Date: Tue, 28 Apr 2009 21:00:50 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r191639 - head/sys/kern Message-ID: <200904282100.n3SL0ohI059844@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bz Date: Tue Apr 28 21:00:50 2009 New Revision: 191639 URL: http://svn.freebsd.org/changeset/base/191639 Log: Prevent a superuser inside a jail from modifying the dedicated root cpuset of that jail. Processes inside the jail will still be able to change child sets. A superuser outside of a jail will still be able to change the jail cpuset and thus limit the number of cpus available to the jail. Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman) PR: kern/134050 Reviewed by: jeff MFC after: 3 weeks X-MFC: backout r191596 Modified: head/sys/kern/kern_cpuset.c Modified: head/sys/kern/kern_cpuset.c ============================================================================== --- head/sys/kern/kern_cpuset.c Tue Apr 28 20:49:47 2009 (r191638) +++ head/sys/kern/kern_cpuset.c Tue Apr 28 21:00:50 2009 (r191639) @@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset if (error) return (error); /* + * In case we are called from within the jail + * we do not allow modifying the dedicated root + * cpuset of the jail but may still allow to + * change child sets. + */ + if (jailed(curthread->td_ucred) && + set->cs_flags & CPU_SET_ROOT) + return (EPERM); + /* * Verify that we have access to this set of * cpus. */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200904282100.n3SL0ohI059844>