From owner-freebsd-bugs@FreeBSD.ORG  Mon Apr 27 19:10:01 2009
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6A1281065670
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 27 Apr 2009 19:10:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 44A778FC12
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 27 Apr 2009 19:10:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n3RJA10D052106
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 27 Apr 2009 19:10:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n3RJA11t052105;
	Mon, 27 Apr 2009 19:10:01 GMT (envelope-from gnats)
Resent-Date: Mon, 27 Apr 2009 19:10:01 GMT
Resent-Message-Id: <200904271910.n3RJA11t052105@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Miroslav Lachman <000.fbsd@quip.cz>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 703B5106564A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 27 Apr 2009 19:02:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5DE9A8FC19
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 27 Apr 2009 19:02:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n3RJ2942024523
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 Apr 2009 19:02:09 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n3RJ29at024522;
	Mon, 27 Apr 2009 19:02:09 GMT (envelope-from nobody)
Message-Id: <200904271902.n3RJ29at024522@www.freebsd.org>
Date: Mon, 27 Apr 2009 19:02:09 GMT
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/134050: cpuset allows change of the jail's set from inside the
	jail
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2009 19:10:01 -0000


>Number:         134050
>Category:       kern
>Synopsis:       cpuset allows change of the jail's set from inside the jail
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 27 19:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Miroslav Lachman
>Release:        FreeBSD 7.2-RC1 i386 GENERIC
>Organization:
codeLab.cz
>Environment:
7.2-RC1 FreeBSD 7.2-RC1 #0: Wed Apr 15 20:34:10 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If some jail is bound to specified core(s) by cpuset command (by root user of the host system), this can be changed from inside the jail (by root user inside the jail).


>How-To-Repeat:
Start the jail on multi-core machine and set it to run on one CPU core:

root@host# cpuset -l 0 -j 1

Now login to the jail as root and run cpuset command

root@injail# cpuset -l 0,1 -j 1

The jail is running on two cores

root@host# cpuset -g -j 1
jail 1 mask: 0, 1
>Fix:
Bjoern A. Zeeb posted attached patch which works for me.

http://lists.freebsd.org/pipermail/freebsd-jail/2009-April/000833.html

root@72-rc1 ~/# jls
   JID  IP Address      Hostname                      Path
     1                  alpha.test                    /usr/jail/alpha

root@72-rc1 ~/# jexec 1 tcsh

root@alpha //# cpuset -l 0 -j 1
cpuset: setaffinity: Operation not permitted

root@alpha //# cpuset -l 0 -r -j 1
cpuset: setaffinity: Operation not permitted 

Patch attached with submission follows:

Index: sys/kern/kern_cpuset.c
===================================================================
--- sys/kern/kern_cpuset.c	(revision 190341)
+++ sys/kern/kern_cpuset.c	(working copy)
@@ -357,6 +357,15 @@
 	if (error)
 		return (error);
 	/*
+	 * In case we are called from within the jail
+	 * we do not allow modifying the dedicated root
+	 * cpuset of the jail but may still allow to
+	 * change child sets.
+	 */
+	if (jailed(curthread->td_ucred) &&
+	    set->cs_flags & CPU_SET_ROOT)
+		return (EPERM);
+	/*
 	 * Verify that we have access to this set of
 	 * cpus.
 	 */


>Release-Note:
>Audit-Trail:
>Unformatted: