svn commit: r318765 - in head: lib/libc/sys share/man/man4 sys/compat/freebsd32 sys/kern

Allan Jude allanjude at FreeBSD.org
Wed May 24 00:58:32 UTC 2017


Author: allanjude
Date: Wed May 24 00:58:30 2017
New Revision: 318765
URL: https://svnweb.freebsd.org/changeset/base/318765

Log:
  Allow cpuset_{get,set}affinity in capabilities mode
  
  bhyve was recently sandboxed with capsicum, and needs to be able to
  control the CPU sets of its vcpu threads
  
  Reviewed by:	emaste, oshogbo, rwatson
  MFC after:	2 weeks
  Sponsored by:	ScaleEngine Inc.
  Differential Revision:	https://reviews.freebsd.org/D10170

Modified:
  head/lib/libc/sys/cpuset_getaffinity.2
  head/share/man/man4/capsicum.4
  head/sys/compat/freebsd32/capabilities.conf
  head/sys/kern/capabilities.conf
  head/sys/kern/kern_cpuset.c

Modified: head/lib/libc/sys/cpuset_getaffinity.2
==============================================================================
--- head/lib/libc/sys/cpuset_getaffinity.2	Wed May 24 00:36:27 2017	(r318764)
+++ head/lib/libc/sys/cpuset_getaffinity.2	Wed May 24 00:58:30 2017	(r318765)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 2, 2016
+.Dd May 23, 2017
 .Dt CPUSET_GETAFFINITY 2
 .Os
 .Sh NAME
@@ -148,8 +148,14 @@ was either preposterously large or small
 .It Bq Er EPERM
 The calling process did not have the credentials required to complete the
 operation.
+.It Bq Er ECAPMODE
+The calling process attempted to act on a process other than itself, while 
+in capability mode.
+See
+.Xr capsicum 4 .
 .El
 .Sh SEE ALSO
+.Xr capsicum 4 ,
 .Xr cpuset 1 ,
 .Xr cpuset 2 ,
 .Xr cpuset_getid 2 ,

Modified: head/share/man/man4/capsicum.4
==============================================================================
--- head/share/man/man4/capsicum.4	Wed May 24 00:36:27 2017	(r318764)
+++ head/share/man/man4/capsicum.4	Wed May 24 00:58:30 2017	(r318765)
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 5, 2016
+.Dd May 18, 2017
 .Dt CAPSICUM 4
 .Os
 .Sh NAME
@@ -88,6 +88,16 @@ An extension to the POSIX shared memory 
 associated with file descriptors; described in greater detail in
 .Xr shm_open 2 .
 .El
+.Pp
+In some cases,
+.Nm
+limits the valid values of some parameters to traditional APIs in order to
+restrict access to global namespaces:
+.Bl -tag -width indent
+.It process IDs
+Processes can only act upon their own process ID with syscalls such as
+.Xr cpuset_setaffinity 2 .
+.El
 .Sh SEE ALSO
 .Xr cap_enter 2 ,
 .Xr cap_fcntls_limit 2 ,

Modified: head/sys/compat/freebsd32/capabilities.conf
==============================================================================
--- head/sys/compat/freebsd32/capabilities.conf	Wed May 24 00:36:27 2017	(r318764)
+++ head/sys/compat/freebsd32/capabilities.conf	Wed May 24 00:58:30 2017	(r318765)
@@ -76,9 +76,9 @@ close
 closefrom
 connectat
 #cpuset
-#freebsd32_cpuset_getaffinity
+freebsd32_cpuset_getaffinity
 #freebsd32_cpuset_getid
-#freebsd32_cpuset_setaffinity
+freebsd32_cpuset_setaffinity
 #freebsd32_cpuset_setid
 dup
 dup2
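Review bot: The freebsd32 list enables `freebsd32_cpuset_getaffinity` and `freebsd32_cpuset_setaffinity` without the explanatory comment that sys/kern/capabilities.conf gains in this commit, so a reader of this file cannot tell that the entries are only safe because of a pid/tid restriction enforced elsewhere. I would mirror `## cpuset(2) and related calls are limited to caller's own process/thread.` above the `#cpuset` line here as well. The restriction itself lives in kern_cpuset_{get,set}affinity in kern_cpuset.c; this page does not show that the freebsd32 wrappers route through those kernel helpers, and that is worth confirming, since otherwise the 32-bit entry points would be reachable in capability mode without the new checks.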

Modified: head/sys/kern/capabilities.conf
==============================================================================
--- head/sys/kern/capabilities.conf	Wed May 24 00:36:27 2017	(r318764)
+++ head/sys/kern/capabilities.conf	Wed May 24 00:58:30 2017	(r318765)
@@ -133,13 +133,12 @@ closefrom
 connectat
 
 ##
-## cpuset(2) and related calls require scoping by process, but should
-## eventually be allowed, at least in the current process case.
+## cpuset(2) and related calls are limited to caller's own process/thread.
 ##
 #cpuset
-#cpuset_getaffinity
+cpuset_getaffinity
 #cpuset_getid
-#cpuset_setaffinity
+cpuset_setaffinity
 #cpuset_setid
 
 ##

Modified: head/sys/kern/kern_cpuset.c
==============================================================================
--- head/sys/kern/kern_cpuset.c	Wed May 24 00:36:27 2017	(r318764)
+++ head/sys/kern/kern_cpuset.c	Wed May 24 00:58:30 2017	(r318765)
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sched.h>
 #include <sys/smp.h>
 #include <sys/syscallsubr.h>
+#include <sys/capsicum.h>
 #include <sys/cpuset.h>
 #include <sys/sx.h>
 #include <sys/queue.h>
@@ -522,6 +523,7 @@ cpuset_setproc(pid_t pid, struct cpuset 
 	int threads;
 	int nfree;
 	int error;
+
 	/*
 	 * The algorithm requires two passes due to locking considerations.
 	 * 
@@ -1096,6 +1098,15 @@ kern_cpuset_getaffinity(struct thread *t
 
 	if (cpusetsize < sizeof(cpuset_t) || cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
+	/* In Capability mode, you can only get your own CPU set. */
+	if (IN_CAPABILITY_MODE(td)) {
+	    if (level != CPU_LEVEL_WHICH)
+		return (ECAPMODE);
+	    if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+		return (ECAPMODE);
+	    if (id != -1)
+		return (ECAPMODE);
+	}
 	size = cpusetsize;
 	mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
 	error = cpuset_which(which, id, &p, &ttd, &set);
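Review bot: The new `id != -1` test in kern_cpuset_getaffinity rejects a capability-mode caller that names its own process or thread explicitly (`CPU_WHICH_PID` with its own pid, `CPU_WHICH_TID` with its own tid), yet the cpuset_getaffinity.2 hunk documents ECAPMODE as acting "on a process other than itself"; code and man page should agree, and the same block appears verbatim in the kern_cpuset_setaffinity hunk. Since the level/which/id checks are duplicated across both functions, I would move them into one static helper that also accepts the caller's own pid/tid (if I read cpuset_which correctly, `-1` already resolves to the current process or thread, so this only widens the check to the equivalent explicit ids) and call it from both sites. The added lines also indent with a tab followed by four spaces, which departs from the file's tab-only style(9) layout. Both enclosing functions start and end outside their hunks.
```c
/*
 * In capability mode the caller may only inspect or change its own
 * CPU set (or that of one of its own threads); every other level,
 * which or id selects the global process/thread namespace and is
 * refused with ECAPMODE.  Returns 0 when the request is permitted.
 */
static int
cpuset_check_capmode(struct thread *td, cpulevel_t level, cpuwhich_t which,
    id_t id)
{

	if (!IN_CAPABILITY_MODE(td))
		return (0);
	if (level != CPU_LEVEL_WHICH)
		return (ECAPMODE);
	if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
		return (ECAPMODE);
	if (id != -1 && which == CPU_WHICH_TID && id != td->td_tid)
		return (ECAPMODE);
	if (id != -1 && which == CPU_WHICH_PID && id != td->td_proc->p_pid)
		return (ECAPMODE);
	return (0);
}

/* … unchanged: kern_cpuset_getaffinity up to the ERANGE check … */
	error = cpuset_check_capmode(td, level, which, id);
	if (error != 0)
		return (error);
	size = cpusetsize;
/* … unchanged: allocation, cpuset_which() and the rest of the function; kern_cpuset_setaffinity gets the same three-line call in place of its inline block … */
```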
@@ -1204,6 +1215,15 @@ kern_cpuset_setaffinity(struct thread *t
 
 	if (cpusetsize < sizeof(cpuset_t) || cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
+	/* In Capability mode, you can only set your own CPU set. */
+	if (IN_CAPABILITY_MODE(td)) {
+	    if (level != CPU_LEVEL_WHICH)
+		return (ECAPMODE);
+	    if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+		return (ECAPMODE);
+	    if (id != -1)
+		return (ECAPMODE);
+	}
 	mask = malloc(cpusetsize, M_TEMP, M_WAITOK | M_ZERO);
 	error = copyin(maskp, mask, cpusetsize);
 	if (error)

