Date:      Thu, 16 Aug 2018 12:58:49 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net>
To:        James Gritton <jamie@freebsd.org>
Cc:        rgrimes@freebsd.org, src-committers@freebsd.org, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r337925 - in head: lib/libc/sys sys/compat/freebsd32 sys/kern sys/sys
Message-ID:  <201808161958.w7GJwnpl055610@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <4ff9cbb56df7a7467f0a66746fe0af5e@freebsd.org>

> On 2018-08-16 13:36, Rodney W. Grimes wrote:
> >> OK, so noted.  But seeing as I've already done the partial in this 
> >> case,
> >> what's best to do now?  Should I add another commit to revert the 
> >> so-far
> >> unreverted files?
> > 
> > That's a mixed bag, how many files is it, and what would the
> > commit message before for them?
                   be for them?

> > 
> > Usually these are separable changes that should not have been combined
> > with the original commit.
> 
> There are five files I didn't revert: two man pages, and two code files 
> with a changed comment.  The changes being the docs up to date, with or 
                                       bring?
> without the other deprecation changes, so at this point they're correct 
> whether they're changed or not.
> 
> The commit message would be something like:
> 
>    Revert the remainder of r337922 that I didn't revert in r337925, until 
> such point as I re-commit the whole thing.

I was more asking for what would the commit for these two man pages
and two code files look like?

It sounds like these are standalone changes that should have probably
been done in their own commit anyway?  Or are they somehow integral
to r337922?

I guess just leave it be for now, and try to avoid
these types of situations in the future.

> >> - Jamie
> >> 
> >> 
> >> On 2018-08-16 13:27, Rodney W. Grimes wrote:
> >> >> Author: jamie
> >> >> Date: Thu Aug 16 19:09:43 2018
> >> >> New Revision: 337925
> >> >> URL: https://svnweb.freebsd.org/changeset/base/337925
> >> >>
> >> >> Log:
> >> >>   Revert r337922, except for some documentation-only bits.  This needs
> >> >> to wait
> >> >>   until user is changed to stop using jail(2).
> >> >
> >> > Can we please stop doing "partial" reverts, it makes log
> >> > tracking and sorting out stuff later more difficult.
> >> >
> >> > If something is separable and needs to stay it is best
> >> > to revert the whole commit, and then commit with a proper
> >> > log exactly what it is that you did not want to revert.
> >> >
> >> >>
> >> >>   Differential Revision:	D14791
> >> >>
> >> >> Modified:
> >> >>   head/lib/libc/sys/jail.2
> >> >>   head/sys/compat/freebsd32/freebsd32_misc.c
> >> >>   head/sys/compat/freebsd32/freebsd32_proto.h
> >> >>   head/sys/compat/freebsd32/freebsd32_syscall.h
> >> >>   head/sys/compat/freebsd32/freebsd32_syscalls.c
> >> >>   head/sys/compat/freebsd32/freebsd32_sysent.c
> >> >>   head/sys/compat/freebsd32/freebsd32_systrace_args.c
> >> >>   head/sys/compat/freebsd32/syscalls.master
> >> >>   head/sys/kern/init_sysent.c
> >> >>   head/sys/kern/kern_jail.c
> >> >>   head/sys/kern/syscalls.c
> >> >>   head/sys/kern/syscalls.master
> >> >>   head/sys/kern/systrace_args.c
> >> >>   head/sys/sys/jail.h
> >> >>   head/sys/sys/syscall.h
> >> >>   head/sys/sys/syscall.mk
> >> >>   head/sys/sys/syscallsubr.h
> >> >>   head/sys/sys/sysproto.h
> >> >>
> >> >> Modified: head/lib/libc/sys/jail.2
> >> >> ==============================================================================
> >> >> --- head/lib/libc/sys/jail.2	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/lib/libc/sys/jail.2	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -25,10 +25,11 @@
> >> >>  .\"
> >> >>  .\" $FreeBSD$
> >> >>  .\"
> >> >> -.Dd August 16, 2018
> >> >> +.Dd February 8, 2012
> >> >>  .Dt JAIL 2
> >> >>  .Os
> >> >>  .Sh NAME
> >> >> +.Nm jail ,
> >> >>  .Nm jail_get ,
> >> >>  .Nm jail_set ,
> >> >>  .Nm jail_remove ,
> >> >> @@ -40,6 +41,8 @@
> >> >>  .In sys/param.h
> >> >>  .In sys/jail.h
> >> >>  .Ft int
> >> >> +.Fn jail "struct jail *jail"
> >> >> +.Ft int
> >> >>  .Fn jail_attach "int jid"
> >> >>  .Ft int
> >> >>  .Fn jail_remove "int jid"
> >> >> @@ -50,7 +53,74 @@
> >> >>  .Fn jail_set "struct iovec *iov" "u_int niov" "int flags"
> >> >>  .Sh DESCRIPTION
> >> >>  The
> >> >> +.Fn jail
> >> >> +system call sets up a jail and locks the current process in it.
> >> >> +.Pp
> >> >> +The argument is a pointer to a structure describing the prison:
> >> >> +.Bd -literal -offset indent
> >> >> +struct jail {
> >> >> +	uint32_t	version;
> >> >> +	char		*path;
> >> >> +	char		*hostname;
> >> >> +	char		*jailname;
> >> >> +	unsigned int	ip4s;
> >> >> +	unsigned int	ip6s;
> >> >> +	struct in_addr	*ip4;
> >> >> +	struct in6_addr	*ip6;
> >> >> +};
> >> >> +.Ed
> >> >> +.Pp
> >> >> +.Dq Li version
> >> >> +defines the version of the API in use.
> >> >> +.Dv JAIL_API_VERSION
> >> >> +is defined for the current version.
> >> >> +.Pp
> >> >> +The
> >> >> +.Dq Li path
> >> >> +pointer should be set to the directory which is to be the root of the
> >> >> +prison.
> >> >> +.Pp
> >> >> +The
> >> >> +.Dq Li hostname
> >> >> +pointer can be set to the hostname of the prison.
> >> >> +This can be changed
> >> >> +from the inside of the prison.
> >> >> +.Pp
> >> >> +The
> >> >> +.Dq Li jailname
> >> >> +pointer is an optional name that can be assigned to the jail
> >> >> +for example for management purposes.
> >> >> +.Pp
> >> >> +The
> >> >> +.Dq Li ip4s
> >> >> +and
> >> >> +.Dq Li ip6s
> >> >> +give the numbers of IPv4 and IPv6 addresses that will be passed
> >> >> +via their respective pointers.
> >> >> +.Pp
> >> >> +The
> >> >> +.Dq Li ip4
> >> >> +and
> >> >> +.Dq Li ip6
> >> >> +pointers can be set to an arrays of IPv4 and IPv6 addresses to be
> >> >> assigned to
> >> >> +the prison, or NULL if none.
> >> >> +IPv4 addresses must be in network byte order.
> >> >> +.Pp
> >> >> +This is equivalent to, and deprecated in favor of, the
> >> >>  .Fn jail_set
> >> >> +system call (see below), with the parameters
> >> >> +.Va path ,
> >> >> +.Va host.hostname ,
> >> >> +.Va name ,
> >> >> +.Va ip4.addr ,
> >> >> +and
> >> >> +.Va ip6.addr ,
> >> >> +and with the
> >> >> +.Dv JAIL_ATTACH
> >> >> +flag.
> >> >> +.Pp
> >> >> +The
> >> >> +.Fn jail_set
> >> >>  system call creates a new jail, or modifies an existing one, and
> >> >> optionally
> >> >>  locks the current process in it.
> >> >>  Jail parameters are passed as an array of name-value pairs in the
> >> >> array
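
Review bot: the added sentence "pointers can be set to an arrays of IPv4 and IPv6 addresses" in the ip4/ip6 paragraph should read "to arrays of", and "for example for management purposes" in the jailname paragraph wants commas around "for example". Since this text is going back into the page, fix the wording now rather than carrying it forward. The byte-order sentence also covers only IPv4; say explicitly whether ip6 entries have any such requirement.
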
> >> >> @@ -76,19 +146,13 @@ The current set of available parameters, and
> >> >> their for
> >> >>  retrieved via the
> >> >>  .Va security.jail.param
> >> >>  sysctl MIB entry.
> >> >> -Notable parameters include
> >> >> +Notable parameters include those mentioned in the
> >> >> +.Fn jail
> >> >> +description above, as well as
> >> >>  .Va jid
> >> >>  and
> >> >> -.Va name
> >> >> -which identify the jail being created or modified,
> >> >> -.Va path
> >> >> -(the root directory of the jail),
> >> >> -.Va host.hostname
> >> >> -(the hostname of the jail), and
> >> >> -.Va ip4.addr
> >> >> -and
> >> >> -.Va ip6.addr
> >> >> -(IP addresses to assign to the jail).
> >> >> +.Va name ,
> >> >> +which identify the jail being created or modified.
> >> >>  See
> >> >>  .Xr jail 8
> >> >>  for more information on the core jail parameters.
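
Review bot: the jail_set parameter list here now defers to "those mentioned in the jail description above", so the documentation of the current interface depends on the section for the call that the same page describes as deprecated in favor of jail_set. Keep the explicit glosses for path, host.hostname, ip4.addr and ip6.addr from the removed lines in this paragraph so it stands on its own when the jail() text is taken out again.
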
> >> >> @@ -173,7 +237,8 @@ It will kill all processes belonging to the jail,
> >> >> and
> >> >>  of that jail.
> >> >>  .Sh RETURN VALUES
> >> >>  If successful,
> >> >> -.Fn jail_set
> >> >> +.Fn jail ,
> >> >> +.Fn jail_set ,
> >> >>  and
> >> >>  .Fn jail_get
> >> >>  return a non-negative integer, termed the jail identifier (JID).
> >> >> @@ -184,6 +249,25 @@ to indicate the error.
> >> >>  .Rv -std jail_attach jail_remove
> >> >>  .Sh ERRORS
> >> >>  The
> >> >> +.Fn jail
> >> >> +system call
> >> >> +will fail if:
> >> >> +.Bl -tag -width Er
> >> >> +.It Bq Er EPERM
> >> >> +This process is not allowed to create a jail, either because it is
> >> >> not
> >> >> +the super-user, or because it would exceed the jail's
> >> >> +.Va children.max
> >> >> +limit.
> >> >> +.It Bq Er EFAULT
> >> >> +.Fa jail
> >> >> +points to an address outside the allocated address space of the
> >> >> process.
> >> >> +.It Bq Er EINVAL
> >> >> +The version number of the argument is not correct.
> >> >> +.It Bq Er EAGAIN
> >> >> +No free JID could be found.
> >> >> +.El
> >> >> +.Pp
> >> >> +The
> >> >>  .Fn jail_set
> >> >>  system call
> >> >>  will fail if:
> >> >> @@ -287,7 +371,8 @@ does not exist.
> >> >>  .El
> >> >>  .Pp
> >> >>  Further
> >> >> -.Fn jail_set
> >> >> +.Fn jail ,
> >> >> +.Fn jail_set ,
> >> >>  and
> >> >>  .Fn jail_attach
> >> >>  call
> >> >> @@ -301,7 +386,7 @@ manual page for details.
> >> >>  .Xr chroot 2 ,
> >> >>  .Xr jail 8
> >> >>  .Sh HISTORY
> >> >> -The now-deprecated
> >> >> +The
> >> >>  .Fn jail
> >> >>  system call appeared in
> >> >>  .Fx 4.0 .
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_misc.c
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_misc.c	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_misc.c	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -2289,10 +2289,8 @@ freebsd32_sysctl(struct thread *td, struct
> >> >> freebsd32_s
> >> >>  	return (0);
> >> >>  }
> >> >>
> >> >> -#ifdef COMPAT_FREEBSD11
> >> >>  int
> >> >> -freebsd11_freebsd32_jail(struct thread *td,
> >> >> -    struct freebsd11_freebsd32_jail_args *uap)
> >> >> +freebsd32_jail(struct thread *td, struct freebsd32_jail_args *uap)
> >> >>  {
> >> >>  	uint32_t version;
> >> >>  	int error;
> >> >> @@ -2349,9 +2347,8 @@ freebsd11_freebsd32_jail(struct thread *td,
> >> >>  		/* Sci-Fi jails are not supported, sorry. */
> >> >>  		return (EINVAL);
> >> >>  	}
> >> >> -	return (freebsd11_kern_jail(td, &j));
> >> >> +	return (kern_jail(td, &j));
> >> >>  }
> >> >> -#endif /* COMPAT_FREEBSD11 */
> >> >>
> >> >>  int
> >> >>  freebsd32_jail_set(struct thread *td, struct freebsd32_jail_set_args
> >> >> *uap)
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_proto.h
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_proto.h	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_proto.h	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -283,6 +283,9 @@ struct freebsd32_sched_rr_get_interval_args {
> >> >>  	char pid_l_[PADL_(pid_t)]; pid_t pid; char pid_r_[PADR_(pid_t)];
> >> >>  	char interval_l_[PADL_(struct timespec32 *)]; struct timespec32 *
> >> >> interval; char interval_r_[PADR_(struct timespec32 *)];
> >> >>  };
> >> >> +struct freebsd32_jail_args {
> >> >> +	char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char
> >> >> jail_r_[PADR_(struct jail32 *)];
> >> >> +};
> >> >>  struct freebsd32_sigtimedwait_args {
> >> >>  	char set_l_[PADL_(const sigset_t *)]; const sigset_t * set; char
> >> >> set_r_[PADR_(const sigset_t *)];
> >> >>  	char info_l_[PADL_(siginfo_t *)]; siginfo_t * info; char
> >> >> info_r_[PADR_(siginfo_t *)];
> >> >> @@ -758,6 +761,7 @@ int	freebsd32_aio_return(struct thread *, struct
> >> >> freeb
> >> >>  int	freebsd32_aio_suspend(struct thread *, struct
> >> >> freebsd32_aio_suspend_args *);
> >> >>  int	freebsd32_aio_error(struct thread *, struct
> >> >> freebsd32_aio_error_args *);
> >> >>  int	freebsd32_sched_rr_get_interval(struct thread *, struct
> >> >> freebsd32_sched_rr_get_interval_args *);
> >> >> +int	freebsd32_jail(struct thread *, struct freebsd32_jail_args *);
> >> >>  int	freebsd32_sigtimedwait(struct thread *, struct
> >> >> freebsd32_sigtimedwait_args *);
> >> >>  int	freebsd32_sigwaitinfo(struct thread *, struct
> >> >> freebsd32_sigwaitinfo_args *);
> >> >>  int	freebsd32_aio_waitcomplete(struct thread *, struct
> >> >> freebsd32_aio_waitcomplete_args *);
> >> >> @@ -1180,9 +1184,6 @@ struct freebsd11_freebsd32_fhstat_args {
> >> >>  	char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle *
> >> >> u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
> >> >>  	char sb_l_[PADL_(struct freebsd11_stat32 *)]; struct
> >> >> freebsd11_stat32 * sb; char sb_r_[PADR_(struct freebsd11_stat32 *)];
> >> >>  };
> >> >> -struct freebsd11_freebsd32_jail_args {
> >> >> -	char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char
> >> >> jail_r_[PADR_(struct jail32 *)];
> >> >> -};
> >> >>  struct freebsd11_freebsd32_kevent_args {
> >> >>  	char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
> >> >>  	char changelist_l_[PADL_(const struct kevent32_freebsd11 *)]; const
> >> >> struct kevent32_freebsd11 * changelist; char changelist_r_[PADR_(const
> >> >> struct kevent32_freebsd11 *)];
> >> >> @@ -1222,7 +1223,6 @@ int	freebsd11_freebsd32_lstat(struct thread *,
> >> >> struct
> >> >>  int	freebsd11_freebsd32_getdirentries(struct thread *, struct
> >> >> freebsd11_freebsd32_getdirentries_args *);
> >> >>  int	freebsd11_freebsd32_getdents(struct thread *, struct
> >> >> freebsd11_freebsd32_getdents_args *);
> >> >>  int	freebsd11_freebsd32_fhstat(struct thread *, struct
> >> >> freebsd11_freebsd32_fhstat_args *);
> >> >> -int	freebsd11_freebsd32_jail(struct thread *, struct
> >> >> freebsd11_freebsd32_jail_args *);
> >> >>  int	freebsd11_freebsd32_kevent(struct thread *, struct
> >> >> freebsd11_freebsd32_kevent_args *);
> >> >>  int	freebsd11_freebsd32_fstatat(struct thread *, struct
> >> >> freebsd11_freebsd32_fstatat_args *);
> >> >>  int	freebsd11_freebsd32_mknodat(struct thread *, struct
> >> >> freebsd11_freebsd32_mknodat_args *);
> >> >> @@ -1317,7 +1317,7 @@ int	freebsd11_freebsd32_mknodat(struct thread *,
> >> >> struc
> >> >>
> >> >> #define	FREEBSD32_SYS_AUE_freebsd6_freebsd32_lio_listio	AUE_LIO_LISTIO
> >> >>  #define	FREEBSD32_SYS_AUE_freebsd32_sched_rr_get_interval	AUE_NULL
> >> >>  #define	FREEBSD32_SYS_AUE_freebsd4_freebsd32_sendfile	AUE_SENDFILE
> >> >> -#define	FREEBSD32_SYS_AUE_freebsd11_freebsd32_jail	AUE_JAIL
> >> >> +#define	FREEBSD32_SYS_AUE_freebsd32_jail	AUE_JAIL
> >> >>  #define	FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigaction	AUE_SIGACTION
> >> >>  #define	FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigreturn	AUE_SIGRETURN
> >> >>  #define	FREEBSD32_SYS_AUE_freebsd32_sigtimedwait	AUE_SIGWAIT
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_syscall.h
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_syscall.h	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_syscall.h	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -275,7 +275,7 @@
> >> >>  #define	FREEBSD32_SYS_utrace	335
> >> >>  				/* 336 is freebsd4 freebsd32_sendfile */
> >> >>  #define	FREEBSD32_SYS_kldsym	337
> >> >> -#define	FREEBSD32_SYS_freebsd11_freebsd32_jail	338
> >> >> +#define	FREEBSD32_SYS_freebsd32_jail	338
> >> >>  #define	FREEBSD32_SYS_sigprocmask	340
> >> >>  #define	FREEBSD32_SYS_sigsuspend	341
> >> >>  				/* 342 is freebsd4 freebsd32_sigaction */
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_syscalls.c
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_syscalls.c	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_syscalls.c	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -347,7 +347,7 @@ const char *freebsd32_syscallnames[] = {
> >> >>  	"utrace",			/* 335 = utrace */
> >> >>  	"compat4.freebsd32_sendfile",		/* 336 = freebsd4 freebsd32_sendfile
> >> >> */
> >> >>  	"kldsym",			/* 337 = kldsym */
> >> >> -	"compat11.freebsd32_jail",		/* 338 = freebsd11 freebsd32_jail */
> >> >> +	"freebsd32_jail",			/* 338 = freebsd32_jail */
> >> >>  	"#339",			/* 339 = pioctl */
> >> >>  	"sigprocmask",			/* 340 = sigprocmask */
> >> >>  	"sigsuspend",			/* 341 = sigsuspend */
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_sysent.c
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_sysent.c	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_sysent.c	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -394,7 +394,7 @@ struct sysent freebsd32_sysent[] = {
> >> >>  	{ AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0,
> >> >> SYF_CAPENABLED, SY_THR_STATIC },	/* 335 = utrace */
> >> >>  	{ compat4(AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile),
> >> >> AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 336 =
> >> >> freebsd4 freebsd32_sendfile */
> >> >>  	{ AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0,
> >> >> SY_THR_STATIC },	/* 337 = kldsym */
> >> >> -	{ compat11(AS(freebsd11_freebsd32_jail_args),freebsd32_jail),
> >> >> AUE_JAIL, NULL, 0, 0, 0, SY_THR_STATIC },	/* 338 = freebsd11
> >> >> freebsd32_jail */
> >> >> +	{ AS(freebsd32_jail_args), (sy_call_t *)freebsd32_jail, AUE_JAIL,
> >> >> NULL, 0, 0, 0, SY_THR_STATIC },	/* 338 = freebsd32_jail */
> >> >>  	{ 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_ABSENT
> >> >> },			/* 339 = pioctl */
> >> >>  	{ AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask,
> >> >> AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 340 =
> >> >> sigprocmask */
> >> >>  	{ AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND,
> >> >> NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 341 = sigsuspend */
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/freebsd32_systrace_args.c
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/freebsd32_systrace_args.c	Thu Aug 16
> >> >> 18:58:34 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/freebsd32_systrace_args.c	Thu Aug 16
> >> >> 19:09:43 2018	(r337925)
> >> >> @@ -1559,6 +1559,13 @@ systrace_args(int sysnum, void *params,
> >> >> uint64_t *uarg
> >> >>  		*n_args = 3;
> >> >>  		break;
> >> >>  	}
> >> >> +	/* freebsd32_jail */
> >> >> +	case 338: {
> >> >> +		struct freebsd32_jail_args *p = params;
> >> >> +		uarg[0] = (intptr_t) p->jail; /* struct jail32 * */
> >> >> +		*n_args = 1;
> >> >> +		break;
> >> >> +	}
> >> >>  	/* sigprocmask */
> >> >>  	case 340: {
> >> >>  		struct sigprocmask_args *p = params;
> >> >> @@ -5704,6 +5711,16 @@ systrace_entry_setargdesc(int sysnum, int ndx,
> >> >> char *d
> >> >>  			break;
> >> >>  		};
> >> >>  		break;
> >> >> +	/* freebsd32_jail */
> >> >> +	case 338:
> >> >> +		switch(ndx) {
> >> >> +		case 0:
> >> >> +			p = "userland struct jail32 *";
> >> >> +			break;
> >> >> +		default:
> >> >> +			break;
> >> >> +		};
> >> >> +		break;
> >> >>  	/* sigprocmask */
> >> >>  	case 340:
> >> >>  		switch(ndx) {
> >> >> @@ -9653,6 +9670,11 @@ systrace_return_setargdesc(int sysnum, int ndx,
> >> >> char *
> >> >>  		break;
> >> >>  	/* kldsym */
> >> >>  	case 337:
> >> >> +		if (ndx == 0 || ndx == 1)
> >> >> +			p = "int";
> >> >> +		break;
> >> >> +	/* freebsd32_jail */
> >> >> +	case 338:
> >> >>  		if (ndx == 0 || ndx == 1)
> >> >>  			p = "int";
> >> >>  		break;
> >> >>
> >> >> Modified: head/sys/compat/freebsd32/syscalls.master
> >> >> ==============================================================================
> >> >> --- head/sys/compat/freebsd32/syscalls.master	Thu Aug 16 18:58:34
> >> >> 2018	(r337924)
> >> >> +++ head/sys/compat/freebsd32/syscalls.master	Thu Aug 16 19:09:43
> >> >> 2018	(r337925)
> >> >> @@ -601,7 +601,7 @@
> >> >>  				    off_t *sbytes, int flags); }
> >> >>  337	AUE_NULL	NOPROTO	{ int kldsym(int fileid, int cmd, \
> >> >>  				    void *data); }
> >> >> -338	AUE_JAIL	COMPAT11 { int freebsd32_jail(struct jail32 *jail); }
> >> >> +338	AUE_JAIL	STD	{ int freebsd32_jail(struct jail32 *jail); }
> >> >>  339	AUE_NULL	UNIMPL	pioctl
> >> >>  340	AUE_SIGPROCMASK	NOPROTO	{ int sigprocmask(int how, \
> >> >>  				    const sigset_t *set, sigset_t *oset); }
> >> >>
> >> >> Modified: head/sys/kern/init_sysent.c
> >> >> ==============================================================================
> >> >> --- head/sys/kern/init_sysent.c	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/kern/init_sysent.c	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -387,7 +387,7 @@ struct sysent sysent[] = {
> >> >>  	{ AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0,
> >> >> SYF_CAPENABLED, SY_THR_STATIC },	/* 335 = utrace */
> >> >>  	{ compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL,
> >> >> 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 336 = freebsd4 sendfile */
> >> >>  	{ AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0,
> >> >> SY_THR_STATIC },	/* 337 = kldsym */
> >> >> -	{ compat11(AS(freebsd11_jail_args),jail), AUE_JAIL, NULL, 0, 0, 0,
> >> >> SY_THR_STATIC },	/* 338 = freebsd11 jail */
> >> >> +	{ AS(jail_args), (sy_call_t *)sys_jail, AUE_JAIL, NULL, 0, 0, 0,
> >> >> SY_THR_STATIC },	/* 338 = jail */
> >> >>  	{ AS(nnpfs_syscall_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0,
> >> >> 0, 0, SY_THR_ABSENT },	/* 339 = nnpfs_syscall */
> >> >>  	{ AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask,
> >> >> AUE_SIGPROCMASK, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 340 =
> >> >> sigprocmask */
> >> >>  	{ AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND,
> >> >> NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },	/* 341 = sigsuspend */
> >> >>
> >> >> Modified: head/sys/kern/kern_jail.c
> >> >> ==============================================================================
> >> >> --- head/sys/kern/kern_jail.c	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/kern/kern_jail.c	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -74,14 +74,6 @@ __FBSDID("$FreeBSD$");
> >> >>
> >> >>  #include <security/mac/mac_framework.h>
> >> >>
> >> >> -/*
> >> >> - * The old jail(2) interface will exist under COMPAT_FREEBSD11, but
> >> >> the global
> >> >> - * permission sysctls are slated to go away sometime (even with
> >> >> COMPAT).
> >> >> - */
> >> >> -#if defined(COMPAT_FREEBSD11) && !defined(BURN_BRIDGES)
> >> >> -#define PR_GLOBAL_ALLOW
> >> >> -#endif
> >> >> -
> >> >>  #define	DEFAULT_HOSTUUID	"00000000-0000-0000-0000-000000000000"
> >> >>
> >> >>  MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
> >> >> @@ -207,11 +199,9 @@ const size_t pr_flag_allow_size =
> >> >> sizeof(pr_flag_allow
> >> >>  #define	JAIL_DEFAULT_ALLOW		(PR_ALLOW_SET_HOSTNAME |
> >> >> PR_ALLOW_RESERVED_PORTS)
> >> >>  #define	JAIL_DEFAULT_ENFORCE_STATFS	2
> >> >>  #define	JAIL_DEFAULT_DEVFS_RSNUM	0
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
> >> >>  static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
> >> >>  static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
> >> >> -#endif
> >> >>  #if defined(INET) || defined(INET6)
> >> >>  static unsigned jail_max_af_ips = 255;
> >> >>  #endif
> >> >> @@ -229,14 +219,13 @@ prison0_init(void)
> >> >>  	strlcpy(prison0.pr_osrelease, osrelease,
> >> >> sizeof(prison0.pr_osrelease));
> >> >>  }
> >> >>
> >> >> -#ifdef COMPAT_FREEBSD11
> >> >>  /*
> >> >>   * struct jail_args {
> >> >>   *	struct jail *jail;
> >> >>   * };
> >> >>   */
> >> >>  int
> >> >> -freebsd11_jail(struct thread *td, struct freebsd11_jail_args *uap)
> >> >> +sys_jail(struct thread *td, struct jail_args *uap)
> >> >>  {
> >> >>  	uint32_t version;
> >> >>  	int error;
> >> >> @@ -281,16 +270,13 @@ freebsd11_jail(struct thread *td, struct
> >> >> freebsd11_jai
> >> >>  		/* Sci-Fi jails are not supported, sorry. */
> >> >>  		return (EINVAL);
> >> >>  	}
> >> >> -	return (freebsd11_kern_jail(td, &j));
> >> >> +	return (kern_jail(td, &j));
> >> >>  }
> >> >>
> >> >>  int
> >> >> -freebsd11_kern_jail(struct thread *td, struct jail *j)
> >> >> +kern_jail(struct thread *td, struct jail *j)
> >> >>  {
> >> >> -	struct iovec optiov[2 * (3
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >> -			    + 1 + nitems(pr_flag_allow)
> >> >> -#endif
> >> >> +	struct iovec optiov[2 * (4 + nitems(pr_flag_allow)
> >> >>  #ifdef INET
> >> >>  			    + 1
> >> >>  #endif
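
Review bot: the `4` in `optiov[2 * (4 + nitems(pr_flag_allow)` is an unexplained count of fixed name/value pairs; the removed lines at least split it into `3` plus a `1` under PR_GLOBAL_ALLOW. This array is filled by incrementing opt.uio_iovcnt further down, and an undersized array means writing past a kernel stack buffer, so add a comment naming the four fixed parameters and, if it is not already there, an assertion that opt.uio_iovcnt never exceeds nitems(optiov).
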
> >> >> @@ -300,10 +286,7 @@ freebsd11_kern_jail(struct thread *td, struct
> >> >> jail *j)
> >> >>  			    )];
> >> >>  	struct uio opt;
> >> >>  	char *u_path, *u_hostname, *u_name;
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  	struct bool_flags *bf;
> >> >> -	int enforce_statfs;
> >> >> -#endif
> >> >>  #ifdef INET
> >> >>  	uint32_t ip4s;
> >> >>  	struct in_addr *u_ip4;
> >> >> @@ -312,7 +295,7 @@ freebsd11_kern_jail(struct thread *td, struct jail
> >> >> *j)
> >> >>  	struct in6_addr *u_ip6;
> >> >>  #endif
> >> >>  	size_t tmplen;
> >> >> -	int error;
> >> >> +	int error, enforce_statfs;
> >> >>
> >> >>  	bzero(&optiov, sizeof(optiov));
> >> >>  	opt.uio_iov = optiov;
> >> >> @@ -323,7 +306,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
> >> >> *j)
> >> >>  	opt.uio_rw = UIO_READ;
> >> >>  	opt.uio_td = td;
> >> >>
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  	/* Set permissions for top-level jails from sysctls. */
> >> >>  	if (!jailed(td->td_ucred)) {
> >> >>  		for (bf = pr_flag_allow;
> >> >> @@ -345,7 +327,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
> >> >> *j)
> >> >>  		optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs);
> >> >>  		opt.uio_iovcnt++;
> >> >>  	}
> >> >> -#endif
> >> >>
> >> >>  	tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN;
> >> >>  #ifdef INET
> >> >> @@ -449,7 +430,6 @@ freebsd11_kern_jail(struct thread *td, struct jail
> >> >> *j)
> >> >>  	free(u_path, M_TEMP);
> >> >>  	return (error);
> >> >>  }
> >> >> -#endif /* COMPAT_FREEBSD11 */
> >> >>
> >> >>
> >> >>  /*
> >> >> @@ -1267,11 +1247,7 @@ kern_jail_set(struct thread *td, struct uio
> >> >> *optuio, i
> >> >>
> >> >>  		pr->pr_securelevel = ppr->pr_securelevel;
> >> >>  		pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  		pr->pr_enforce_statfs = jail_default_enforce_statfs;
> >> >> -#else
> >> >> -		pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
> >> >> -#endif
> >> >>  		pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;
> >> >>
> >> >>  		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
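
Review bot: in these new-jail defaults, `pr_enforce_statfs` is taken from the writable global `jail_default_enforce_statfs`, while `pr_allow` on the line above is the compile-time JAIL_DEFAULT_ALLOW masked by the parent's `pr_allow`, and pr_securelevel and pr_devfs_rsnum come from `ppr`. That leaves enforce_statfs as the one default in this block that is neither inherited from nor bounded by the parent. Add a comment saying where the value is checked against the parent's setting, or bound it by `ppr->pr_enforce_statfs` here.
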
> >> >> @@ -3439,7 +3415,6 @@ prison_path(struct prison *pr1, struct prison
> >> >> *pr2)
> >> >>  static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
> >> >>      "Jails");
> >> >>
> >> >> -#ifdef COMPAT_FREEBSD11
> >> >>  static int
> >> >>  sysctl_jail_list(SYSCTL_HANDLER_ARGS)
> >> >>  {
> >> >> @@ -3543,7 +3518,6 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
> >> >>  SYSCTL_OID(_security_jail, OID_AUTO, list,
> >> >>      CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
> >> >>      sysctl_jail_list, "S", "List of active jails");
> >> >> -#endif /* COMPAT_FREEBSD11 */
> >> >>
> >> >>  static int
> >> >>  sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
> >> >> @@ -3583,14 +3557,13 @@ SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
> >> >>  #if defined(INET) || defined(INET6)
> >> >>  SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
> >> >>      &jail_max_af_ips, 0,
> >> >> -    "Number of IP addresses a jail may have at most per address
> >> >> family");
> >> >> +    "Number of IP addresses a jail may have at most per address
> >> >> family (deprecated)");
> >> >>  #endif
> >> >>
> >> >>  /*
> >> >> - * Jail permissions - jailed processes can read these to find out
> >> >> what they are
> >> >> - * allowed to do.  A deprecated use is to set default permissions for
> >> >> prisons
> >> >> - * created via jail(2).  For historical reasons, the sysctl names
> >> >> have varying
> >> >> - * similarity to the parameter names.
> >> >> + * Default parameters for jail(2) compatibility.  For historical
> >> >> reasons,
> >> >> + * the sysctl names have varying similarity to the parameter names.
> >> >> Prisons
> >> >> + * just see their own parameters, and can't change them.
> >> >>   */
> >> >>  static int
> >> >>  sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
> >> >> @@ -3599,68 +3572,52 @@ sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
> >> >>  	int allow, error, i;
> >> >>
> >> >>  	pr = req->td->td_ucred->cr_prison;
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  	allow = (pr == &prison0) ? jail_default_allow : pr->pr_allow;
> >> >> -#else
> >> >> -	allow = pr->pr_allow;
> >> >> -#endif
> >> >>
> >> >>  	/* Get the current flag value, and convert it to a boolean. */
> >> >>  	i = (allow & arg2) ? 1 : 0;
> >> >>  	if (arg1 != NULL)
> >> >>  		i = !i;
> >> >>  	error = sysctl_handle_int(oidp, &i, 0, req);
> >> >> -	if (error)
> >> >> +	if (error || !req->newptr)
> >> >>  		return (error);
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >> -	if (req->newptr) {
> >> >> -		i = i ? arg2 : 0;
> >> >> -		if (arg1 != NULL)
> >> >> -			i ^= arg2;
> >> >> -		/*
> >> >> -		 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
> >> >> -		 * for writing.
> >> >> -		 */
> >> >> -		mtx_lock(&prison0.pr_mtx);
> >> >> -		jail_default_allow = (jail_default_allow & ~arg2) | i;
> >> >> -		mtx_unlock(&prison0.pr_mtx);
> >> >> -	}
> >> >> -#endif
> >> >> +	i = i ? arg2 : 0;
> >> >> +	if (arg1 != NULL)
> >> >> +		i ^= arg2;
> >> >> +	/*
> >> >> +	 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
> >> >> +	 * for writing.
> >> >> +	 */
> >> >> +	mtx_lock(&prison0.pr_mtx);
> >> >> +	jail_default_allow = (jail_default_allow & ~arg2) | i;
> >> >> +	mtx_unlock(&prison0.pr_mtx);
> >> >>  	return (0);
> >> >>  }
> >> >>
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >> -#define CTLFLAG_GLOBAL_ALLOW	(CTLFLAG_RW | CTLFLAG_MPSAFE)
> >> >> -#define ADDR_GLOBAL_ALLOW(i)	&i
> >> >> -#else
> >> >> -#define CTLFLAG_GLOBAL_ALLOW	(CTLFLAG_RD | CTLFLAG_MPSAFE)
> >> >> -#define ADDR_GLOBAL_ALLOW(i)	NULL
> >> >> -#endif
> >> >> -
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
> >> >> -    "Processes in jail can set their hostnames");
> >> >> +    "Processes in jail can set their hostnames (deprecated)");
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, socket_unixiproute_only,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      (void *)1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow, "I",
> >> >> -    "Processes in jail are limited to creating UNIX/IP/route sockets
> >> >> only");
> >> >> +    "Processes in jail are limited to creating UNIX/IP/route sockets
> >> >> only (deprecated)");
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, sysvipc_allowed,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow, "I",
> >> >> -    "Processes in jail can use System V IPC primitives");
> >> >> +    "Processes in jail can use System V IPC primitives
> >> >> (deprecated)");
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, allow_raw_sockets,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow, "I",
> >> >> -    "Prison root can create raw sockets");
> >> >> +    "Prison root can create raw sockets (deprecated)");
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
> >> >> -    "Processes in jail can alter system file flags");
> >> >> +    "Processes in jail can alter system file flags (deprecated)");
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >>      NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
> >> >> -    "Processes in jail can mount/unmount jail-friendly file
> >> >> systems");
> >> >> +    "Processes in jail can mount/unmount jail-friendly file systems
> >> >> (deprecated)");
> >> >>
> >> >>  static int
> >> >>  sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
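Review bot: The six descriptions changed in this hunk (set_hostname_allowed through mount_allowed) gain only "(deprecated)" and do not say what replaces them. The knobs are also switched from CTLFLAG_GLOBAL_ALLOW, which had a read-only variant, to an unconditional CTLFLAG_RW, so `sysctl -d` will show a writable, deprecated control with no pointer to the supported alternative. Consider naming the replacement in each description string.
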
> >> >> @@ -3669,33 +3626,25 @@ sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
> >> >>  	int level, error;
> >> >>
> >> >>  	pr = req->td->td_ucred->cr_prison;
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >>  	level = (pr == &prison0) ? *(int *)arg1 : *(int *)((char *)pr +
> >> >> arg2);
> >> >> -#else
> >> >> -	level = *(int *)((char *)pr + arg2);
> >> >> -#endif
> >> >>  	error = sysctl_handle_int(oidp, &level, 0, req);
> >> >> -	if (error)
> >> >> +	if (error || !req->newptr)
> >> >>  		return (error);
> >> >> -#ifdef PR_GLOBAL_ALLOW
> >> >> -	if (req->newptr)
> >> >> -		*(int *)arg1 = level;
> >> >> -#endif
> >> >> +	*(int *)arg1 = level;
> >> >>  	return (0);
> >> >>  }
> >> >>
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, enforce_statfs,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> -    ADDR_GLOBAL_ALLOW(jail_default_enforce_statfs),
> >> >> -    offsetof(struct prison, pr_enforce_statfs),
> >> >> +    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
> >> >> +    &jail_default_enforce_statfs, offsetof(struct prison,
> >> >> pr_enforce_statfs),
> >> >>      sysctl_jail_default_level, "I",
> >> >> -    "Processes in jail cannot see all mounted file systems");
> >> >> +    "Processes in jail cannot see all mounted file systems
> >> >> (deprecated)");
> >> >> +
> >> >>  SYSCTL_PROC(_security_jail, OID_AUTO, devfs_ruleset,
> >> >> -    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
> >> >> -    ADDR_GLOBAL_ALLOW(jail_default_devfs_rsnum),
> >> >> -    offsetof(struct prison, pr_devfs_rsnum),
> >> >> +    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
> >> >> +    &jail_default_devfs_rsnum, offsetof(struct prison,
> >> >> pr_devfs_rsnum),
> >> >>      sysctl_jail_default_level, "I",
> >> >> -    "Ruleset for the devfs filesystem in jail");
> >> >> +    "Ruleset for the devfs filesystem in jail (deprecated)");
> >> >>
> >> >>  /*
> >> >>   * Nodes to describe jail parameters.  Maximum length of string
> >> >> parameters
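Review bot: In sysctl_jail_default_level the store `*(int *)arg1 = level;` now runs on every write, while the read a few lines above it distinguishes `pr == &prison0` from a jailed caller. Nothing visible in this hunk checks that the writer is in prison0 before the global default is changed; if that is enforced elsewhere, a short comment here would make it clear. Separately, enforce_statfs becomes CTLFLAG_RW while devfs_ruleset is CTLFLAG_RD although both use this handler, so a word on whether the difference is intended would help.
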
> >> >> @@ -3836,6 +3785,9 @@ prison_add_allow(const char *prefix, const char
> >> >> *name,
> >> >>  	struct bool_flags *bf;
> >> >>  	struct sysctl_oid *parent;
> >> >>  	char *allow_name, *allow_noname, *allowed;
> >> >> +#ifndef NO_SYSCTL_DESCR
> >> >> +	char *descr_deprecated;
> >> >> +#endif
> >> >>  	unsigned allow_flag;
> >> >>
> >> >>  	if (prefix
> >> >> @@ -3892,7 +3844,10 @@ prison_add_allow(const char *prefix, const char
> >> >> *name,
> >> >>  	bf->flag = allow_flag;
> >> >>  	mtx_unlock(&prison0.pr_mtx);
> >> >>
> >> >> -	/* Create sysctls for the paramter, and the current permission. */
> >> >> +	/*
> >> >> +	 * Create sysctls for the paramter, and the back-compat global
> >> >> +	 * permission.
> >> >> +	 */
> >> >>  	parent = prefix
> >> >>  	    ? SYSCTL_ADD_NODE(NULL,
> >> >>  		  SYSCTL_CHILDREN(&sysctl___security_jail_param_allow),
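Review bot: The rewritten comment in prison_add_allow still carries the misspelling "paramter". Since the comment is being replaced anyway, spell it "parameter".
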
> >> >> @@ -3904,10 +3859,17 @@ prison_add_allow(const char *prefix, const
> >> >> char *name,
> >> >>  	if ((prefix
> >> >>  	     ? asprintf(&allowed, M_TEMP, "%s_%s_allowed", prefix, name)
> >> >>  	     : asprintf(&allowed, M_TEMP, "%s_allowed", name)) >= 0) {
> >> >> +#ifndef NO_SYSCTL_DESCR
> >> >> +		(void)asprintf(&descr_deprecated, M_TEMP, "%s (deprecated)",
> >> >> +		    descr);
> >> >> +#endif
> >> >>  		(void)SYSCTL_ADD_PROC(NULL,
> >> >>  		    SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO, allowed,
> >> >> -		    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW, NULL, allow_flag,
> >> >> -		    sysctl_jail_default_allow, "I", descr);
> >> >> +		    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, allow_flag,
> >> >> +		    sysctl_jail_default_allow, "I", descr_deprecated);
> >> >> +#ifndef NO_SYSCTL_DESCR
> >> >> +		free(descr_deprecated, M_TEMP);
> >> >> +#endif
> >> >>  		free(allowed, M_TEMP);
> >> >>  	}
> >> >>  	return allow_flag;
> >> >>
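Review bot: The result of the asprintf() that builds descr_deprecated is discarded with a (void) cast, unlike the asprintf() for allowed just above it, which is tested with `>= 0`, so the outcome of a failed allocation is passed straight to SYSCTL_ADD_PROC. descr_deprecated is also declared and assigned only under `#ifndef NO_SYSCTL_DESCR` yet named unconditionally in the SYSCTL_ADD_PROC call, and it is freed immediately after that call, which is safe only if the sysctl code keeps its own copy of the description. Check the return value, and add a comment stating both assumptions so the guard and the early free do not look like bugs.
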
> >> >> Modified: head/sys/kern/syscalls.c
> >> >> ==============================================================================
> >> >> --- head/sys/kern/syscalls.c	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/kern/syscalls.c	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -344,7 +344,7 @@ const char *syscallnames[] = {
> >> >>  	"utrace",			/* 335 = utrace */
> >> >>  	"compat4.sendfile",		/* 336 = freebsd4 sendfile */
> >> >>  	"kldsym",			/* 337 = kldsym */
> >> >> -	"compat11.jail",		/* 338 = freebsd11 jail */
> >> >> +	"jail",			/* 338 = jail */
> >> >>  	"nnpfs_syscall",			/* 339 = nnpfs_syscall */
> >> >>  	"sigprocmask",			/* 340 = sigprocmask */
> >> >>  	"sigsuspend",			/* 341 = sigsuspend */
> >> >>
> >> >> Modified: head/sys/kern/syscalls.master
> >> >> ==============================================================================
> >> >> --- head/sys/kern/syscalls.master	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/kern/syscalls.master	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -738,7 +738,7 @@
> >> >>  				    _Out_opt_ off_t *sbytes, int flags); }
> >> >>  337	AUE_NULL	STD	{ int kldsym(int fileid, int cmd, \
> >> >>  				    _In_ void *data); }
> >> >> -338	AUE_JAIL	COMPAT11 { int jail( \
> >> >> +338	AUE_JAIL	STD	{ int jail( \
> >> >>  				    _In_ struct jail *jail); }
> >> >>
> >> >>  339	AUE_NULL	NOSTD|NOTSTATIC	{ int nnpfs_syscall(int operation, \
> >> >>
> >> >> Modified: head/sys/kern/systrace_args.c
> >> >> ==============================================================================
> >> >> --- head/sys/kern/systrace_args.c	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/kern/systrace_args.c	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -1593,6 +1593,13 @@ systrace_args(int sysnum, void *params,
> >> >> uint64_t *uarg
> >> >>  		*n_args = 3;
> >> >>  		break;
> >> >>  	}
> >> >> +	/* jail */
> >> >> +	case 338: {
> >> >> +		struct jail_args *p = params;
> >> >> +		uarg[0] = (intptr_t) p->jail; /* struct jail * */
> >> >> +		*n_args = 1;
> >> >> +		break;
> >> >> +	}
> >> >>  	/* nnpfs_syscall */
> >> >>  	case 339: {
> >> >>  		struct nnpfs_syscall_args *p = params;
> >> >> @@ -5765,6 +5772,16 @@ systrace_entry_setargdesc(int sysnum, int ndx,
> >> >> char *d
> >> >>  			break;
> >> >>  		};
> >> >>  		break;
> >> >> +	/* jail */
> >> >> +	case 338:
> >> >> +		switch(ndx) {
> >> >> +		case 0:
> >> >> +			p = "userland struct jail *";
> >> >> +			break;
> >> >> +		default:
> >> >> +			break;
> >> >> +		};
> >> >> +		break;
> >> >>  	/* nnpfs_syscall */
> >> >>  	case 339:
> >> >>  		switch(ndx) {
> >> >> @@ -9627,6 +9644,11 @@ systrace_return_setargdesc(int sysnum, int ndx,
> >> >> char *
> >> >>  		break;
> >> >>  	/* kldsym */
> >> >>  	case 337:
> >> >> +		if (ndx == 0 || ndx == 1)
> >> >> +			p = "int";
> >> >> +		break;
> >> >> +	/* jail */
> >> >> +	case 338:
> >> >>  		if (ndx == 0 || ndx == 1)
> >> >>  			p = "int";
> >> >>  		break;
> >> >>
> >> >> Modified: head/sys/sys/jail.h
> >> >> ==============================================================================
> >> >> --- head/sys/sys/jail.h	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/sys/jail.h	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -32,7 +32,6 @@
> >> >>  #ifndef _SYS_JAIL_H_
> >> >>  #define _SYS_JAIL_H_
> >> >>
> >> >> -#ifdef COMPAT_FREEBSD11
> >> >>  #ifdef _KERNEL
> >> >>  struct jail_v0 {
> >> >>  	u_int32_t	version;
> >> >> @@ -58,6 +57,16 @@ struct jail {
> >> >>   * For all xprison structs, always keep the pr_version an int and
> >> >>   * the first variable so userspace can easily distinguish them.
> >> >>   */
> >> >> +#ifndef _KERNEL
> >> >> +struct xprison_v1 {
> >> >> +	int		 pr_version;
> >> >> +	int		 pr_id;
> >> >> +	char		 pr_path[MAXPATHLEN];
> >> >> +	char		 pr_host[MAXHOSTNAMELEN];
> >> >> +	u_int32_t	 pr_ip;
> >> >> +};
> >> >> +#endif
> >> >> +
> >> >>  struct xprison {
> >> >>  	int		 pr_version;
> >> >>  	int		 pr_id;
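Review bot: struct xprison_v1 is added under `#ifndef _KERNEL` with no comment saying what it is for. It does follow the rule in the comment above it (pr_version first, as an int), but a one-line note on which pr_version value selects this layout and why it is exposed only to userland would save readers from guessing.
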
> >> >> @@ -82,7 +91,6 @@ struct xprison {
> >> >>  #define	PRISON_STATE_INVALID	0
> >> >>  #define	PRISON_STATE_ALIVE	1
> >> >>  #define	PRISON_STATE_DYING	2
> >> >> -#endif /* COMPAT_FREEBSD11 */
> >> >>
> >> >>  /*
> >> >>   * Flags for jail_set and jail_get.
> >> >> @@ -102,6 +110,7 @@ struct xprison {
> >> >>
> >> >>  struct iovec;
> >> >>
> >> >> +int jail(struct jail *);
> >> >>  int jail_set(struct iovec *, unsigned int, int);
> >> >>  int jail_get(struct iovec *, unsigned int, int);
> >> >>  int jail_attach(int);
> >> >>
> >> >> Modified: head/sys/sys/syscall.h
> >> >> ==============================================================================
> >> >> --- head/sys/sys/syscall.h	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/sys/syscall.h	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -280,7 +280,7 @@
> >> >>  #define	SYS_utrace	335
> >> >>  				/* 336 is freebsd4 sendfile */
> >> >>  #define	SYS_kldsym	337
> >> >> -#define	SYS_freebsd11_jail	338
> >> >> +#define	SYS_jail	338
> >> >>  #define	SYS_nnpfs_syscall	339
> >> >>  #define	SYS_sigprocmask	340
> >> >>  #define	SYS_sigsuspend	341
> >> >>
> >> >> Modified: head/sys/sys/syscall.mk
> >> >> ==============================================================================
> >> >> --- head/sys/sys/syscall.mk	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/sys/syscall.mk	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -209,7 +209,7 @@ MIASM =  \
> >> >>  	sched_rr_get_interval.o \
> >> >>  	utrace.o \
> >> >>  	kldsym.o \
> >> >> -	freebsd11_jail.o \
> >> >> +	jail.o \
> >> >>  	nnpfs_syscall.o \
> >> >>  	sigprocmask.o \
> >> >>  	sigsuspend.o \
> >> >>
> >> >> Modified: head/sys/sys/syscallsubr.h
> >> >> ==============================================================================
> >> >> --- head/sys/sys/syscallsubr.h	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/sys/syscallsubr.h	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -143,6 +143,7 @@ int	kern_getsockname(struct thread *td, int fd,
> >> >> struct
> >> >>  int	kern_getsockopt(struct thread *td, int s, int level, int name,
> >> >>  	    void *optval, enum uio_seg valseg, socklen_t *valsize);
> >> >>  int	kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data);
> >> >> +int	kern_jail(struct thread *td, struct jail *j);
> >> >>  int	kern_jail_get(struct thread *td, struct uio *options, int flags);
> >> >>  int	kern_jail_set(struct thread *td, struct uio *options, int flags);
> >> >>  int	kern_kevent(struct thread *td, int fd, int nchanges, int nevents,
> >> >> @@ -307,6 +308,5 @@ struct freebsd11_dirent;
> >> >>
> >> >>  int	freebsd11_kern_getdirentries(struct thread *td, int fd, char
> >> >> *ubuf, u_int
> >> >>  	    count, long *basep, void (*func)(struct freebsd11_dirent *));
> >> >> -int	freebsd11_kern_jail(struct thread *td, struct jail *j);
> >> >>
> >> >>  #endif /* !_SYS_SYSCALLSUBR_H_ */
> >> >>
> >> >> Modified: head/sys/sys/sysproto.h
> >> >> ==============================================================================
> >> >> --- head/sys/sys/sysproto.h	Thu Aug 16 18:58:34 2018	(r337924)
> >> >> +++ head/sys/sys/sysproto.h	Thu Aug 16 19:09:43 2018	(r337925)
> >> >> @@ -849,6 +849,9 @@ struct kldsym_args {
> >> >>  	char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
> >> >>  	char data_l_[PADL_(void *)]; void * data; char data_r_[PADR_(void
> >> >> *)];
> >> >>  };
> >> >> +struct jail_args {
> >> >> +	char jail_l_[PADL_(struct jail *)]; struct jail * jail; char
> >> >> jail_r_[PADR_(struct jail *)];
> >> >> +};
> >> >>  struct nnpfs_syscall_args {
> >> >>  	char operation_l_[PADL_(int)]; int operation; char
> >> >> operation_r_[PADR_(int)];
> >> >>  	char a_pathP_l_[PADL_(char *)]; char * a_pathP; char
> >> >> a_pathP_r_[PADR_(char *)];
> >> >> @@ -1958,6 +1961,7 @@ int	sys_sched_get_priority_min(struct thread *,
> >> >> struct
> >> >>  int	sys_sched_rr_get_interval(struct thread *, struct
> >> >> sched_rr_get_interval_args *);
> >> >>  int	sys_utrace(struct thread *, struct utrace_args *);
> >> >>  int	sys_kldsym(struct thread *, struct kldsym_args *);
> >> >> +int	sys_jail(struct thread *, struct jail_args *);
> >> >>  int	sys_nnpfs_syscall(struct thread *, struct nnpfs_syscall_args *);
> >> >>  int	sys_sigprocmask(struct thread *, struct sigprocmask_args *);
> >> >>  int	sys_sigsuspend(struct thread *, struct sigsuspend_args *);
> >> >> @@ -2527,9 +2531,6 @@ struct freebsd11_fhstat_args {
> >> >>  	char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle *
> >> >> u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
> >> >>  	char sb_l_[PADL_(struct freebsd11_stat *)]; struct freebsd11_stat *
> >> >> sb; char sb_r_[PADR_(struct freebsd11_stat *)];
> >> >>  };
> >> >> -struct freebsd11_jail_args {
> >> >> -	char jail_l_[PADL_(struct jail *)]; struct jail * jail; char
> >> >> jail_r_[PADR_(struct jail *)];
> >> >> -};
> >> >>  struct freebsd11_kevent_args {
> >> >>  	char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
> >> >>  	char changelist_l_[PADL_(struct kevent_freebsd11 *)]; struct
> >> >> kevent_freebsd11 * changelist; char changelist_r_[PADR_(struct
> >> >> kevent_freebsd11 *)];
> >> >> @@ -2578,7 +2579,6 @@ int	freebsd11_nstat(struct thread *, struct
> >> >> freebsd11_
> >> >>  int	freebsd11_nfstat(struct thread *, struct freebsd11_nfstat_args
> >> >> *);
> >> >>  int	freebsd11_nlstat(struct thread *, struct freebsd11_nlstat_args
> >> >> *);
> >> >>  int	freebsd11_fhstat(struct thread *, struct freebsd11_fhstat_args
> >> >> *);
> >> >> -int	freebsd11_jail(struct thread *, struct freebsd11_jail_args *);
> >> >>  int	freebsd11_kevent(struct thread *, struct freebsd11_kevent_args
> >> >> *);
> >> >>  int	freebsd11_getfsstat(struct thread *, struct
> >> >> freebsd11_getfsstat_args *);
> >> >>  int	freebsd11_statfs(struct thread *, struct freebsd11_statfs_args
> >> >> *);
> >> >> @@ -2849,7 +2849,7 @@ int	freebsd11_mknodat(struct thread *, struct
> >> >> freebsd1
> >> >>  #define	SYS_AUE_utrace	AUE_NULL
> >> >>  #define	SYS_AUE_freebsd4_sendfile	AUE_SENDFILE
> >> >>  #define	SYS_AUE_kldsym	AUE_NULL
> >> >> -#define	SYS_AUE_freebsd11_jail	AUE_JAIL
> >> >> +#define	SYS_AUE_jail	AUE_JAIL
> >> >>  #define	SYS_AUE_nnpfs_syscall	AUE_NULL
> >> >>  #define	SYS_AUE_sigprocmask	AUE_SIGPROCMASK
> >> >>  #define	SYS_AUE_sigsuspend	AUE_SIGSUSPEND
> >> >>
> >> >>
> >> 
> 

-- 
Rod Grimes                                                 rgrimes@freebsd.org


