
CVS log for src/sys/kern/kern_jail.c




Keyword substitution: kv
Default branch: MAIN


Revision 1.156
Thu Feb 9 10:22:08 2012 UTC (15 hours, 31 minutes ago) by mm
Branches: MAIN
CVS tags: HEAD
Diff to: previous 1.155
Changes since revision 1.155: +55 -2 lines
SVN rev 231267 on 2012-02-09 10:22:08Z by mm

Add support for mounting devfs inside jails.

A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.

Utilizes new functions introduced in r231265.

Reviewed by:	jamie
MFC after:	1 month

Revision 1.155
Sat Jan 21 00:06:21 2012 UTC (2 weeks, 6 days ago) by mm
Branches: MAIN
Diff to: previous 1.154
Changes since revision 1.154: +11 -3 lines
SVN rev 230407 on 2012-01-21 00:06:21Z by mm

Use separate buffer for global path to avoid overflow of path buffer.

Reviewed by:	jamie@
MFC after:	3 weeks

Revision 1.154
Sun Jan 15 18:08:15 2012 UTC (3 weeks, 4 days ago) by mm
Branches: MAIN
Diff to: previous 1.153
Changes since revision 1.153: +1 -0 lines
SVN rev 230143 on 2012-01-15 18:08:15Z by mm

Fix missing in r230129:

kern_jail.c: initialize fullpath_disabled to zero
vfs_cache.c: add missing dot in comment

Reported by:	kib
MFC after:	1 month

Revision 1.153
Sun Jan 15 12:08:20 2012 UTC (3 weeks, 4 days ago) by mm
Branches: MAIN
Diff to: previous 1.152
Changes since revision 1.152: +31 -19 lines
SVN rev 230129 on 2012-01-15 12:08:20Z by mm

Introduce vn_path_to_global_path()

This function updates path string to vnode's full global path and checks
the size of the new path string against the pathlen argument.

In vfs_domount(), sys_unmount() and kern_jail_set() this new function
is used to update the supplied path argument to the respective global path.

Unbreaks jailed zfs(8) with enforce_statfs set to 1.

Reviewed by:	kib
MFC after:	1 month

Revision 1.150.2.1.2.1
Fri Nov 11 04:20:22 2011 UTC (2 months, 4 weeks ago) by kensmith
Branches: RELENG_9_0
CVS tags: RELENG_9_0_0_RELEASE
Diff to: previous 1.150.2.1; next MAIN 1.151
Changes since revision 1.150.2.1: +0 -0 lines
SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)

Revision 1.152
Mon Nov 7 15:43:11 2011 UTC (3 months ago) by ed
Branches: MAIN
Diff to: previous 1.151
Changes since revision 1.151: +1 -1 lines
SVN rev 227309 on 2011-11-07 15:43:11Z by ed

Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.

The SYSCTL_NODE macro defines a list that stores all child-elements of
that node. If there's no SYSCTL_DECL macro anywhere else, there's no
reason why it shouldn't be static.

Revision 1.151
Mon Nov 7 06:44:47 2011 UTC (3 months ago) by ed
Branches: MAIN
Diff to: previous 1.150
Changes since revision 1.150: +1 -1 lines
SVN rev 227293 on 2011-11-07 06:44:47Z by ed

Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.

This means that their use is restricted to a single C file.

Revision 1.150.2.1
Fri Sep 23 00:51:37 2011 UTC (4 months, 2 weeks ago) by kensmith
Branches: RELENG_9
CVS tags: RELENG_9_0_BP
Branch point for: RELENG_9_0
Diff to: previous 1.150; next MAIN 1.151
Changes since revision 1.150: +0 -0 lines
SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)

Revision 1.150
Fri Sep 16 13:58:51 2011 UTC (4 months, 3 weeks ago) by kmacy
Branches: MAIN
CVS tags: RELENG_9_BP
Branch point for: RELENG_9
Diff to: previous 1.149
Changes since revision 1.149: +6 -6 lines
SVN rev 225617 on 2011-09-16 13:58:51Z by kmacy

In order to maximize the re-usability of kernel code in user space this
patch modifies makesyscalls.sh to prefix all of the non-compatibility
calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel
entry points and all places in the code that use them. It also
fixes an additional name space collision between the kernel function
psignal and the libc function of the same name by renaming the kernel
psignal kern_psignal(). By introducing this change now we will ease future
MFCs that change syscalls.

Reviewed by:	rwatson
Approved by:	re (bz)

Revision 1.149
Fri Aug 26 16:03:34 2011 UTC (5 months, 2 weeks ago) by jamie
Branches: MAIN
Diff to: previous 1.148
Changes since revision 1.148: +5 -26 lines
SVN rev 225191 on 2011-08-26 16:03:34Z by jamie

Delay the recursive decrement of pr_uref when jails are made invisible
but not removed; decrement it instead when the child jail actually
goes away. This avoids letting the counter go below zero in the case
where dying (pr_uref==0) jails are "resurrected", and an associated
KASSERT panic.

Submitted by:	Steven Hartland
Approved by:	re (bz)
MFC after:	1 week

Revision 1.148
Tue Aug 2 19:44:40 2011 UTC (6 months, 1 week ago) by mm
Branches: MAIN
Diff to: previous 1.147
Changes since revision 1.147: +2 -1 lines
SVN rev 224615 on 2011-08-02 19:44:40Z by mm

Always disable mount and unmount for jails with enforce_statfs==2.
A working statfs(2) is required for umount(8) in jail.

Reviewed by:	pjd, kib
Approved by:	re (kib)
MFC after:	2 weeks

Revision 1.147
Sun Jul 24 17:43:09 2011 UTC (6 months, 2 weeks ago) by mckusick
Branches: MAIN
Diff to: previous 1.146
Changes since revision 1.146: +2 -2 lines
SVN rev 224290 on 2011-07-24 17:43:09Z by mckusick

This update changes the mnt_flag field in the mount structure from
32 bits to 64 bits and eliminates the unused mnt_xflag field.  The
existing mnt_flag field is completely out of bits, so this update
gives us room to expand. Note that the f_flags field in the statfs
structure is already 64 bits, so the expanded mnt_flag field can
be exported without having to make any changes in the statfs structure.

Approved by: re (bz)

Revision 1.146
Sun Jul 3 12:22:02 2011 UTC (7 months, 1 week ago) by bz
Branches: MAIN
Diff to: previous 1.145
Changes since revision 1.145: +1 -0 lines
SVN rev 223735 on 2011-07-03 12:22:02Z by bz

Add infrastructure to allow all frames/packets received on an interface
to be assigned to a non-default FIB instance.

You may need to recompile world or ports due to the change of struct ifnet.

Submitted by:	cjsp
Submitted by:	Alexander V. Chernikov (melifaro ipfw.ru)
		(original versions)
Reviewed by:	julian
Reviewed by:	Alexander V. Chernikov (melifaro ipfw.ru)
MFC after:	2 weeks
X-MFC:		use spare in struct ifnet

Revision 1.145
Tue May 3 07:32:58 2011 UTC (9 months, 1 week ago) by trasz
Branches: MAIN
Diff to: previous 1.144
Changes since revision 1.144: +107 -9 lines
SVN rev 221362 on 2011-05-03 07:32:58Z by trasz

Change the way rctl interfaces with jails by introducing prison_racct
structure, which acts as a proxy between them.  This makes jail rules
persistent, i.e. they can be added before jail gets created, and they
don't disappear when the jail gets destroyed.

Revision 1.144
Wed Mar 30 17:48:15 2011 UTC (10 months, 1 week ago) by trasz
Branches: MAIN
Diff to: previous 1.143
Changes since revision 1.143: +4 -0 lines
SVN rev 220163 on 2011-03-30 17:48:15Z by trasz

Add rctl.  It's used by racct to take user-configurable actions based
on the set of rules it maintains and the current resource usage.  It also
provides userland API to manage that ruleset.

Sponsored by:	The FreeBSD Foundation
Reviewed by:	kib (earlier version)

Revision 1.143
Tue Mar 29 17:47:25 2011 UTC (10 months, 1 week ago) by trasz
Branches: MAIN
Diff to: previous 1.142
Changes since revision 1.142: +17 -0 lines
SVN rev 220137 on 2011-03-29 17:47:25Z by trasz

Add racct.  It's an API to keep per-process, per-jail, per-loginclass
and per-loginclass resource accounting information, to be used by the new
resource limits code.  It's connected to the build, but the code that
actually calls the new functions will come later.

Sponsored by:	The FreeBSD Foundation
Reviewed by:	kib (earlier version)

Revision 1.142
Mon Mar 21 09:40:01 2011 UTC (10 months, 3 weeks ago) by jeff
Branches: MAIN
Diff to: previous 1.141
Changes since revision 1.141: +1 -1 lines
SVN rev 219819 on 2011-03-21 09:40:01Z by jeff

 - Merge changes to the base system to support OFED.  These include
   a wider arg2 for sysctl, updates to vlan code, IFT_INFINIBAND,
   and other miscellaneous small features.

Revision 1.141
Sat Mar 5 12:40:35 2011 UTC (11 months ago) by trasz
Branches: MAIN
Diff to: previous 1.140
Changes since revision 1.140: +6 -0 lines
SVN rev 219304 on 2011-03-05 12:40:35Z by trasz

Add two new system calls, setloginclass(2) and getloginclass(2).  This makes
it possible for the kernel to track login class the process is assigned to,
which is required for RCTL.  This change also makes setusercontext(3) call
setloginclass(2) and makes it possible to retrieve current login class using
id(1).

Reviewed by:	kib (as part of a larger patch)

Revision 1.118.2.16
Tue Mar 1 20:44:14 2011 UTC (11 months, 1 week ago) by dchagin
Branches: RELENG_8
Diff to: previous 1.118.2.15; branchpoint 1.118; next MAIN 1.119
Changes since revision 1.118.2.15: +2 -2 lines
SVN rev 219144 on 2011-03-01 20:44:14Z by dchagin

MFC r217896:
Add macro to test the sv_flags of any process. Change some places to test
the flags instead of explicit comparing with address of known sysentvec
structures.

Revision 1.140
Wed Jan 26 20:03:58 2011 UTC (12 months, 2 weeks ago) by dchagin
Branches: MAIN
Diff to: previous 1.139
Changes since revision 1.139: +2 -2 lines
SVN rev 217896 on 2011-01-26 20:03:58Z by dchagin

Add macro to test the sv_flags of any process. Change some places to test
the flags instead of explicit comparing with address of known sysentvec
structures.

MFC after:	1 month

Revision 1.118.2.15
Sat Jan 8 19:49:27 2011 UTC (13 months ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.14; branchpoint 1.118
Changes since revision 1.118.2.14: +8 -1 lines
SVN rev 217162 on 2011-01-08 19:49:27Z by bz

MFC r216861:

  Mfp4 CH177924:

  Add and export constants of array sizes of jail parameters as compiled into
  the kernel.
  This is the least intrusive way to allow kvm to read the (sparse) arrays
  independent of the options the kernel was compiled with.

  Reviewed by:  jhb (originally)
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation
  Sponsored by: CK Software GmbH

Revision 1.139
Fri Dec 31 22:49:13 2010 UTC (13 months, 1 week ago) by bz
Branches: MAIN
Diff to: previous 1.138
Changes since revision 1.138: +8 -1 lines
SVN rev 216861 on 2010-12-31 22:49:13Z by bz

Mfp4 CH177924:

Add and export constants of array sizes of jail parameters as compiled into
the kernel.
This is the least intrusive way to allow kvm to read the (sparse) arrays
independent of the options the kernel was compiled with.

Reviewed by:	jhb (originally)
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Sponsored by:	CK Software GmbH

Revision 1.70.2.11.4.1
Tue Dec 21 17:10:29 2010 UTC (13 months, 2 weeks ago) by kensmith
Branches: RELENG_7_4
CVS tags: RELENG_7_4_0_RELEASE
Diff to: previous 1.70.2.11; next MAIN 1.71
Changes since revision 1.70.2.11: +0 -0 lines
SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)

Revision 1.118.2.14.2.1
Tue Dec 21 17:09:25 2010 UTC (13 months, 2 weeks ago) by kensmith
Branches: RELENG_8_2
CVS tags: RELENG_8_2_0_RELEASE
Diff to: previous 1.118.2.14; next MAIN 1.118.2.15
Changes since revision 1.118.2.14: +0 -0 lines
SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)

Revision 1.118.2.14
Mon Sep 13 00:42:07 2010 UTC (16 months, 4 weeks ago) by jamie
Branches: RELENG_8
CVS tags: RELENG_8_2_BP
Branch point for: RELENG_8_2
Diff to: previous 1.118.2.13; branchpoint 1.118
Changes since revision 1.118.2.13: +8 -5 lines
SVN rev 212510 on 2010-09-13 00:42:07Z by jamie

MFC r212436:

  Don't exit kern_jail_set without freeing options when enforce_statfs
  has an illegal value.

Revision 1.138
Fri Sep 10 21:45:42 2010 UTC (17 months ago) by jamie
Branches: MAIN
Diff to: previous 1.137
Changes since revision 1.137: +8 -5 lines
SVN rev 212436 on 2010-09-10 21:45:42Z by jamie

Don't exit kern_jail_set without freeing options when enforce_statfs
has an illegal value.

MFC after:	3 days

Revision 1.137
Sun Aug 8 23:22:55 2010 UTC (18 months ago) by jamie
Branches: MAIN
Diff to: previous 1.136
Changes since revision 1.136: +6 -2 lines
SVN rev 211085 on 2010-08-08 23:22:55Z by jamie

Back out r210974.  Any convenience of not typing "persist" is outweighed
by the possibility of unintended partially-formed jails.

Revision 1.136
Fri Aug 6 22:04:18 2010 UTC (18 months ago) by jamie
Branches: MAIN
Diff to: previous 1.135
Changes since revision 1.135: +2 -6 lines
SVN rev 210974 on 2010-08-06 22:04:18Z by jamie

Implicitly make a new jail persistent if it's set not to attach.

MFC after:	3 days

Revision 1.118.2.13.2.1
Mon Jun 14 02:09:06 2010 UTC (19 months, 4 weeks ago) by kensmith
Branches: RELENG_8_1
CVS tags: RELENG_8_1_0_RELEASE
Diff to: previous 1.118.2.13; next MAIN 1.118.2.14
Changes since revision 1.118.2.13: +0 -0 lines
SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)

Revision 1.135
Fri Jun 4 14:38:24 2010 UTC (20 months, 1 week ago) by cperciva
Branches: MAIN
Diff to: previous 1.134
Changes since revision 1.134: +1 -1 lines
SVN rev 208803 on 2010-06-04 14:38:24Z by cperciva

Declare ip6 as (struct in6_addr *) instead of (struct in_addr *).  This is
a harmless bug since we never actually use ip6 as anything other than an
opaque pointer.

Found with:	Coverity Prevent(tm)
CID:		4319
MFC after:	1 month

Revision 1.118.2.13
Wed Apr 7 02:24:41 2010 UTC (22 months ago) by nwhitehorn
Branches: RELENG_8
CVS tags: RELENG_8_1_BP
Branch point for: RELENG_8_1
Diff to: previous 1.118.2.12; branchpoint 1.118
Changes since revision 1.118.2.12: +4 -4 lines
SVN rev 206336 on 2010-04-07 02:24:41Z by nwhitehorn

MFC r205014,205015:

Provide groundwork for 32-bit binary compatibility on non-x86 platforms,
for upcoming 64-bit PowerPC and MIPS support. This renames the COMPAT_IA32
option to COMPAT_FREEBSD32, removes some IA32-specific code from MI parts
of the kernel and enhances the freebsd32 compatibility code to support
big-endian platforms.

This MFC is required for MFCs of later changes to the freebsd32
compatibility from HEAD.

Requested by:	kib

Revision 1.118.2.12
Sat Mar 27 17:11:06 2010 UTC (22 months, 2 weeks ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.11; branchpoint 1.118
Changes since revision 1.118.2.11: +6 -5 lines
SVN rev 205744 on 2010-03-27 17:11:06Z by bz

MFC r202123:

  Change DDB show prison:
  - name some columns more closely to the user space variables,
    as we do for host.* or allow.* (in the listing) already.
  - print pr_childmax (children.max).
  - prefix hex values with 0x.

Revision 1.134
Thu Mar 11 14:49:06 2010 UTC (23 months ago) by nwhitehorn
Branches: MAIN
Diff to: previous 1.133
Changes since revision 1.133: +4 -4 lines
SVN rev 205014 on 2010-03-11 14:49:06Z by nwhitehorn

Provide groundwork for 32-bit binary compatibility on non-x86 platforms,
for upcoming 64-bit PowerPC and MIPS support. This renames the COMPAT_IA32
option to COMPAT_FREEBSD32, removes some IA32-specific code from MI parts
of the kernel and enhances the freebsd32 compatibility code to support
big-endian platforms.

Reviewed by:	kib, jhb

Revision 1.118.2.11
Fri Feb 26 00:54:47 2010 UTC (23 months, 2 weeks ago) by delphij
Branches: RELENG_8
Diff to: previous 1.118.2.10; branchpoint 1.118
Changes since revision 1.118.2.10: +1 -0 lines
SVN rev 204344 on 2010-02-26 00:54:47Z by delphij

MFC 203052:

Add interface description capability as inspired by OpenBSD.  Thanks for
rwatson@, jhb@, brooks@ and others for feedback to the old implementation!

Sponsored by:	iXsystems, Inc.

Revision 1.70.2.11.2.1
Wed Feb 10 00:26:20 2010 UTC (2 years ago) by kensmith
Branches: RELENG_7_3
CVS tags: RELENG_7_3_0_RELEASE
Diff to: previous 1.70.2.11; next MAIN 1.71
Changes since revision 1.70.2.11: +0 -0 lines
SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)

Revision 1.118.2.10
Sat Jan 30 12:11:21 2010 UTC (2 years ago) by antoine
Branches: RELENG_8
Diff to: previous 1.118.2.9; branchpoint 1.118
Changes since revision 1.118.2.9: +1 -1 lines
SVN rev 203184 on 2010-01-30 12:11:21Z by antoine

MFC r201145 to stable/8:
  (S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument.
  Fix some wrong usages.
  Note: this does not affect generated binaries as this argument is not used.

  PR:		137213
  Submitted by:	Eygene Ryabinkin (initial version)

Revision 1.133
Wed Jan 27 00:30:07 2010 UTC (2 years ago) by delphij
Branches: MAIN
Diff to: previous 1.132
Changes since revision 1.132: +1 -0 lines
SVN rev 203052 on 2010-01-27 00:30:07Z by delphij

Revised revision 199201 (add interface description capability as inspired
by OpenBSD), based on comments from many, including rwatson, jhb, brooks
and others.

Sponsored by:	iXsystems, Inc.
MFC after:	1 month

Revision 1.70.2.11
Sun Jan 24 14:05:56 2010 UTC (2 years ago) by bz
Branches: RELENG_7
CVS tags: RELENG_7_4_BP, RELENG_7_3_BP
Branch point for: RELENG_7_4, RELENG_7_3
Diff to: previous 1.70.2.10; branchpoint 1.70; next MAIN 1.71
Changes since revision 1.70.2.10: +82 -0 lines
SVN rev 202924 on 2010-01-24 14:05:56Z by bz

MFC r202468:

 Add security.jail.ip4_saddrsel/ip6_nosaddrsel sysctls to control
 whether to use source address selection (default) or the primary
 jail address for unbound outgoing connections.

 This is intended to be used by people upgrading from single-IP
 jails to multi-IP jails but not having to change firewall rules,
 application ACLs, ... but to force their connections (unless
 otherwise changed) to the primary jail IP they had been used for
 years, as well as for people preferring to implement similar policies.

 Note that for IPv6, if configured incorrectly, this might lead to
 scope violations, which single-IPv6 jails could as well, as by the
 design of jails. [1]

 Note that in contrast to FreeBSD 8.x and newer, where we have
 per-jail options, the sysctls are global for all jails.

 Reviewed by:		jamie, hrs (ipv6 part) [for HEAD]
 Pointed out by:	hrs [1]
 Tested by:		Jase Thew (bazerka beardz.net) (IPv4)

Approved by:	re (kib)

Revision 1.118.2.9
Sat Jan 23 16:40:35 2010 UTC (2 years ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.8; branchpoint 1.118
Changes since revision 1.118.2.8: +108 -2 lines
SVN rev 202891 on 2010-01-23 16:40:35Z by bz

MFC r202468:

  Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
  whether to use source address selection (default) or the primary
  jail address for unbound outgoing connections.

  This is intended to be used by people upgrading from single-IP
  jails to multi-IP jails but not having to change firewall rules,
  application ACLs, ... but to force their connections (unless
  otherwise changed) to the primary jail IP they had been used for
  years, as well as for people preferring to implement similar policies.

  Note that for IPv6, if configured incorrectly, this might lead to
  scope violations, which single-IPv6 jails could as well, as by the
  design of jails. [1]

  Reviewed by:		jamie, hrs (ipv6 part)
  Pointed out by:	hrs [1]

Revision 1.70.2.10
Sun Jan 17 13:45:33 2010 UTC (2 years ago) by bz
Branches: RELENG_7
Diff to: previous 1.70.2.9; branchpoint 1.70
Changes since revision 1.70.2.9: +3 -1 lines
SVN rev 202482 on 2010-01-17 13:45:33Z by bz

MFC r202116:
  Adjust a comment to reflect reality, as we have proper source
  address selection, even for IPv4, since r183571.

  Pointed out by:       Jase Thew (bazerka beardz.net)

Revision 1.118.2.8
Sun Jan 17 13:42:07 2010 UTC (2 years ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.7; branchpoint 1.118
Changes since revision 1.118.2.7: +3 -1 lines
SVN rev 202481 on 2010-01-17 13:42:07Z by bz

MFC r202116:
  Adjust a comment to reflect reality, as we have proper source
  address selection, even for IPv4, since r183571.

  Pointed out by:	Jase Thew (bazerka beardz.net)

Revision 1.132
Sun Jan 17 12:57:11 2010 UTC (2 years ago) by bz
Branches: MAIN
Diff to: previous 1.131
Changes since revision 1.131: +108 -2 lines
SVN rev 202468 on 2010-01-17 12:57:11Z by bz

Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.

This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primary jail IP they had been used for
years, as well as for people preferring to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]

Reviewed by:	jamie, hrs (ipv6 part)
Pointed out by:	hrs [1]
MFC After:	2 weeks
Asked for by:	Jase Thew (bazerka beardz.net)

Revision 1.131
Mon Jan 11 22:34:25 2010 UTC (2 years ago) by bz
Branches: MAIN
Diff to: previous 1.130
Changes since revision 1.130: +6 -5 lines
SVN rev 202123 on 2010-01-11 22:34:25Z by bz

Change DDB show prison:
- name some columns more closely to the user space variables,
  as we do for host.* or allow.* (in the listing) already.
- print pr_childmax (children.max).
- prefix hex values with 0x.

MFC after:	3 weeks

Revision 1.130
Mon Jan 11 21:21:30 2010 UTC (2 years ago) by bz
Branches: MAIN
Diff to: previous 1.129
Changes since revision 1.129: +3 -1 lines
SVN rev 202116 on 2010-01-11 21:21:30Z by bz

Adjust a comment to reflect reality, as we have proper source
address selection, even for IPv4, since r183571.

Pointed out by:	Jase Thew (bazerka beardz.net)
MFC after:	3 days

Revision 1.129
Mon Dec 28 22:56:30 2009 UTC (2 years, 1 month ago) by antoine
Branches: MAIN
Diff to: previous 1.128
Changes since revision 1.128: +1 -1 lines
SVN rev 201145 on 2009-12-28 22:56:30Z by antoine

(S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument.
Fix some wrong usages.
Note: this does not affect generated binaries as this argument is not used.

PR:		137213
Submitted by:	Eygene Ryabinkin (initial version)
MFC after:	1 month

Revision 1.118.2.7
Mon Dec 28 14:40:58 2009 UTC (2 years, 1 month ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.6; branchpoint 1.118
Changes since revision 1.118.2.6: +24 -1 lines
SVN rev 201128 on 2009-12-28 14:40:58Z by bz

MFC r200473:

  Throughout the network stack we have a few places of
        if (jailed(cred))
  left.  If you are running with a vnet (virtual network stack) those will
  return true and defer you to classic IP-jails handling and thus things
  will be "denied" or returned with an error.

  Work around this problem by introducing another "jailed()" function,
  jailed_without_vnet(), that also takes vnets into account, and permits
  the calls, should the jail from the given cred have its own virtual
  network stack.

  We cannot change the classic jailed() call to do that, as it is used
  outside the network stack as well.

  Discussed with:       julian, zec, jamie, rwatson (back in Sept)

Revision 1.128
Sun Dec 13 13:57:32 2009 UTC (2 years, 1 month ago) by bz
Branches: MAIN
Diff to: previous 1.127
Changes since revision 1.127: +24 -1 lines
SVN rev 200473 on 2009-12-13 13:57:32Z by bz

Throughout the network stack we have a few places of
	if (jailed(cred))
left.  If you are running with a vnet (virtual network stack) those will
return true and defer you to classic IP-jails handling and thus things
will be "denied" or returned with an error.

Work around this problem by introducing another "jailed()" function,
jailed_without_vnet(), that also takes vnets into account, and permits
the calls, should the jail from the given cred have its own virtual
network stack.

We cannot change the classic jailed() call to do that, as it is used
outside the network stack as well.

Discussed with:	julian, zec, jamie, rwatson (back in Sept)
MFC after:	5 days

Revision 1.127
Thu Nov 12 19:02:10 2009 UTC (2 years, 2 months ago) by delphij
Branches: MAIN
Diff to: previous 1.126
Changes since revision 1.126: +0 -1 lines
SVN rev 199231 on 2009-11-12 19:02:10Z by delphij

Revert revision 199201 for now as it has introduced a kernel vulnerability
and requires more polishing.

Revision 1.126
Wed Nov 11 21:30:58 2009 UTC (2 years, 2 months ago) by delphij
Branches: MAIN
Diff to: previous 1.125
Changes since revision 1.125: +1 -0 lines
SVN rev 199201 on 2009-11-11 21:30:58Z by delphij

Add interface description capability as inspired by OpenBSD.

MFC after:	3 months

Revision 1.118.2.6.2.1
Sun Oct 25 01:10:29 2009 UTC (2 years, 3 months ago) by kensmith
Branches: RELENG_8_0
CVS tags: RELENG_8_0_0_RELEASE
Diff to: previous 1.118.2.6; next MAIN 1.118.2.7
Changes since revision 1.118.2.6: +0 -0 lines
SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)

Revision 1.118.2.6
Tue Sep 8 19:18:02 2009 UTC (2 years, 5 months ago) by jamie
Branches: RELENG_8
CVS tags: RELENG_8_0_BP
Branch point for: RELENG_8_0
Diff to: previous 1.118.2.5; branchpoint 1.118
Changes since revision 1.118.2.5: +20 -9 lines
SVN rev 196989 on 2009-09-08 19:18:02Z by jamie

MFC r196835:
  Allow a jail's name to be the same as its jid (which is the default if
  no name is specified), and let a numeric name specify the jid for a new
  jail when the jid isn't otherwise set.  Still disallow other numeric
  names.

Reviewed by:	zec
Approved by:	re (kib), bz (mentor)

Revision 1.125
Tue Sep 8 13:19:05 2009 UTC (2 years, 5 months ago) by phk
Branches: MAIN
Diff to: previous 1.124
Changes since revision 1.124: +0 -1 lines
SVN rev 196970 on 2009-09-08 13:19:05Z by phk

Revert previous commit and add myself to the list of people who should
know better than to commit with a cat in the area.

Revision 1.124
Tue Sep 8 13:16:55 2009 UTC (2 years, 5 months ago) by phk
Branches: MAIN
Diff to: previous 1.123
Changes since revision 1.123: +1 -0 lines
SVN rev 196969 on 2009-09-08 13:16:55Z by phk

Add necessary include.

Revision 1.123
Fri Sep 4 19:00:48 2009 UTC (2 years, 5 months ago) by jamie
Branches: MAIN
Diff to: previous 1.122
Changes since revision 1.122: +20 -9 lines
SVN rev 196835 on 2009-09-04 19:00:48Z by jamie

Allow a jail's name to be the same as its jid (which is the default if no
name is specified), but still disallow other numeric names.

Reviewed by:	zec
Approved by:	bz (mentor)
MFC after:	3 days

Revision 1.118.2.5: download - view: text, markup, annotated - select for diffs
Mon Aug 31 14:13:45 2009 UTC (2 years, 5 months ago) by jamie
Branches: RELENG_8
Diff to: previous 1.118.2.4: preferred, colored; branchpoint 1.118: preferred, colored
Changes since revision 1.118.2.4: +2 -2 lines
SVN rev 196699 on 2009-08-31 14:13:45Z by jamie

MFC r196592:
  Fix a LOR between allprison_lock and vnode locks by releasing
  allprison_lock before releasing a prison's root vnode.

PR:		kern/138004
Reviewed by:	kib
Approved by:	re (rwatson), bz (mentor)

Revision 1.118.2.4: download - view: text, markup, annotated - select for diffs
Fri Aug 28 19:15:17 2009 UTC (2 years, 5 months ago) by zec
Branches: RELENG_8
Diff to: previous 1.118.2.3: preferred, colored; branchpoint 1.118: preferred, colored
Changes since revision 1.118.2.3: +1 -1 lines
SVN rev 196623 on 2009-08-28 19:15:17Z by zec

MFC r196505:

  When "jail -c vnet" request fails, the current code actually creates and
  leaves behind an orphaned vnet.  This change ensures that such vnets get
  released.

  This change affects only options VIMAGE builds.

  Submitted by:	jamie
  Discussed with:	bz
  Approved by:	re (rwatson), julian (mentor)

Approved by:	re (rwatson)

Revision 1.122: download - view: text, markup, annotated - select for diffs
Thu Aug 27 16:15:51 2009 UTC (2 years, 5 months ago) by jamie
Branches: MAIN
Diff to: previous 1.121: preferred, colored
Changes since revision 1.121: +2 -2 lines
SVN rev 196592 on 2009-08-27 16:15:51Z by jamie

Fix a LOR between allprison_lock and vnode locks by releasing
allprison_lock before releasing a prison's root vnode.

PR:		kern/138004
Reviewed by:	kib
Approved by:	bz (mentor)
MFC after:	3 days

Revision 1.121: download - view: text, markup, annotated - select for diffs
Mon Aug 24 10:16:19 2009 UTC (2 years, 5 months ago) by zec
Branches: MAIN
Diff to: previous 1.120: preferred, colored
Changes since revision 1.120: +1 -1 lines
SVN rev 196505 on 2009-08-24 10:16:19Z by zec

When "jail -c vnet" request fails, the current code actually creates and
leaves behind an orphaned vnet.  This change ensures that such vnets get
released.

This change affects only options VIMAGE builds.

Submitted by:	jamie
Discussed with:	bz
Approved by:	re (rwatson), julian (mentor)
MFC after:	3 days

Revision 1.118.2.3: download - view: text, markup, annotated - select for diffs
Thu Aug 13 10:31:02 2009 UTC (2 years, 5 months ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.2: preferred, colored; branchpoint 1.118: preferred, colored
Changes since revision 1.118.2.2: +23 -0 lines
SVN rev 196178 on 2009-08-13 10:31:02Z by bz

MFC r196176:

  Make it possible to change the vnet sysctl variables on jails
  with their own virtual network stack. Jails only inheriting a
  network stack cannot change anything that cannot be changed from
  within a prison.

  Reviewed by:  rwatson, zec

Approved by:	re (kib)

Revision 1.120: download - view: text, markup, annotated - select for diffs
Thu Aug 13 10:26:34 2009 UTC (2 years, 5 months ago) by bz
Branches: MAIN
Diff to: previous 1.119: preferred, colored
Changes since revision 1.119: +23 -0 lines
SVN rev 196176 on 2009-08-13 10:26:34Z by bz

Make it possible to change the vnet sysctl variables on jails
with their own virtual network stack. Jails only inheriting a
network stack cannot change anything that cannot be changed from
within a prison.

Reviewed by:	rwatson, zec
Approved by:	re (kib)

Revision 1.118.2.2: download - view: text, markup, annotated - select for diffs
Wed Aug 12 12:14:30 2009 UTC (2 years, 5 months ago) by bz
Branches: RELENG_8
Diff to: previous 1.118.2.1: preferred, colored; branchpoint 1.118: preferred, colored
Changes since revision 1.118.2.1: +2 -1 lines
SVN rev 196136 on 2009-08-12 12:14:30Z by bz

MFC r196135:
  Make the kernel compile without IP networking by moving
  a variable under a proper #ifdef.

Approved by:	re (rwatson)

Revision 1.119: download - view: text, markup, annotated - select for diffs
Wed Aug 12 12:12:23 2009 UTC (2 years, 5 months ago) by bz
Branches: MAIN
Diff to: previous 1.118: preferred, colored
Changes since revision 1.118: +2 -1 lines
SVN rev 196135 on 2009-08-12 12:12:23Z by bz

Make the kernel compile without IP networking by moving
a variable under a proper #ifdef.

Approved by:	re (rwatson)

Revision 1.118.2.1: download - view: text, markup, annotated - select for diffs
Mon Aug 3 08:13:06 2009 UTC (2 years, 6 months ago) by kensmith
Branches: RELENG_8
Diff to: previous 1.118: preferred, colored
Changes since revision 1.118: +0 -0 lines
SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)

Revision 1.118: download - view: text, markup, annotated - select for diffs
Sat Aug 1 19:26:27 2009 UTC (2 years, 6 months ago) by rwatson
Branches: MAIN
CVS tags: RELENG_8_BP
Branch point for: RELENG_8
Diff to: previous 1.117: preferred, colored
Changes since revision 1.117: +4 -1 lines
SVN rev 196019 on 2009-08-01 19:26:27Z by rwatson

Merge the remainder of kern_vimage.c and vimage.h into vnet.c and
vnet.h, we now use jails (rather than vimages) as the abstraction
for virtualization management, and what remained was specific to
virtual network stacks.  Minor cleanups are done in the process,
and comments updated to reflect these changes.

Reviewed by:	bz
Approved by:	re (vimage blanket)

Revision 1.117: download - view: text, markup, annotated - select for diffs
Fri Jul 31 16:00:41 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.116: preferred, colored
Changes since revision 1.116: +4 -3 lines
SVN rev 196002 on 2009-07-31 16:00:41Z by jamie

Make the "enforce_statfs" default 2 (most restrictive) in jail_set(2),
instead of whatever the parent/system has (which is generally 0).  This
mirrors the old-style default used for jail(2) in conjunction with the
security.jail.enforce_statfs sysctl.

Approved by:	re (kib), bz (mentor)

Revision 1.116: download - view: text, markup, annotated - select for diffs
Thu Jul 30 14:28:56 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.115: preferred, colored
Changes since revision 1.115: +187 -309 lines
SVN rev 195974 on 2009-07-30 14:28:56Z by jamie

Remove a LOR, where the sleepable allprison_lock was being obtained
in prison_equal_ip4/6 while an inp mutex was held.  Locking allprison_lock
can be avoided by making a restriction on the IP addresses associated with
jails:

Don't allow the "ip4" and "ip6" parameters to be changed after a jail is
created.  Setting the "ip4.addr" and "ip6.addr" parameters is allowed,
but only if the jail was already created with either ip4/6=new or
ip4/6=disable.  With this restriction, the prison flags in question
(PR_IP4_USER and PR_IP6_USER) become read-only and can be checked
without locking.

This also allows the simplification of a messy code path that was needed
to handle an existing prison gaining an IP address list.

PR:		kern/136899
Reported by:	Dirk Meyer
Approved by:	re (kib), bz (mentor)

Revision 1.115: download - view: text, markup, annotated - select for diffs
Wed Jul 29 16:46:59 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.114: preferred, colored
Changes since revision 1.114: +98 -11 lines
SVN rev 195945 on 2009-07-29 16:46:59Z by jamie

Don't allow mixing the "vnet" and "ip4/6" jail parameters, since vnet
jails have their own IP stack and don't have access to the parent IP
addresses anyway.  Note that a virtual network stack forms a break
between prisons with regard to the list of allowed IP addresses.

Approved by:	re (kib), bz (mentor)

Revision 1.114: download - view: text, markup, annotated - select for diffs
Wed Jul 29 16:41:02 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.113: preferred, colored
Changes since revision 1.113: +7 -27 lines
SVN rev 195944 on 2009-07-29 16:41:02Z by jamie

Change the default value of the "ip4" and "ip6" jail parameters to
"disable", which only allows access to the parent/physical system's
IP addresses when specifically directed.  Change the default value of
"host" to "new", and don't copy the parent host values, to insulate
jails from the parent hostname et al.

Approved by:	re (kib), bz (mentor)

Revision 1.113: download - view: text, markup, annotated - select for diffs
Sat Jul 25 14:48:57 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.112: preferred, colored
Changes since revision 1.112: +85 -35 lines
SVN rev 195870 on 2009-07-25 14:48:57Z by jamie

Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by:	re (kib), bz (mentor)
Discussed with:	rwatson

Revision 1.112: download - view: text, markup, annotated - select for diffs
Fri Jul 17 14:48:21 2009 UTC (2 years, 6 months ago) by jamie
Branches: MAIN
Diff to: previous 1.111: preferred, colored
Changes since revision 1.111: +0 -4 lines
SVN rev 195741 on 2009-07-17 14:48:21Z by jamie

Remove the interim vimage containers, struct vimage and struct procg,
and the ioctl-based interface that supported them.

Approved by:	re (kib), bz (mentor)

Revision 1.111: download - view: text, markup, annotated - select for diffs
Wed Jun 24 22:06:56 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.110: preferred, colored
Changes since revision 1.110: +2 -0 lines
SVN rev 194923 on 2009-06-24 22:06:56Z by jamie

Wrap a PR_VNET inside "#ifdef VIMAGE" since that's the only place it applies.
bz wants the blame for this.

Noticed by:	rwatson
Approved by:	bz (mentor)

Revision 1.110: download - view: text, markup, annotated - select for diffs
Wed Jun 24 21:39:50 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.109: preferred, colored
Changes since revision 1.109: +128 -0 lines
SVN rev 194915 on 2009-06-24 21:39:50Z by jamie

In case of prisons with their own network stack, permit
additional privileges as well as not restricting the type of
sockets a user can open.

Note: the VIMAGE/vnet feature of jails is still considered
      experimental and cannot guarantee that privileged users
      can be kept imprisoned if enabled.

Reviewed by:	rwatson
Approved by:	bz (mentor)

Revision 1.109: download - view: text, markup, annotated - select for diffs
Tue Jun 23 20:35:51 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.108: preferred, colored
Changes since revision 1.108: +50 -9 lines
SVN rev 194762 on 2009-06-23 20:35:51Z by jamie

Add a limit for child jails via the "children.cur" and "children.max"
parameters.  This replaces the simple "allow.jails" permission.

Approved by:	bz (mentor)

Revision 1.108: download - view: text, markup, annotated - select for diffs
Mon Jun 15 18:59:29 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.107: preferred, colored
Changes since revision 1.107: +29 -0 lines
SVN rev 194251 on 2009-06-15 18:59:29Z by jamie

Manage vnets via the jail system.  If a jail is given the boolean
parameter "vnet" when it is created, a new vnet instance will be created
along with the jail.  Network interfaces can be moved between prisons
with an ioctl similar to the one that moves them between vimages.
For now vnets will co-exist under both jails and vimages, but soon
struct vimage will be going away.

Reviewed by:	zec, julian
Approved by:	bz (mentor)

Revision 1.107: download - view: text, markup, annotated - select for diffs
Sat Jun 13 15:39:12 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.106: preferred, colored
Changes since revision 1.106: +33 -29 lines
SVN rev 194118 on 2009-06-13 15:39:12Z by jamie

Rename the host-related prison fields to be the same as the host.*
parameters they represent, and the variables they replaced, instead of
abbreviated versions of them.

Approved by:	bz (mentor)

Revision 1.106: download - view: text, markup, annotated - select for diffs
Sat Jun 13 00:12:02 2009 UTC (2 years, 7 months ago) by jamie
Branches: MAIN
Diff to: previous 1.105: preferred, colored
Changes since revision 1.105: +32 -1 lines
SVN rev 194090 on 2009-06-13 00:12:02Z by jamie

Add counterparts to getcredhostname:
getcreddomainname, getcredhostuuid, getcredhostid

Suggested by:	rmacklem
Approved by:	bz

Revision 1.105: download - view: text, markup, annotated - select for diffs
Tue Jun 9 22:09:29 2009 UTC (2 years, 8 months ago) by jamie
Branches: MAIN
Diff to: previous 1.104: preferred, colored
Changes since revision 1.104: +12 -4 lines
SVN rev 193865 on 2009-06-09 22:09:29Z by jamie

Fix some overflow errors: a signed allocation and an insufficient
array size.

Reported by:	pho
Tested by:	pho
Approved by:	bz (mentor)

Revision 1.104: download - view: text, markup, annotated - select for diffs
Fri Jun 5 14:55:22 2009 UTC (2 years, 8 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.103: preferred, colored
Changes since revision 1.103: +0 -1 lines
SVN rev 193511 on 2009-06-05 14:55:22Z by rwatson

Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC
and used in a large number of files, but also because an increasing number
of incorrect uses of MAC calls were sneaking in due to copy-and-paste of
MAC-aware code without the associated opt_mac.h include.

Discussed with:	pjd

Revision 1.103: download - view: text, markup, annotated - select for diffs
Fri May 29 21:27:12 2009 UTC (2 years, 8 months ago) by jamie
Branches: MAIN
Diff to: previous 1.102: preferred, colored
Changes since revision 1.102: +155 -16 lines
SVN rev 193066 on 2009-05-29 21:27:12Z by jamie

Place hostnames and similar information fully under the prison system.
The system hostname is now stored in prison0, and the global variable
"hostname" has been removed, as has the hostname_mtx mutex.  Jails may
have their own host information, or they may inherit it from the
parent/system.  The proper way to read the hostname is via
getcredhostname(), which will copy either the hostname associated with
the passed cred, or the system hostname if you pass NULL.  The system
hostname can still be accessed directly (and without locking) at
prison0.pr_host, but that should be avoided where possible.

The "similar information" referred to is domainname, hostid, and
hostuuid, which have also become prison parameters and had their
associated global variables removed.

Approved by:	bz (mentor)

Revision 1.102: download - view: text, markup, annotated - select for diffs
Wed May 27 14:11:23 2009 UTC (2 years, 8 months ago) by jamie
Branches: MAIN
Diff to: previous 1.101: preferred, colored
Changes since revision 1.101: +1656 -557 lines
SVN rev 192895 on 2009-05-27 14:11:23Z by jamie

Add hierarchical jails.  A jail may further virtualize its environment
by creating a child jail, which is visible to that jail and to any
parent jails.  Child jails may be restricted more than their parents,
but never less.  Jail names reflect this hierarchy, being MIB-style
dot-separated strings.

Every thread now points to a jail, the default being prison0, which
contains information about the physical system.  Prison0's root
directory is the same as rootvnode; its hostname is the same as the
global hostname, and its securelevel replaces the global securelevel.
Note that the variable "securelevel" has actually gone away, which
should not cause any problems for code that properly uses
securelevel_gt() and securelevel_ge().

Some jail-related permissions that were kept in global variables and
set via sysctls are now per-jail settings.  The sysctls still exist for
backward compatibility, used only by the now-deprecated jail(2) system
call.

Approved by:	bz (mentor)

Revision 1.101: download - view: text, markup, annotated - select for diffs
Sat May 23 16:13:26 2009 UTC (2 years, 8 months ago) by jamie
Branches: MAIN
Diff to: previous 1.100: preferred, colored
Changes since revision 1.100: +6 -8 lines
SVN rev 192644 on 2009-05-23 16:13:26Z by jamie

Delay an error message until the variable it uses gets initialized.

Found with:	Coverity Prevent(tm)
CID:		4316
Reported by:	trasz
Approved by:	bz (mentor)

Revision 1.100: download - view: text, markup, annotated - select for diffs
Fri May 8 14:11:06 2009 UTC (2 years, 9 months ago) by zec
Branches: MAIN
Diff to: previous 1.99: preferred, colored
Changes since revision 1.99: +4 -0 lines
SVN rev 191915 on 2009-05-08 14:11:06Z by zec

Introduce a new virtualization container, provisionally named vprocg, to hold
virtualized instances of hostname and domainname, as well as a new top-level
virtualization struct vimage, which holds pointers to struct vnet and struct
vprocg.  Struct vprocg is likely to become replaced in the near future with
a new jail management API import.

As a consequence of this change, change struct ucred to point to a struct
vimage, instead of directly pointing to a vnet.

Merge vnet / vimage / ucred refcounting infrastructure from p4 / vimage
branch.

Permit kldload / kldunload operations to be executed only from the default
vimage context.

This change should have no functional impact on nooptions VIMAGE kernel
builds.

Reviewed by:	bz
Approved by:	julian (mentor)

Revision 1.99: download - view: text, markup, annotated - select for diffs
Thu May 7 18:36:47 2009 UTC (2 years, 9 months ago) by jamie
Branches: MAIN
Diff to: previous 1.98: preferred, colored
Changes since revision 1.98: +0 -1 lines
SVN rev 191896 on 2009-05-07 18:36:47Z by jamie

Move the per-prison Linux MIB from a private one-off pointer to the new
OSD-based jail extensions.  This allows the Linux MIB to be accessed via
jail_set and jail_get, and serves as a demonstration of adding jail support
to a module.

Reviewed by:	dchagin, kib
Approved by:	bz (mentor)

Revision 1.98: download - view: text, markup, annotated - select for diffs
Wed Apr 29 21:14:15 2009 UTC (2 years, 9 months ago) by jamie
Branches: MAIN
Diff to: previous 1.97: preferred, colored
Changes since revision 1.97: +1535 -466 lines
SVN rev 191673 on 2009-04-29 21:14:15Z by jamie

Introduce the extensible jail framework, using the same "name=value"
interface as nmount(2).  Three new system calls are added:
* jail_set, to create jails and change the parameters of existing jails.
  This replaces jail(2).
* jail_get, to read the parameters of existing jails.  This replaces the
  security.jail.list sysctl.
* jail_remove to kill off a jail's processes and remove the jail.
Most jail parameters may now be changed after creation, and jails may be
set to exist without any attached processes.  The current jail(2) system
call still exists, though it is now a stub to jail_set(2).

Approved by:	bz (mentor)

Revision 1.97: download - view: text, markup, annotated - select for diffs
Wed Apr 29 18:41:08 2009 UTC (2 years, 9 months ago) by jamie
Branches: MAIN
Diff to: previous 1.96: preferred, colored
Changes since revision 1.96: +5 -5 lines
SVN rev 191671 on 2009-04-29 18:41:08Z by jamie

Some non-functional changes: whitespace, KASSERT strings, declaration order.

Approved by:	bz (mentor)

Revision 1.70.2.9.2.1: download - view: text, markup, annotated - select for diffs
Wed Apr 15 03:14:26 2009 UTC (2 years, 9 months ago) by kensmith
Branches: RELENG_7_2
CVS tags: RELENG_7_2_0_RELEASE
Diff to: previous 1.70.2.9: preferred, colored; next MAIN 1.70.2.10: preferred, colored
Changes since revision 1.70.2.9: +0 -0 lines
SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)

Revision 1.96: download - view: text, markup, annotated - select for diffs
Fri Mar 27 13:13:59 2009 UTC (2 years, 10 months ago) by jamie
Branches: MAIN
Diff to: previous 1.95: preferred, colored
Changes since revision 1.95: +12 -12 lines
SVN rev 190466 on 2009-03-27 13:13:59Z by jamie

Whitespace/spelling fixes in advance of upcoming functional changes.

Approved by:	bz (mentor)

Revision 1.70.2.9: download - view: text, markup, annotated - select for diffs
Tue Mar 10 19:33:50 2009 UTC (2 years, 11 months ago) by jhb
Branches: RELENG_7
CVS tags: RELENG_7_2_BP
Branch point for: RELENG_7_2
Diff to: previous 1.70.2.8: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.8: +6 -4 lines
SVN rev 189644 on 2009-03-10 19:33:50Z by jhb

MFC: Add a flag to tag individual sysctl leaf nodes as MPSAFE.  Tag the
following nodes as MPSAFE:
- All standalone INT/LONG sysctls.
- kern.proc.*
- All name-cache related sysctls.
- vm.loadavg
- vm.vmtotal
- vm.stats.(sys|vm).*
- sysctl.name2oid
- kern.ident, kern.osrelease, kern.version, etc.
- kern.arandom
- security.jail.jailed
- kern.devname

Other changes:
- Remove GIANT_REQUIRED from vmtotal().
- Add conditional Giant locking around the vrele() in
  sysctl_kern_proc_pathname().

Revision 1.70.2.8: download - view: text, markup, annotated - select for diffs
Wed Feb 18 20:12:08 2009 UTC (2 years, 11 months ago) by jamie
Branches: RELENG_7
Diff to: previous 1.70.2.7: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.7: +116 -70 lines
SVN rev 188761 on 2009-02-18 20:12:08Z by jamie

MFC:

 r188144:
   Standardize the various prison_foo_ip[46] functions and prison_if to
   return zero on success and an error code otherwise.  The possible errors
   are EADDRNOTAVAIL if an address being checked for doesn't match the
   prison, and EAFNOSUPPORT if the prison doesn't have any addresses in
   that address family.  For most callers of these functions, use the
   returned error code instead of e.g. a hard-coded EADDRNOTAVAIL or
   EINVAL.

   Always include a jailed() check in these functions, where a non-jailed
   cred always returns success (and makes no changes).  Remove the explicit
   jailed() checks that preceded many of the function calls.

 r188146:
   Don't allow creating a socket with a protocol family that the current
   jail doesn't support.  This involves a new function prison_check_af,
   like prison_check_ip[46] but that checks only the family.

   With this change, most of the errors generated by jailed sockets
   shouldn't ever occur, at least until jails are changeable.

 r188148:
   Remove redundant calls of prison_local_ip4 in in_pcbbind_setup, and of
   prison_local_ip6 in in6_pcbbind.

 r188149:
   Call prison_if from rtm_get_jailed, instead of splitting it out into
   prison_check_ip4 and prison_check_ip6.  As prison_if includes a jailed()
   check, remove that check before calling rtm_get_jailed.

 r188151:
   Don't bother null-checking the thread pointer before the prison checks
   in udp6_connect (td is already dereferenced elsewhere without such a
   check).  This makes the conversion from a sockaddr to a sockaddr_in6
   always happen, so convert once at the beginning of the function rather
   than twice in the middle.

Approved by:	bz (mentor)

Revision 1.70.2.7: download - view: text, markup, annotated - select for diffs
Sat Feb 7 13:55:12 2009 UTC (3 years ago) by bz
Branches: RELENG_7
Diff to: previous 1.70.2.6: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.6: +2 -2 lines
SVN rev 188286 on 2009-02-07 13:55:12Z by bz

MFC: r187684

  For consistency with prison_{local,remote,check}_ipN rename
  prison_getipN to prison_get_ipN.

Revision 1.70.2.6: download - view: text, markup, annotated - select for diffs
Sat Feb 7 13:19:08 2009 UTC (3 years ago) by bz
Branches: RELENG_7
Diff to: previous 1.70.2.5: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.5: +878 -69 lines
SVN rev 188281 on 2009-02-07 13:19:08Z by bz

MFC:
 r185435:
  This enhances the current jail implementation to permit multiple
  addresses per jail. In addition to IPv4, IPv6 is supported as well.
  Due to updated checks it is even possible to have jails without
  an IP address at all, which basically gives one a chroot with
  restricted process view, no networking,..

  SCTP support was updated and supports IPv6 in jails as well.

  Cpuset support permits jails to be bound to specific processor
  sets after creation.

  Jails can have an unrestricted (no duplicate protection, etc.) name
  in addition to the hostname. The jail name cannot be changed from
  within a jail and is considered to be used for management purposes
  or as audit-token in the future.

  DDB 'show jails' command was added to aid debugging.

  Proper compat support permits 32bit jail binaries to be used on 64bit
  systems to manage jails. Also backward compatibility was preserved where
  possible: for jail v1 syscalls, as well as with user space management
  utilities.

  Both jail as well as prison version were updated for the new features.
  A gap was intentionally left as the intermediate versions had been
  used by various patches floating around the last years.

  Bump __FreeBSD_version for the aforementioned and in kernel changes.

 r185441:
  Unbreak the no-networks (no INET/6) build.

 r185899:
  Correctly check the number of prison states to not access anything
  outside the prison_states array.
  When checking if there is a name configured for the prison, check the
  first character to not be '\0' instead of checking if the char array
  is present, which it always is. Note, that this is different for the
  *jailname in the syscall.

  Found with:	Coverity Prevent(tm)
  CID:		4156, 4155

 r186085:
  Make sure that the direct jls invocation prints something
  reasonably close to and in the same format as it always had.

 r186606:
  Make sure that unused j->ip[46] are cleared.

 r186834:
  Document the special loopback address behaviour of jails.

  PR:		kern/103464

 r186841:
  Put the devfs ruleset next to devfs enable, add a comment about
  the suggested ruleset[1].

  While here use an IP from the 'test-net' prefix for docs.

  PR:		kern/130102

 r187059:
  Add a short section talking about jails and file systems; mention the
  mount and jail-aware file systems as well as quota.

  PR:		kern/68192

 r187092:
  Sort .Xr.

 r187365:
  s,unmount 8,umount 8, it is unmount(2) which I did not mean.

 r187669:
  Update the description of the '-h' option wrt to primary addresses
  per address family and add a reference to the ip-addresses option.

 r187670:
  New sentence starts on a new line.

Revision 1.70.2.5: download - view: text, markup, annotated - select for diffs
Sat Feb 7 10:29:07 2009 UTC (3 years ago) by bz
Branches: RELENG_7
Diff to: previous 1.70.2.4: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.4: +22 -6 lines
SVN rev 188276 on 2009-02-07 10:29:07Z by bz

MFC: r185404

  With the permissions of phk@ change the license on kern_jail.c
  to a 2 clause BSD license.

Revision 1.95: download - view: text, markup, annotated - select for diffs
Thu Feb 5 14:15:18 2009 UTC (3 years ago) by jamie
Branches: MAIN
Diff to: previous 1.94: preferred, colored
Changes since revision 1.94: +42 -0 lines
SVN rev 188146 on 2009-02-05 14:15:18Z by jamie

Don't allow creating a socket with a protocol family that the current
jail doesn't support.  This involves a new function prison_check_af,
like prison_check_ip[46] but that checks only the family.

With this change, most of the errors generated by jailed sockets
shouldn't ever occur, at least until jails are changeable.

Approved by:	bz (mentor)

Revision 1.94: download - view: text, markup, annotated - select for diffs
Thu Feb 5 14:06:09 2009 UTC (3 years ago) by jamie
Branches: MAIN
Diff to: previous 1.93: preferred, colored
Changes since revision 1.93: +74 -70 lines
SVN rev 188144 on 2009-02-05 14:06:09Z by jamie

Standardize the various prison_foo_ip[46] functions and prison_if to
return zero on success and an error code otherwise.  The possible errors
are EADDRNOTAVAIL if an address being checked for doesn't match the
prison, and EAFNOSUPPORT if the prison doesn't have any addresses in
that address family.  For most callers of these functions, use the
returned error code instead of e.g. a hard-coded EADDRNOTAVAIL or
EINVAL.

Always include a jailed() check in these functions, where a non-jailed
cred always returns success (and makes no changes).  Remove the explicit
jailed() checks that preceded many of the function calls.

Approved by:	bz (mentor)

Revision 1.93: download - view: text, markup, annotated - select for diffs
Wed Jan 28 19:58:05 2009 UTC (3 years ago) by ed
Branches: MAIN
Diff to: previous 1.92: preferred, colored
Changes since revision 1.92: +6 -4 lines
SVN rev 187864 on 2009-01-28 19:58:05Z by ed

Mark most often used sysctl's as MPSAFE.

After running a `make buildkernel', I noticed most of the Giant locks in
sysctl are only caused by a very small amount of sysctl's:

- sysctl.name2oid. This one is locked by SYSCTL_LOCK, just like
  sysctl.oidfmt.

- kern.ident, kern.osrelease, kern.version, etc. These are just constant
  strings.

- kern.arandom, used by the stack protector. It is already protected by
  arc4_mtx.

I also saw the following sysctl's show up. Not as often as the ones
above, but still quite often:

- security.jail.jailed. Also mark security.jail.list as MPSAFE. They
  don't need locking or already use allprison_lock.

- kern.devname, used by devname(3), ttyname(3), etc.

This seems to reduce Giant locking inside sysctl by ~75% in my primitive
test setup.

Revision 1.92: download - view: text, markup, annotated - select for diffs
Sun Jan 25 10:11:58 2009 UTC (3 years ago) by bz
Branches: MAIN
Diff to: previous 1.91: preferred, colored
Changes since revision 1.91: +2 -2 lines
SVN rev 187684 on 2009-01-25 10:11:58Z by bz

For consistency with prison_{local,remote,check}_ipN rename
prison_getipN to prison_get_ipN.

Submitted by:	jamie (as part of a larger patch)
MFC after:	1 week

Revision 1.91: download - view: text, markup, annotated - select for diffs
Sun Jan 4 12:18:18 2009 UTC (3 years, 1 month ago) by bz
Branches: MAIN
Diff to: previous 1.90: preferred, colored
Changes since revision 1.90: +0 -2 lines
SVN rev 186736 on 2009-01-04 12:18:18Z by bz

Back out r186615; the sanitizing of the pointers in the error case
is not needed and seems that it will not be needed either.

Pointy hat:	mine, mine, mine and not pho's

Revision 1.90: download - view: text, markup, annotated - select for diffs
Tue Dec 30 20:39:47 2008 UTC (3 years, 1 month ago) by pho
Branches: MAIN
Diff to: previous 1.89: preferred, colored
Changes since revision 1.89: +2 -0 lines
SVN rev 186615 on 2008-12-30 20:39:47Z by pho

Added missing second part of cleaning j->ip[46] as requested by bz

Approved by:	kib (mentor)
Pointy hat:	pho

Revision 1.89: download - view: text, markup, annotated - select for diffs
Tue Dec 30 17:54:25 2008 UTC (3 years, 1 month ago) by pho
Branches: MAIN
Diff to: previous 1.88: preferred, colored
Changes since revision 1.88: +4 -2 lines
SVN rev 186606 on 2008-12-30 17:54:25Z by pho

Make sure that unused j->ip[46] are cleared

Reviewed by:	bz
Approved by:	kib (mentor)

Revision 1.88: download - view: text, markup, annotated - select for diffs
Thu Dec 11 01:04:25 2008 UTC (3 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.87: preferred, colored
Changes since revision 1.87: +2 -2 lines
SVN rev 185899 on 2008-12-11 01:04:25Z by bz

Correctly check the number of prison states to not access anything
outside the prison_states array.
When checking if there is a name configured for the prison, check the
first character to not be '\0' instead of checking if the char array
is present, which it always is. Note, that this is different for the
*jailname in the syscall.

Found with:	Coverity Prevent(tm)
CID:		4156, 4155
MFC after:	4 weeks (just that I get the mail)

Revision 1.87: download - view: text, markup, annotated - select for diffs
Sat Nov 29 16:17:39 2008 UTC (3 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.86: preferred, colored
Changes since revision 1.86: +2 -0 lines
SVN rev 185441 on 2008-11-29 16:17:39Z by bz

Unbreak the no-networks (no INET/6) build that I broke with
the commit in r185435.

Pointyhat:	no, but I could need a ski cap for the winter

Revision 1.86: download - view: text, markup, annotated - select for diffs
Sat Nov 29 14:32:14 2008 UTC (3 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.85: preferred, colored
Changes since revision 1.85: +848 -60 lines
SVN rev 185435 on 2008-11-29 14:32:14Z by bz

MFp4:
  Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addition to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the aforementioned and in-kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
  and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
  help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
  suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
  on cluster machines as well as all the testers and people
  who provided feedback the last months on freebsd-jail and
  other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by:	(see above)
MFC after:	3 months (this is just so that I get the mail)
X-MFC Before:   7.2-RELEASE if possible

Revision 1.85: download - view: text, markup, annotated - select for diffs
Fri Nov 28 19:23:46 2008 UTC (3 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.84: preferred, colored
Changes since revision 1.84: +22 -6 lines
SVN rev 185404 on 2008-11-28 19:23:46Z by bz

With the permissions of phk@ change the license on kern_jail.c
to a 2 clause BSD license.

Revision 1.70.2.4.2.1: download - view: text, markup, annotated - select for diffs
Tue Nov 25 02:59:29 2008 UTC (3 years, 2 months ago) by kensmith
Branches: RELENG_7_1
CVS tags: RELENG_7_1_0_RELEASE
Diff to: previous 1.70.2.4: preferred, colored; next MAIN 1.70.2.5: preferred, colored
Changes since revision 1.70.2.4: +0 -0 lines
SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)

Revision 1.84: download - view: text, markup, annotated - select for diffs
Mon Nov 17 20:49:29 2008 UTC (3 years, 2 months ago) by pjd
Branches: MAIN
Diff to: previous 1.83: preferred, colored
Changes since revision 1.83: +28 -234 lines
SVN rev 185029 on 2008-11-17 20:49:29Z by pjd

Update ZFS from version 6 to 13 and bring some FreeBSD-specific changes.

This brings a huge amount of changes; I'll enumerate only user-visible changes:

- Delegated Administration

	Allows regular users to perform ZFS operations, like file system
	creation, snapshot creation, etc.

- L2ARC

	Level 2 cache for ZFS - allows using additional disks for cache.
	Huge performance improvements mostly for random read of mostly
	static content.

- slog

	Allows using additional disks for the ZFS Intent Log to speed up
	operations like fsync(2).

- vfs.zfs.super_owner

	Allows regular users to perform privileged operations on files stored
	on ZFS file systems owned by them. Be very careful with this one.

- chflags(2)

	Not all the flags are supported. This still needs work.

- ZFSBoot

	Support to boot off of ZFS pool. Not finished, AFAIK.

	Submitted by:	dfr

- Snapshot properties

- New failure modes

	Before, if a requested write failed, the system panicked. Now one
	can select one of three failure modes:
	- panic - panic on write error
	- wait - wait for disk to reappear
	- continue - serve read requests if possible, block write requests

- Refquota, refreservation properties

	Just quota and reservation properties, but don't count space consumed
	by children file systems, clones and snapshots.

- Sparse volumes

	ZVOLs that don't reserve space in the pool.

- External attributes

	Compatible with extattr(2).

- NFSv4-ACLs

	Not sure about the status, might not be complete yet.

	Submitted by:	trasz

- Creation-time properties

- Regression tests for zpool(8) command.

Obtained from:	OpenSolaris

Revision 1.83: download - view: text, markup, annotated - select for diffs
Thu Oct 23 15:53:51 2008 UTC (3 years, 3 months ago) by des
Branches: MAIN
Diff to: previous 1.82: preferred, colored
Changes since revision 1.82: +6 -6 lines
SVN rev 184205 on 2008-10-23 15:53:51Z by des

Retire the MALLOC and FREE macros.  They are an abomination unto style(9).

MFC after:	3 months

Revision 1.82: download - view: text, markup, annotated - select for diffs
Thu Oct 2 15:37:58 2008 UTC (3 years, 4 months ago) by zec
Branches: MAIN
Diff to: previous 1.81: preferred, colored
Changes since revision 1.81: +1 -0 lines
SVN rev 183550 on 2008-10-02 15:37:58Z by zec

Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparison between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by:	julian, bz, brooks, zec
Reviewed by:	julian, bz, brooks, kris, rwatson, ...
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation

Revision 1.50.2.1.8.1: download - view: text, markup, annotated - select for diffs
Thu Oct 2 02:57:24 2008 UTC (3 years, 4 months ago) by kensmith
Branches: RELENG_6_4
CVS tags: RELENG_6_4_0_RELEASE
Diff to: previous 1.50.2.1: preferred, colored; next MAIN 1.51: preferred, colored
Changes since revision 1.50.2.1: +0 -0 lines
SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)

Revision 1.81: download - view: text, markup, annotated - select for diffs
Sun Aug 17 23:27:27 2008 UTC (3 years, 5 months ago) by bz
Branches: MAIN
Diff to: previous 1.80: preferred, colored
Changes since revision 1.80: +2 -1 lines
SVN rev 181803 on 2008-08-17 23:27:27Z by bz

Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).

This is the first in a series of commits over the course
of the next few weeks.

Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.

We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.

Obtained from:	//depot/projects/vimage-commit2/...
Reviewed by:	brooks, des, ed, mav, julian,
		jamie, kris, rwatson, zec, ...
		(various people I forgot, different versions)
		md5 (with a bit of help)
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
X-MFC after:	never
V_Commit_Message_Reviewed_By:	more people than the patch

Revision 1.70.2.4: download - view: text, markup, annotated - select for diffs
Sat Aug 2 16:53:45 2008 UTC (3 years, 6 months ago) by bz
Branches: RELENG_7
CVS tags: RELENG_7_1_BP
Branch point for: RELENG_7_1
Diff to: previous 1.70.2.3: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.3: +4 -0 lines
SVN rev 181190 on 2008-08-02 16:53:45Z by bz

MFC: r180357, cvs rev. 1.80 kern_jail.c

  Plug a memory leak with jail services.

PR:		125257
Submitted by:	Mateusz Guzik <mjguzik gmail.com>

Revision 1.70.2.3: download - view: text, markup, annotated - select for diffs
Sun Jul 27 18:55:03 2008 UTC (3 years, 6 months ago) by delphij
Branches: RELENG_7
Diff to: previous 1.70.2.2: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.2: +24 -18 lines
SVN rev 180849 on 2008-07-27 18:55:03Z by delphij

MFC r179881:

Revert rev. 178124 as requested by kris@.  Having jail ids not be
reused too frequently is useful for script-controlled environments.

Revision 1.80: download - view: text, markup, annotated - select for diffs
Mon Jul 7 20:53:49 2008 UTC (3 years, 7 months ago) by bz
Branches: MAIN
Diff to: previous 1.79: preferred, colored
Changes since revision 1.79: +4 -0 lines
SVN rev 180357 on 2008-07-07 20:53:49Z by bz

MFp4 144659:
Plug a memory leak with jail services.

PR:		125257
Submitted by:	Mateusz Guzik <mjguzik gmail.com>
MFC after:	6 days

Revision 1.79: download - view: text, markup, annotated - select for diffs
Sat Jul 5 13:10:10 2008 UTC (3 years, 7 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.78: preferred, colored
Changes since revision 1.78: +4 -1 lines
SVN rev 180291 on 2008-07-05 13:10:10Z by rwatson

Introduce a new lock, hostname_mtx, and use it to synchronize access
to global hostname and domainname variables.  Where necessary, copy
to or from a stack-local buffer before performing copyin() or
copyout().  A few uses, such as in cd9660 and daemon_saver, remain
under-synchronized and will require further updates.

Correct a bug in which a failed copyin() of domainname would leave
domainname potentially corrupted.

MFC after:	3 weeks
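
The bug fixed in this revision is a general one: copyin(9) can fault part-way through a copy, so a copyin() straight into a kernel global leaves that global torn when the user buffer is bad. The following is an added illustration, not FreeBSD's kern_jail.c or kern_mib.c code: a userland model of the domainname global with a constructed fake_copyin() that writes only part of the destination before returning EFAULT, showing the pre-r180291 pattern next to the stack-buffer pattern the commit adopts. MAXHOSTNAMELEN, the sample domain names and the user_buf structure are assumptions of the example. The hostname_mtx locking around the final assignment is noted in a comment only.

```c
/*
 * Added illustration (not FreeBSD kernel code) of why r180291 copies
 * user input to a stack buffer before touching the global.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXHOSTNAMELEN 256	/* assumed; matches sys/param.h */

/* Model of the kernel global domainname[]. */
static char domainname[MAXHOSTNAMELEN] = "example.internal";

/*
 * Constructed stand-in for a user buffer: 'good' is how many bytes can
 * be read before the copy faults, (size_t)-1 meaning it never faults.
 */
struct user_buf {
	const char *data;
	size_t good;
};

/*
 * Constructed stand-in for copyin(9).  On a fault it has already
 * written 'good' bytes into the destination, which is exactly what a
 * real copyin() does when the user buffer crosses into an unmapped page.
 */
static int
fake_copyin(const struct user_buf *ub, void *dst, size_t len)
{
	if (ub->good >= len) {
		memcpy(dst, ub->data, len);
		return (0);
	}
	memcpy(dst, ub->data, ub->good);	/* partial write, then fault */
	return (EFAULT);
}

/* Before r180291: copyin() directly into the global (the bug). */
int
set_domainname_unsafe(const struct user_buf *ub, size_t len)
{
	if (len > MAXHOSTNAMELEN - 1)
		return (EINVAL);
	int error = fake_copyin(ub, domainname, len);
	if (error != 0)
		return (error);	/* the global may now hold a torn value */
	domainname[len] = '\0';
	return (0);
}

/* After r180291: stage in a stack buffer, commit only on success. */
int
set_domainname_safe(const struct user_buf *ub, size_t len)
{
	char tmp[MAXHOSTNAMELEN];

	if (len > MAXHOSTNAMELEN - 1)
		return (EINVAL);
	int error = fake_copyin(ub, tmp, len);
	if (error != 0)
		return (error);	/* the global is untouched */
	tmp[len] = '\0';
	/* In the kernel this copy is done with hostname_mtx held. */
	memcpy(domainname, tmp, len + 1);
	return (0);
}

const char *
get_domainname(void)
{
	return (domainname);
}

void
reset_domainname(void)
{
	strcpy(domainname, "example.internal");
}
```

With a buffer that faults after three bytes, set_domainname_unsafe() returns EFAULT but leaves the global reading "attmple.internal"; set_domainname_safe() returns the same error with the global intact.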

Revision 1.78: download - view: text, markup, annotated - select for diffs
Thu Jun 19 21:41:57 2008 UTC (3 years, 7 months ago) by delphij
Branches: MAIN
Diff to: previous 1.77: preferred, colored
Changes since revision 1.77: +24 -18 lines
SVN rev 179881 on 2008-06-19 21:41:57Z by delphij

Revert rev. 178124 as requested by kris@.  Having jail ids not be
reused too frequently is useful for script-controlled environments.

Revision 1.70.2.2: download - view: text, markup, annotated - select for diffs
Mon May 12 18:00:54 2008 UTC (3 years, 8 months ago) by delphij
Branches: RELENG_7
Diff to: previous 1.70.2.1: preferred, colored; branchpoint 1.70: preferred, colored
Changes since revision 1.70.2.1: +18 -24 lines
MFC: Instead of rolling our own jail number allocation procedure, use
alloc_unr() to do it.

Submitted by:   Ed Schouten <ed 80386 nl>
PR:             kern/122270

Revision 1.77: download - view: text, markup, annotated - select for diffs
Fri Apr 11 21:31:14 2008 UTC (3 years, 10 months ago) by delphij
Branches: MAIN
Diff to: previous 1.76: preferred, colored
Changes since revision 1.76: +18 -24 lines
Instead of rolling our own jail number allocation procedure, use
alloc_unr() to do it.

Submitted by:	Ed Schouten <ed 80386 nl>
PR:		kern/122270
MFC after:	1 month

Revision 1.76: download - view: text, markup, annotated - select for diffs
Mon Mar 31 12:01:20 2008 UTC (3 years, 10 months ago) by kib
Branches: MAIN
Diff to: previous 1.75: preferred, colored
Changes since revision 1.75: +1 -0 lines
Add the support for the AT_FDCWD and fd-relative name lookups to the
namei(9).

Based on the submission by rdivacky,
	sponsored by Google Summer of Code 2007
Reviewed by:	rwatson, rdivacky
Tested by:	pho

Revision 1.70.2.1: download - view: text, markup, annotated - select for diffs
Sun Mar 9 19:01:50 2008 UTC (3 years, 11 months ago) by bz
Branches: RELENG_7
Diff to: previous 1.70: preferred, colored
Changes since revision 1.70: +6 -0 lines
MFC:
  1.75  sys/kern/kern_jail.c
  1.8   sys/netinet/ip_options.c
  1.78  sys/netinet6/in6.c
  1.113 sys/netinet6/ip6_output.c
  1.41  sys/netinet6/ip6_var.h
  1.76  sys/netinet6/raw_ip6.c
  1.85  sys/netinet6/udp6_usrreq.c
  [ previously MFCed by rwatson 1.18 sys/sys/priv.h belonging to this change ]

  Replace the last susers calls in netinet6/ with privilege checks.

  Introduce a new privilege allowing to set certain IP header options
  (hop-by-hop, routing headers).

  Leave a few comments that we would like to address later.

Discussed with:	rwatson

Revision 1.75: download - view: text, markup, annotated - select for diffs
Thu Jan 24 08:25:58 2008 UTC (4 years ago) by bz
Branches: MAIN
Diff to: previous 1.74: preferred, colored
Changes since revision 1.74: +6 -0 lines
Replace the last susers calls in netinet6/ with privilege checks.

Introduce a new privilege allowing to set certain IP header options
(hop-by-hop, routing headers).

Leave a few comments to be addressed later.

Reviewed by:	rwatson (older version, before addressing his comments)

Revision 1.74: download - view: text, markup, annotated - select for diffs
Sun Jan 13 14:44:08 2008 UTC (4 years ago) by attilio
Branches: MAIN
Diff to: previous 1.73: preferred, colored
Changes since revision 1.73: +3 -3 lines
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in
conjunction with 'thread' argument passing, which is always curthread.
Remove the unuseful extra-argument and pass explicitly curthread to lower
layer functions, when necessary.

KPI results broken by this change, which should affect several ports, so
version bumping and manpage update will be further committed.

Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>

Revision 1.73: download - view: text, markup, annotated - select for diffs
Thu Jan 10 01:10:52 2008 UTC (4 years, 1 month ago) by attilio
Branches: MAIN
Diff to: previous 1.72: preferred, colored
Changes since revision 1.72: +1 -1 lines
vn_lock() is currently only used with the 'curthread' passed as argument.
Remove this argument and pass curthread directly to underlying
VOP_LOCK1() VFS method. This modification makes the code cleaner and in
particular removes an annoying dependence, helping the next lockmgr() cleanup.
KPI results, obviously, changed.

Manpage and FreeBSD_version will be updated through further commits.

As a side note, it would be valuable to say that the next commits will address
a similar cleanup about VFS methods, in particular vop_lock1 and
vop_unlock.

Tested by:	Diego Sardina <siarodx at gmail dot com>,
		Andrea Di Pasquale <whyx dot it at gmail dot com>

Revision 1.72: download - view: text, markup, annotated - select for diffs
Wed Oct 24 19:03:54 2007 UTC (4 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.71: preferred, colored
Changes since revision 1.71: +1 -1 lines
Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updated as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer

Revision 1.71: download - view: text, markup, annotated - select for diffs
Sun Oct 21 22:50:11 2007 UTC (4 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.70: preferred, colored
Changes since revision 1.70: +1 -0 lines
Add PRIV_VFS_STAT privilege, which will allow overriding policy limits on
the right to stat() a file, such as in mac_bsdextended.

Obtained from:	TrustedBSD Project
MFC after:	3 months

Revision 1.70: download - view: text, markup, annotated - select for diffs
Fri Apr 13 23:54:22 2007 UTC (4 years, 9 months ago) by pjd
Branches: MAIN
CVS tags: RELENG_7_BP, RELENG_7_0_BP, RELENG_7_0_0_RELEASE, RELENG_7_0
Branch point for: RELENG_7
Diff to: previous 1.69: preferred, colored
Changes since revision 1.69: +1 -0 lines
Fix jails and jail-friendly file systems handling:
- We need to allow for PRIV_VFS_MOUNT_OWNER inside a jail.
- Move security checks to vfs_suser() and deny unmounting and updating
  for jailed root from different jails, etc.

OK'ed by:	rwatson

Revision 1.69: download - view: text, markup, annotated - select for diffs
Tue Apr 10 15:59:49 2007 UTC (4 years, 10 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.68: preferred, colored
Changes since revision 1.68: +3 -1 lines
Allow PRIV_NETINET_REUSEPORT in jail.

Revision 1.68: download - view: text, markup, annotated - select for diffs
Sun Apr 8 10:46:23 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.67: preferred, colored
Changes since revision 1.67: +16 -11 lines
prison_free() can be called with a mutex held. This wasn't a problem until
I converted allprison_mtx mutex to allprison_lock sx lock. To fix this LOR,
move prison removal to prison_complete() entirely. To ensure that no one
will reference this prison before it's being removed from the list, skip
prisons with 'pr_ref == 0' in prison_find() and assert that pr_ref has to be
greater than 0 in prison_hold().

Reported by:	kris
OK'ed by:	rwatson

Revision 1.67: download - view: text, markup, annotated - select for diffs
Sun Apr 8 10:21:38 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.66: preferred, colored
Changes since revision 1.66: +2 -2 lines
Only use prison mutex to protect the fields that need to be protected by it.

Revision 1.66: download - view: text, markup, annotated - select for diffs
Sun Apr 8 02:13:32 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.65: preferred, colored
Changes since revision 1.65: +1 -1 lines
pr_list is protected by the allprison_lock.

Revision 1.65: download - view: text, markup, annotated - select for diffs
Thu Apr 5 23:19:12 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.64: preferred, colored
Changes since revision 1.64: +244 -27 lines
Implement functionality I called 'jail services'.

It may be used for external modules to attach some data to jail's in-kernel
structure.

- Change allprison_mtx mutex to allprison_sx sx(9) lock.
  We will need to call external functions while holding this lock, which may
  want to allocate memory.
  Make use of the fact that this is shared-exclusive lock and use shared
  version when possible.
- Implement the following functions:
  prison_service_register() - registers a service that wants to be noticed
	when a jail is created and destroyed
  prison_service_deregister() - deregisters service
  prison_service_data_add() - adds service-specific data to the jail structure
  prison_service_data_get() - takes service-specific data from the jail
	structure
  prison_service_data_del() - removes service-specific data from the jail
	structure

Reviewed by:	rwatson

Revision 1.64: download - view: text, markup, annotated - select for diffs
Thu Apr 5 21:34:54 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.63: preferred, colored
Changes since revision 1.63: +1 -2 lines
Make prison_find() globally accessible.

Revision 1.63: download - view: text, markup, annotated - select for diffs
Thu Apr 5 21:03:04 2007 UTC (4 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.62: preferred, colored
Changes since revision 1.62: +17 -0 lines
Add security.jail.mount_allowed sysctl, which allows mounting and
unmounting jail-friendly file systems from within a jail.
Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and
PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user.
It is turned off by default.

A jail-friendly file system is a file system whose driver registers
itself with VFCF_JAIL flag via VFS_SET(9) API.
The lsvfs(1) command can be used to see which file systems are
jail-friendly ones.

There are currently no jail-friendly file systems; ZFS will be the first one.
In the future we may consider marking file systems like nullfs as
jail-friendly.

Reviewed by:	rwatson

Revision 1.62: download - view: text, markup, annotated - select for diffs
Fri Mar 9 05:22:10 2007 UTC (4 years, 11 months ago) by pjd
Branches: MAIN
Diff to: previous 1.61: preferred, colored
Changes since revision 1.61: +1 -3 lines
Minor simplification.

Revision 1.61: download - view: text, markup, annotated - select for diffs
Wed Mar 7 21:24:51 2007 UTC (4 years, 11 months ago) by pjd
Branches: MAIN
Diff to: previous 1.60: preferred, colored
Changes since revision 1.60: +4 -4 lines
White space nits.

Revision 1.60: download - view: text, markup, annotated - select for diffs
Sun Mar 4 22:36:46 2007 UTC (4 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.59: preferred, colored
Changes since revision 1.59: +0 -4 lines
Remove 'MPSAFE' annotations from the comments above most system calls: all
system calls now enter without Giant held, and then in some cases, acquire
Giant explicitly.

Remove a number of other MPSAFE annotations in the credential code and
tweak one or two other adjacent comments.

Revision 1.59: download - view: text, markup, annotated - select for diffs
Thu Mar 1 20:47:41 2007 UTC (4 years, 11 months ago) by pjd
Branches: MAIN
Diff to: previous 1.58: preferred, colored
Changes since revision 1.58: +1 -1 lines
Rename PRIV_VFS_CLEARSUGID to PRIV_VFS_RETAINSUGID, which seems to better
describe the privilege.

OK'ed by:	rwatson

Revision 1.58: download - view: text, markup, annotated - select for diffs
Tue Feb 20 00:12:52 2007 UTC (4 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.57: preferred, colored
Changes since revision 1.57: +0 -1 lines
Remove unused PRIV_IPC_EXEC.  Renumbers System V IPC privilege.

Revision 1.57: download - view: text, markup, annotated - select for diffs
Mon Feb 19 13:33:09 2007 UTC (4 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.56: preferred, colored
Changes since revision 1.56: +2 -2 lines
Rename three quota privileges from the UFS privilege namespace to the
VFS privilege namespace: exceedquota, getquota, and setquota.  Leave
UFS-specific quota configuration privileges in the UFS name space.

This renumbers VFS and UFS privileges, so requires rebuilding modules
if you are using security policies aware of privilege identifiers.
This is likely no one at this point since none of the committed MAC
policies use the privilege checks.

Revision 1.56: download - view: text, markup, annotated - select for diffs
Mon Feb 19 13:26:39 2007 UTC (4 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.55: preferred, colored
Changes since revision 1.55: +2 -5 lines
Limit quota privileges in jail to PRIV_UFS_GETQUOTA and
PRIV_UFS_SETQUOTA.

Revision 1.55: download - view: text, markup, annotated - select for diffs
Mon Feb 19 13:10:29 2007 UTC (4 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.54: preferred, colored
Changes since revision 1.54: +2 -0 lines
For now, reflect practical reality that Audit system calls aren't
allowed in Jail: return a privilege error.

Revision 1.54: download - view: text, markup, annotated - select for diffs
Mon Nov 6 13:37:17 2006 UTC (5 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.53: preferred, colored
Changes since revision 1.53: +168 -1 lines
Add a new priv(9) kernel interface for checking the availability of
privilege for threads and credentials.  Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed.  Two interfaces are provided, replacing the
existing suser(9) interface:

suser(td)                 ->   priv_check(td, priv)
suser_cred(cred, flags)   ->   priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be
found in priv.h.  New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.

The new privilege interface exposes sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag.  For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail.  As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.

The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated.  The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.

Sponsored by:		nCircle Network Security, Inc.
Obtained from:		TrustedBSD Project
Discussed on:		arch@
Reviewed (at least in part) by:	mlaier, jmg, pjd, bde, ceri,
			Alex Lyashkov <umka at sevcity dot net>,
			Skip Ford <skip dot ford at verizon dot net>,
			Antoine Brodin <antoine dot brodin at laposte dot net>
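
The check order this commit describes, together with the jail-specific grants recorded in revisions 1.56, 1.63, 1.69 and 1.70 above (quota privileges limited to get/set, security.jail.mount_allowed gating the mount privileges, PRIV_NETINET_REUSEPORT and PRIV_VFS_MOUNT_OWNER permitted in jail), can be shown as one userland model. The following is an added example, not FreeBSD's kern_priv.c or kern_jail.c: priv_check_cred() first lets a MAC policy veto, then consults the centralized jail list in prison_priv_check(), then grants root, then lets a MAC policy grant. The privilege names are the ones this log mentions (quota names as renamed in 1.57); the allow-list is an excerpt assumed for the example, not the kernel's full list, and the two mac_example_* policies, the ucred fields and the jail_mount_allowed variable are constructed stand-ins.

```c
/*
 * Added model (not FreeBSD kernel code) of the priv(9) check order:
 * MAC deny, jail allow-list, root, MAC grant.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Excerpt of privilege identifiers named in this log; not the full priv.h. */
enum priv {
	PRIV_ROOT, PRIV_DRIVER,
	PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT, PRIV_VFS_MOUNT_NONUSER,
	PRIV_VFS_MOUNT_OWNER, PRIV_VFS_STAT, PRIV_VFS_RETAINSUGID,
	PRIV_VFS_GETQUOTA, PRIV_VFS_SETQUOTA, PRIV_VFS_EXCEEDQUOTA,
	PRIV_NETINET_REUSEPORT
};

/* Constructed credential: only the two fields the check needs. */
struct ucred {
	unsigned cr_uid;
	bool cr_jailed;
};

/* Model of security.jail.mount_allowed (rev 1.63): off by default. */
int jail_mount_allowed = 0;

/* MAC hook points; NULL means no policy module is loaded. */
int (*mac_priv_check)(const struct ucred *, enum priv) = NULL;
int (*mac_priv_grant)(const struct ucred *, enum priv) = NULL;

/*
 * Centralized list of privileges permitted in jail (model of
 * prison_priv_check()).  Anything not listed is refused with EPERM.
 */
int
prison_priv_check(const struct ucred *cred, enum priv priv)
{
	(void)cred;
	switch (priv) {
	case PRIV_VFS_MOUNT:
	case PRIV_VFS_UNMOUNT:
	case PRIV_VFS_MOUNT_NONUSER:
		return (jail_mount_allowed ? 0 : EPERM);	/* rev 1.63 */
	case PRIV_VFS_MOUNT_OWNER:	/* rev 1.70 */
	case PRIV_NETINET_REUSEPORT:	/* rev 1.69 */
	case PRIV_VFS_GETQUOTA:		/* rev 1.56: only these two quota privs */
	case PRIV_VFS_SETQUOTA:
	case PRIV_VFS_RETAINSUGID:
	case PRIV_VFS_STAT:
		return (0);
	default:			/* PRIV_VFS_EXCEEDQUOTA, PRIV_DRIVER, ... */
		return (EPERM);
	}
}

int
priv_check_cred(const struct ucred *cred, enum priv priv)
{
	int error;

	/* 1. A MAC policy may deny a privilege root would otherwise hold. */
	if (mac_priv_check != NULL && (error = mac_priv_check(cred, priv)) != 0)
		return (error);
	/* 2. Jailed credentials only get the centralized allow-list. */
	if (cred->cr_jailed && (error = prison_priv_check(cred, priv)) != 0)
		return (error);
	/* 3. Root (unjailed, or jailed and permitted above) holds it. */
	if (cred->cr_uid == 0)
		return (0);
	/* 4. A MAC policy may grant a privilege to a non-root credential. */
	if (mac_priv_grant != NULL && mac_priv_grant(cred, priv) == 0)
		return (0);
	return (EPERM);
}

/* Two constructed MAC policies standing in for loaded modules. */
int
mac_example_deny_driver(const struct ucred *cred, enum priv priv)
{
	(void)cred;
	return (priv == PRIV_DRIVER ? EPERM : 0);
}

int
mac_example_grant_stat(const struct ucred *cred, enum priv priv)
{
	(void)cred;
	return (priv == PRIV_VFS_STAT ? 0 : EPERM);
}
```

The ordering matters for the security argument of the commit: a MAC deny is consulted before root is granted, so a policy can constrain a root process, and a MAC grant is consulted only after the jail list, so a policy cannot hand a jailed process a privilege the jail list refuses.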

Revision 1.53: download - view: text, markup, annotated - select for diffs
Sun Oct 22 11:52:13 2006 UTC (5 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.52: preferred, colored
Changes since revision 1.52: +2 -1 lines
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA

Revision 1.52: download - view: text, markup, annotated - select for diffs
Sun Sep 17 20:00:35 2006 UTC (5 years, 4 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.51: preferred, colored
Changes since revision 1.51: +0 -1 lines
Declare security and security.bsd sysctl hierarchies in sysctl.h along
with other commonly used sysctl name spaces, rather than declaring them
all over the place.

MFC after:	1 month
Sponsored by:	nCircle Network Security, Inc.

Revision 1.50.2.1: download - view: text, markup, annotated - select for diffs
Sun Nov 13 03:12:32 2005 UTC (6 years, 2 months ago) by csjp
Branches: RELENG_6
CVS tags: RELENG_6_4_BP, RELENG_6_3_BP, RELENG_6_3_0_RELEASE, RELENG_6_3, RELENG_6_2_BP, RELENG_6_2_0_RELEASE, RELENG_6_2, RELENG_6_1_BP, RELENG_6_1_0_RELEASE, RELENG_6_1
Branch point for: RELENG_6_4
Diff to: previous 1.50: preferred, colored; next MAIN 1.51: preferred, colored
Changes since revision 1.50: +15 -16 lines
MFC revision 1.51
Giant push down.

Revision 1.51: download - view: text, markup, annotated - select for diffs
Wed Sep 28 00:30:56 2005 UTC (6 years, 4 months ago) by csjp
Branches: MAIN
Diff to: previous 1.50: preferred, colored
Changes since revision 1.50: +15 -16 lines
Push Giant down in jails. Pass the MPSAFE flag to NDINIT, and keep track
of whether or not Giant was picked up by the filesystem. Add VFS_LOCK_GIANT
macros around vrele as it's possible that this can call in the VOP_INACTIVE
filesystem specific code. Also while we are here, remove the Giant assertion
from the sysctl handler; we do not actually require Giant here so we
shouldn't assert it. Doing so will just complicate things when Giant is removed
from the sysctl framework.

Revision 1.50: download - view: text, markup, annotated - select for diffs
Thu Jun 23 22:13:28 2005 UTC (6 years, 7 months ago) by pjd
Branches: MAIN
CVS tags: RELENG_6_BP, RELENG_6_0_BP, RELENG_6_0_0_RELEASE, RELENG_6_0
Branch point for: RELENG_6
Diff to: previous 1.49: preferred, colored
Changes since revision 1.49: +0 -1 lines
Actually, only protect the mount-point if security.jail.enforce_statfs is set to 2.
If we don't return statistics about requested file systems, system tools
may not work correctly or at all.

Approved by:	re (scottl)

Revision 1.49: download - view: text, markup, annotated - select for diffs
Thu Jun 9 18:49:19 2005 UTC (6 years, 8 months ago) by pjd
Branches: MAIN
Diff to: previous 1.48: preferred, colored
Changes since revision 1.48: +86 -11 lines
Rename sysctl security.jail.getfsstatroot_only to security.jail.enforce_statfs
and extend its functionality:

value	policy
0	show all mount-points without any restrictions
1	show only mount-points below jail's chroot and show only part of the
	mount-point's path (if jail's chroot directory is /jails/foo and
	mount-point is /jails/foo/usr/home only /usr/home will be shown)
2	show only mount-point where jail's chroot directory is placed.

Default value is 2.

Discussed with:	rwatson
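
The three enforce_statfs levels above, as an added userland model that is not FreeBSD's prison_enforce_statfs(): given the jail's root directory, the mount point the root lives on, and a candidate mount point, decide whether a jailed process sees the mount and which path it is shown. The example assumes normalized absolute paths with no trailing slash, a jail root other than "/", and that "the mount the jail lives on" is the longest mount point that is a prefix of the jail root; the mount list and jail path are constructed sample data.

```c
/*
 * Added model (not FreeBSD kernel code) of the security.jail.enforce_statfs
 * levels: 0 shows all mounts, 1 shows mounts under the jail root with the
 * root prefix stripped, 2 (the default) shows only the jail's own mount.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if 'path' is 'prefix' itself or lies beneath it (path components). */
static bool
path_under(const char *path, const char *prefix)
{
	size_t n = strlen(prefix);

	if (strcmp(prefix, "/") == 0)
		return (path[0] == '/');
	return (strncmp(path, prefix, n) == 0 &&
	    (path[n] == '\0' || path[n] == '/'));
}

/* The mount holding jailroot: the longest mount point that prefixes it. */
const char *
find_root_mount(const char *jailroot, const char *const *mounts, size_t n)
{
	const char *best = NULL;

	for (size_t i = 0; i < n; i++)
		if (path_under(jailroot, mounts[i]) &&
		    (best == NULL || strlen(mounts[i]) > strlen(best)))
			best = mounts[i];
	return (best);
}

/*
 * Apply one enforce_statfs level to mount point 'mp' for a jail rooted at
 * 'jailroot' whose root directory sits on mount 'rootmp'.  Returns true if
 * the mount is visible; 'out' receives the path the jail is shown.
 */
bool
enforce_statfs(int level, const char *jailroot, const char *rootmp,
    const char *mp, char *out, size_t outlen)
{
	switch (level) {
	case 0:	/* no restrictions */
		snprintf(out, outlen, "%s", mp);
		return (true);
	case 1:	/* the jail's own mount as "/", others below the root, stripped */
		if (strcmp(mp, rootmp) == 0) {
			snprintf(out, outlen, "/");
			return (true);
		}
		if (!path_under(mp, jailroot))
			return (false);
		snprintf(out, outlen, "%s", mp + strlen(jailroot));
		return (true);
	default: /* 2: only the mount the jail root is placed on */
		if (strcmp(mp, rootmp) != 0)
			return (false);
		snprintf(out, outlen, "/");
		return (true);
	}
}
```

With a jail at /jails/foo on the root file system and a mount at /jails/foo/usr/home, level 1 reports that mount as /usr/home and hides /usr, level 2 reports only "/", and level 0 reports everything unchanged.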

Revision 1.48: download - view: text, markup, annotated - select for diffs
Tue Apr 5 08:51:45 2005 UTC (6 years, 10 months ago) by jeff
Branches: MAIN
Diff to: previous 1.47: preferred, colored
Changes since revision 1.47: +1 -1 lines
 - Use taskqueue_thread rather than taskqueue_swi since our task is going
   to vrele, which may vop lock.  This is not safe in a software interrupt
   context.

Revision 1.47: download - view: text, markup, annotated - select for diffs
Thu Mar 31 22:47:57 2005 UTC (6 years, 10 months ago) by jhb
Branches: MAIN
Diff to: previous 1.46: preferred, colored
Changes since revision 1.46: +0 -2 lines
Drop a bogus mp_fixme().  Adding a lock would do nothing to reduce userland
races regarding changing of jail-related sysctls.

Revision 1.44.2.2:
Tue Feb 22 15:49:22 2005 UTC (6 years, 11 months ago) by cperciva
Branches: RELENG_5
CVS tags: RELENG_5_5_BP, RELENG_5_5_0_RELEASE, RELENG_5_5, RELENG_5_4_BP, RELENG_5_4_0_RELEASE, RELENG_5_4
Diff to: previous 1.44.2.1; branchpoint 1.44; next MAIN 1.45
Changes since revision 1.44.2.1: +5 -0 lines
MFC revision 1.46 of sys/kern/kern_jail.c, revision 1.24 of
sys/sys/jail.h, 1.264 of sys/ufs/ufs/ufs_vnops.c, and revision 1.61 of
usr.sbin/jail/jail.8:

  Add a new sysctl, "security.jail.chflags_allowed", which controls the
  behaviour of chflags within a jail. [...]

The default behaviour (security.jail.chflags_allowed = 0) is unchanged.

Revision 1.46:
Tue Feb 8 21:31:10 2005 UTC (7 years ago) by cperciva
Branches: MAIN
Diff to: previous 1.45
Changes since revision 1.45: +5 -0 lines
Add a new sysctl, "security.jail.chflags_allowed", which controls the
behaviour of chflags within a jail.  If set to 0 (the default), then a
jailed root user is treated as an unprivileged user; if set to 1, then
a jailed root user is treated the same as an unjailed root user.

This is necessary to allow "make installworld" to work inside a jail,
since it attempts to manipulate the system immutable flag on certain
files.

Discussed with:	csjp, rwatson
MFC after:	2 weeks

Revision 1.44.2.1:
Mon Jan 31 23:26:15 2005 UTC (7 years ago) by imp
Branches: RELENG_5
Diff to: previous 1.44
Changes since revision 1.44: +1 -1 lines
MFC: /*- and related license changes

Revision 1.45:
Thu Jan 6 23:35:39 2005 UTC (7 years, 1 month ago) by imp
Branches: MAIN
Diff to: previous 1.44
Changes since revision 1.44: +1 -1 lines
/* -> /*- for copyright notices, minor format tweaks as necessary

Revision 1.44:
Sun Jun 27 09:03:21 2004 UTC (7 years, 7 months ago) by pjd
Branches: MAIN
CVS tags: RELENG_5_BP, RELENG_5_3_BP, RELENG_5_3_0_RELEASE, RELENG_5_3
Branch point for: RELENG_5
Diff to: previous 1.43
Changes since revision 1.43: +3 -0 lines
Add two missing includes and remove two unneeded ones.
This is quite a serious fix, because even with the MAC framework compiled in,
MAC entry points in those two files were simply ignored.

Revision 1.43:
Thu May 20 05:28:44 2004 UTC (7 years, 8 months ago) by pjd
Branches: MAIN
Diff to: previous 1.42
Changes since revision 1.42: +1 -1 lines
Fix sysctl name: security.jail.getfsstate_getfsstatroot_only ->
security.jail.getfsstatroot_only.

Approved by:	rwatson

Revision 1.42:
Mon Apr 26 19:46:52 2004 UTC (7 years, 9 months ago) by bmilekic
Branches: MAIN
Diff to: previous 1.41
Changes since revision 1.41: +5 -0 lines
Give jail(8) the feature to allow raw sockets from within a
jail, which is less restrictive but allows for more flexible
jail usage (for those who are willing to make the sacrifice).
The default is off, but allowing raw sockets within jails can
now be accomplished by tuning security.jail.allow_raw_sockets
to 1.

Turning this on will allow you to use things like ping(8)
or traceroute(8) from within a jail.

The patch being committed is not identical to the patch
in the PR.  The committed version is more friendly to
APIs which pjd is working on, so it should integrate
into his work quite nicely.  This change has also been
presented and addressed on the freebsd-hackers mailing
list.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>
PR: kern/65800

Revision 1.41:
Mon Mar 15 12:10:34 2004 UTC (7 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.40
Changes since revision 1.40: +1 -6 lines
Remove sysctl security.jail.list_allowed.
This functionality was a misfeature; the sysctl was added and turned off by
default just to check that nobody complains.

Reviewed by:	rwatson

Revision 1.33.2.1:
Wed Feb 25 20:03:35 2004 UTC (7 years, 11 months ago) by nectar
Branches: RELENG_5_1
Diff to: previous 1.33; next MAIN 1.34
Changes since revision 1.33: +15 -12 lines
MFC kern_jail.c 1.40: Rework jail_attach(2) so that an already jailed
process cannot hop to another jail.

Revision 1.34.2.1:
Thu Feb 19 23:26:39 2004 UTC (7 years, 11 months ago) by nectar
Branches: RELENG_5_2
CVS tags: RELENG_5_2_1_RELEASE
Diff to: previous 1.34; next MAIN 1.35
Changes since revision 1.34: +12 -12 lines
MFC 1.40: Rework jail_attach(2) so that an already jailed process cannot hop to
another jail.

Approved by:	re

Revision 1.40:
Thu Feb 19 21:03:20 2004 UTC (7 years, 11 months ago) by nectar
Branches: MAIN
Diff to: previous 1.39
Changes since revision 1.39: +12 -12 lines
Rework jail_attach(2) so that an already jailed process cannot hop
to another jail.

Submitted by:	rwatson

Revision 1.39:
Thu Feb 19 14:29:14 2004 UTC (7 years, 11 months ago) by pjd
Branches: MAIN
Diff to: previous 1.38
Changes since revision 1.38: +13 -0 lines
Added sysctl security.jail.jailed.
It returns 1 if the process is inside a jail and 0 if it is not.
Whether we are in a jail or not is not a secret; there are plenty of
ways to discover it. Many people are using their own hacks to check this, and
this will be the legal way from now on.

It will be great if our startup scripts take advantage of this sysctl
to allow a clean "boot" inside a jail.

Approved by:	rwatson, scottl (mentor)

Revision 1.38:
Sat Feb 14 19:19:47 2004 UTC (7 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.37
Changes since revision 1.37: +7 -0 lines
By default, don't allow processes in a jail to list the set of
jails in the system.  Previous behavior (allowed) may be restored
by setting security.jail.list_allowed=1.

Revision 1.37:
Sat Feb 14 18:52:43 2004 UTC (7 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.36
Changes since revision 1.36: +1 -1 lines
Fix mismerge in last commit: check that cred->cr_prison is NULL
before dereferencing the prison pointer.

Revision 1.36:
Sat Feb 14 18:31:11 2004 UTC (7 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.35
Changes since revision 1.35: +20 -0 lines
By default, when a process in jail calls getfsstat(), only return the
data for the file system on which the jail's root vnode is located.
Previous behavior (show data for all mountpoints) can be restored
by setting security.jail.getfsstatroot_only to 0.  Note: this also
has the effect of hiding other mounts inside a jail, such as /dev,
/tmp, and /proc, but errs on the side of leaking less information.

Revision 1.35:
Fri Jan 23 20:44:26 2004 UTC (8 years ago) by rwatson
Branches: MAIN
Diff to: previous 1.34
Changes since revision 1.34: +22 -6 lines
Defer the vrele() on a jail's root vnode reference from prison_free()
to a new prison_complete() task run by a task queue.  This removes
a requirement for grabbing Giant in crfree().  Embed the 'struct task'
in 'struct prison' so that we don't have to allocate memory from
prison_free() (which means we also defer the FREE()).

With this change, I believe grabbing Giant from crfree() can now be
removed, but need to check the uidinfo code paths.

To avoid header pollution, move the definition of 'struct task'
to _task.h, and recursively include from taskqueue.h and jail.h; much
preferably to all files including jail.h picking up a requirement to
include taskqueue.h.

Bumped into by:	sam
Reviewed by:	bde, tjr

Revision 1.34:
Wed Jun 11 00:56:55 2003 UTC (8 years, 8 months ago) by obrien
Branches: MAIN
CVS tags: RELENG_5_2_BP, RELENG_5_2_0_RELEASE
Branch point for: RELENG_5_2
Diff to: previous 1.33
Changes since revision 1.33: +3 -3 lines
Use __FBSDID().

Revision 1.33:
Mon Apr 28 18:32:19 2003 UTC (8 years, 9 months ago) by mike
Branches: MAIN
CVS tags: RELENG_5_1_BP, RELENG_5_1_0_RELEASE
Branch point for: RELENG_5_1
Diff to: previous 1.32
Changes since revision 1.32: +20 -25 lines
style(9)

Revision 1.32:
Thu Apr 17 22:26:53 2003 UTC (8 years, 9 months ago) by jhb
Branches: MAIN
Diff to: previous 1.31
Changes since revision 1.31: +1 -3 lines
- The prison mutex cannot possibly protect pointers to the prison it
  protects, so don't bother locking it while we assign it to a ucred's
  cr_prison.
- Fully construct the new credential for a process before assigning it to
  p_ucred.

Revision 1.31:
Wed Apr 9 02:55:17 2003 UTC (8 years, 10 months ago) by mike
Branches: MAIN
Diff to: previous 1.30
Changes since revision 1.30: +218 -20 lines
o In struct prison, add an allprison linked list of prisons (protected
  by allprison_mtx), a unique prison/jail identifier field, two path
  fields (pr_path for reporting and pr_root vnode instance) to store
  the chroot() point of each jail.
o Add jail_attach(2) to allow a process to bind to an existing jail.
o Add change_root() to perform the chroot operation on a specified
  vnode.
o Generalize change_dir() to accept a vnode, and move namei() calls
  to callers of change_dir().
o Add a new sysctl (security.jail.list) which is a group of
  struct xprison instances that represent a snapshot of active jails.

Reviewed by:	rwatson, tjr

Revision 1.30:
Wed Feb 19 05:47:25 2003 UTC (8 years, 11 months ago) by imp
Branches: MAIN
Diff to: previous 1.29
Changes since revision 1.29: +1 -1 lines
Back out M_* changes, per decision of the TRB.

Approved by: trb

Revision 1.29:
Tue Jan 21 08:55:54 2003 UTC (9 years ago) by alfred
Branches: MAIN
Diff to: previous 1.28
Changes since revision 1.28: +1 -1 lines
Remove M_TRYWAIT/M_WAITOK/M_WAIT.  Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

Revision 1.28:
Fri Dec 20 14:32:20 2002 UTC (9 years, 1 month ago) by mux
Branches: MAIN
Diff to: previous 1.27
Changes since revision 1.27: +1 -0 lines
Don't forget to destroy the mutex if an error occurs
in the jail() system call.

Submitted by:	Pawel Jakub Dawidek <nick@garage.freebsd.pl>

Revision 1.26.2.1:
Thu Dec 19 09:40:10 2002 UTC (9 years, 1 month ago) by alfred
Branches: RELENG_5_0
CVS tags: RELENG_5_0_0_RELEASE
Diff to: previous 1.26; next MAIN 1.27
Changes since revision 1.26: +1 -1 lines
MFC: SCARGS and syscallargs removal.

Approved by: re@ (rwatson)

Revision 1.27:
Sat Dec 14 02:07:32 2002 UTC (9 years, 1 month ago) by alfred
Branches: MAIN
Diff to: previous 1.26
Changes since revision 1.26: +1 -1 lines
remove syscallarg().

Suggested by: peter

Revision 1.26:
Thu Oct 17 20:03:38 2002 UTC (9 years, 3 months ago) by robert
Branches: MAIN
CVS tags: RELENG_5_0_BP
Branch point for: RELENG_5_0
Diff to: previous 1.25
Changes since revision 1.25: +2 -3 lines
Use strlcpy() instead of strncpy() to copy NUL terminated strings
for safety and consistency.

Revision 1.25:
Mon Jul 1 20:46:01 2002 UTC (9 years, 7 months ago) by iedowse
Branches: MAIN
Diff to: previous 1.24
Changes since revision 1.24: +2 -0 lines
The jail syscall calls chroot, which is not mpsafe, so put back a
mtx_lock(&Giant) around that call.

Reviewed by:	arr

Revision 1.24:
Wed Jun 26 00:29:01 2002 UTC (9 years, 7 months ago) by arr
Branches: MAIN
Diff to: previous 1.23
Changes since revision 1.23: +0 -3 lines
- Alleviate jail() from having the burden of acquiring Giant by simply
  removing it.  We can do this since we no longer need Giant to safely
  execute jail().

Reviewed by:	rwatson, jhb

Revision 1.23:
Thu Apr 4 21:03:25 2002 UTC (9 years, 10 months ago) by jhb
Branches: MAIN
Diff to: previous 1.22
Changes since revision 1.22: +1 -1 lines
Change callers of mtx_init() to pass in an appropriate lock type name.  In
most cases NULL is passed, but in some cases such as network driver locks
(which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used.

Tested on:	i386, alpha, sparc64

Revision 1.22:
Mon Apr 1 21:30:48 2002 UTC (9 years, 10 months ago) by jhb
Branches: MAIN
Diff to: previous 1.21
Changes since revision 1.21: +1 -1 lines
Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@

Revision 1.21:
Wed Feb 27 16:43:19 2002 UTC (9 years, 11 months ago) by robert
Branches: MAIN
Diff to: previous 1.20
Changes since revision 1.20: +12 -3 lines
Make getcredhostname() take a buffer and the buffer's size
as arguments.  The correct hostname is copied into the buffer
while having the prison's lock acquired in a jailed process'
case.

Reviewed by:	jhb, rwatson

Revision 1.20:
Wed Feb 27 14:58:31 2002 UTC (9 years, 11 months ago) by robert
Branches: MAIN
Diff to: previous 1.19
Changes since revision 1.19: +11 -0 lines
Add a function which returns the correct hostname for a given
credential.

Reviewed by:	phk

Revision 1.19:
Wed Jan 16 06:55:30 2002 UTC (10 years ago) by arr
Branches: MAIN
Diff to: previous 1.18
Changes since revision 1.18: +5 -5 lines
- Attempt to help declutter kern. sysctl by moving security out from
  beneath it.

Reviewed by: rwatson

Revision 1.18:
Wed Dec 12 05:23:20 2001 UTC (10 years, 2 months ago) by arr
Branches: MAIN
Diff to: previous 1.17
Changes since revision 1.17: +5 -4 lines
- Move _jail sysctl node underneath _kern_security in order to standardize
  where our security related sysctl tuneables are located.  Also, this
  will help if/when we move _security node out from under _kern as to help
  make _kern less cluttered.

Approved by:	rwatson
Review by:	rwatson

Revision 1.17:
Mon Dec 3 16:12:27 2001 UTC (10 years, 2 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.16
Changes since revision 1.16: +17 -0 lines
o Introduce pr_mtx into struct prison, providing protection for the
  mutable contents of struct prison (hostname, securelevel, refcount,
  pr_linux, ...)
o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/
  so as to enforce these protections, in particular, in kern_mib.c
  protection sysctl access to the hostname and securelevel, as well as
  kern_prot.c access to the securelevel for access control purposes.
o Rewrite linux emulator abstractions for accessing per-jail linux
  mib entries (osname, osrelease, osversion) so that they don't return
  a pointer to the text in the struct linux_prison, rather, a copy
  to an array passed into the calls.  Likewise, update linprocfs to
  use these primitives.
o Update in_pcb.c to always use prison_getip() rather than directly
  accessing struct prison.

Reviewed by:	jhb

Revision 1.16:
Thu Nov 1 20:56:57 2001 UTC (10 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.15
Changes since revision 1.15: +2 -2 lines
o Move suser() calls in kern/ to using suser_xxx() with an explicit
  credential selection, rather than reference via a thread or process
  pointer.  This is part of a gradual migration to suser() accepting
  a struct ucred instead of a struct proc, simplifying the reference
  and locking semantics of suser().

Obtained from:	TrustedBSD Project

Revision 1.15:
Thu Oct 11 23:39:43 2001 UTC (10 years, 4 months ago) by jhb
Branches: MAIN
Diff to: previous 1.14
Changes since revision 1.14: +25 -19 lines
- Catch up to the new ucred API.
- Add proc locking to the jail() syscall.  This mostly involved shuffling
  a few things around so that blockable things like malloc and copyin
  were performed before acquiring the lock and checking the existing
  ucred and then updating the ucred as one "atomic" change under the proc
  lock.

Revision 1.14:
Wed Sep 26 20:37:15 2001 UTC (10 years, 4 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.13
Changes since revision 1.13: +2 -1 lines
o Initialize per-jail securelevel from global securelevel as part of
  jail creation.

Obtained from:	TrustedBSD Project

Revision 1.13:
Wed Sep 12 08:37:44 2001 UTC (10 years, 5 months ago) by julian
Branches: MAIN
CVS tags: KSE_MILESTONE_2
Diff to: previous 1.12
Changes since revision 1.12: +5 -4 lines
KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process (but only allow one thread per process at this time).
This is functionally equivalent to the previous -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doozy!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha

Revision 1.12:
Sat Sep 1 03:04:31 2001 UTC (10 years, 5 months ago) by dillon
Branches: MAIN
CVS tags: KSE_PRE_MILESTONE_2
Diff to: previous 1.11
Changes since revision 1.11: +15 -5 lines
Pushdown Giant for acct(), kqueue(), kevent(), execve(), fork(),
vfork(), rfork(), jail().

Revision 1.6.2.3:
Fri Aug 17 01:00:26 2001 UTC (10 years, 5 months ago) by rwatson
Branches: RELENG_4
CVS tags: RELENG_4_9_BP, RELENG_4_9_0_RELEASE, RELENG_4_9, RELENG_4_8_BP, RELENG_4_8_0_RELEASE, RELENG_4_8, RELENG_4_7_BP, RELENG_4_7_0_RELEASE, RELENG_4_7, RELENG_4_6_BP, RELENG_4_6_2_RELEASE, RELENG_4_6_1_RELEASE, RELENG_4_6_0_RELEASE, RELENG_4_6, RELENG_4_5_BP, RELENG_4_5_0_RELEASE, RELENG_4_5, RELENG_4_4_BP, RELENG_4_4_0_RELEASE, RELENG_4_4, RELENG_4_11_BP, RELENG_4_11_0_RELEASE, RELENG_4_11, RELENG_4_10_BP, RELENG_4_10_0_RELEASE, RELENG_4_10
Diff to: previous 1.6.2.2; branchpoint 1.6; next MAIN 1.7
Changes since revision 1.6.2.2: +9 -2 lines
MFC of jail fixes regarding INADDR_LOOPBACK.  -CURRENT commit message:

  Anton kindly pointed out (and fixed) a bug in the Jail handling of the
  bind() call on IPv4 sockets:

    Currently, if one tries to bind a socket using INADDR_LOOPBACK inside a
    jail, it will fail because prison_ip() does not take this possibility
    into account.  On the other hand, when one tries to connect(), for
    example, to localhost, prison_remote_ip() will silently convert
    INADDR_LOOPBACK to the jail's IP address.  Therefore, it is desirable to
    make bind() do this implicit conversion as well.

    Apart from this, the patch also replaces 0x7f000001 in
    prison_remote_ip() with the more correct INADDR_LOOPBACK.

Approved by:	re@FreeBSD.org (Murray)

Revision 1.11:
Fri Aug 3 18:21:06 2001 UTC (10 years, 6 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.10
Changes since revision 1.10: +9 -2 lines
Anton kindly pointed out (and fixed) a bug in the Jail handling of the
bind() call on IPv4 sockets:

  Currently, if one tries to bind a socket using INADDR_LOOPBACK inside a
  jail, it will fail because prison_ip() does not take this possibility
  into account.  On the other hand, when one tries to connect(), for
  example, to localhost, prison_remote_ip() will silently convert
  INADDR_LOOPBACK to the jail's IP address.  Therefore, it is desirable to
  make bind() do this implicit conversion as well.

  Apart from this, the patch also replaces 0x7f000001 in
  prison_remote_ip() with the more correct INADDR_LOOPBACK.

This is a 4.4-RELEASE "during the freeze, thanks" MFC candidate.

Submitted by:	Anton Berezin <tobez@FreeBSD.org>
Discussed with at some point:	phk
MFC after:	3 days

Revision 1.10:
Wed Feb 21 06:39:54 2001 UTC (10 years, 11 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.9
Changes since revision 1.9: +68 -19 lines
o Move per-process jail pointer (p->pr_prison) to inside of the subject
  credential structure, ucred (cr->cr_prison).
o Allow jail inheritance to be a function of credential inheritance.
o Abstract prison structure reference counting behind pr_hold() and
  pr_free(), invoked by the similarly named credential reference
  management functions, removing this code from per-ABI fork/exit code.
o Modify various jail() functions to use struct ucred arguments instead
  of struct proc arguments.
o Introduce jailed() function to determine if a credential is jailed,
  rather than directly checking pointers all over the place.
o Convert PRISON_CHECK() macro to prison_check() function.
o Move jail() function prototypes to jail.h.
o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the
  flag in the process flags field itself.
o Eliminate that "const" qualifier from suser/p_can/etc to reflect
  mutex use.

Notes:

o Some further cleanup of the linux/jail code is still required.
o It's now possible to consider resolving some of the process vs
  credential based permission checking confusion in the socket code.
o Mutex protection of struct prison is still not present, and is
  required to protect the reference count plus some fields in the
  structure.

Reviewed by:	freebsd-arch
Obtained from:	TrustedBSD Project

Revision 1.9:
Fri Dec 8 21:50:32 2000 UTC (11 years, 2 months ago) by dwmalone
Branches: MAIN
Diff to: previous 1.8
Changes since revision 1.8: +2 -3 lines
Convert more malloc+bzero to malloc+M_ZERO.

Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>

Revision 1.6.2.2:
Wed Nov 1 17:58:06 2000 UTC (11 years, 3 months ago) by rwatson
Branches: RELENG_4
CVS tags: RELENG_4_3_BP, RELENG_4_3_0_RELEASE, RELENG_4_3, RELENG_4_2_0_RELEASE
Diff to: previous 1.6.2.1; branchpoint 1.6
Changes since revision 1.6.2.1: +6 -1 lines
o MFC of System V IPC disabling in jail():
  1.8       +6 -1      src/sys/kern/kern_jail.c
  1.26      +17 -1     src/sys/kern/sysv_msg.c
  1.29      +14 -1     src/sys/kern/sysv_sem.c
  1.49      +20 -1     src/sys/kern/sysv_shm.c
  1.10      +2 -1      src/sys/sys/jail.h

  Log:
  o Deny access to System V IPC from within jail by default, as in the
    current implementation, jail neither virtualizes the Sys V IPC namespace,
    nor provides inter-jail protections on IPC objects.
  o Support for System V IPC can be enabled by setting jail.sysvipc_allowed=1
    using sysctl.
  o This is not the "real fix" which involves virtualizing the System V
    IPC namespace, but prevents processes within jail from influencing those
    outside of jail when not approved by the administrator.

  Reported by:  Paulo Fragoso <paulo@nlink.com.br>

Revision 1.8:
Tue Oct 31 01:33:59 2000 UTC (11 years, 3 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.7
Changes since revision 1.7: +6 -1 lines
o Deny access to System V IPC from within jail by default, as in the
  current implementation, jail neither virtualizes the Sys V IPC namespace,
  nor provides inter-jail protections on IPC objects.
o Support for System V IPC can be enabled by setting jail.sysvipc_allowed=1
  using sysctl.
o This is not the "real fix" which involves virtualizing the System V
  IPC namespace, but prevents processes within jail from influencing those
  outside of jail when not approved by the administrator.

Reported by:	Paulo Fragoso <paulo@nlink.com.br>

Revision 1.6.2.1:
Sun Oct 29 19:25:38 2000 UTC (11 years, 3 months ago) by rwatson
Branches: RELENG_4
Diff to: previous 1.6
Changes since revision 1.6: +9 -2 lines
MFC of jail fixups:

  1.7       +9 -2      src/sys/kern/kern_jail.c
  1.73      +10 -1     src/sys/kern/uipc_socket.c
  1.9       +2 -1      src/sys/sys/jail.h

For reference:

  o Modify jail to limit creation of sockets to UNIX domain sockets,
    TCP/IP (v4) sockets, and routing sockets.  Previously, interaction
    with IPv6 was not well-defined, and might be inappropriate for some
    environments.  Similarly, sysctl MIB entries providing interface
    information also give out only addresses from those protocol domains.

    For the time being, this functionality is enabled by default, and
    toggleable using the sysctl variable jail.socket_unixiproute_only.
    In the future, protocol domains will be able to determine whether or
    not they are ``jail aware''.

Revision 1.7:
Sun Jun 4 04:28:31 2000 UTC (11 years, 8 months ago) by rwatson
Branches: MAIN
CVS tags: PRE_SMPNG
Diff to: previous 1.6
Changes since revision 1.6: +9 -2 lines
o Modify jail to limit creation of sockets to UNIX domain sockets,
  TCP/IP (v4) sockets, and routing sockets.  Previously, interaction
  with IPv6 was not well-defined, and might be inappropriate for some
  environments.  Similarly, sysctl MIB entries providing interface
  information also give out only addresses from those protocol domains.

  For the time being, this functionality is enabled by default, and
  toggleable using the sysctl variable jail.socket_unixiproute_only.
  In the future, protocol domains will be able to determine whether or
  not they are ``jail aware''.

o Further limitations on process use of getpriority() and setpriority()
  by jailed processes.  Addresses problem described in kern/17878.

Reviewed by:	phk, jmg

Revision 1.6:
Sat Feb 12 13:41:55 2000 UTC (12 years ago) by rwatson
Branches: MAIN
CVS tags: RELENG_4_BP, RELENG_4_1_1_RELEASE, RELENG_4_1_0_RELEASE, RELENG_4_0_0_RELEASE
Branch point for: RELENG_4
Diff to: previous 1.5
Changes since revision 1.5: +10 -1 lines
Yet-another-update: rename ``kern.prison'' to a new sysctl root entry,
``jail'', and move the set_hostname_allowed sysctl there, as well as
fixing a bug in the sysctl that resulted in jails being over-limited
(preventing them from reading as well as writing the hostname).  Also,
correct some formatting issues, courtesy bde :-).

Reviewed by:	phk
Approved by:	jkh

Revision 1.5:
Sun Sep 19 08:35:59 1999 UTC (12 years, 4 months ago) by phk
Branches: MAIN
Diff to: previous 1.4
Changes since revision 1.4: +3 -1 lines
Add a version number field to the jail(2) argument so that future changes
can be handled intelligently.

Revision 1.4:
Sat Aug 28 00:46:12 1999 UTC (12 years, 5 months ago) by peter
Branches: MAIN
Diff to: previous 1.3
Changes since revision 1.3: +1 -1 lines
$Id$ -> $FreeBSD$

Revision 1.3:
Fri Apr 30 06:51:51 1999 UTC (12 years, 9 months ago) by phk
Branches: MAIN
CVS tags: PRE_VFS_BIO_NFS_PATCH, POST_VFS_BIO_NFS_PATCH
Diff to: previous 1.2
Changes since revision 1.2: +11 -0 lines
Add beer-ware license and $Id$

Noticed by:	dillon

Revision 1.2:
Fri Apr 30 06:30:15 1999 UTC (12 years, 9 months ago) by phk
Branches: MAIN
Diff to: previous 1.1
Changes since revision 1.1: +1 -1 lines
Make BOOTP work again.

Submitted by:	dillon
Reviewed by:	phk

Revision 1.1:
Wed Apr 28 11:36:54 1999 UTC (12 years, 9 months ago) by phk
Branches: MAIN
This implements the mumbled-about "Jail" feature.

This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   Mount a /proc in each jail; it will make ps more usable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no provisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
