proto,
 struct ucred *cred, struct thread *td);
+int socreate_vnet(int dom, struct socket **aso, int type, int proto,
+ struct ucred *cred, struct thread *td, struct vnet *vnet);
 int sodisconnect(struct socket *so);
 struct sockaddr *sodupsockaddr(const struct sockaddr *sa, int mflags);
 void sofree(struct socket *so);
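Review bot: `so = soalloc(vnet);` now hands a caller-supplied pointer to soalloc() with no check, whereas the previous `CRED_TO_VNET(cred)` was always derived from a credential on a VIMAGE kernel; socreate() and the rpc_generic.c caller happen to pass non-NULL values, but socreate_vnet() is exported through socketvar.h and nothing enforces that for other callers. A guard just before the call, `#ifdef VIMAGE` / `KASSERT(vnet != NULL, ("socreate_vnet: NULL vnet"));` / `#endif`, would catch the mistake at the constructor rather than at a later dereference, if soalloc() stores the pointer as the replaced line suggests. Both socreate_vnet() and soalloc() start and end outside this hunk.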
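Review bot: The rpc_generic.c call passes `vnet0` unconditionally, while the socreate() wrapper in uipc_socket.c guards its vnet argument with `#ifndef VIMAGE` and passes NULL there; if `vnet0` is only declared on VIMAGE kernels, this hunk will fail to build without the same conditional (`vnet0` under VIMAGE, `NULL` otherwise) or a helper that hides the distinction. Pinning RPC sockets to vnet0 also means `curthread->td_ucred` no longer decides which network stack the socket lands in, so a short comment at the call site naming why would help the next reader, e.g. `/* RPC sockets are always created in vnet0 so NFS mounts made there stay reachable; see socreate_vnet(). */`. The enclosing function starts and ends outside this hunk.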