From owner-p4-projects@FreeBSD.ORG Mon Aug 3 12:37:55 2009
Date: Mon, 3 Aug 2009 12:37:50 GMT
Message-Id: <200908031237.n73CboGC034520@repoman.freebsd.org>
From: Marko Zec
To: Perforce Change Reviews
Subject: PERFORCE change 166961 for review
List-Id: p4 projects tree changes
X-List-Received-Date: Mon, 03 Aug 2009 12:37:57 -0000

http://perforce.freebsd.org/chv.cgi?CH=166961

Change 166961 by zec@zec_tpx32 on 2009/08/03 12:37:40

	Introduce socreate_vnet() function, which allows for sockets to be
	created in a vnet different from the current administrative vnet,
	i.e. the one defined by the curthread's ucred.

	Force RPC sockets to always become open in vnet0, which should allow
	NFS client mounts created in vnet0 to be accessible from non-default
	vnets.  Ideally, NFS mounts would keep track in which vnet they have
	been created, in which case we wouldn't have to hardcode NFS to vnet0.

	Note that there's still nothing to prevent NFS mounts from being
	requested from non-default vnets, which will most probably never
	succeed, and / or lead to cross-vnet leaks, and / or may lead to
	panics.  Hence, we should impose some barriers to jailed processes
	from requesting any NFS mount / export operations.

Affected files ...

.. //depot/projects/vimage-commit2/src/sys/kern/uipc_socket.c#30 edit
.. //depot/projects/vimage-commit2/src/sys/rpc/rpc_generic.c#5 edit
.. //depot/projects/vimage-commit2/src/sys/sys/socketvar.h#9 edit

Differences ...

==== //depot/projects/vimage-commit2/src/sys/kern/uipc_socket.c#30 (text+ko) ====
@@ -342,6 +342,24 @@ socreate(int dom, struct socket **aso, int type, int proto, struct ucred *cred, struct thread *td) { + +#ifndef VIMAGE + return (socreate_vnet(dom, aso, type, proto, cred, td, NULL); +#else + return (socreate_vnet(dom, aso, type, proto, cred, td, + CRED_TO_VNET(cred))); +#endif +} + +/* + * socreate_vnet returns a socket with a ref count of 1 in a vnet possibly + * different from CRED_TO_VNET(cred). The socket should be closed with + * soclose(). + */ +int +socreate_vnet(int dom, struct socket **aso, int type, int proto, + struct ucred *cred, struct thread *td, struct vnet *vnet) +{ struct protosw *prp; struct socket *so; int error; @@ -360,7 +378,7 @@ if (prp->pr_type != type) return (EPROTOTYPE); - so = soalloc(CRED_TO_VNET(cred)); + so = soalloc(vnet); if (so == NULL) return (ENOBUFS); ==== //depot/projects/vimage-commit2/src/sys/rpc/rpc_generic.c#5 (text+ko) ==== @@ -258,8 +258,8 @@ return 0; so = NULL; - error = socreate(si.si_af, &so, si.si_socktype, si.si_proto, - curthread->td_ucred, curthread); + error = socreate_vnet(si.si_af, &so, si.si_socktype, si.si_proto, + curthread->td_ucred, curthread, vnet0); if (error) return NULL; ==== //depot/projects/vimage-commit2/src/sys/sys/socketvar.h#9 (text+ko) ==== @@ -329,6 +329,8 @@ int socow_setup(struct mbuf *m0, struct uio *uio); int socreate(int dom, struct socket **aso, int type, int proto, struct ucred *cred, struct thread *td); +int socreate_vnet(int dom, struct socket **aso, int type, int proto, + struct ucred *cred, struct thread *td, struct vnet *vnet); int sodisconnect(struct socket *so); struct sockaddr *sodupsockaddr(const struct sockaddr *sa, int mflags); void sofree(struct socket *so);
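Review bot: the `#ifndef VIMAGE` branch of the new socreate() wrapper in uipc_socket.c is missing a closing parenthesis, so every kernel built without `options VIMAGE` fails to compile: `return (socreate_vnet(dom, aso, type, proto, cred, td, NULL);` opens two parentheses and closes one. It should read `return (socreate_vnet(dom, aso, type, proto, cred, td, NULL));`. While there, the comment above socreate_vnet() should state who is responsible for ensuring the caller is allowed to create a socket in a vnet other than CRED_TO_VNET(cred), since the function itself performs no such check and a NULL `vnet` is only meaningful when VIMAGE is not compiled in.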
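Review bot: in the second uipc_socket.c hunk, `so = soalloc(vnet);` replaces `soalloc(CRED_TO_VNET(cred))` without any assertion that `vnet` is non-NULL under VIMAGE or that the caller is entitled to use a vnet other than the credential's. With the credential-to-vnet binding no longer enforced at this point, a mistaken or malicious caller gets a socket in an arbitrary vnet while `cred` still describes a jailed process. Consider at least a `KASSERT(vnet != NULL, ...)` under `#ifdef VIMAGE` before the soalloc() call, and a comment noting that the only intended out-of-vnet caller is the RPC layer.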
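Review bot: the rpc_generic.c hunk unconditionally passes `vnet0` while still passing `curthread->td_ucred`, so an RPC socket created on behalf of a process in a non-default vnet is bound to vnet0 with a jailed credential attached. The commit message acknowledges that nothing stops NFS mount or export requests from non-default vnets; this is the point where that gap becomes a cross-vnet escape, because the jailed caller ends up with a socket in the base vnet's network stack. Until the NFS code records the vnet a mount was created in, this call site should refuse (or at minimum log) the case where `CRED_TO_VNET(curthread->td_ucred) != vnet0`, rather than silently placing the socket in vnet0.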
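Review bot: the socketvar.h hunk adds a prototype taking `struct vnet *vnet` but no forward declaration of `struct vnet` is visible alongside it. Unless socketvar.h already declares `struct vnet;` above this point (or includes a header that does), C treats the tag in a prototype parameter as a new declaration scoped to that prototype, which yields a warning and incompatible-pointer-type errors at call sites such as the one in rpc_generic.c. Add `struct vnet;` next to the other forward declarations in this header.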