svn commit: r196544 - in stable/7: sys sys/contrib/pf sys/kern
usr.bin/cpuset usr.sbin/jail
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Aug 25 15:54:54 UTC 2009
Author: bz
Date: Tue Aug 25 15:54:52 2009
New Revision: 196544
URL: http://svn.freebsd.org/changeset/base/196544
Log:
Backout r191596:
Document an issue of jail(8) in conjunction with cpuset(1).
MFC r191639:
Prevent a superuser inside a jail from modifying the dedicated
root cpuset of that jail.
Processes inside the jail will still be able to change child sets.
A superuser outside of a jail will still be able to change the jail cpuset
and thus limit the number of cpus available to the jail.
Problem reported by: 000.fbsd at quip.cz (Miroslav Lachman)
PR: kern/134050
Reviewed by: jeff
Modified:
stable/7/sys/ (props changed)
stable/7/sys/contrib/pf/ (props changed)
stable/7/sys/kern/kern_cpuset.c
stable/7/usr.bin/cpuset/cpuset.1
stable/7/usr.sbin/jail/jail.8
Modified: stable/7/sys/kern/kern_cpuset.c
==============================================================================
--- stable/7/sys/kern/kern_cpuset.c Tue Aug 25 14:08:33 2009 (r196543)
+++ stable/7/sys/kern/kern_cpuset.c Tue Aug 25 15:54:52 2009 (r196544)
@@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset
if (error)
return (error);
/*
+ * In case we are called from within the jail
+ * we do not allow modifying the dedicated root
+ * cpuset of the jail but may still allow to
+ * change child sets.
+ */
+ if (jailed(curthread->td_ucred) &&
+ set->cs_flags & CPU_SET_ROOT)
+ return (EPERM);
+ /*
* Verify that we have access to this set of
* cpus.
*/
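Review bot: the added condition `jailed(curthread->td_ucred) && set->cs_flags & CPU_SET_ROOT` depends on `&` binding tighter than `&&`. It evaluates as intended, but writing the flag test as `(set->cs_flags & CPU_SET_ROOT) != 0` would make the grouping explicit for the next reader. The comment's "may still allow to change child sets" is also awkward; something like "but still allow changing child sets" states the rule more plainly. Since the check keys on `curthread`, it would help for the comment to say that a caller outside the jail is deliberately not restricted here, matching the commit log.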
Modified: stable/7/usr.bin/cpuset/cpuset.1
==============================================================================
--- stable/7/usr.bin/cpuset/cpuset.1 Tue Aug 25 14:08:33 2009 (r196543)
+++ stable/7/usr.bin/cpuset/cpuset.1 Tue Aug 25 15:54:52 2009 (r196544)
@@ -177,9 +177,3 @@ command first appeared in
.Fx 7.1 .
.Sh AUTHORS
.An Jeffrey Roberson Aq jeff at FreeBSD.org
-.Sh BUGS
-At the moment it is possible for a superuser inside a
-.Xr jail 8
-to modify the root
-.Xr cpuset 2
-of that jail.
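Review bot: dropping the BUGS section here removes the only mention of jail root cpusets from cpuset.1 without documenting the behaviour that replaces it. A jailed superuser who tries to modify the jail's root set now gets EPERM from the kernel change in this same commit, so a short sentence stating that (and that child sets can still be changed) would save users from guessing why the command fails.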
Modified: stable/7/usr.sbin/jail/jail.8
==============================================================================
--- stable/7/usr.sbin/jail/jail.8 Tue Aug 25 14:08:33 2009 (r196543)
+++ stable/7/usr.sbin/jail/jail.8 Tue Aug 25 15:54:52 2009 (r196544)
@@ -699,9 +699,3 @@ Currently, the simplest answer is to min
offered on the host, possibly limiting it to services offered from
.Xr inetd 8
which is easily configurable.
-.Pp
-At the moment it is possible for a superuser inside a
-.Nm
-to modify the root
-.Xr cpuset 2
-of that jail.
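Review bot: this hunk only deletes the caveat from jail.8, so the page no longer says anything about cpusets and jails. The commit log states that a superuser outside the jail can still change the jail cpuset and thereby limit the CPUs available to it; consider replacing the removed paragraph with a sentence to that effect and an `.Xr cpuset 1` reference, since that is the property administrators will look for in this section.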