Date:      Mon, 27 Apr 2009 19:02:09 GMT
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/134050: cpuset allows change of the jail's set from inside the jail
Message-ID:  <200904271902.n3RJ29at024522@www.freebsd.org>
Resent-Message-ID: <200904271910.n3RJA11t052105@freefall.freebsd.org>


>Number:         134050
>Category:       kern
>Synopsis:       cpuset allows change of the jail's set from inside the jail
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 27 19:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Miroslav Lachman
>Release:        FreeBSD 7.2-RC1 i386 GENERIC
>Organization:
codeLab.cz
>Environment:
7.2-RC1 FreeBSD 7.2-RC1 #0: Wed Apr 15 20:34:10 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If some jail is bound to specified core(s) by the cpuset command (by the root user of the host system), this can be changed from inside the jail (by the root user inside the jail).


>How-To-Repeat:
Start the jail on a multi-core machine and set it to run on one CPU core:

root@host# cpuset -l 0 -j 1

Now log in to the jail as root and run the cpuset command:

root@injail# cpuset -l 0,1 -j 1

The jail is running on two cores

root@host# cpuset -g -j 1
jail 1 mask: 0, 1
>Fix:
Bjoern A. Zeeb posted the attached patch, which works for me.

http://lists.freebsd.org/pipermail/freebsd-jail/2009-April/000833.html

root@72-rc1 ~/# jls
   JID  IP Address      Hostname                      Path
     1                  alpha.test                    /usr/jail/alpha

root@72-rc1 ~/# jexec 1 tcsh

root@alpha //# cpuset -l 0 -j 1
cpuset: setaffinity: Operation not permitted

root@alpha //# cpuset -l 0 -r -j 1
cpuset: setaffinity: Operation not permitted 

Patch attached with submission follows:

Index: sys/kern/kern_cpuset.c
===================================================================
--- sys/kern/kern_cpuset.c	(revision 190341)
+++ sys/kern/kern_cpuset.c	(working copy)
@@ -357,6 +357,15 @@
 	if (error)
 		return (error);
 	/*
+	 * In case we are called from within the jail
+	 * we do not allow modifying the dedicated root
+	 * cpuset of the jail but may still allow to
+	 * change child sets.
+	 */
+	if (jailed(curthread->td_ucred) &&
+	    set->cs_flags & CPU_SET_ROOT)
+		return (EPERM);
+	/*
 	 * Verify that we have access to this set of
 	 * cpus.
 	 */
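Review bot: The added condition refuses a jailed caller for every set flagged CPU_SET_ROOT, while the comment above it speaks only of "the dedicated root cpuset of the jail"; the comment should say which of the two is intended, since the test does not compare the set against the caller's own jail. The bit test would also read more safely with explicit parentheses, for example `(set->cs_flags & CPU_SET_ROOT) != 0`, so the mix of `&&` and `&` does not depend on the reader recalling operator precedence. It would help to state in the comment that changes to child sets remain bounded by the existing "Verify that we have access to this set of cpus" check that follows, because that is what keeps a jailed root from widening a child set beyond the mask the host assigned.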


>Release-Note:
>Audit-Trail:
>Unformatted:


