[Bug 253724] FreeBSD 13.0-BETA3: jail: cpuset: setaffinity: Resource deadlock avoided
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Mar 4 02:04:52 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253724
--- Comment #5 from commit-hook at FreeBSD.org ---
A commit in branch stable/13 references this bug:
URL:
https://cgit.FreeBSD.org/src/commit/?id=c4ccb6d1be1f00ebcda9e83f06db55f9d6c152ac
commit c4ccb6d1be1f00ebcda9e83f06db55f9d6c152ac
Author: Kyle Evans <kevans at FreeBSD.org>
AuthorDate: 2021-02-26 21:46:47 +0000
Commit: Kyle Evans <kevans at FreeBSD.org>
CommitDate: 2021-03-04 02:04:10 +0000
jail: allow root to implicitly widen its cpuset to attach
The default behavior for attaching processes to jails is that the jail's
cpuset augments the attaching processes, so that it cannot be used to
escalate a user's ability to take advantage of more CPUs than the
administrator wanted them to.
This is problematic when root needs to manage jails that have disjoint
sets with whatever process is attaching, as this would otherwise result
in a deadlock. Therefore, if we did not have an appropriate common
subset of cpus/domains for our new policy, we now allow the process to
simply take on the jail set *if* it has the privilege to widen its mask
anyways.
With the new logic, root can still usefully cpuset a process that
attaches to a jail with the desire of maintaining the set it was given
pre-attachment while still retaining the ability to manage child jails
without jumping through hoops.
A test has been added to demonstrate the issue; cpuset of a process
down to just the first CPU and attempting to attach to a jail without
access to any of the same CPUs previously resulted in EDEADLK and now
results in taking on the jail's mask for privileged users.
PR: 253724
(cherry picked from commit 60c4ec806dfd0f79edf8ca3abc04bbb69c0418f7)
lib/libc/tests/sys/cpuset_test.c | 203 ++++++++++++++++++++++++++++++++++++++-
sys/kern/kern_cpuset.c | 8 ++
2 files changed, 210 insertions(+), 1 deletion(-)
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-bugs
mailing list