jail extensions

Julian Elischer julian at elischer.org
Fri Jun 9 13:24:48 UTC 2006


Alex Lyashkov wrote:

>>2) at MOD_LOAD case run loop for each prison and init private data for
>>this module at all contexts. This way the module always 'exists' in all
>>contexts,
>>and disable module compiling (loading) when the module isn't marked jail
>>safe.
>>    
>>
>example for this way.
>http://cvs.freevps.com/index.cgi/kernel/include/linux/freevps/s_context_xfrm.h?rev=1.3
>http://cvs.freevps.com/index.cgi/kernel/net/ipv4/ah4.c?rev=1.3
>ah4_init/ah4_fini functions.
>  
>

This is the bit that is obvious.

The hard bit is the non-obvious difficulty of changing all existing
modules in such a way that they can be compiled both in the new way,
and in a way that they are still compiled to the old way.

You need to put all the currently global variables into a structure
that can be instantiated for each jail, but in order to make this
continue to work in the existing system, they still need to be
compiled as a global when the normal build is made.

For this reason Marco and I were looking at various macros that can be
defined to allow the variables to be compiled both ways.

For example:


int xx;
static int yy;
struct a {
  int aa;
  int bb;
} cc;

might become:

VM_GLOBAL_START(modname)
   int xx;
   VMG_STATIC int yy;
   struct a {
     int aa;
     int bb;
   } cc;
VM_GLOBAL_STOP(modname)


You would access these as:
 VM_GLOBAL(modname, yy) = 2;
 foobar(VM_GLOBAL_STRUCT(cc, modname)->bb);

or similar.
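
The dual-build idea above, as an added example that is not part of the original message and not FreeBSD code: one possible set of definitions for the macros the message names, so the same module source keeps plain globals in a normal build and gets one private instance per jail otherwise. The switch VM_PER_JAIL, the names struct modname_vmg, modname_jails, modname_cur and jail_switch, and the helpers mod_set and mod_sum are assumptions made for illustration.

```c
#ifndef VM_PER_JAIL
#define VM_PER_JAIL 1                 /* 0 = traditional global build */
#endif
#if VM_PER_JAIL  /* declarations become members of one per-jail struct */
#define VM_GLOBAL_START(mod)     struct mod##_vmg {
#define VM_GLOBAL_STOP(mod)      };
#define VMG_STATIC               /* no storage class on a member */
#define VM_GLOBAL(mod, v)        (mod##_cur->v)
#define VM_GLOBAL_STRUCT(v, mod) (&mod##_cur->v)
#else            /* markers vanish, plain globals remain */
#define VM_GLOBAL_START(mod)
#define VM_GLOBAL_STOP(mod)
#define VMG_STATIC               static
#define VM_GLOBAL(mod, v)        (v)
#define VM_GLOBAL_STRUCT(v, mod) (&(v))
#endif

VM_GLOBAL_START(modname)
    int xx;
    VMG_STATIC int yy;
    struct a {
        int aa;
        int bb;
    } cc;
VM_GLOBAL_STOP(modname)

#if VM_PER_JAIL
static struct modname_vmg modname_jails[2];   /* one instance per jail */
static struct modname_vmg *modname_cur = &modname_jails[0];
static void jail_switch(int id) { modname_cur = &modname_jails[id]; }
#else
static void jail_switch(int id) { (void)id; } /* single shared instance */
#endif
/* Module code below is identical in both builds. */
static void mod_set(int jail, int y, int b) {
    jail_switch(jail);
    VM_GLOBAL(modname, yy) = y;
    VM_GLOBAL_STRUCT(cc, modname)->bb = b;
}
static int mod_sum(int jail) {
    jail_switch(jail);
    return VM_GLOBAL(modname, yy) + VM_GLOBAL_STRUCT(cc, modname)->bb;
}

int main(void) {
    mod_set(0, 2, 10);
    mod_set(1, 7, 20);   /* must not disturb jail 0 in the per-jail build */
    return !(mod_sum(0) == 12 && mod_sum(1) == 27);
}
```

Built with -DVM_PER_JAIL=0 the second mod_set overwrites the first, which is the cross-jail state sharing the per-jail layout removes.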







More information about the freebsd-arch mailing list