#
61cc4830 |
|
18-Jan-2024 |
Alfredo Mazzinghi <am2419@cl.cam.ac.uk> |
Abstract UIO allocation and deallocation. Introduce the allocuio() and freeuio() functions to allocate and deallocate struct uio. This hides the actual allocator interface, so it is easier to modify the sub-allocation layout of struct uio and the corresponding iovec array. Obtained from: CheriBSD Reviewed by: kib, markj MFC after: 2 weeks Sponsored by: CHaOS, EPSRC grant EP/V000292/1 Differential Revision: https://reviews.freebsd.org/D43711
|
#
ab0841bd |
|
26-Jan-2024 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: expose children.max and children.cur via sysctl Submitted by: Igor Ostapenko <igor.ostapenko_pm.me> Differential Revision: <https://reviews.freebsd.org/D43565>
|
#
9fd97868 |
|
04-Jan-2024 |
Baptiste Daroussin <bapt@FreeBSD.org> |
jail: add security.jail.mlock_allowed when the parameter allow.mlock was added a way for jails to check if the parameter was set or now has not been added, this change covers it. MFC After: 3 days Reviewed by: jamie@ Differential Revision: https://reviews.freebsd.org/D43314
|
#
abbc260f |
|
25-Dec-2023 |
Mark Johnston <markj@FreeBSD.org> |
jail: Ignore errors from copyout() while copying the error string Reviewed by: zlei, jamie MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D43142
|
#
ed31b3f4 |
|
29-Nov-2023 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Don't allow jail_set(2) to resurrect dying jails. Currently, a prison in "dying" state (removed but still holding resources) can be brought back to alive state via "jail -d", or the JAIL_DYING flag to jail_set(2). This seemed like a good idea at the time. Its main use was to improve support for specifying the jid when creating a jail, which also seemed like a good idea at the time. But resurrecting a jail that was partway through thr process of shutting down is trouble waiting to happen. This patch deprecates that flag, leaving it as a no-op for creating jails (but still useful for looking at dying jails). It sill allows creating a new jail with the same jid as a dying one, but will renumber the old one in that case. That's imperfect, but allows for current behavior. Reviewed by: bz Differential Revision: https://reviews.freebsd.org/D28150
|
#
7974ca1c |
|
17-Aug-2023 |
Olivier Certner <olce.freebsd@certner.fr> |
cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by: emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626
|
#
cb48780d |
|
01-Sep-2023 |
Shawn Webb <shawn.webb@hardenedbsd.org> |
jail: Add the ability to access system-level filesystem extended attributes Prior to this commit privileged accounts in a jail could not access to the filesystem extended attributes in the system namespace. To control access to the system namespace in a per-jail basis add a new configuration parameter allow.extattr which is off by default. Reported by: zirias Tested by: zirias Obtained from: HardenedBSD Reviewed by: kevans, jamie Differential revision: https://reviews.freebsd.org/D41643 MFC after: 1 week Relnotes: yes
|
#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
4d846d26 |
|
10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause. Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
#
04f75b98 |
|
26-Mar-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
netlink: allow netlink sockets in non-vnet jails. This change allow to open Netlink sockets in the non-vnet jails, even for unpriviledged processes. The security model largely follows the existing one. To be more specific: * by default, every `NETLINK_ROUTE` command is **NOT** allowed in non-VNET jail UNLESS `RTNL_F_ALLOW_NONVNET_JAIL` flag is specified in the command handler. * All notifications are **disabled** for non-vnet jails (requests to subscribe for the notifications are ignored). This will change to be more fine-grained model once the first netlink provider requiring this gets committed. * Listing interfaces (RTM_GETLINK) is **allowed** w/o limits (**including** interfaces w/o any addresses attached to the jail). The value of this is questionable, but it follows the existing approach. * Listing ARP/NDP neighbours is **forbidden**. This is a **change** from the current approach - currently we list static ARP/ND entries belonging to the addresses attached to the jail. * Listing interface addresses is **allowed**, but the addresses are filtered to match only ones attached to the jail. * Listing routes is **allowed**, but the routes are filtered to provide only host routes matching the addresses attached to the jail. * By default, every `NETLINK_GENERIC` command is **allowed** in non-VNET jail (as sub-families may be unrelated to network at all). It is the goal of the family author to implement the restriction if necessary. Differential Revision: https://reviews.freebsd.org/D39206 MFC after: 1 month
|
#
0b0ae2e4 |
|
14-Mar-2023 |
Mina Galić <freebsd@igalic.co> |
jail: convert several functions from int to bool these functions exclusively return (0) and (1), so convert them to bool We also convert some networking related jail functions from int to bool some of which were returning an error that was never used. Differential Revision: https://reviews.freebsd.org/D29659 Reviewed by: imp, jamie (earlier version) Pull Request: https://github.com/freebsd/freebsd-src/pull/663
|
#
cbbb2203 |
|
02-Mar-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
kern_jail.c: Remove #ifdefs for VNET_NFSD The consensus was that VNET_NFSD was not needed. This patch removes it from kern_jail.c. With this patch, support for the "allow.nfsd" jail parameter is enabled in the kernel for kernels built with "options VIMAGE". Reviewed by: markj MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D38808
|
#
2c33b456 |
|
28-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Improve readability No functional change intended. Reviewed by: melifaro Differential Revision: https://reviews.freebsd.org/D37890
|
#
500f82d6 |
|
28-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Use flexible array member within struct prison_ip Current implementation utilize off-by-one struct prison_ip to access the IPv[46] addresses. It is error prone and hence comes the regression fix 21ad3e27fabc and ddbf879d79d4. Use flexible array member so that compiler will catch such errors and it will also be easier to review. No functional change intended. Reviewed by: melifaro, glebius Differential Revision: https://reviews.freebsd.org/D37874
|
#
88175af8 |
|
21-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
vfs_export: Add mnt_exjail to control exports done in prisons If there are multiple instances of mountd(8) (in different prisons), there will be confusion if they manipulate the exports of the same file system. This patch adds mnt_exjail to "struct mount" so that the credentials (and, therefore, the prison) that did the exports for that file system can be recorded. If another prison has already exported the file system, vfs_export() will fail with an error. If mnt_exjail == NULL, the file system has not been exported. mnt_exjail is checked by the NFS server, so that exports done from within a different prison will not be used. The patch also implements vfs_exjail_destroy(), which is called from prison_cleanup() to release all the mnt_exjail credential references, so that the prison can be removed. Mainly to avoid doing a scan of the mountlist for the case where there were no exports done from within the prison, a count of how many file systems have been exported from within the prison is kept in pr_exportcnt. Reviewed by: markj Discussed with: jamie Differential Revision: https://reviews.freebsd.org/D38371 MFC after: 3 months
|
#
b2d76b52 |
|
21-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix redoing ip restricting `prison_ip_restrict()` is called in loop FOREACH_PRISON_DESCENDANT_LOCKED. While under low memory, it is still possible that in subsequent rounds `prison_ip_restrict()` succeed and `redo_ip[46]` flip over from true to false, thus leave some prisons's IPv[46] addresses unrestricted. Reviewed by: jamie Fixes: 8bce8d28abe6 jail: Avoid multipurpose return value of function prison_ip_restrict() Differential Revision: https://reviews.freebsd.org/D38697
|
#
27202b98 |
|
07-Feb-2023 |
Mark Johnston <markj@FreeBSD.org> |
jail: Use atomic(9) instead of CK atomics There's no reason to use one over the other here, let's prefer the interface that's used elsewhere in the kernel. No functional change intended. Reviewed by: mjg Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D38360
|
#
d94e0bdc |
|
04-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
Revert "vfs_export: Add checks for correct prison when updating exports" This reverts commit 7926a01ed7ae7cefd81ef4cc2142c35b84d81913. A new patch in D38371 is being considered for doing this.
|
#
7926a01e |
|
02-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
vfs_export: Add checks for correct prison when updating exports mountd(8) basically does the following: getmntinfo() for each mount delete_exports using nmount(2) to do the creation/deletion of individual exports. For prison0 (and for other prisons if enforce_statfs == 0) getmntinfo() returns all mount points, including ones being used within other prisons. This can cause confusion if the same file system is specified in the exports(5) file for multiple prisons. This patch adds a perminent identifier to each prison and marks which prison did the exports in a field of the mount structure called mnt_exjail. This field can then be compared to the perminent identifier for the prison that the thread's credentials is in. Also required was a new function called prison_isalive_permid() which returns if the prison is alive, so that the check can be ignored for prisons that have been removed. This prepares the system to allow mountd(8) to run in multiple prisons, including prison0. Future commits will complete the modifications to allow mountd(8) to run in vnet prisons. Until then, these changes should not affect semantics. Reviewed by: markj MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D38144
|
#
99187c3a |
|
01-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
prison_check_nfsd: Add check for enforce_statfs != 0 Since mountd(8) will not be able to do exports when running in a vnet prison if enforce_statfs is set to 0, add a check for this to prison_check_nfsd(). Reviewed by: jamie, markj MFC after: 2 months Differential Revision: https://reviews.freebsd.org/D38189
|
#
8bce8d28 |
|
30-Dec-2022 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Avoid multipurpose return value of function prison_ip_restrict() Currently function prison_ip_restrict() returns true if the replacement buffer was used, or no buffer provided and allocation fails and should redo. The logic is confusing and cause possibly infinite loop from eb8dcdeac22d . Reviewed by: jamie, glebius Approved by: kp (mentor) Differential Revision: https://reviews.freebsd.org/D37918
|
#
89ddfbba |
|
13-Jan-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix regression panic from eb8dcdeac22d And possibly infinite loop calling prison_ip_restrict() in kern_jail_set() [2]. [1] It is possible that prisons do not have any IPv4 or IPv6 addresses. [2] If prison_ip_restrict() is not provided with prison_ip, when it allocates prison_ip successfully, then it should return false to indicate not redo prison_ip_restrict() later. Reviewed by: glebius Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37906
|
#
ddbf879d |
|
13-Jan-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Correctly access IPv[46] addresses of prison_ip * Fix wrong IPv[46] addresses inherited from parent jail * Properly restrict the child jail's IPv[46] addresses Reviewed by: melifaro, glebius Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37871 Differential Revision: https://reviews.freebsd.org/D37872
|
#
21ad3e27 |
|
20-Dec-2022 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix output of IPv[46] addresses of DDB `show prison` Reviewed by: melifaro, jamie Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37732
|
#
bba7a2e8 |
|
17-Dec-2022 |
Rick Macklem <rmacklem@FreeBSD.org> |
kern_jail.c: Allow mountd/nfsd to optionally run in a jail This patch adds "allow.nfsd" to the jail code based on a new kernel build option VNET_NFSD. This will not work until future patches fix nmount(2) to allow mountd to run in a vnet prison and the NFS server code is patched so that global variables are in a vnet. The jail(8) man page will be patched in a future commit. Reviewed by: jamie MFC after: 4 months Differential Revision: https://reviews.freebsd.org/D37637
|
#
744bfb21 |
|
28-Oct-2022 |
John Baldwin <jhb@FreeBSD.org> |
Import the WireGuard driver from zx2c4.com. This commit brings back the driver from FreeBSD commit f187d6dfbf633665ba6740fe22742aec60ce02a2 plus subsequent fixes from upstream. Relative to upstream this commit includes a few other small fixes such as additional INET and INET6 #ifdef's, #include cleanups, and updates for recent API changes in main. Reviewed by: pauamma, gbe, kevans, emaste Obtained from: git@git.zx2c4.com:wireguard-freebsd @ 3cc22b2 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D36909
|
#
43f8c763 |
|
15-Oct-2022 |
Zhenlei Huang <zlei.huang@gmail.com> |
if_me: Use dedicated network privilege Separate if_me privileges from if_gif. Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D36691
|
#
4771011b |
|
15-Sep-2022 |
Gordon Bergling <gbe@FreeBSD.org> |
kern_jail: Fix a typo in a source code comment - s/paramter/parameter/ MFC after: 3 days
|
#
5ecb5444 |
|
10-Mar-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
jail: add process linkage It allows iteration over processes belonging to given jail instead of having to walk the entire allproc list. Note the iteration can miss processes which remains bug-compatible with previous code. Reviewed by: jamie (previous version), markj (previous version) Differential Revision: https://reviews.freebsd.org/D34522
|
#
49a033d8 |
|
04-Sep-2022 |
Gordon Bergling <gbe@FreeBSD.org> |
kern: Correct some typos in source code comments - s/occured/occurred/ - s/the the/the/ MFC after: 3 days
|
#
7060da62 |
|
29-Jun-2022 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Remove a prison's shared memory when it dies Add shm_remove_prison(), that removes all POSIX shared memory segments belonging to a prison. Call it from prison_cleanup() so a prison won't be stuck in a dying state due to the resources still held. PR: 257555 Reported by: grembo
|
#
a9f7455c |
|
29-Jun-2022 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: add prison_cleanup() to release resources held by a dying jail Currently, when a jail starts dying, either by losing its last user reference or by being explicitly killed, osd_jail_call(...PR_METHOD_REMOVE...) is called. Encapsulate this into a function prison_cleanup() that can then do other cleanup.
|
#
ab91feab |
|
22-Feb-2022 |
Kristof Provost <kp@FreeBSD.org> |
ovpn: Introduce OpenVPN DCO support OpenVPN Data Channel Offload (DCO) moves OpenVPN data plane processing (i.e. tunneling and cryptography) into the kernel, rather than using tap devices. This avoids significant copying and context switching overhead between kernel and user space and improves OpenVPN throughput. In my test setup throughput improved from around 660Mbit/s to around 2Gbit/s. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D34340
|
#
f171938c |
|
09-Apr-2022 |
Gordon Bergling <gbe@FreeBSD.org> |
jail: Remove a double word in a source code comment - s/a a/a/ MFC after: 3 days
|
#
bb92cd7b |
|
24-Mar-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: NDFREE(&nd, NDF_ONLY_PNBUF) -> NDFREE_PNBUF(&nd)
|
#
eb8dcdea |
|
26-Dec-2021 |
Gleb Smirnoff <glebius@FreeBSD.org> |
jail: network epoch protection for IP address lists Now struct prison has two pointers (IPv4 and IPv6) of struct prison_ip type. Each points into epoch context, address count and variable size array of addresses. These structures are freed with network epoch deferred free and are not edited in place, instead a new structure is allocated and set. While here, the change also generalizes a lot (but not enough) of IPv4 and IPv6 processing. E.g. address family agnostic helpers for kern_jail_set() are provided, that reduce v4-v6 copy-paste. The fast-path prison_check_ip[46]_locked() is also generalized into prison_ip_check() that can be executed with network epoch protection only. Reviewed by: jamie Differential revision: https://reviews.freebsd.org/D33339
|
#
d2ef3774 |
|
22-Dec-2021 |
Jessica Clarke <jrtc27@FreeBSD.org> |
Fix buffer overread in preloaded hostuuid parsing Commit b6be9566d236 stopped prison0_init writing outside of the preloaded hostuuid's bounds. However, the preloaded data will not (normally) have a NUL in it, and so validate_uuid will walk off the end of the buffer in its call to sscanf. Previously if there was any whitespace in the string we'd at least know there's a NUL one past the end due to the off-by-one error, but now no such byte is guaranteed. Fix this by copying to a temporary buffer and explicitly adding a NUL. Whilst here, change the strlcpy call to use a far less suspicious argument for dstsize; in practice it's fine, but it's an unusual pattern and not necessary. Found by: CHERI Reviewed by: emaste, kevans, jhb MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D33616
|
#
7e1d3eef |
|
25-Nov-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: remove the unused thread argument from NDINIT* See b4a58fbf640409a1 ("vfs: remove cn_thread") Bump __FreeBSD_version to 1400043.
|
#
70de1003 |
|
26-Oct-2021 |
Gordon Bergling <gbe@FreeBSD.org> |
jail(8): Fix a few common typos in source code comments - s/phyiscal/physical/ MFC after: 3 days
|
#
8771ff75 |
|
26-Sep-2021 |
Gordon Bergling <gbe@FreeBSD.org> |
jail(9): Fix a typo in a comment - s/erorr/error/ MFC after: 3 days
|
#
2d741f33 |
|
15-Apr-2021 |
Kyle Evans <kevans@FreeBSD.org> |
kern: ether_gen_addr: randomize on default hostuuid, too Currently, this will still hash the default (all zero) hostuuid and potentially arrive at a MAC address that has a high chance of collision if another interface of the same name appears in the same broadcast domain on another host without a hostuuid, e.g., some virtual machine setups. Instead of using the default hostuuid, just treat it as a failure and generate a random LA unicast MAC address. Reviewed by: bz, gbe, imp, kbowling, kp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D29788
|
#
b6be9566 |
|
14-May-2021 |
Colin Percival <cperciva@FreeBSD.org> |
Fix buffer overflow in preloaded hostuuid cleaning When a module of type "hostuuid" is provided by the loader, prison0_init strips any trailing whitespace and ASCII control characters by (a) adjusting the buffer length, and (b) zeroing out the characters in question, before storing it as the system's hostuuid. The buffer length adjustment was correct, but the zeroing overwrote one byte higher in memory than intended -- in the typical case, zeroing one byte past the end of the hostuuid buffer. Due to the layout of buffers passed by the boot loader to the kernel, this will be the first byte of a subsequent buffer. This was *probably* harmless; prison0_init runs after preloaded kernel modules have been linked and after the preloaded /boot/entropy cache has been processed, so in both cases having the first byte overwritten will not cause problems. We cannot however rule out the possibility that other objects which are preloaded by the loader could suffer from having the first byte overwritten. Since the zeroing does not in fact serve any purpose, remove it and trim trailing whitespace and ASCII control characters by adjusting the buffer length alone. Fixes: c3188289 Preload hostuuid for early-boot use Reviewed by: kevans, markj MFC after: 3 days
|
#
330f110b |
|
14-May-2021 |
Colin Percival <cperciva@FreeBSD.org> |
Fix 'hostuuid: preload data malformed' warning If the preloaded hostuuid value is invalid and verbose booting is enabled, a warning is printed. This printf had two bugs: 1. It was missing a trailing \n character. 2. The malformed UUID is printed with %s even though it is not known to be NUL-terminated. This commit adds the missing \n and uses %.*s with the (already known) length of the preloaded UUID to ensure that we don't read past the end of the buffer. Reported by: kevans Fixes: c3188289 Preload hostuuid for early-boot use MFC after: 3 days
|
#
f187d6df |
|
15-Mar-2021 |
Kyle Evans <kevans@FreeBSD.org> |
base: remove if_wg(4) and associated utilities, manpage After length decisions, we've decided that the if_wg(4) driver and related work is not yet ready to live in the tree. This driver has larger security implications than many, and thus will be held to more scrutiny than other drivers. Please also see the related message sent to the freebsd-hackers@ and freebsd-arch@ lists by Kyle Evans <kevans@FreeBSD.org> on 2021/03/16, with the subject line "Removing WireGuard Support From Base" for additional context.
|
#
74ae3f3e |
|
14-Mar-2021 |
Kyle Evans <kevans@FreeBSD.org> |
if_wg: import latest fixup work from the wireguard-freebsd project This is the culmination of about a week of work from three developers to fix a number of functional and security issues. This patch consists of work done by the following folks: - Jason A. Donenfeld <Jason@zx2c4.com> - Matt Dunwoodie <ncon@noconroy.net> - Kyle Evans <kevans@FreeBSD.org> Notable changes include: - Packets are now correctly staged for processing once the handshake has completed, resulting in less packet loss in the interim. - Various race conditions have been resolved, particularly w.r.t. socket and packet lifetime (panics) - Various tests have been added to assure correct functionality and tooling conformance - Many security issues have been addressed - if_wg now maintains jail-friendly semantics: sockets are created in the interface's home vnet so that it can act as the sole network connection for a jail - if_wg no longer fails to remove peer allowed-ips of 0.0.0.0/0 - if_wg now exports via ioctl a format that is future proof and complete. It is additionally supported by the upstream wireguard-tools (which we plan to merge in to base soon) - if_wg now conforms to the WireGuard protocol and is more closely aligned with security auditing guidelines Note that the driver has been rebased away from using iflib. iflib poses a number of challenges for a cloned device trying to operate in a vnet that are non-trivial to solve and adds complexity to the implementation for little gain. The crypto implementation that was previously added to the tree was a super complex integration of what previously appeared in an old out of tree Linux module, which has been reduced to crypto.c containing simple boring reference implementations. This is part of a near-to-mid term goal to work with FreeBSD kernel crypto folks and take advantage of or improve accelerated crypto already offered elsewhere. There's additional test suite effort underway out-of-tree taking advantage of the aforementioned jail-friendly semantics to test a number of real-world topologies, based on netns.sh. Also note that this is still a work in progress; work going further will be much smaller in nature. MFC after: 1 month (maybe)
|
#
589e4c1d |
|
25-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Add safety around prison_deref() flags. do_jail_attach() now only uses the PD_XXX flags that refer to lock status, so make sure that something else like PD_KILL doesn't slip through. Add a KASSERT() in prison_deref() to catch any further PD_KILL misuse.
|
#
108a9384 |
|
25-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Fix locking on an early jail_set error. I had locked allprison_lock without immediately setting PD_LIST_LOCKED.
|
#
c861373b |
|
24-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: re-commit 811e27fa3c44 with fixes Make sure PD_KILL isn't passed to do_jail_attach, where it might end up trying to kill the caller's prison (even prison0). Fix the child jail loop in prison_deref_kill, which was doing the post-order part during the pre-order part. That's not a system- killer, but make jails not always die correctly.
|
#
ddfffb41 |
|
24-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: back out 811e27fa3c44 until it doesn't break Jenkins Reported by: arichardson
|
#
0a2a96f3 |
|
22-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Don't allow jails under dying parents If a jail is created with jail_set(...JAIL_DYING), and it has a parent currently in a dying state, that will bring the parent jail back to life. Restrict that to require that the parent itself be explicitly brought back first, and not implicitly created along with the new child jail. Differential Revision: https://reviews.freebsd.org/D28515
|
#
701d6b50 |
|
22-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Fix a LOR introduced in 1158508a8086
|
#
811e27fa |
|
22-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Add PD_KILL to remove a prison in prison_deref(). Add the PD_KILL flag that instructs prison_deref() to take steps to actively kill a prison and its descendents, namely marking it PRISON_STATE_DYING, clearing its PR_PERSIST flag, and killing any attached processes. This replaces a similar loop in sys_jail_remove(), bringing the operation under the same single hold on allprison_lock that it already has. It is also used to clean up failed jail (re-)creations in kern_jail_set(), which didn't generally take all the proper steps. Differential Revision: https://reviews.freebsd.org/D28473
|
#
1158508a |
|
21-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Add pr_state to struct prison Rather that using references (pr_ref and pr_uref) to deduce the state of a prison, keep track of its state explicitly. A prison is either "invalid" (pr_ref == 0), "alive" (pr_uref > 0) or "dying" (pr_uref == 0). State transitions are generally tied to the reference counts, but with some flexibility: a new prison is "invalid" even though it now starts with a reference, and jail_remove(2) sets the state to "dying" before the user reference count drops to zero (which was prviously accomplished via the PR_REMOVE flag). pr_state is protected by both the prison mutex and allprison_lock, so it has the same availablity guarantees as the reference counts do. Differential Revision: https://reviews.freebsd.org/D27876
|
#
ee9b37ae |
|
21-Feb-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
jail: fix build after the previous commit Noted by: Michael Butler <imb protected-networks.net>
|
#
f7496dca |
|
21-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Change the locking around pr_ref and pr_uref Require both the prison mutex and allprison_lock when pr_ref or pr_uref go to/from zero. Adding a non-first or removing a non-last reference remain lock-free. This means that a shared hold on allprison_lock is sufficient for prison_isalive() to be useful, which removes a number of cases of lock/check/unlock on the prison mutex. Expand the locking in kern_jail_set() to keep allprison_lock held exclusive until the new prison is valid, thus making invalid prisons invisible to any thread holding allprison_lock (except of course the one creating or destroying the prison). This renders prison_isvalid() nearly redundant, now used only in asserts. Differential Revision: https://reviews.freebsd.org/D28419 Differential Revision: https://reviews.freebsd.org/D28458
|
#
6e1d1bfc |
|
20-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Improve locking when removing prisons Change the flow of prison_deref() so it doesn't let go of allprison_lock until it's completely done using it (except for a possible drop as part of an upgrade on its first try). Differential Revision: https://reviews.freebsd.org/D28458 MFC after: 3 days
|
#
d4380c0c |
|
19-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Change both root and working directories in jail_attach(2) jail_attach(2) performs an internal chroot operation, leaving it up to the calling process to assure the working directory is inside the jail. Add a matching internal chdir operation to the jail's root. Also ignore kern.chroot_allow_open_directories, and always disallow the operation if there are any directory descriptors open. Reported by: mjg Approved by: markj, kib MFC after: 3 days
|
#
cc7b7306 |
|
16-Feb-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Handle a possible race between jail_remove(2) and fork(2) jail_remove(2) includes a loop that sends SIGKILL to all processes in a jail, but skips processes in PRS_NEW state. Thus it is possible the a process in mid-fork(2) during jail removal can survive the jail being removed. Add a prison flag PR_REMOVE, which is checked before the new process returns. If the jail is being removed, the process will then exit. Also check this flag in jail_attach(2) which has a similar issue. Reported by: trasz Approved by: kib MFC after: 3 days
|
#
c050ea80 |
|
28-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Handle a parent jail when a child is added to it It's possible when adding a jail that its dying parent comes back to life. Only allow that to happen when JAIL_DYING is specified. And if it does happen, call PR_METHOD_CREATE on it.
|
#
195cd6ae |
|
22-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: fix dangling reference bug from 6754ae2572eb The change to use refcounts for pr_uref was mishandled in prison_proc_free, so killing a jail's last process could add an extra reference, leaving it an unkillable zombie.
|
#
39c8ef90 |
|
22-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: A jail could be removed without calling OSD methods Fix a long-standing bug where setting nopersist on a process-less jail would remove it without calling the the OSD PR_METHOD_REMOVE methods.
|
#
6754ae25 |
|
20-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Use refcount(9) for prison references. Use refcount(9) for both pr_ref and pr_uref in struct prison. This allows prisons to held and freed without requiring the prison mutex. An exception to this is that dropping the last reference will still lock the prison, to keep the guarantee that a locked prison remains valid and alive (provided it was at the time it was locked). Among other things, this honors the promise made in a comment in crcopy(9), that it will not block, which hasn't been true for two decades.
|
#
effad35e |
|
18-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Clean up some function placement and improve comments. Move prison_hold, prison_hold_locked ,prison_proc_hold, and prison_proc_free to a more intuitive part of the file (together with with prison_free and prison_free_locked), and add or improve comments to these and others, to better describe what's going in the prison reference cycle. No functional changes.
|
#
83bc72a0 |
|
18-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Fix a stray mutex from 76ad42abf9d4.
|
#
76ad42ab |
|
18-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Add prison_isvalid() and prison_isalive() prison_isvalid() checks if a prison record can be used at all, i.e. pr_ref > 0. This filters out prisons that aren't fully created, and those that are either in the process of being dismantled, or will be at the next opportunity. While the check for pr_ref > 0 is simple enough to make without a convenience function, this prepares the way for other measures of prison validity. prison_isalive() checks not only validity as far as the useablity of the prison structure, but also whether the prison is visible to user space. It replaces a test for pr_uref > 0, which is currently only used within kern_jail.c, and not often there. Both of these functions also assert that either the prison mutex or allprison_lock is held, since it's generally the case that unlocked prisons aren't guaranteed to remain useable for any length of time. This isn't entirely true, for example a thread can assume its own prison is good, but most exceptions will exist inside of kern_jail.c.
|
#
2a4b2251 |
|
09-Jan-2021 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Simplify handling of prison_deref() Track the the current lock/reference state in a single variable, rather than deducing the proper prison_deref() flags from a combination of equations and hard-coded values.
|
#
b58a4634 |
|
31-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: revert the attachment part of b4e87a632955 The change to kern_jail_set that was supposed to "also properly clean up when attachment fails" didn't fix a memory leak but actually caused a double free. Back that part out, and leave the part that manages allprison_lock state.
|
#
b4e87a63 |
|
31-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Clean up allprison_lock handing in kern_jail_set Keep explicit track of the allprison_lock state during the final part of kern_jail_set, instead of deducing it from the JAIL_ATTACH flag. Also properly clean up when the attachment fails, fixing a long- standing (though minor) memory leak.
|
#
7f4e7248 |
|
26-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: add a missing lock around an osd_jail_call(). allprison_lock should be at least held shared when jail OSD methods are called. Add a shared lock around one such call where that wasn't the case. In another such call, change an exclusive lock grab to be shared in what is likely the more common case.
|
#
0fe74ae6 |
|
26-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Consistently handle the pr_allow bitmask Return a boolean (i.e. 0 or 1) from prison_allow, instead of the flag value itself, which is what sysctl expects. Add prison_set_allow(), which can set or clear a permission bit, and propagates cleared bits down to child jails. Use prison_allow() and prison_set_allow() in the various jail.allow.* sysctls, and others that depend on thoe permissions. Add locking around checking both pr_allow and pr_enforce_statfs in prison_priv_check().
|
#
5d58f959 |
|
26-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Fix lock-free access to dynamic pr.allow flags Use atomic access and a memory barrier to ensure that the flag parameter in pr_flag_allow is indeed set after the rest of the structure is valid. Simplify adding flag bits with pr_allow_all, a dynamic version of PR_ALLOW_ALL_STATIC.
|
#
7de883c8 |
|
26-Dec-2020 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Fix an O(n^2) loop when adding jails When a jail is added using the default (system-chosen) JID, and non-default-JID jails already exist, a loop through the allprison list could restart and result in unnecessary O(n^2) behaviour. There should never be more than two list passes required. Also clean up inefficient (though still O(n)) allprison list traversal when finding jails by ID, or when adding jails in the common case of all default JIDs.
|
#
05e1e482 |
|
18-Nov-2020 |
Mariusz Zaborski <oshogbo@FreeBSD.org> |
jail: introduce per jail suser_enabled setting The suser_enable sysctl allows to remove a privileged rights from uid 0. This change introduce per jail setting which allow to make root a normal user. Reviewed by: jamie Previous version reviewed by: kevans, emaste, markj, me_igalic.co Discussed with: pjd Differential Revision: https://reviews.freebsd.org/D27128
|
#
21fe9441 |
|
18-Nov-2020 |
Mariusz Zaborski <oshogbo@FreeBSD.org> |
Fix style nits.
|
#
6fed89b1 |
|
01-Sep-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
kern: clean up empty lines in .c and .h files
|
#
a459a6cf |
|
25-Aug-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: respect PRIV_VFS_LOOKUP in vaccess_smr Reported by: novel
|
#
f7d38a13 |
|
19-Jul-2020 |
Adrian Chadd <adrian@FreeBSD.org> |
[net80211] Add new privileges; restrict what can be done in a jail. Split the MANAGE privilege into MANAGE, SETMAC and CREATE_VAP. + VAP_MANAGE is everything but setting the MAC and creating a VAP. + VAP_SETMAC is setting the MAC address of the VAP. Typically you wouldn't want the jail to be able to modify this. + CREATE_VAP is to create a new VAP. Again, you don't want to be doing this in a jail, but this DOES stop being able to run some corner cases like Dynamic WDS (DWDS) AP in a jail/vnet. We can figure this bit out later. This allows me to run wpa_supplicant in a jail after transferring a STA VAP into it. I unfortunately can't currently set the wlan debugging inside the jail; that would be super useful! Reviewed by: bz Differential Revision: https://reviews.freebsd.org/D25630
|
#
63619b6d |
|
04-Jun-2020 |
Kyle Evans <kevans@FreeBSD.org> |
vfs: add restrictions to read(2) of a directory [2/2] This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy. Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users. PR: 246412 Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous) Reviewed by: rgrimes (latest version) Differential Revision: https://reviews.freebsd.org/D24596
|
#
3f8bc99c |
|
18-Apr-2020 |
Kristof Provost <kp@FreeBSD.org> |
ethersubr: Make the mac address generation more robust If we create two (vnet) jails and create a bridge interface in each we end up with the same mac address on both bridge interfaces. These very often conflicts, resulting in same mac address in both jails. Mitigate this problem by including the jail name in the mac address. Reviewed by: kevans, melifaro MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24383
|
#
c3188289 |
|
15-Apr-2020 |
Kyle Evans <kevans@FreeBSD.org> |
Preload hostuuid for early-boot use prison0's hostuuid will get set by the hostid rc script, either after generating it and saving it to /etc/hostid or by simply reading /etc/hostid. Some things (e.g. arbitrary MAC address generation) may use the hostuuid as a factor in early boot, so providing a way to read /etc/hostid (if it's available) and using it before userland starts up is desirable. The code is written such that the preload doesn't *have* to be /etc/hostid, thus not assuming that there will be newline at the end of the buffer or even the exact shape of the newline. White trailing whitespace/non-printables trimmed, the result will be validated as a valid uuid before it's used for early boot purposes. The preload can be turned off with hostuuid_load="NO" in /boot/loader.conf, just as other preloads; it's worth noting that this is a 37-byte file, the overhead is believed to be generally minimal. It doesn't seem necessary at this time to be concerned with kern.hostid. One does wonder if we should consider validating hostuuids coming in via jail_set(2); some bits seem to care about uuid form and we bother validating format of smbios-provided uuid and in-fact whatever uuid comes from /etc/hostid. Reviewed by: karels, delphij, jamie MFC after: 1 week (don't preload by default, probably) Differential Revision: https://reviews.freebsd.org/D24288
|
#
1b786d01 |
|
14-Mar-2020 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
kern_jail: missing \0 termination check on osrelease parameter If a user spplies a non-\0 terminated osrelease parameter reading it back may disclose kernel memory. This is a problem in case of nested jails (children.max > 0, which is not the default). Otherwise root outside the jail has access to kernel memory by other means and root inside a jail cannot create a child jail. Add the proper \0 check at the end of a supplied osrelease parameter and make sure any copies of the field will be \0-terminated. Submitted by: Hans Christian Woithe (chwoithe yahoo.com) MFC after: 3 days
|
#
7029da5c |
|
26-Feb-2020 |
Pawel Biernacki <kaktus@FreeBSD.org> |
Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many) r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren’t properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT Approved by: kib (mentor, blanket) Commented by: kib, gallatin, melifaro Differential Revision: https://reviews.freebsd.org/D23718
|
#
7b2ff0dc |
|
13-Feb-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
Partially decompose priv_check by adding priv_check_cred_vfs_generation During buildkernel there are very frequent calls to priv_check and they all are for PRIV_VFS_GENERATION (coming from stat/fstat). This results in branching on several potential privileges checking if perhaps that's the one which has to be evaluated. Instead of the kitchen-sink approach provide a way to have commonly used privs directly evaluated.
|
#
e6081fe8 |
|
13-Feb-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
Inline jailed(). It is constantly called from priv_check.
|
#
3eb6b656 |
|
08-Feb-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: remove now useless ENODEV handling from vn_fullpath consumers Noted by: ngie
|
#
3ff65f71 |
|
30-Jan-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
Remove duplicated empty lines from kern/*.c No functional changes.
|
#
b249ce48 |
|
03-Jan-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
vfs: drop the mostly unused flags argument from VOP_UNLOCK Filesystems which want to use it in limited capacity can employ the VOP_UNLOCK_FLAGS macro. Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D21427
|
#
c83dda36 |
|
31-Dec-2019 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Split gigantic rtsock route_output() into smaller functions. Amount of changes to the original code has been intentionally minimised to ease diffing. The changes are mostly mechanical, with the following exceptions: * lltable handler is now called directly based of RTF_LLINFO flag presense. * "report" logic for updating rtm in RTM_GET/RTM_DELETE has been simplified, fixing several potential use-after-free cases in rt_addrinfo. * llable asserts has been replaced with error-returning, preventing kernel crashes when lltable gw af family is invalid (root required). MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D22864
|
#
6ff4688b |
|
07-Dec-2018 |
Mateusz Guzik <mjg@FreeBSD.org> |
Replace hand-rolled unrefs if > 1 with refcount_release_if_not_last Sponsored by: The FreeBSD Foundation
|
#
b3079544 |
|
27-Nov-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl node is set, allow setting security.bsd.unprivileged_proc_debug per-jail. In part, this is needed to create jails in which the Address Sanitizer (ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address space. Instead of having to allow unprivileged process debugging for the entire system, allow setting it on a per-jail basis. The sysctl node is still security.bsd.unprivileged_proc_debug and the jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a sysctl proc rather than a sysctl int. This allows us to determine setting the flag for the corresponding jail (or prison0). As part of the change, the dynamic allow.* API needed to be modified to take into account pr_allow flags which may now be disabled in prison0. This prevents conflicts with new pr_allow flags (like that of vmm(4)) that are added (and removed) dynamically. Also teach the jail creation KPI to allow differences for certain pr_allow flags between the parent and child jail. This can happen when unprivileged process debugging is disabled in the parent prison, but enabled in the child. Submitted by: Shawn Webb <lattera at gmail.com> Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8) Relnotes: yes Sponsored by: HardenedBSD and G2, Inc Differential Revision: https://reviews.freebsd.org/D18319
|
#
389474c1 |
|
12-Nov-2018 |
Konstantin Belousov <kib@FreeBSD.org> |
Allow set ether/vlan PCP operation from the VNET jails. The vlan interfaces can be created from vnet jails, it seems, so it sounds logical to allow pcp configuration as well. Reviewed by: bz, hselasky (previous version) Sponsored by: Mellanox Technologies MFC after: 1 week Differential revision: https://reviews.freebsd.org/D17777
|
#
4520f617 |
|
18-Oct-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix typos from r339409. Reported by: maxim Approved by: re (gjb)
|
#
b19d66fd |
|
17-Oct-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Add a new jail permission, allow.read_msgbuf. When true, jailed processes can see the dmesg buffer (this is the current behavior). When false (the new default), dmesg will be unavailable to jailed users, whether root or not. The security.bsd.unprivileged_read_msgbuf sysctl still works as before, controlling system-wide whether non-root users can see the buffer. PR: 211580 Submitted by: bz Approved by: re@ (kib@) MFC after: 3 days
|
#
08b43333 |
|
05-Oct-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix the test prohibiting jails from sharing IP addresses. It's not supposed to be legal for two jails to contain the same IP address, unless both jails contain only that one address. This is the behavior documented in jail(8), and is there to prevent confusion when multiple jails are listening on IADDR_ANY. VIMAGE jails (now the default for GENERIC kernels) test this correctly, but non-VIMAGE jails have been performing an incomplete test when nested jails are used. Approved by: re@ (kib@) MFC after: 5 days
|
#
c542c43e |
|
16-Aug-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Revert r337922, except for some documention-only bits. This needs to wait until user is changed to stop using jail(2). Differential Revision: D14791
|
#
284001a2 |
|
16-Aug-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating jails since FreeBSD 7. Along with the system call, put the various security.jail.allow_foo and security.jail.foo_allowed sysctls partly under COMPAT_FREEBSD11 (or BURN_BRIDGES). These sysctls had two disparate uses: on the system side, they were global permissions for jails created via jail(2) which lacked fine-grained permission controls; inside a jail, they're read-only descriptions of what the current jail is allowed to do. The first use is obsolete along with jail(2), but keep them for the second-read-only use. Differential Revision: D14791
|
#
ccd6ac9f |
|
28-Jul-2018 |
Antoine Brodin <antoine@FreeBSD.org> |
Add allow.mlock to jail parameters It allows locking or unlocking physical pages in memory within a jail This allows running elasticsearch with "bootstrap.memory_lock" inside a jail Reviewed by: jamie@ Differential Revision: https://reviews.freebsd.org/D16342
|
#
0a172404 |
|
06-Jul-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Change prison_add_vfs() to the more generic prison_add_allow(), which can add any dynamic allow.* or allow.*.* parameter. Also keep prison_add_vfs() as a wrapper. Differential Revision: D16146
|
#
dbadb015 |
|
05-Jul-2018 |
Konstantin Belousov <kib@FreeBSD.org> |
Silence warnings about unused variables when RACCT is defined but RCTL is not. Reported by: Dries Michiels <driesm.michiels@gmail.com> Sponsored by: The FreeBSD Foundation MFC after: 3 days
|
#
7938a442 |
|
20-Jun-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Instead of using hand-rolled loops where not needed switch them to FOREACH_PROC_IN_SYSTEM() to have a single pattern to look for. Reviewed by: kib MFC after: 2 weeks Sponsored by: iXsystems, Inc. Differential Revision: https://reviews.freebsd.org/D15916
|
#
bb8f1623 |
|
24-May-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Try to be consistent and spell "vnet" lower case like all the other options (and as we do on command line). Sponsored by: iXsystems, Inc.
|
#
36b41cc3 |
|
24-May-2018 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Improve the KASSERT to also have the prison pointer. Helpful when debugging from ddb. Sponsored by: iXsystems, Inc.
|
#
0e5c6bd4 |
|
04-May-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Make it easier for filesystems to count themselves as jail-enabled, by doing most of the work in a new function prison_add_vfs in kern_jail.c Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and the rest is taken care of. This includes adding a jail parameter like allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed. Both of these used to be a static list of known filesystems, with predefined permission bits. Reviewed by: kib Differential Revision: D14681
|
#
f87beb93 |
|
20-Apr-2018 |
Andriy Gapon <avg@FreeBSD.org> |
call racct_proc_ucred_changed() under the proc lock The lock is required to ensure that the switch to the new credentials and the transfer of the process's accounting data from the old credentials to the new ones is done atomically. Otherwise, some updates may be applied to the new credentials and then additionally transferred from the old credentials if the updates happen after proc_set_cred() and before racct_proc_ucred_changed(). The problem is especially pronounced for RACCT_RSS because - there is a strict accounting for this resource (it's reclaimable) - it's updated asynchronously by the vm daemon - it's updated by setting an absolute value instead of applying a delta I had to remove a call to rctl_proc_ucred_changed() from racct_proc_ucred_changed() and make all callers of latter call the former as well. The reason is that rctl_proc_ucred_changed, as it is implemented now, cannot be called while holding the proc lock, so the lock is dropped after calling racct_proc_ucred_changed. Additionally, I've added calls to crhold / crfree around the rctl call, because without the proc lock there is no gurantee that the new credentials, owned by the process, will stay stable. That does not eliminate a possibility that the credentials passed to the rctl will get stale. Ideally, rctl_proc_ucred_changed should be able to work under the proc lock. Many thanks to kib for pointing out the above problems. PR: 222027 Discussed with: kib No comment: trasz MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D15048
|
#
6469bdcd |
|
06-Apr-2018 |
Brooks Davis <brooks@FreeBSD.org> |
Move most of the contents of opt_compat.h to opt_global.h. opt_compat.h is mentioned in nearly 180 files. In-progress network driver compabibility improvements may add over 100 more so this is closer to "just about everywhere" than "only some files" per the guidance in sys/conf/options. Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of sys/compat/linux/*.c. A fake _COMPAT_LINUX option ensure opt_compat.h is created on all architectures. Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the set of compiled files. Reviewed by: kib, cem, jhb, jtl Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14941
|
#
672756aa |
|
20-Mar-2018 |
Jamie Gritton <jamie@FreeBSD.org> |
Represent boolean jail options as an array of structures containing the flag and both the regular and "no" names, instead of two different string arrays whose indices need to match the flag's bit position. This makes them similar to the say "jailsys" options are represented. Loop through either kind of option array with a structure pointer rather then an integer index.
|
#
8a36da99 |
|
27-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys/kern: adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts.
|
#
e28f9b7d |
|
05-Jun-2017 |
Allan Jude <allanjude@FreeBSD.org> |
Jails: Optionally prevent jailed root from binding to privileged ports You may now optionally specify allow.noreserved_ports to prevent root inside a jail from using privileged ports (less than 1024) PR: 217728 Submitted by: Matt Miller <mattm916@pulsar.neomailbox.ch> Reviewed by: jamie, cem, smh Relnotes: yes Differential Revision: https://reviews.freebsd.org/D10202
|
#
8144690a |
|
16-Feb-2017 |
Eric van Gyzen <vangyzen@FreeBSD.org> |
Use inet_ntoa_r() instead of inet_ntoa() throughout the kernel inet_ntoa() cannot be used safely in a multithreaded environment because it uses a static local buffer. Instead, use inet_ntoa_r() with a buffer on the caller's stack. Suggested by: glebius, emaste Reviewed by: gnn MFC after: 2 weeks Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D9625
|
#
0ce1624d |
|
08-Aug-2016 |
Stephen J. Kiernan <stevek@FreeBSD.org> |
Move IPv4-specific jail functions to new file netinet/in_jail.c _prison_check_ip4 renamed to prison_check_ip4_locked Move IPv6-specific jail functions to new file netinet6/in6_jail.c _prison_check_ip6 renamed to prison_check_ip6_locked Add appropriate prototypes to sys/sys/jail.h Adjust kern_jail.c to call prison_check_ip4_locked and prison_check_ip6_locked accordingly. Add netinet/in_jail.c and netinet6/in6_jail.c to the list of files that need to be built when INET and INET6, respectively, are configured in the kernel configuration file. Reviewed by: jtl Approved by: sjg (mentor) Sponsored by: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D6799
|
#
932a6e43 |
|
09-Jun-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix a vnode leak when giving a child jail a too-long path when debug.disablefullpath=1.
|
#
cf0313c6 |
|
09-Jun-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Re-order some jail parameter reading to prevent a vnode leak.
|
#
176ff3a0 |
|
09-Jun-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Clean up some logic in jail error messages, replacing a missing test and a redundant test with a single correct test.
|
#
ef0ddea3 |
|
09-Jun-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Make sure the OSD methods for jail set and remove can't run concurrently, by holding allprison_lock exclusively (even if only for a moment before downgrading) on all paths that call PR_METHOD_REMOVE. Since they may run on a downgraded lock, it's still possible for them to run concurrently with PR_METHOD_GET, which will need to use the prison lock.
|
#
ee8d6bd3 |
|
29-May-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Mark jail(2), and the sysctls that it (and only it) uses as deprecated. jail(8) has long used jail_set(2), and those sysctl only cause confusion.
|
#
e3043798 |
|
29-Apr-2016 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys/kern: spelling fixes in comments. No functional change.
|
#
73d9e52d |
|
26-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Delay revmoing the last jail reference in prison_proc_free, and instead put it off into the pr_task. This is similar to prison_free, and in fact uses the same task even though they do something slightly different. This resolves a LOR between the process lock and allprison_lock, which came about in r298565. PR: 48471
|
#
1fb6767d |
|
26-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Use crcopysafe in jail_attach.
|
#
b6f47c23 |
|
24-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Pass the current/new jail to PR_METHOD_CHECK, which pushes the call until after the jail is found or created. This requires unlocking the jail for the call and re-locking it afterward, but that works because nothing in the jail has been changed yet, and other processes won't change the important fields as long as allprison_lock remains held. Keep better track of name vs namelc in kern_jail_set. Name should always be the hierarchical name (relative to the caller), and namelc the last component. PR: 48471 MFC after: 5 days
|
#
cc5fd8c7 |
|
24-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Add a new jail OSD method, PR_METHOD_REMOVE. It's called when a jail is removed from the user perspective, i.e. when the last pr_uref goes away, even though the jail mail still exist in the dying state. It will also be called if either PR_METHOD_CREATE or PR_METHOD_SET fail. PR: 48471 MFC after: 5 days
|
#
2a549507 |
|
24-Apr-2016 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove the PR_REMOVE flag, which was meant as a temporary marker for a jail that might be seen mid-removal. It hasn't been doing the right thing since at least the ability to resurrect dying jails, and such resurrection also makes it unnecessary.
|
#
02abd400 |
|
19-Apr-2016 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
kernel: use our nitems() macro when it is available through param.h. No functional change, only trivial cases are done in this sweep, Discussed in: freebsd-current
|
#
6ab6058e |
|
15-Dec-2015 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix jail name checking that disallowed anything that starts with '0'. The intention was to just limit leading zeroes on numeric names. That check is now improved to also catch the leading spaces and '+' that strtoul can pass through. PR: 204897 MFC after: 3 days
|
#
15db3c07 |
|
14-Nov-2015 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Speed up rctl operation with large rulesets, by holding the lock during iteration instead of relocking it for each traversed rule. Reviewed by: mjg@ MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D4110
|
#
f19e47d6 |
|
19-Jul-2015 |
Marcelo Araujo <araujo@FreeBSD.org> |
Add support to the jail framework to be able to mount linsysfs(5) and linprocfs(5). Differential Revision: D2846 Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com> Reviewed by: jamie
|
#
f0725a8e |
|
11-Jul-2015 |
Mateusz Guzik <mjg@FreeBSD.org> |
Move chdir/chroot-related fdp manipulation to kern_descrip.c Prefix exported functions with pwd_. Deduplicate some code by adding a helper for setting fd_cdir. Reviewed by: kib
|
#
af10bf05 |
|
17-Jun-2015 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Initialise pr_enforce_statfs from the "default" sysctl value and not from the compile time constant. The sysctl value is seeded from the compile time constant. MFC after: 2 weeks
|
#
4b5c9cf6 |
|
29-Apr-2015 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Add kern.racct.enable tunable and RACCT_DISABLED config option. The point of this is to be able to add RACCT (with RACCT_DISABLED) to GENERIC, to avoid having to rebuild the kernel to use rctl(8). Differential Revision: https://reviews.freebsd.org/D2369 Reviewed by: kib@ MFC after: 1 month Relnotes: yes Sponsored by: The FreeBSD Foundation
|
#
a2d4a7e4 |
|
24-Mar-2015 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Do not include if_var.h and in6_var.h into kern_jail.c. It is now possible after r280444. Sponsored by: Nginx, Inc.
|
#
daf63fd2 |
|
15-Mar-2015 |
Mateusz Guzik <mjg@FreeBSD.org> |
cred: add proc_set_cred helper The goal here is to provide one place altering process credentials. This eases debugging and opens up posibilities to do additional work when such an action is performed.
|
#
bd96bd15 |
|
28-Feb-2015 |
Ian Lepore <ian@FreeBSD.org> |
Format the line properly (wrap before column 80).
|
#
a1a4c1b0 |
|
28-Feb-2015 |
Ian Lepore <ian@FreeBSD.org> |
Export the new osreldate and osrelease jail parms in jail_get(2).
|
#
b96bd95b |
|
27-Feb-2015 |
Ian Lepore <ian@FreeBSD.org> |
Allow the kern.osrelease and kern.osreldate sysctl values to be set in a jail's creation parameters. This allows the kernel version to be reliably spoofed within the jail whether examined directly with sysctl or indirectly with the uname -r and -K options. The values can only be set at jail creation time, to eliminate the need for any locking when accessing the values via sysctl. The overridden values are inherited by nested jails (unless the config for the nested jails also overrides the values). There is no sanity or range checking, other than disallowing an empty release string or a zero release date, by design. The system administrator is trusted to set sane values. Setting values that are newer than the actual running kernel will likely cause compatibility problems. Differential Revision: https://reviews.freebsd.org/D1948 Relnotes: yes
|
#
464aad14 |
|
28-Jan-2015 |
Jamie Gritton <jamie@FreeBSD.org> |
Add allow.mount.fdescfs jail flag. PR: 192951 Submitted by: ruben@verweg.com MFC after: 3 days
|
#
6a3f2779 |
|
13-Jan-2015 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove the prison flags PR_IP4_DISABLE and PR_IP6_DISABLE, which have been write-only for as long as they've existed.
|
#
0e5e396e |
|
13-Jan-2015 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't set prison's pr_ip4s or pr_ip6s to -1. PR: 196474 MFC after: 3 days
|
#
f514b97b |
|
09-Sep-2014 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Avoid unlocking unlocked mutex in RCTL jail code. Specific test case is attached to PR. PR: 193457 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
45c203fc |
|
14-Mar-2014 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Remove AppleTalk support. AppleTalk was a network transport protocol for Apple Macintosh devices in 80s and then 90s. Starting with Mac OS X in 2000 the AppleTalk was a legacy protocol and primary networking protocol is TCP/IP. The last Mac OS X release to support AppleTalk happened in 2009. The same year routing equipment vendors (namely Cisco) end their support. Thus, AppleTalk won't be supported in FreeBSD 11.0-RELEASE.
|
#
2c284d93 |
|
13-Mar-2014 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Remove IPX support. IPX was a network transport protocol in Novell's NetWare network operating system from late 80s and then 90s. The NetWare itself switched to TCP/IP as default transport in 1998. Later, in this century the Novell Open Enterprise Server became successor of Novell NetWare. The last release that claimed to still support IPX was OES 2 in 2007. Routing equipment vendors (e.g. Cisco) discontinued support for IPX in 2011. Thus, IPX won't be supported in FreeBSD 11.0-RELEASE.
|
#
f15444cc |
|
31-Jan-2014 |
Jamie Gritton <jamie@FreeBSD.org> |
Back out r261266 pending security buy-in. r261266: Add a jail parameter, allow.kmem, which lets jailed processes access /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE). This in conjunction with changing the drm driver's permission check from PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
|
#
109ca2d5 |
|
29-Jan-2014 |
Jamie Gritton <jamie@FreeBSD.org> |
Add a jail parameter, allow.kmem, which lets jailed processes access /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE). This in conjunction with changing the drm driver's permission check from PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server. Submitted by: netchild MFC after: 1 week
|
#
da0770bd |
|
17-Dec-2013 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix copy/paste typo. MFC after: 1 week
|
#
b5019bc4 |
|
28-Nov-2013 |
Peter Wemm <peter@FreeBSD.org> |
jail_v0.ip_number was always in host byte order. This was handled in one of the many layers of indirection and shims through stable/7 in jail_handle_ips(). When it was cleaned up and unified through kern_jail() for 8.x, the byte order swap was lost. This only matters for ancient binaries that call jail(2) themselves internally.
|
#
0d168b8d |
|
01-Nov-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
prison_check_ip4() can take const arguments.
|
#
76039bc8 |
|
26-Oct-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h Sponsored by: Netflix Sponsored by: Nginx, Inc.
|
#
bb56d716 |
|
06-Sep-2013 |
Jamie Gritton <jamie@FreeBSD.org> |
Keep PRIV_KMEM_READ permitted inside jails as it is on the outside.
|
#
2454886e |
|
23-Aug-2013 |
Xin LI <delphij@FreeBSD.org> |
Allow tmpfs be mounted inside jail.
|
#
761d2bb5 |
|
18-May-2013 |
Jamie Gritton <jamie@FreeBSD.org> |
Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't apply to most jails but do apply to vnet jails. This includes adding a new sysctl "security.jail.vnet" to identify vnet jails. PR: conf/149050 Submitted by: mdodd MFC after: 3 days
|
#
af3c786c |
|
18-Dec-2012 |
Mateusz Guzik <mjg@FreeBSD.org> |
prison_racct_detach can be called for not fully initialized jail, so make it check that the jail has racct before doing anything PR: kern/174436 Reviewed by: trasz MFC after: 3 days
|
#
5050aa86 |
|
22-Oct-2012 |
Konstantin Belousov <kib@FreeBSD.org> |
Remove the support for using non-mpsafe filesystem modules. In particular, do not lock Giant conditionally when calling into the filesystem module, remove the VFS_LOCK_GIANT() and related macros. Stop handling buffers belonging to non-mpsafe filesystems. The VFS_VERSION is bumped to indicate the interface change which does not result in the interface signatures changes. Conducted and reviewed by: attilio Tested by: pho
|
#
1fb24974 |
|
22-May-2012 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Fix use-after-free in kern_jail_set() triggered e.g. by attempts to clear "persist" flag from empty persistent jail, like this: jail -c persist=1 jail -n 1 -m persist=0 Submitted by: Mateusz Guzik <mjguzik at gmail dot com> MFC after: 2 weeks
|
#
e30345e7 |
|
22-May-2012 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Don't leak locks in prison_racct_modify(). Submitted by: Mateusz Guzik <mjguzik at gmail dot com> MFC after: 2 weeks
|
#
c34bbd2a |
|
06-Mar-2012 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Make racct and rctl correctly handle jail renaming. Previously they would continue using old name, the one jail was created with. PR: bin/165207
|
#
41c0675e |
|
28-Feb-2012 |
Martin Matuska <mm@FreeBSD.org> |
Add procfs to jail-mountable filesystems. Reviewed by: jamie MFC after: 1 week
|
#
e7af90ab |
|
26-Feb-2012 |
Martin Matuska <mm@FreeBSD.org> |
Analogous to r232059, add a parameter for the ZFS file system: allow.mount.zfs: allow mounting the zfs filesystem inside a jail This way the permssions for mounting all current VFCF_JAIL filesystems inside a jail are controlled wia allow.mount.* jail parameters. Update sysctl descriptions. Update jail(8) and zfs(8) manpages. TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel developers MFC after: 10 days
|
#
bf3db8aa |
|
23-Feb-2012 |
Martin Matuska <mm@FreeBSD.org> |
To improve control over the use of mount(8) inside a jail(8), introduce a new jail parameter node with the following parameters: allow.mount.devfs: allow mounting the devfs filesystem inside a jail allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail Both parameters are disabled by default (equals the behavior before devfs and nullfs in jails). Administrators have to explicitly allow mounting devfs and nullfs for each jail. The value "-1" of the devfs_ruleset parameter is removed in favor of the new allow setting. Reviewed by: jamie Suggested by: pjd MFC after: 2 weeks
|
#
0cc207a6 |
|
09-Feb-2012 |
Martin Matuska <mm@FreeBSD.org> |
Add support for mounting devfs inside jails. A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules. Utilizes new functions introduced in r231265. Reviewed by: jamie MFC after: 1 month
|
#
6dfe0a3d |
|
20-Jan-2012 |
Martin Matuska <mm@FreeBSD.org> |
Use separate buffer for global path to avoid overflow of path buffer. Reviewed by: jamie@ MFC after: 3 weeks
|
#
9cbe30e1 |
|
15-Jan-2012 |
Martin Matuska <mm@FreeBSD.org> |
Fix missing in r230129: kern_jail.c: initialize fullpath_disabled to zero vfs_cache.c: add missing dot in comment Reported by: kib MFC after: 1 month
|
#
f6e633a9 |
|
14-Jan-2012 |
Martin Matuska <mm@FreeBSD.org> |
Introduce vn_path_to_global_path() This function updates path string to vnode's full global path and checks the size of the new path string against the pathlen argument. In vfs_domount(), sys_unmount() and kern_jail_set() this new function is used to update the supplied path argument to the respective global path. Unbreaks jailed zfs(8) with enforce_statfs set to 1. Reviewed by: kib MFC after: 1 month
|
#
6472ac3d |
|
07-Nov-2011 |
Ed Schouten <ed@FreeBSD.org> |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs. The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
#
d745c852 |
|
06-Nov-2011 |
Ed Schouten <ed@FreeBSD.org> |
Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs. This means that their use is restricted to a single C file.
|
#
8451d0dd |
|
16-Sep-2011 |
Kip Macy <kmacy@FreeBSD.org> |
In order to maximize the re-usability of kernel code in user space this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls. Reviewed by: rwatson Approved by: re (bz)
|
#
e6d5cb63 |
|
26-Aug-2011 |
Jamie Gritton <jamie@FreeBSD.org> |
Delay the recursive decrement of pr_uref when jails are made invisible but not removed; decrement it instead when the child jail actually goes away. This avoids letting the counter go below zero in the case where dying (pr_uref==0) jails are "resurrected", and an associated KASSERT panic. Submitted by: Steven Hartland Approved by: re (bz) MFC after: 1 week
|
#
435d4667 |
|
02-Aug-2011 |
Martin Matuska <mm@FreeBSD.org> |
Always disable mount and unmount for jails with enforce_statfs==2. A working statfs(2) is required for umount(8) in jail. Reviewed by: pjd, kib Approved by: re (kib) MFC after: 2 weeks
|
#
6beb3bb4 |
|
24-Jul-2011 |
Kirk McKusick <mckusick@FreeBSD.org> |
This update changes the mnt_flag field in the mount structure from 32 bits to 64 bits and eliminates the unused mnt_xflag field. The existing mnt_flag field is completely out of bits, so this update gives us room to expand. Note that the f_flags field in the statfs structure is already 64 bits, so the expanded mnt_flag field can be exported without having to make any changes in the statfs structure. Approved by: re (bz)
|
#
35fd7bc0 |
|
02-Jul-2011 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add infrastructure to allow all frames/packets received on an interface to be assigned to a non-default FIB instance. You may need to recompile world or ports due to the change of struct ifnet. Submitted by: cjsp Submitted by: Alexander V. Chernikov (melifaro ipfw.ru) (original versions) Reviewed by: julian Reviewed by: Alexander V. Chernikov (melifaro ipfw.ru) MFC after: 2 weeks X-MFC: use spare in struct ifnet
|
#
a7ad07bf |
|
03-May-2011 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Change the way rctl interfaces with jails by introducing prison_racct structure, which acts as a proxy between them. This makes jail rules persistent, i.e. they can be added before jail gets created, and they don't disappear when the jail gets destroyed.
|
#
ec125fbb |
|
30-Mar-2011 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Add rctl. It's used by racct to take user-configurable actions based on the set of rules it maintains and the current resource usage. It also privides userland API to manage that ruleset. Sponsored by: The FreeBSD Foundation Reviewed by: kib (earlier version)
|
#
097055e2 |
|
29-Mar-2011 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Add racct. It's an API to keep per-process, per-jail, per-loginclass and per-loginclass resource accounting information, to be used by the new resource limits code. It's connected to the build, but the code that actually calls the new functions will come later. Sponsored by: The FreeBSD Foundation Reviewed by: kib (earlier version)
|
#
e4cd31dd |
|
21-Mar-2011 |
Jeff Roberson <jeff@FreeBSD.org> |
- Merge changes to the base system to support OFED. These include a wider arg2 for sysctl, updates to vlan code, IFT_INFINIBAND, and other miscellaneous small features.
|
#
2bfc50bc |
|
04-Mar-2011 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Add two new system calls, setloginclass(2) and getloginclass(2). This makes it possible for the kernel to track login class the process is assigned to, which is required for RCTL. This change also make setusercontext(3) call setloginclass(2) and makes it possible to retrieve current login class using id(1). Reviewed by: kib (as part of a larger patch)
|
#
a5c1afad |
|
26-Jan-2011 |
Dmitry Chagin <dchagin@FreeBSD.org> |
Add macro to test the sv_flags of any process. Change some places to test the flags instead of explicit comparing with address of known sysentvec structures. MFC after: 1 month
|
#
5cc70397 |
|
31-Dec-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Mfp4 CH177924: Add and export constants of array sizes of jail parameters as compiled into the kernel. This is the least intrusive way to allow kvm to read the (sparse) arrays independent of the options the kernel was compiled with. Reviewed by: jhb (originally) MFC after: 1 week Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
f337198d |
|
10-Sep-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't exit kern_jail_set without freeing options when enforce_statfs has an illegal value. MFC after: 3 days
|
#
4affa14c |
|
08-Aug-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Back out r210974. Any convenience of not typing "persist" is outweighed by the possibility of unintended partially-formed jails.
|
#
f4aad873 |
|
06-Aug-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
Implicitly make a new jail persistent if it's set not to attach. MFC after: 3 days
|
#
3beefaed |
|
04-Jun-2010 |
Colin Percival <cperciva@FreeBSD.org> |
Declare ip6 as (struct in6_addr *) instead of (struct in_addr *). This is a harmless bug since we never actually use ip6 as anything other than an opaque pointer. Found with: Coverty Prevent(tm) CID: 4319 MFC after: 1 month
|
#
4ccf64eb |
|
06-Apr-2010 |
Nathan Whitehorn <nwhitehorn@FreeBSD.org> |
MFC r205014,205015: Provide groundwork for 32-bit binary compatibility on non-x86 platforms, for upcoming 64-bit PowerPC and MIPS support. This renames the COMPAT_IA32 option to COMPAT_FREEBSD32, removes some IA32-specific code from MI parts of the kernel and enhances the freebsd32 compatibility code to support big-endian platforms. This MFC is required for MFCs of later changes to the freebsd32 compatibility from HEAD. Requested by: kib
|
#
cbd7567e |
|
27-Mar-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r202123: Change DDB show prison: - name some columns more closely to the user space variables, as we do for host.* or allow.* (in the listing) already. - print pr_childmax (children.max). - prefix hex values with 0x.
|
#
841c0c7e |
|
11-Mar-2010 |
Nathan Whitehorn <nwhitehorn@FreeBSD.org> |
Provide groundwork for 32-bit binary compatibility on non-x86 platforms, for upcoming 64-bit PowerPC and MIPS support. This renames the COMPAT_IA32 option to COMPAT_FREEBSD32, removes some IA32-specific code from MI parts of the kernel and enhances the freebsd32 compatibility code to support big-endian platforms. Reviewed by: kib, jhb
|
#
a5a931b3 |
|
25-Feb-2010 |
Xin LI <delphij@FreeBSD.org> |
MFC 203052: Add interface description capability as inspired by OpenBSD. Thanks for rwatson@, jhb@, brooks@ and others for feedback to the old implementation! Sponsored by: iXsystems, Inc.
|
#
e2b36efd |
|
29-Jan-2010 |
Antoine Brodin <antoine@FreeBSD.org> |
MFC r201145 to stable/8: (S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument. Fix some wrong usages. Note: this does not affect generated binaries as this argument is not used. PR: 137213 Submitted by: Eygene Ryabinkin (initial version)
|
#
215940b3 |
|
26-Jan-2010 |
Xin LI <delphij@FreeBSD.org> |
Revised revision 199201 (add interface description capability as inspired by OpenBSD), based on comments from many, including rwatson, jhb, brooks and others. Sponsored by: iXsystems, Inc. MFC after: 1 month
|
#
3bcceea4 |
|
23-Jan-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r202468: Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control whether to use source address selection (default) or the primary jail address for unbound outgoing connections. This is intended to be used by people upgrading from single-IP jails to multi-IP jails but not having to change firewall rules, application ACLs, ... but to force their connections (unless otherwise changed) to the primry jail IP they had been used for years, as well as for people prefering to implement similar policies. Note that for IPv6, if configured incorrectly, this might lead to scope violations, which single-IPv6 jails could as well, as by the design of jails. [1] Reviewed by: jamie, hrs (ipv6 part) Pointed out by: hrs [1]
|
#
66cbfdf2 |
|
17-Jan-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r202116: Adjust a comment to reflect reality, as we have proper source address selection, even for IPv4, since r183571. Pointed out by: Jase Thew (bazerka beardz.net)
|
#
592bcae8 |
|
16-Jan-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control whether to use source address selection (default) or the primary jail address for unbound outgoing connections. This is intended to be used by people upgrading from single-IP jails to multi-IP jails but not having to change firewall rules, application ACLs, ... but to force their connections (unless otherwise changed) to the primry jail IP they had been used for years, as well as for people prefering to implement similar policies. Note that for IPv6, if configured incorrectly, this might lead to scope violations, which single-IPv6 jails could as well, as by the design of jails. [1] Reviewed by: jamie, hrs (ipv6 part) Pointed out by: hrs [1] MFC After: 2 weeks Asked for by: Jase Thew (bazerka beardz.net)
|
#
fe0518e9 |
|
11-Jan-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Change DDB show prison: - name some columns more closely to the user space variables, as we do for host.* or allow.* (in the listing) already. - print pr_childmax (children.max). - prefix hex values with 0x. MFC after: 3 weeks
|
#
bef916f9 |
|
11-Jan-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Adjust a comment to reflect reality, as we have proper source address selection, even for IPv4, since r183571. Pointed out by: Jase Thew (bazerka beardz.net) MFC after: 3 days
|
#
13e403fd |
|
28-Dec-2009 |
Antoine Brodin <antoine@FreeBSD.org> |
(S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument. Fix some wrong usages. Note: this does not affect generated binaries as this argument is not used. PR: 137213 Submitted by: Eygene Ryabinkin (initial version) MFC after: 1 month
|
#
950cde50 |
|
28-Dec-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r200473: Throughout the network stack we have a few places of if (jailed(cred)) left. If you are running with a vnet (virtual network stack) those will return true and defer you to classic IP-jails handling and thus things will be "denied" or returned with an error. Work around this problem by introducing another "jailed()" function, jailed_without_vnet(), that also takes vnets into account, and permits the calls, should the jail from the given cred have its own virtual network stack. We cannot change the classic jailed() call to do that, as it is used outside the network stack as well. Discussed with: julian, zec, jamie, rwatson (back in Sept)
|
#
de0bd6f7 |
|
13-Dec-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Throughout the network stack we have a few places of if (jailed(cred)) left. If you are running with a vnet (virtual network stack) those will return true and defer you to classic IP-jails handling and thus things will be "denied" or returned with an error. Work around this problem by introducing another "jailed()" function, jailed_without_vnet(), that also takes vnets into account, and permits the calls, should the jail from the given cred have its own virtual network stack. We cannot change the classic jailed() call to do that, as it is used outside the network stack as well. Discussed with: julian, zec, jamie, rwatson (back in Sept) MFC after: 5 days
|
#
1a9d4dda |
|
12-Nov-2009 |
Xin LI <delphij@FreeBSD.org> |
Revert revision 199201 for now as it has introduced a kernel vulnerability and requires more polishing.
|
#
41c8c6e8 |
|
11-Nov-2009 |
Xin LI <delphij@FreeBSD.org> |
Add interface description capability as inspired by OpenBSD. MFC after: 3 months
|
#
3c7562c7 |
|
08-Sep-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
MFC r196835: Allow a jail's name to be the same as its jid (which is the default if no name is specified), and let a numeric name specify the jid for a new jail when the jid isn't otherwise set. Still disallow other numeric names. Reviewed by: zec Approved by: re (kib), bz (mentor)
|
#
67784314 |
|
08-Sep-2009 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Revert previous commit and add myself to the list of people who should know better than to commit with a cat in the area.
|
#
b34421bf |
|
08-Sep-2009 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add necessary include.
|
#
babbbb9c |
|
04-Sep-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Allow a jail's name to be the same as its jid (which is the default if no name is specified), but still disallow other numeric names. Reviewed by: zec Approved by: bz (mentor) MFC after: 3 days
|
#
f37b0a3d |
|
31-Aug-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
MFC r196592: Fix a LOR between allprison_lock and vnode locks by releasing allprison_lock before releasing a prison's root vnode. PR: kern/138004 Reviewed by: kib Approved by: re (rwatson), bz (mentor)
|
#
61268392 |
|
28-Aug-2009 |
Marko Zec <zec@FreeBSD.org> |
MFC r196505: When "jail -c vnet" request fails, the current code actually creates and leaves behind an orphaned vnet. This change ensures that such vnets get released. This change affects only options VIMAGE builds. Submitted by: jamie Discussed with: bz Approved by: re (rwatson), julian (mentor) Approved by: re (rwatson)
|
#
c4884ffa |
|
27-Aug-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix a LOR between allprison_lock and vnode locks by releasing allprison_lock before releasing a prison's root vnode. PR: kern/138004 Reviewed by: kib Approved by: bz (mentor) MFC after: 3 days
|
#
0cb8b6a9 |
|
24-Aug-2009 |
Marko Zec <zec@FreeBSD.org> |
When "jail -c vnet" request fails, the current code actually creates and leaves behind an orphaned vnet. This change ensures that such vnets get released. This change affects only options VIMAGE builds. Submitted by: jamie Discussed with: bz Approved by: re (rwatson), julian (mentor) MFC after: 3 days
|
#
da2a30fc |
|
13-Aug-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r196176: Make it possible to change the vnet sysctl variables on jails with their own virtual network stack. Jails only inheriting a network stack cannot change anything that cannot be changed from within a prison. Reviewed by: rwatson, zec Approved by: re (kib)
|
#
eb79e1c7 |
|
13-Aug-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Make it possible to change the vnet sysctl variables on jails with their own virtual network stack. Jails only inheriting a network stack cannot change anything that cannot be changed from within a prison. Reviewed by: rwatson, zec Approved by: re (kib)
|
#
abff5b8a |
|
11-Aug-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r196135: Make the kernel compile without IP networking by moving a variable under a proper #ifdef. Approved by: re (rwatson)
|
#
57aea6df |
|
11-Aug-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Make the kernel compile without IP networking by moving a variable under a proper #ifdef. Approved by: re (rwatson)
|
#
530c0060 |
|
01-Aug-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes. Reviewed by: bz Approved by: re (vimage blanket)
|
#
42bebd82 |
|
31-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Make the "enforce_statfs" default 2 (most restrictive) in jail_set(2), instead of whatever the parent/system has (which is generally 0). This mirrors the old-style default used for jail(2) in conjunction with the security.jail.enforce_statfs sysctl. Approved by: re (kib), bz (mentor)
|
#
2b0d6f81 |
|
30-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove a LOR, where the the sleepable allprison_lock was being obtained in prison_equal_ip4/6 while an inp mutex was held. Locking allprison_lock can be avoided by making a restriction on the IP addresses associated with jails: Don't allow the "ip4" and "ip6" parameters to be changed after a jail is created. Setting the "ip4.addr" and "ip6.addr" parameters is allowed, but only if the jail was already created with either ip4/6=new or ip4/6=disable. With this restriction, the prison flags in question (PR_IP4_USER and PR_IP6_USER) become read-only and can be checked without locking. This also allows the simplification of a messy code path that was needed to handle an existing prison gaining an IP address list. PR: kern/136899 Reported by: Dirk Meyer Approved by: re (kib), bz (mentor)
|
#
bdfc8cc4 |
|
29-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't allow mixing the "vnet" and "ip4/6" jail parameters, since vnet jails have their own IP stack and don't have access to the parent IP addresses anyway. Note that a virtual network stack forms a break between prisons with regard to the list of allowed IP addresses. Approved by: re (kib), bz (mentor)
|
#
8986e3a0 |
|
29-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Change the default value of the "ip4" and "ip6" jail parameters to "disable", which only allows access to the parent/physical system's IP addresses when specifically directed. Change the default value of "host" to "new", and don't copy the parent host values, to insulate jails from the parent hostname et al. Approved by: re (kib), bz (mentor)
|
#
7cbf7213 |
|
25-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Some jail parameters (in particular, "ip4" and "ip6" for IP address restrictions) were found to be inadequately described by a boolean. Define a new parameter type with three values (disable, new, inherit) to handle these and future cases. Approved by: re (kib), bz (mentor) Discussed with: rwatson
|
#
7afcbc18 |
|
17-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove the interim vimage containers, struct vimage and struct procg, and the ioctl-based interface that supported them. Approved by: re (kib), bz (mentor)
|
#
499650a0 |
|
24-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Wrap a PR_VNET inside "#ifdef VIMAGE" since that the only place it applies. bz wants the blame for this. Noticed by: rwatson Approved by: bz (mentor)
|
#
6bb79563 |
|
24-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
In case of prisons with their own network stack, permit additional privileges as well as not restricting the type of sockets a user can open. Note: the VIMAGE/vnet fetaure of of jails is still considered experimental and cannot guarantee that privileged users can be kept imprisoned if enabled. Reviewed by: rwatson Approved by: bz (mentor)
|
#
b97457e2 |
|
23-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Add a limit for child jails via the "children.cur" and "children.max" parameters. This replaces the simple "allow.jails" permission. Approved by: bz (mentor)
|
#
679e1390 |
|
15-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Manage vnets via the jail system. If a jail is given the boolean parameter "vnet" when it is created, a new vnet instance will be created along with the jail. Networks interfaces can be moved between prisons with an ioctl similar to the one that moves them between vimages. For now vnets will co-exist under both jails and vimages, but soon struct vimage will be going away. Reviewed by: zec, julian Approved by: bz (mentor)
|
#
c1f19219 |
|
13-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Rename the host-related prison fields to be the same as the host.* parameters they represent, and the variables they replaced, instead of abbreviated versions of them. Approved by: bz (mentor)
|
#
7455b100 |
|
12-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Add counterparts to getcredhostname: getcreddomainname, getcredhostuuid, getcredhostid Suggested by: rmacklem Approved by: bz
|
#
e92e0574 |
|
09-Jun-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Fix some overflow errors: a signed allocation and an insufficiant array size. Reported by: pho Tested by: pho Approved by: bz (mentor)
|
#
bcf11e8d |
|
05-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include. Discussed with: pjd
|
#
76ca6f88 |
|
29-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Place hostnames and similar information fully under the prison system. The system hostname is now stored in prison0, and the global variable "hostname" has been removed, as has the hostname_mtx mutex. Jails may have their own host information, or they may inherit it from the parent/system. The proper way to read the hostname is via getcredhostname(), which will copy either the hostname associated with the passed cred, or the system hostname if you pass NULL. The system hostname can still be accessed directly (and without locking) at prison0.pr_host, but that should be avoided where possible. The "similar information" referred to is domainname, hostid, and hostuuid, which have also become prison parameters and had their associated global variables removed. Approved by: bz (mentor)
|
#
0304c731 |
|
27-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Add hierarchical jails. A jail may further virtualize its environment by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings. Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge(). Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call. Approved by: bz (mentor)
|
#
1e2a13e6 |
|
23-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Delay an error message until the variable it uses gets initialized. Found with: Coverity Prevent(tm) CID: 4316 Reported by: trasz Approved by: bz (mentor)
|
#
29b02909 |
|
08-May-2009 |
Marko Zec <zec@FreeBSD.org> |
Introduce a new virtualization container, provisionally named vprocg, to hold virtualized instances of hostname and domainname, as well as a new top-level virtualization struct vimage, which holds pointers to struct vnet and struct vprocg. Struct vprocg is likely to become replaced in the near future with a new jail management API import. As a consequence of this change, change struct ucred to point to a struct vimage, instead of directly pointing to a vnet. Merge vnet / vimage / ucred refcounting infrastructure from p4 / vimage branch. Permit kldload / kldunload operations to be executed only from the default vimage context. This change should have no functional impact on nooptions VIMAGE kernel builds. Reviewed by: bz Approved by: julian (mentor)
|
#
7ae27ff4 |
|
07-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Move the per-prison Linux MIB from a private one-off pointer to the new OSD-based jail extensions. This allows the Linux MIB to accessed via jail_set and jail_get, and serves as a demonstration of adding jail support to a module. Reviewed by: dchagin, kib Approved by: bz (mentor)
|
#
b38ff370 |
|
29-Apr-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Introduce the extensible jail framework, using the same "name=value" interface as nmount(2). Three new system calls are added: * jail_set, to create jails and change the parameters of existing jails. This replaces jail(2). * jail_get, to read the parameters of existing jails. This replaces the security.jail.list sysctl. * jail_remove to kill off a jail's processes and remove the jail. Most jail parameters may now be changed after creation, and jails may be set to exist without any attached processes. The current jail(2) system call still exists, though it is now a stub to jail_set(2). Approved by: bz (mentor)
|
#
af7bd9a4 |
|
29-Apr-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Some non-functional changes: whitespace, KASSERT strings, declaration order. Approved by: bz (mentor)
|
#
8571af59 |
|
27-Mar-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Whitespace/spelling fixes in advance of upcoming functional changes. Approved by: bz (mentor)
|
#
ca04ba64 |
|
05-Feb-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Don't allow creating a socket with a protocol family that the current jail doesn't support. This involves a new function prison_check_af, like prison_check_ip[46] but that checks only the family. With this change, most of the errors generated by jailed sockets shouldn't ever occur, at least until jails are changeable. Approved by: bz (mentor)
|
#
b89e82dd |
|
05-Feb-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Standardize the various prison_foo_ip[46] functions and prison_if to return zero on success and an error code otherwise. The possible errors are EADDRNOTAVAIL if an address being checked for doesn't match the prison, and EAFNOSUPPORT if the prison doesn't have any addresses in that address family. For most callers of these functions, use the returned error code instead of e.g. a hard-coded EADDRNOTAVAIL or EINVAL. Always include a jailed() check in these functions, where a non-jailed cred always returns success (and makes no changes). Remove the explicit jailed() checks that preceded many of the function calls. Approved by: bz (mentor)
|
#
f3b86a5f |
|
28-Jan-2009 |
Ed Schouten <ed@FreeBSD.org> |
Mark most often used sysctl's as MPSAFE. After running a `make buildkernel', I noticed most of the Giant locks in sysctl are only caused by a very small amount of sysctl's: - sysctl.name2oid. This one is locked by SYSCTL_LOCK, just like sysctl.oidfmt. - kern.ident, kern.osrelease, kern.version, etc. These are just constant strings. - kern.arandom, used by the stack protector. It is already protected by arc4_mtx. I also saw the following sysctl's show up. Not as often as the ones above, but still quite often: - security.jail.jailed. Also mark security.jail.list as MPSAFE. They don't need locking or already use allprison_lock. - kern.devname, used by devname(3), ttyname(3), etc. This seems to reduce Giant locking inside sysctl by ~75% in my primitive test setup.
|
#
1cecba0f |
|
25-Jan-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
For consistency with prison_{local,remote,check}_ipN rename prison_getipN to prison_get_ipN. Submitted by: jamie (as part of a larger patch) MFC after: 1 week
|
#
eb761565 |
|
03-Jan-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Back out r186615; the sanitizing of the pointers in the error case is not needed and seems that it will not be needed either. Pointy hat: mine, mine, mine and not pho's
|
#
1d347f06 |
|
30-Dec-2008 |
Peter Holm <pho@FreeBSD.org> |
Added missing second part of cleaning j->ip[46] as requested by bz Approved by: kib (mentor) Pointy hat: pho
|
#
bc971b2c |
|
30-Dec-2008 |
Peter Holm <pho@FreeBSD.org> |
Make sure that unused j->ip[46] are cleared Reviewed by: bz Approved by: kib (mentor)
|
#
0f1fe22d |
|
10-Dec-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Correctly check the number of prison states to not access anything outside the prison_states array. When checking if there is a name configured for the prison, check the first character to not be '\0' instead of checking if the char array is present, which it always is. Note, that this is different for the *jailname in the syscall. Found with: Coverity Prevent(tm) CID: 4156, 4155 MFC after: 4 weeks (just that I get the mail)
|
#
d465a41d |
|
29-Nov-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Unbreak the no-networks (no INET/6) build that I broke with the commit in r185435. Pointyhat: no, but I could need a ski cap for the winter
|
#
413628a7 |
|
29-Nov-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFp4: Bring in updated jail support from bz_jail branch. This enhances the current jail implementation to permit multiple addresses per jail. In addtion to IPv4, IPv6 is supported as well. Due to updated checks it is even possible to have jails without an IP address at all, which basically gives one a chroot with restricted process view, no networking,.. SCTP support was updated and supports IPv6 in jails as well. Cpuset support permits jails to be bound to specific processor sets after creation. Jails can have an unrestricted (no duplicate protection, etc.) name in addition to the hostname. The jail name cannot be changed from within a jail and is considered to be used for management purposes or as audit-token in the future. DDB 'show jails' command was added to aid debugging. Proper compat support permits 32bit jail binaries to be used on 64bit systems to manage jails. Also backward compatibility was preserved where possible: for jail v1 syscalls, as well as with user space management utilities. Both jail as well as prison version were updated for the new features. A gap was intentionally left as the intermediate versions had been used by various patches floating around the last years. Bump __FreeBSD_version for the afore mentioned and in kernel changes. Special thanks to: - Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches and Olivier Houchard (cognet) for initial single-IPv6 patches. - Jeff Roberson (jeff) and Randall Stewart (rrs) for their help, ideas and review on cpuset and SCTP support. - Robert Watson (rwatson) for lots and lots of help, discussions, suggestions and review of most of the patch at various stages. - John Baldwin (jhb) for his help. - Simon L. Nielsen (simon) as early adopter testing changes on cluster machines as well as all the testers and people who provided feedback the last months on freebsd-jail and other channels. - My employer, CK Software GmbH, for the support so I could work on this. Reviewed by: (see above) MFC after: 3 months (this is just so that I get the mail) X-MFC Before: 7.2-RELEASE if possible
|
#
b9f0b66c |
|
28-Nov-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
With the permissions of phk@ change the license on kern_jail.c to a 2 clause BSD license.
|
#
1ba4a712 |
|
17-Nov-2008 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Update ZFS from version 6 to 13 and bring some FreeBSD-specific changes. This bring huge amount of changes, I'll enumerate only user-visible changes: - Delegated Administration Allows regular users to perform ZFS operations, like file system creation, snapshot creation, etc. - L2ARC Level 2 cache for ZFS - allows to use additional disks for cache. Huge performance improvements mostly for random read of mostly static content. - slog Allow to use additional disks for ZFS Intent Log to speed up operations like fsync(2). - vfs.zfs.super_owner Allows regular users to perform privileged operations on files stored on ZFS file systems owned by him. Very careful with this one. - chflags(2) Not all the flags are supported. This still needs work. - ZFSBoot Support to boot off of ZFS pool. Not finished, AFAIK. Submitted by: dfr - Snapshot properties - New failure modes Before if write requested failed, system paniced. Now one can select from one of three failure modes: - panic - panic on write error - wait - wait for disk to reappear - continue - serve read requests if possible, block write requests - Refquota, refreservation properties Just quota and reservation properties, but don't count space consumed by children file systems, clones and snapshots. - Sparse volumes ZVOLs that don't reserve space in the pool. - External attributes Compatible with extattr(2). - NFSv4-ACLs Not sure about the status, might not be complete yet. Submitted by: trasz - Creation-time properties - Regression tests for zpool(8) command. Obtained from: OpenSolaris
|
#
1ede983c |
|
23-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the MALLOC and FREE macros. They are an abomination unto style(9). MFC after: 3 months
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
8b615593 |
|
02-Oct-2008 |
Marko Zec <zec@FreeBSD.org> |
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
603724d3 |
|
17-Aug-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
|
#
45e48455 |
|
07-Jul-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFp4 144659: Plug a memory leak with jail services. PR: 125257 Submitted by: Mateusz Guzik <mjguzik gmail.com> MFC after: 6 days
|
#
4f7d1876 |
|
05-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce a new lock, hostname_mtx, and use it to synchronize access to global hostname and domainname variables. Where necessary, copy to or from a stack-local buffer before performing copyin() or copyout(). A few uses, such as in cd9660 and daemon_saver, remain under-synchronized and will require further updates. Correct a bug in which a failed copyin() of domainname would leave domainname potentially corrupted. MFC after: 3 weeks
|
#
2110d913 |
|
19-Jun-2008 |
Xin LI <delphij@FreeBSD.org> |
Revert rev. 178124 as requested by kris@. Having jail id not being reused too frequently is useful for script controlled environment.
|
#
31c50f53 |
|
11-Apr-2008 |
Xin LI <delphij@FreeBSD.org> |
Instead of rolling our own jail number allocation procedure, use alloc_unr() to do it. Submitted by: Ed Schouten <ed 80386 nl> PR: kern/122270 MFC after: 1 month
|
#
57b4252e |
|
30-Mar-2008 |
Konstantin Belousov <kib@FreeBSD.org> |
Add the support for the AT_FDCWD and fd-relative name lookups to the namei(9). Based on the submission by rdivacky, sponsored by Google Summer of Code 2007 Reviewed by: rwatson, rdivacky Tested by: pho
|
#
79ba3952 |
|
24-Jan-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Replace the last susers calls in netinet6/ with privilege checks. Introduce a new privilege allowing to set certain IP header options (hop-by-hop, routing headers). Leave a few comments to be addressed later. Reviewed by: rwatson (older version, before addressing his comments)
|
#
22db15c0 |
|
13-Jan-2008 |
Attilio Rao <attilio@FreeBSD.org> |
VOP_LOCK1() (and so VOP_LOCK()) and VOP_UNLOCK() are only used in conjuction with 'thread' argument passing which is always curthread. Remove the unuseful extra-argument and pass explicitly curthread to lower layer functions, when necessary. KPI results broken by this change, which should affect several ports, so version bumping and manpage update will be further committed. Tested by: kris, pho, Diego Sardina <siarodx at gmail dot com>
|
#
cb05b60a |
|
09-Jan-2008 |
Attilio Rao <attilio@FreeBSD.org> |
vn_lock() is currently only used with the 'curthread' passed as argument. Remove this argument and pass curthread directly to underlying VOP_LOCK1() VFS method. This modify makes the code cleaner and in particular remove an annoying dependence helping next lockmgr() cleanup. KPI results, obviously, changed. Manpage and FreeBSD_version will be updated through further commits. As a side note, would be valuable to say that next commits will address a similar cleanup about VFS methods, in particular vop_lock1 and vop_unlock. Tested by: Diego Sardina <siarodx at gmail dot com>, Andrea Di Pasquale <whyx dot it at gmail dot com>
|
#
30d239bc |
|
24-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
e41966dc |
|
21-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Add PRIV_VFS_STAT privilege, which will allow overriding policy limits on the right to stat() a file, such as in mac_bsdextended. Obtained from: TrustedBSD Project MFC after: 3 months
|
#
24b0502e |
|
13-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Fix jails and jail-friendly file systems handling: - We need to allow for PRIV_VFS_MOUNT_OWNER inside a jail. - Move security checks to vfs_suser() and deny unmounting and updating for jailed root from different jails, etc. OK'ed by: rwatson
|
#
4b084056 |
|
10-Apr-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Allow PRIV_NETINET_REUSEPORT in jail.
|
#
c2cda609 |
|
08-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
prison_free() can be called with a mutex held. This wasn't a problem until I converted allprison_mtx mutex to allprison_lock sx lock. To fix this LOR, move prison removal to prison_complete() entirely. To ensure that noone will reference this prison before it's beeing removed from the list skip prisons with 'pr_ref == 0' in prison_find() and assert that pr_ref has to greater than 0 in prison_hold(). Reported by: kris OK'ed by: rwatson
|
#
b63b0c65 |
|
08-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Only use prison mutex to protect the fields that need to be protected by it.
|
#
264de85e |
|
07-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
pr_list is protected by the allprison_lock.
|
#
dc68a633 |
|
05-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Implement functionality I called 'jail services'. It may be used for external modules to attach some data to jail's in-kernel structure. - Change allprison_mtx mutex to allprison_sx sx(9) lock. We will need to call external functions while holding this lock, which may want to allocate memory. Make use of the fact that this is shared-exclusive lock and use shared version when possible. - Implement the following functions: prison_service_register() - registers a service that wants to be noticed when a jail is created and destroyed prison_service_deregister() - deregisters service prison_service_data_add() - adds service-specific data to the jail structure prison_service_data_get() - takes service-specific data from the jail structure prison_service_data_del() - removes service-specific data from the jail structure Reviewed by: rwatson
|
#
54b369c1 |
|
05-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Make prison_find() globally accessible.
|
#
f3a8d2f9 |
|
05-Apr-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Add security.jail.mount_allowed sysctl, which allows to mount and unmount jail-friendly file systems from within a jail. Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user. It is turned off by default. A jail-friendly file system is a file system which driver registers itself with VFCF_JAIL flag via VFS_SET(9) API. The lsvfs(1) command can be used to see which file systems are jail-friendly ones. There currently no jail-friendly file systems, ZFS will be the first one. In the future we may consider marking file systems like nullfs as jail-friendly. Reviewed by: rwatson
|
#
2709e890 |
|
08-Mar-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Minor simplification.
|
#
9e5dcf7b |
|
07-Mar-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
White space nits.
|
#
0c14ff0e |
|
04-Mar-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove 'MPSAFE' annotations from the comments above most system calls: all system calls now enter without Giant held, and then in some cases, acquire Giant explicitly. Remove a number of other MPSAFE annotations in the credential code and tweak one or two other adjacent comments.
|
#
bb531912 |
|
01-Mar-2007 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Rename PRIV_VFS_CLEARSUGID to PRIV_VFS_RETAINSUGID, which seems to better describe the privilege. OK'ed by: rwatson
|
#
95420afe |
|
19-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove unused PRIV_IPC_EXEC. Renumbers System V IPC privilege.
|
#
95b091d2 |
|
19-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Rename three quota privileges from the UFS privilege namespace to the VFS privilege namespace: exceedquota, getquota, and setquota. Leave UFS-specific quota configuration privileges in the UFS name space. This renumbers VFS and UFS privileges, so requires rebuilding modules if you are using security policies aware of privilege identifiers. This is likely no one at this point since none of the committed MAC policies use the privilege checks.
|
#
e82d0201 |
|
19-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Limit quota privileges in jail to PRIV_UFS_GETQUOTA and PRIV_UFS_SETQUOTA.
|
#
c3c1b5e6 |
|
19-Feb-2007 |
Robert Watson <rwatson@FreeBSD.org> |
For now, reflect practical reality that Audit system calls aren't allowed in Jail: return a privilege error.
|
#
800c9408 |
|
06-Nov-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new priv(9) kernel interface for checking the availability of privilege for threads and credentials. Unlike the existing suser(9) interface, priv(9) exposes a named privilege identifier to the privilege checking code, allowing more complex policies regarding the granting of privilege to be expressed. Two interfaces are provided, replacing the existing suser(9) interface: suser(td) -> priv_check(td, priv) suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags) A comprehensive list of currently available kernel privileges may be found in priv.h. New privileges are easily added as required, but the comments on adding privileges found in priv.h and priv(9) should be read before doing so. The new privilege interface exposed sufficient information to the privilege checking routine that it will now be possible for jail to determine whether a particular privilege is granted in the check routine, rather than relying on hints from the calling context via the SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail check function, prison_priv_check(), is exposed from kern_jail.c and used by the privilege check routine to determine if the privilege is permitted in jail. As a result, a centralized list of privileges permitted in jail is now present in kern_jail.c. The MAC Framework is now also able to instrument privilege checks, both to deny privileges otherwise granted (mac_priv_check()), and to grant privileges otherwise denied (mac_priv_grant()), permitting MAC Policy modules to implement privilege models, as well as control a much broader range of system behavior in order to constrain processes running with root privilege. The suser() and suser_cred() functions remain implemented, now in terms of priv_check() and the PRIV_ROOT privilege, for use during the transition and possibly continuing use by third party kernel modules that have not been updated. The PRIV_DRIVER privilege exists to allow device drivers to check privilege without adopting a more specific privilege identifier. This change does not modify the actual security policy, rather, it modifies the interface for privilege checks so changes to the security policy become more feasible. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
aed55708 |
|
22-Oct-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead. This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd. Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
5702e096 |
|
17-Sep-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Declare security and security.bsd sysctl hierarchies in sysctl.h along with other commonly used sysctl name spaces, rather than declaring them all over the place. MFC after: 1 month Sponsored by: nCircle Network Security, Inc.
|
#
453f7d53 |
|
27-Sep-2005 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Push Giant down in jails. Pass the MPSAFE flag to NDINIT, and keep track of whether or not Giant was picked up by the filesystem. Add VFS_LOCK_GIANT macros around vrele as it's possible that this can call in the VOP_INACTIVE filesystem specific code. Also while we are here, remove the Giant assertion. from the sysctl handler, we do not actually require Giant here so we shouldn't assert it. Doing so will just complicate things when Giant is removed from the sysctl framework.
|
#
06a13778 |
|
23-Jun-2005 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Actually only protect mount-point if security.jail.enforce_statfs is set to 2. If we don't return statistics about requested file systems, system tools may not work correctly or at all. Approved by: re (scottl)
|
#
820a0de9 |
|
09-Jun-2005 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Rename sysctl security.jail.getfsstatroot_only to security.jail.enforce_statfs and extend its functionality: value policy 0 show all mount-points without any restrictions 1 show only mount-points below jail's chroot and show only part of the mount-point's path (if jail's chroot directory is /jails/foo and mount-point is /jails/foo/usr/home only /usr/home will be shown) 2 show only mount-point where jail's chroot directory is placed. Default value is 2. Discussed with: rwatson
|
#
22fdc83f |
|
05-Apr-2005 |
Jeff Roberson <jeff@FreeBSD.org> |
- Use taskqueue_thread rather than taskqueue_swi since our task is going to vrele, which may vop lock. This is not safe in a software interrupt context.
|
#
2945387f |
|
31-Mar-2005 |
John Baldwin <jhb@FreeBSD.org> |
Drop a bogus mp_fixme(). Adding a lock would do nothing to reduce userland races regarding changing of jail-related sysctls.
|
#
79653046 |
|
08-Feb-2005 |
Colin Percival <cperciva@FreeBSD.org> |
Add a new sysctl, "security.jail.chflags_allowed", which controls the behaviour of chflags within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user. This is necessary to allow "make installworld" to work inside a jail, since it attempts to manipulate the system immutable flag on certain files. Discussed with: csjp, rwatson MFC after: 2 weeks
|
#
9454b2d8 |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for copyright notices, minor format tweaks as necessary
|
#
46e3b1cb |
|
27-Jun-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Add two missing includes and remove two uneeded. This is quite serious fix, because even with MAC framework compiled in, MAC entry points in those two files were simply ignored.
|
#
2ff8a349 |
|
19-May-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Fix sysctl name: security.jail.getfsstate_getfsstatroot_only -> security.jail.getfsstatroot_only. Approved by: rwatson
|
#
5a59cefc |
|
26-Apr-2004 |
Bosko Milekic <bmilekic@FreeBSD.org> |
Give jail(8) the feature to allow raw sockets from within a jail, which is less restrictive but allows for more flexible jail usage (for those who are willing to make the sacrifice). The default is off, but allowing raw sockets within jails can now be accomplished by tuning security.jail.allow_raw_sockets to 1. Turning this on will allow you to use things like ping(8) or traceroute(8) from within a jail. The patch being committed is not identical to the patch in the PR. The committed version is more friendly to APIs which pjd is working on, so it should integrate into his work quite nicely. This change has also been presented and addressed on the freebsd-hackers mailing list. Submitted by: Christian S.J. Peron <maneo@bsdpro.com> PR: kern/65800
|
#
7f4704c0 |
|
14-Mar-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Remove sysctl security.jail.list_allowed. This functionality was a misfeature, sysctl was added and turned off by default just to check if nobody complains. Reviewed by: rwatson
|
#
57f22bd4 |
|
19-Feb-2004 |
Jacques Vidrine <nectar@FreeBSD.org> |
Rework jail_attach(2) so that an already jailed process cannot hop to another jail. Submitted by: rwatson
|
#
461167c2 |
|
19-Feb-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Added sysctl security.jail.jailed. It returns 1 is process is inside of jail and 0 if it is not. Information if we are in jail or not is not a secret, there is plenty of ways to discover it. Many people are using own hack to check this and this will be a legal way from now on. It will be great if our starting scripts will take advantage of this sysctl to allow clean "boot" inside jail. Approved by: rwatson, scottl (mentor)
|
#
679a1060 |
|
14-Feb-2004 |
Robert Watson <rwatson@FreeBSD.org> |
By default, don't allow processes in a jail to list the set of jails in the system. Previous behavior (allowed) may be restored by setting security.jail.list_allowed=1.
|
#
7e440242 |
|
14-Feb-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Fix mismerge in last commit: check that cred->cr_prison is NULL before dereferencing the prison pointer.
|
#
f08df373 |
|
14-Feb-2004 |
Robert Watson <rwatson@FreeBSD.org> |
By default, when a process in jail calls getfsstat(), only return the data for the file system on which the jail's root vnode is located. Previous behavior (show data for all mountpoints) can be restored by setting security.jail.getfsstatroot_only to 0. Note: this also has the effect of hiding other mounts inside a jail, such as /dev, /tmp, and /proc, but errs on the side of leaking less information.
|
#
b3059e09 |
|
23-Jan-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Defer the vrele() on a jail's root vnode reference from prison_free() to a new prison_complete() task run by a task queue. This removes a requirement for grabbing Giant in crfree(). Embed the 'struct task' in 'struct prison' so that we don't have to allocate memory from prison_free() (which means we also defer the FREE()). With this change, I believe grabbing Giant from crfree() can now be removed, but need to check the uidinfo code paths. To avoid header pollution, move the definition of 'struct task' to _task.h, and recursively include from taskqueue.h and jail.h; much preferably to all files including jail.h picking up a requirement to include taskqueue.h. Bumped into by: sam Reviewed by: bde, tjr
|
#
677b542e |
|
10-Jun-2003 |
David E. O'Brien <obrien@FreeBSD.org> |
Use __FBSDID().
|
#
9ddb7954 |
|
28-Apr-2003 |
Mike Barcroft <mike@FreeBSD.org> |
style(9)
|
#
69c4ee54 |
|
17-Apr-2003 |
John Baldwin <jhb@FreeBSD.org> |
- The prison mutex cannot possibly protect pointers to the prison it protects, so don't bother locking it while we assign it to a ucred's cr_prison. - Fully construct the new credential for a process before assigning it to p_ucred.
|
#
fd7a8150 |
|
08-Apr-2003 |
Mike Barcroft <mike@FreeBSD.org> |
o In struct prison, add an allprison linked list of prisons (protected by allprison_mtx), a unique prison/jail identifier field, two path fields (pr_path for reporting and pr_root vnode instance) to store the chroot() point of each jail. o Add jail_attach(2) to allow a process to bind to an existing jail. o Add change_root() to perform the chroot operation on a specified vnode. o Generalize change_dir() to accept a vnode, and move namei() calls to callers of change_dir(). o Add a new sysctl (security.jail.list) which is a group of struct xprison instances that represent a snapshot of active jails. Reviewed by: rwatson, tjr
|
#
a163d034 |
|
18-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB. Approved by: trb
|
#
44956c98 |
|
21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
894db7b0 |
|
20-Dec-2002 |
Maxime Henrion <mux@FreeBSD.org> |
Don't forget to destroy the mutex if an error occurs in the jail() system call. Submitted by: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
|
#
b80521fe |
|
13-Dec-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
remove syscallarg(). Suggested by: peter
|
#
e80fb434 |
|
17-Oct-2002 |
Robert Drehmel <robert@FreeBSD.org> |
Use strlcpy() instead of strncpy() to copy NUL terminated strings for safety and consistency.
|
#
f2f2285a |
|
01-Jul-2002 |
Ian Dowse <iedowse@FreeBSD.org> |
The jail syscall calls chroot, which is not mpsafe, so put back a mtx_lock(&Giant) around that call. Reviewed by: arr
|
#
4e77f680 |
|
25-Jun-2002 |
Andrew R. Reiter <arr@FreeBSD.org> |
- Alleviate jail() from having the burden of acquiring Giant by simply removing. We can do this since we no longer need Giant to safely execute jail(). Reviewed by: rwatson, jhb
|
#
6008862b |
|
04-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Change callers of mtx_init() to pass in an appropriate lock type name. In most cases NULL is passed, but in some cases such as network driver locks (which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used. Tested on: i386, alpha, sparc64
|
#
44731cab |
|
01-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag. Discussed on: smp@
|
#
ad1ff099 |
|
27-Feb-2002 |
Robert Drehmel <robert@FreeBSD.org> |
Make getcredhostname() take a buffer and the buffer's size as arguments. The correct hostname is copied into the buffer while having the prison's lock acquired in a jailed process' case. Reviewed by: jhb, rwatson
|
#
9484d0c0 |
|
27-Feb-2002 |
Robert Drehmel <robert@FreeBSD.org> |
Add a function which returns the correct hostname for a given credential. Reviewed by: phk
|
#
d0615c64 |
|
15-Jan-2002 |
Andrew R. Reiter <arr@FreeBSD.org> |
- Attempt to help declutter kern. sysctl by moving security out from beneath it. Reviewed by: rwatson
|
#
83aee5a8 |
|
11-Dec-2001 |
Andrew R. Reiter <arr@FreeBSD.org> |
- Move _jail sysctl node underneath _kern_security in order to standardize where our security related sysctl tuneables are located. Also, this will help if/when we move _security node out from under _kern as to help make _kern less cluttered. Approved by: rwatson Review by: rwatson
|
#
01137630 |
|
03-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce pr_mtx into struct prison, providing protection for the mutable contents of struct prison (hostname, securelevel, refcount, pr_linux, ...) o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/ so as to enforce these protections, in particular, in kern_mib.c protection sysctl access to the hostname and securelevel, as well as kern_prot.c access to the securelevel for access control purposes. o Rewrite linux emulator abstractions for accessing per-jail linux mib entries (osname, osrelease, osversion) so that they don't return a pointer to the text in the struct linux_prison, rather, a copy to an array passed into the calls. Likewise, update linprocfs to use these primitives. o Update in_pcb.c to always use prison_getip() rather than directly accessing struct prison. Reviewed by: jhb
|
#
fc5d29ef |
|
01-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Move suser() calls in kern/ to using suser_xxx() with an explicit credential selection, rather than reference via a thread or process pointer. This is part of a gradual migration to suser() accepting a struct ucred instead of a struct proc, simplifying the reference and locking semantics of suser(). Obtained from: TrustedBSD Project
|
#
a2f2b3af |
|
11-Oct-2001 |
John Baldwin <jhb@FreeBSD.org> |
- Catch up to the new ucred API. - Add proc locking to the jail() syscall. This mostly involved shuffling a few things around so that blockable things like malloc and copyin were performed before acquiring the lock and checking the existing ucred and then updating the ucred as one "atomic" change under the proc lock.
|
#
567931c8 |
|
26-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Initialize per-jail securelevel from global securelevel as part of jail creation. Obtained from: TrustedBSD Project
|
#
b40ce416 |
|
12-Sep-2001 |
Julian Elischer <julian@FreeBSD.org> |
KSE Milestone 2 Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to teh previousl -current except that there is a thread associated with each process. Sorry john! (your next MFC will be a doosie!) Reviewed by: peter@freebsd.org, dillon@freebsd.org X-MFC after: ha ha ha ha
|
#
116734c4 |
|
31-Aug-2001 |
Matthew Dillon <dillon@FreeBSD.org> |
Pushdown Giant for acct(), kqueue(), kevent(), execve(), fork(), vfork(), rfork(), jail().
|
#
fd6aaf7f |
|
03-Aug-2001 |
Robert Watson <rwatson@FreeBSD.org> |
Anton kindly pointed out (and fixed) a bug in the Jail handling of the bind() call on IPv4 sockets: Currently, if one tries to bind a socket using INADDR_LOOPBACK inside a jail, it will fail because prison_ip() does not take this possibility into account. On the other hand, when one tries to connect(), for example, to localhost, prison_remote_ip() will silently convert INADDR_LOOPBACK to the jail's IP address. Therefore, it is desirable to make bind() to do this implicit conversion as well. Apart from this, the patch also replaces 0x7f000001 in prison_remote_ip() to a more correct INADDR_LOOPBACK. This is a 4.4-RELEASE "during the freeze, thanks" MFC candidate. Submitted by: Anton Berezin <tobez@FreeBSD.org> Discussed with at some point: phk MFC after: 3 days
|
#
91421ba2 |
|
20-Feb-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Move per-process jail pointer (p->pr_prison) to inside of the subject credential structure, ucred (cr->cr_prison). o Allow jail inheritence to be a function of credential inheritence. o Abstract prison structure reference counting behind pr_hold() and pr_free(), invoked by the similarly named credential reference management functions, removing this code from per-ABI fork/exit code. o Modify various jail() functions to use struct ucred arguments instead of struct proc arguments. o Introduce jailed() function to determine if a credential is jailed, rather than directly checking pointers all over the place. o Convert PRISON_CHECK() macro to prison_check() function. o Move jail() function prototypes to jail.h. o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the flag in the process flags field itself. o Eliminate that "const" qualifier from suser/p_can/etc to reflect mutex use. Notes: o Some further cleanup of the linux/jail code is still required. o It's now possible to consider resolving some of the process vs credential based permission checking confusion in the socket code. o Mutex protection of struct prison is still not present, and is required to protect the reference count plus some fields in the structure. Reviewed by: freebsd-arch Obtained from: TrustedBSD Project
|
#
7cc0979f |
|
08-Dec-2000 |
David Malone <dwmalone@FreeBSD.org> |
Convert more malloc+bzero to malloc+M_ZERO. Submitted by: josh@zipperup.org Submitted by: Robert Drehmel <robd@gmx.net>
|
#
cb1f0db9 |
|
30-Oct-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Deny access to System V IPC from within jail by default, as in the current implementation, jail neither virtualizes the Sys V IPC namespace, nor provides inter-jail protections on IPC objects. o Support for System V IPC can be enabled by setting jail.sysvipc_allowed=1 using sysctl. o This is not the "real fix" which involves virtualizing the System V IPC namespace, but prevents processes within jail from influencing those outside of jail when not approved by the administrator. Reported by: Paulo Fragoso <paulo@nlink.com.br>
|
#
7cadc266 |
|
03-Jun-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Modify jail to limit creation of sockets to UNIX domain sockets, TCP/IP (v4) sockets, and routing sockets. Previously, interaction with IPv6 was not well-defined, and might be inappropriate for some environments. Similarly, sysctl MIB entries providing interface information also give out only addresses from those protocol domains. For the time being, this functionality is enabled by default, and toggleable using the sysctl variable jail.socket_unixiproute_only. In the future, protocol domains will be able to determine whether or not they are ``jail aware''. o Further limitations on process use of getpriority() and setpriority() by jailed processes. Addresses problem described in kern/17878. Reviewed by: phk, jmg
|
#
83f1e257 |
|
12-Feb-2000 |
Robert Watson <rwatson@FreeBSD.org> |
Yet-another-update: rename ``kern.prison'' to a new sysctl root entry, ``jail'', and move the set_hostname_allowed sysctl there, as well as fixing a bug in the sysctl that resulted in jails being over-limited (preventing them from reading as well as writing the hostname). Also, correct some formatting issues, courtesy bde :-). Reviewed by: phk Approved by: jkh
|
#
978f8d93 |
|
19-Sep-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add a version number field to the jail(2) argument so that future changes can be handled intelligently.
|
#
c3aac50f |
|
27-Aug-1999 |
Peter Wemm <peter@FreeBSD.org> |
$Id$ -> $FreeBSD$
|
#
07901f22 |
|
30-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Add beer-ware license and $Id$ Noticed by: dillon
|
#
430210c0 |
|
30-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Make BOOTP to work again. Submitted by: dillon Reviewed by: phk
|
#
75c13541 |
|
28-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
This Implements the mumbled about "Jail" feature. This is a seriously beefed up chroot kind of thing. The process is jailed along the same lines as a chroot does it, but with additional tough restrictions imposed on what the superuser can do. For all I know, it is safe to hand over the root bit inside a prison to the customer living in that prison, this is what it was developed for in fact: "real virtual servers". Each prison has an ip number associated with it, which all IP communications will be coerced to use and each prison has its own hostname. Needless to say, you need more RAM this way, but the advantage is that each customer can run their own particular version of apache and not stomp on the toes of their neighbors. It generally does what one would expect, but setting up a jail still takes a little knowledge. A few notes: I have no scripts for setting up a jail, don't ask me for them. The IP number should be an alias on one of the interfaces. mount a /proc in each jail, it will make ps more useable. /proc/<pid>/status tells the hostname of the prison for jailed processes. Quotas are only sensible if you have a mountpoint per prison. There are no privisions for stopping resource-hogging. Some "#ifdef INET" and similar may be missing (send patches!) If somebody wants to take it from here and develop it into more of a "virtual machine" they should be most welcome! Tools, comments, patches & documentation most welcome. Have fun... Sponsored by: http://www.rndassociates.com/ Run for almost a year by: http://www.servetheweb.com/
|