Date:      Tue, 25 Aug 2009 15:54:53 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r196544 - in stable/7: sys sys/contrib/pf sys/kern usr.bin/cpuset usr.sbin/jail
Message-ID:  <200908251554.n7PFsrRQ032504@svn.freebsd.org>

Author: bz
Date: Tue Aug 25 15:54:52 2009
New Revision: 196544
URL: http://svn.freebsd.org/changeset/base/196544

Log:
  Backout r191596:
    Document an issue of jail(8) in conjunction with cpuset(1).
  
  MFC r191639:
    Prevent a superuser inside a jail from modifying the dedicated
    root cpuset of that jail.
    Processes inside the jail will still be able to change child sets.
    A superuser outside of a jail will still be able to change the jail cpuset
    and thus limit the number of cpus available to the jail.
  
    Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman)
    PR:           kern/134050
    Reviewed by:  jeff

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/kern/kern_cpuset.c
  stable/7/usr.bin/cpuset/cpuset.1
  stable/7/usr.sbin/jail/jail.8

Modified: stable/7/sys/kern/kern_cpuset.c
==============================================================================
--- stable/7/sys/kern/kern_cpuset.c	Tue Aug 25 14:08:33 2009	(r196543)
+++ stable/7/sys/kern/kern_cpuset.c	Tue Aug 25 15:54:52 2009	(r196544)
@@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset
 	if (error)
 		return (error);
 	/*
+	 * In case we are called from within the jail
+	 * we do not allow modifying the dedicated root
+	 * cpuset of the jail but may still allow to
+	 * change child sets.
+	 */
+	if (jailed(curthread->td_ucred) &&
+	    set->cs_flags & CPU_SET_ROOT)
+		return (EPERM);
+	/*
 	 * Verify that we have access to this set of
 	 * cpus.
 	 */
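
Review bot: The new condition in cpuset_modify() mixes `&&` with an unparenthesized bitwise test, `jailed(curthread->td_ucred) && set->cs_flags & CPU_SET_ROOT`. Precedence makes it evaluate as intended, but writing it as `(set->cs_flags & CPU_SET_ROOT) != 0` makes the intent explicit and avoids compiler warnings about mixed operators. The check also rejects every set flagged CPU_SET_ROOT for any jailed caller, not only the caller's own jail root, so the comment should say that. Its wording "may still allow to change child sets" would read better as "still allow changing child sets".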

Modified: stable/7/usr.bin/cpuset/cpuset.1
==============================================================================
--- stable/7/usr.bin/cpuset/cpuset.1	Tue Aug 25 14:08:33 2009	(r196543)
+++ stable/7/usr.bin/cpuset/cpuset.1	Tue Aug 25 15:54:52 2009	(r196544)
@@ -177,9 +177,3 @@ command first appeared in
 .Fx 7.1 .
 .Sh AUTHORS
 .An Jeffrey Roberson Aq jeff@FreeBSD.org
-.Sh BUGS
-At the moment it is possible for a superuser inside a
-.Xr jail 8
-to modify the root
-.Xr cpuset 2
-of that jail.
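
Review bot: Missing documentation: the BUGS section is removed from cpuset.1, but nothing replaces it to describe the behaviour the kernel change introduces. A superuser inside a jail who tries to modify the jail's root set now gets EPERM, and the manual page should say so in a sentence, so that administrators do not read the failure as a misconfiguration.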

Modified: stable/7/usr.sbin/jail/jail.8
==============================================================================
--- stable/7/usr.sbin/jail/jail.8	Tue Aug 25 14:08:33 2009	(r196543)
+++ stable/7/usr.sbin/jail/jail.8	Tue Aug 25 15:54:52 2009	(r196544)
@@ -699,9 +699,3 @@ Currently, the simplest answer is to min
 offered on the host, possibly limiting it to services offered from
 .Xr inetd 8
 which is easily configurable.
-.Pp
-At the moment it is possible for a superuser inside a
-.Nm
-to modify the root
-.Xr cpuset 2
-of that jail.
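
Review bot: Missing documentation: with this paragraph gone, jail.8 no longer mentions cpuset at all at this point. The commit log states two guarantees: processes inside the jail can still change child sets, and a superuser outside the jail can still change the jail cpuset to limit the cpus available to it. Consider replacing the removed caveat with a short paragraph stating both, since this is the isolation property a host administrator relies on.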


