svn commit: r191639 - head/sys/kern
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Apr 28 21:00:51 UTC 2009
Author: bz
Date: Tue Apr 28 21:00:50 2009
New Revision: 191639
URL: http://svn.freebsd.org/changeset/base/191639
Log:
Prevent a superuser inside a jail from modifying the dedicated
root cpuset of that jail.
Processes inside the jail will still be able to change child sets.
A superuser outside of a jail will still be able to change the jail cpuset
and thus limit the number of cpus available to the jail.
Problem reported by: 000.fbsd at quip.cz (Miroslav Lachman)
PR: kern/134050
Reviewed by: jeff
MFC after: 3 weeks
X-MFC: backout r191596
Modified:
head/sys/kern/kern_cpuset.c
Modified: head/sys/kern/kern_cpuset.c
==============================================================================
--- head/sys/kern/kern_cpuset.c Tue Apr 28 20:49:47 2009 (r191638)
+++ head/sys/kern/kern_cpuset.c Tue Apr 28 21:00:50 2009 (r191639)
@@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset
if (error)
return (error);
/*
+ * In case we are called from within the jail
+ * we do not allow modifying the dedicated root
+ * cpuset of the jail but may still allow to
+ * change child sets.
+ */
+ if (jailed(curthread->td_ucred) &&
+ set->cs_flags & CPU_SET_ROOT)
+ return (EPERM);
+ /*
* Verify that we have access to this set of
* cpus.
*/
More information about the svn-src-head
mailing list