Date:      Thu, 13 Aug 2009 10:31:03 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r196178 - in stable/8/sys: . amd64/include/xen cddl/contrib/opensolaris contrib/dev/acpica contrib/pf dev/ata dev/cxgb dev/sound/usb dev/usb dev/usb/controller dev/usb/input dev/usb/mis...
Message-ID:  <200908131031.n7DAV3WZ097854@svn.freebsd.org>

Author: bz
Date: Thu Aug 13 10:31:02 2009
New Revision: 196178
URL: http://svn.freebsd.org/changeset/base/196178

Log:
  MFC r196176:
  
    Make it possible to change the vnet sysctl variables on jails
    with their own virtual network stack. Jails only inheriting a
    network stack cannot change anything that cannot be changed from
    within a prison.
  
    Reviewed by:  rwatson, zec
  
  Approved by:	re (kib)

Modified:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/ata/   (props changed)
  stable/8/sys/dev/ata/ata-usb.c   (props changed)
  stable/8/sys/dev/cxgb/   (props changed)
  stable/8/sys/dev/sound/usb/uaudio.c   (props changed)
  stable/8/sys/dev/sound/usb/uaudio.h   (props changed)
  stable/8/sys/dev/sound/usb/uaudio_pcm.c   (props changed)
  stable/8/sys/dev/sound/usb/uaudioreg.h   (props changed)
  stable/8/sys/dev/usb/controller/at91dci.c   (props changed)
  stable/8/sys/dev/usb/controller/at91dci.h   (props changed)
  stable/8/sys/dev/usb/controller/at91dci_atmelarm.c   (props changed)
  stable/8/sys/dev/usb/controller/atmegadci.c   (props changed)
  stable/8/sys/dev/usb/controller/atmegadci.h   (props changed)
  stable/8/sys/dev/usb/controller/atmegadci_atmelarm.c   (props changed)
  stable/8/sys/dev/usb/controller/ehci.c   (props changed)
  stable/8/sys/dev/usb/controller/ehci.h   (props changed)
  stable/8/sys/dev/usb/controller/ehci_ixp4xx.c   (props changed)
  stable/8/sys/dev/usb/controller/ehci_mbus.c   (props changed)
  stable/8/sys/dev/usb/controller/ehci_pci.c   (props changed)
  stable/8/sys/dev/usb/controller/musb_otg.c   (props changed)
  stable/8/sys/dev/usb/controller/musb_otg.h   (props changed)
  stable/8/sys/dev/usb/controller/musb_otg_atmelarm.c   (props changed)
  stable/8/sys/dev/usb/controller/ohci.c   (props changed)
  stable/8/sys/dev/usb/controller/ohci.h   (props changed)
  stable/8/sys/dev/usb/controller/ohci_atmelarm.c   (props changed)
  stable/8/sys/dev/usb/controller/ohci_pci.c   (props changed)
  stable/8/sys/dev/usb/controller/uhci.c   (props changed)
  stable/8/sys/dev/usb/controller/uhci.h   (props changed)
  stable/8/sys/dev/usb/controller/uhci_pci.c   (props changed)
  stable/8/sys/dev/usb/controller/usb_controller.c   (props changed)
  stable/8/sys/dev/usb/controller/uss820dci.c   (props changed)
  stable/8/sys/dev/usb/controller/uss820dci.h   (props changed)
  stable/8/sys/dev/usb/controller/uss820dci_atmelarm.c   (props changed)
  stable/8/sys/dev/usb/input/uhid.c   (props changed)
  stable/8/sys/dev/usb/input/ukbd.c   (props changed)
  stable/8/sys/dev/usb/input/ums.c   (props changed)
  stable/8/sys/dev/usb/input/usb_rdesc.h   (props changed)
  stable/8/sys/dev/usb/misc/udbp.c   (props changed)
  stable/8/sys/dev/usb/misc/udbp.h   (props changed)
  stable/8/sys/dev/usb/misc/ufm.c   (props changed)
  stable/8/sys/dev/usb/net/if_aue.c   (props changed)
  stable/8/sys/dev/usb/net/if_auereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_axe.c   (props changed)
  stable/8/sys/dev/usb/net/if_axereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_cdce.c   (props changed)
  stable/8/sys/dev/usb/net/if_cdcereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_cue.c   (props changed)
  stable/8/sys/dev/usb/net/if_cuereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_kue.c   (props changed)
  stable/8/sys/dev/usb/net/if_kuefw.h   (props changed)
  stable/8/sys/dev/usb/net/if_kuereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_rue.c   (props changed)
  stable/8/sys/dev/usb/net/if_ruereg.h   (props changed)
  stable/8/sys/dev/usb/net/if_udav.c   (props changed)
  stable/8/sys/dev/usb/net/if_udavreg.h   (props changed)
  stable/8/sys/dev/usb/net/usb_ethernet.c   (props changed)
  stable/8/sys/dev/usb/net/usb_ethernet.h   (props changed)
  stable/8/sys/dev/usb/quirk/usb_quirk.c   (props changed)
  stable/8/sys/dev/usb/quirk/usb_quirk.h   (props changed)
  stable/8/sys/dev/usb/serial/u3g.c   (props changed)
  stable/8/sys/dev/usb/serial/uark.c   (props changed)
  stable/8/sys/dev/usb/serial/ubsa.c   (props changed)
  stable/8/sys/dev/usb/serial/ubser.c   (props changed)
  stable/8/sys/dev/usb/serial/uchcom.c   (props changed)
  stable/8/sys/dev/usb/serial/ucycom.c   (props changed)
  stable/8/sys/dev/usb/serial/ufoma.c   (props changed)
  stable/8/sys/dev/usb/serial/uftdi.c   (props changed)
  stable/8/sys/dev/usb/serial/uftdi_reg.h   (props changed)
  stable/8/sys/dev/usb/serial/ugensa.c   (props changed)
  stable/8/sys/dev/usb/serial/uipaq.c   (props changed)
  stable/8/sys/dev/usb/serial/ulpt.c   (props changed)
  stable/8/sys/dev/usb/serial/umct.c   (props changed)
  stable/8/sys/dev/usb/serial/umodem.c   (props changed)
  stable/8/sys/dev/usb/serial/umoscom.c   (props changed)
  stable/8/sys/dev/usb/serial/uplcom.c   (props changed)
  stable/8/sys/dev/usb/serial/usb_serial.c   (props changed)
  stable/8/sys/dev/usb/serial/usb_serial.h   (props changed)
  stable/8/sys/dev/usb/serial/uslcom.c   (props changed)
  stable/8/sys/dev/usb/serial/uvisor.c   (props changed)
  stable/8/sys/dev/usb/serial/uvscom.c   (props changed)
  stable/8/sys/dev/usb/storage/rio500_usb.h   (props changed)
  stable/8/sys/dev/usb/storage/umass.c   (props changed)
  stable/8/sys/dev/usb/storage/urio.c   (props changed)
  stable/8/sys/dev/usb/storage/ustorage_fs.c   (props changed)
  stable/8/sys/dev/usb/template/usb_template.c   (props changed)
  stable/8/sys/dev/usb/template/usb_template.h   (props changed)
  stable/8/sys/dev/usb/template/usb_template_cdce.c   (props changed)
  stable/8/sys/dev/usb/template/usb_template_msc.c   (props changed)
  stable/8/sys/dev/usb/template/usb_template_mtp.c   (props changed)
  stable/8/sys/dev/usb/ufm_ioctl.h   (props changed)
  stable/8/sys/dev/usb/usb.h   (props changed)
  stable/8/sys/dev/usb/usb_bus.h   (props changed)
  stable/8/sys/dev/usb/usb_busdma.c   (props changed)
  stable/8/sys/dev/usb/usb_busdma.h   (props changed)
  stable/8/sys/dev/usb/usb_cdc.h   (props changed)
  stable/8/sys/dev/usb/usb_compat_linux.c   (props changed)
  stable/8/sys/dev/usb/usb_compat_linux.h   (props changed)
  stable/8/sys/dev/usb/usb_controller.h   (props changed)
  stable/8/sys/dev/usb/usb_core.c   (props changed)
  stable/8/sys/dev/usb/usb_core.h   (props changed)
  stable/8/sys/dev/usb/usb_debug.c   (props changed)
  stable/8/sys/dev/usb/usb_debug.h   (props changed)
  stable/8/sys/dev/usb/usb_dev.c   (props changed)
  stable/8/sys/dev/usb/usb_dev.h   (props changed)
  stable/8/sys/dev/usb/usb_device.c   (props changed)
  stable/8/sys/dev/usb/usb_device.h   (props changed)
  stable/8/sys/dev/usb/usb_dynamic.c   (props changed)
  stable/8/sys/dev/usb/usb_dynamic.h   (props changed)
  stable/8/sys/dev/usb/usb_endian.h   (props changed)
  stable/8/sys/dev/usb/usb_error.c   (props changed)
  stable/8/sys/dev/usb/usb_generic.c   (props changed)
  stable/8/sys/dev/usb/usb_generic.h   (props changed)
  stable/8/sys/dev/usb/usb_handle_request.c   (props changed)
  stable/8/sys/dev/usb/usb_hid.c   (props changed)
  stable/8/sys/dev/usb/usb_hub.c   (props changed)
  stable/8/sys/dev/usb/usb_hub.h   (props changed)
  stable/8/sys/dev/usb/usb_if.m   (props changed)
  stable/8/sys/dev/usb/usb_ioctl.h   (props changed)
  stable/8/sys/dev/usb/usb_lookup.c   (props changed)
  stable/8/sys/dev/usb/usb_mbuf.c   (props changed)
  stable/8/sys/dev/usb/usb_mbuf.h   (props changed)
  stable/8/sys/dev/usb/usb_msctest.c   (props changed)
  stable/8/sys/dev/usb/usb_msctest.h   (props changed)
  stable/8/sys/dev/usb/usb_parse.c   (props changed)
  stable/8/sys/dev/usb/usb_pci.h   (props changed)
  stable/8/sys/dev/usb/usb_process.c   (props changed)
  stable/8/sys/dev/usb/usb_process.h   (props changed)
  stable/8/sys/dev/usb/usb_request.c   (props changed)
  stable/8/sys/dev/usb/usb_request.h   (props changed)
  stable/8/sys/dev/usb/usb_transfer.c   (props changed)
  stable/8/sys/dev/usb/usb_transfer.h   (props changed)
  stable/8/sys/dev/usb/usb_util.c   (props changed)
  stable/8/sys/dev/usb/usb_util.h   (props changed)
  stable/8/sys/dev/usb/usbdevs   (props changed)
  stable/8/sys/dev/usb/usbhid.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_rum.c   (props changed)
  stable/8/sys/dev/usb/wlan/if_rumfw.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_rumreg.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_rumvar.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_ural.c   (props changed)
  stable/8/sys/dev/usb/wlan/if_uralreg.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_uralvar.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_zyd.c   (props changed)
  stable/8/sys/dev/usb/wlan/if_zydfw.h   (props changed)
  stable/8/sys/dev/usb/wlan/if_zydreg.h   (props changed)
  stable/8/sys/dev/xen/netfront/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)
  stable/8/sys/kern/kern_jail.c
  stable/8/sys/kern/kern_sysctl.c
  stable/8/sys/modules/dtrace/dtnfsclient/   (props changed)
  stable/8/sys/modules/ip6_mroute_mod/   (props changed)
  stable/8/sys/modules/ipmi/ipmi_linux/   (props changed)
  stable/8/sys/net/vnet.h
  stable/8/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c   (props changed)
  stable/8/sys/netgraph/bluetooth/drivers/ubt/ng_ubt_var.h   (props changed)
  stable/8/sys/netgraph/bluetooth/drivers/ubtbcmfw/ubtbcmfw.c   (props changed)
  stable/8/sys/netinet/ipfw/ip_dummynet.c   (props changed)
  stable/8/sys/netinet/ipfw/ip_fw2.c   (props changed)
  stable/8/sys/netinet/ipfw/ip_fw_nat.c   (props changed)
  stable/8/sys/netinet/ipfw/ip_fw_pfil.c   (props changed)
  stable/8/sys/netipx/spx_reass.c   (props changed)
  stable/8/sys/sys/jail.h
  stable/8/sys/sys/sysctl.h
  stable/8/sys/xen/evtchn.h   (props changed)
  stable/8/sys/xen/hypervisor.h   (props changed)
  stable/8/sys/xen/xen_intr.h   (props changed)

Modified: stable/8/sys/kern/kern_jail.c
==============================================================================
--- stable/8/sys/kern/kern_jail.c	Thu Aug 13 10:27:22 2009	(r196177)
+++ stable/8/sys/kern/kern_jail.c	Thu Aug 13 10:31:02 2009	(r196178)
@@ -88,7 +88,11 @@ struct prison prison0 = {
 	.pr_childmax	= JAIL_MAX,
 	.pr_hostuuid	= DEFAULT_HOSTUUID,
 	.pr_children	= LIST_HEAD_INITIALIZER(&prison0.pr_children),
+#ifdef VIMAGE
+	.pr_flags	= PR_HOST|PR_VNET,
+#else
 	.pr_flags	= PR_HOST,
+#endif
 	.pr_allow	= PR_ALLOW_ALL,
 };
 MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);
@@ -3308,6 +3312,25 @@ getcredhostid(struct ucred *cred, unsign
 	mtx_unlock(&cred->cr_prison->pr_mtx);
 }
 
+#ifdef VIMAGE
+/*
+ * Determine whether the prison represented by cred owns
+ * its vnet rather than having it inherited.
+ *
+ * Returns 1 in case the prison owns the vnet, 0 otherwise.
+ */
+int
+prison_owns_vnet(struct ucred *cred)
+{
+
+	/*
+	 * vnets cannot be added/removed after jail creation,
+	 * so no need to lock here.
+	 */
+	return (cred->cr_prison->pr_flags & PR_VNET ? 1 : 0);
+}
+#endif
+
 /*
  * Determine whether the subject represented by cred can "see"
  * status of a mount point.
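Review bot: prison_owns_vnet() is only compiled under `#ifdef VIMAGE`, but the prototype added to sys/jail.h in this commit is unconditional, so any caller that is not itself wrapped in `#ifdef VIMAGE` (kern_sysctl.c is, today) would compile and then fail to link on a non-VIMAGE kernel. Either guard the prototype the same way or give the `#else` branch a stub that returns 0, so the contract "no vnet of its own" is expressed in one place rather than by every caller's ifdef. The ternary is also redundant on a flag test; `return ((cred->cr_prison->pr_flags & PR_VNET) != 0);` reads more directly and is what the comment above promises. The lock-free read relies on PR_VNET being fixed at jail creation, which the comment states but nothing here enforces; worth a pointer to where that invariant is established if one exists.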

Modified: stable/8/sys/kern/kern_sysctl.c
==============================================================================
--- stable/8/sys/kern/kern_sysctl.c	Thu Aug 13 10:27:22 2009	(r196177)
+++ stable/8/sys/kern/kern_sysctl.c	Thu Aug 13 10:31:02 2009	(r196178)
@@ -1381,10 +1381,18 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
 
 	/* Is this sysctl writable by only privileged users? */
 	if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {
+		int priv;
+
 		if (oid->oid_kind & CTLFLAG_PRISON)
-			error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL);
+			priv = PRIV_SYSCTL_WRITEJAIL;
+#ifdef VIMAGE
+		else if ((oid->oid_kind & CTLFLAG_VNET) &&
+		     prison_owns_vnet(req->td->td_ucred))
+			priv = PRIV_SYSCTL_WRITEJAIL;
+#endif
 		else
-			error = priv_check(req->td, PRIV_SYSCTL_WRITE);
+			priv = PRIV_SYSCTL_WRITE;
+		error = priv_check(req->td, priv);
 		if (error)
 			return (error);
 	}
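Review bot: The new `else if` branch lowers the privilege required for a CTLFLAG_VNET oid from PRIV_SYSCTL_WRITE to PRIV_SYSCTL_WRITEJAIL when the caller's prison owns its vnet, and nothing in the hunk records why that is safe; a comment such as `/* A prison that owns its vnet may write that vnet's private state; inherited vnets fall through to PRIV_SYSCTL_WRITE. */` above the branch would keep the next reader from weakening it further. Because the decision is keyed purely on the flag, CTLFLAG_VNET becomes a privilege-lowering bit: any oid that carries it without actually being per-vnet would be writable by a vnet jail, so the flag should only be set through the SYSCTL_VNET_* macros on virtualized variables. Note too that prison0 now carries PR_VNET under VIMAGE (first hunk of kern_jail.c), so an unjailed caller also takes the PRIV_SYSCTL_WRITEJAIL path for these oids; that is presumably equivalent for root, but a MAC policy that distinguishes the two privileges would see a change. The enclosing sysctl_root() begins and ends outside the hunk. The flag's own comment in sysctl.h ("Prisons with vnet can fiddle") would be clearer as `/* Prison owning its vnet may write this oid */`.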

Modified: stable/8/sys/net/vnet.h
==============================================================================
--- stable/8/sys/net/vnet.h	Thu Aug 13 10:27:22 2009	(r196177)
+++ stable/8/sys/net/vnet.h	Thu Aug 13 10:31:02 2009	(r196178)
@@ -232,21 +232,25 @@ int	vnet_sysctl_handle_string(SYSCTL_HAN
 int	vnet_sysctl_handle_uint(SYSCTL_HANDLER_ARGS);
 
 #define	SYSCTL_VNET_INT(parent, nbr, name, access, ptr, val, descr)	\
-	SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|CTLFLAG_MPSAFE|(access), \
+	SYSCTL_OID(parent, nbr, name,					\
+	    CTLTYPE_INT|CTLFLAG_MPSAFE|CTLFLAG_VNET|(access),		\
 	    ptr, val, vnet_sysctl_handle_int, "I", descr)
 #define	SYSCTL_VNET_PROC(parent, nbr, name, access, ptr, arg, handler,	\
 	    fmt, descr)							\
-	SYSCTL_OID(parent, nbr, name, access, ptr, arg, handler, fmt,	\
-	    descr)
+	SYSCTL_OID(parent, nbr, name, CTLFLAG_VNET|(access), ptr, arg, 	\
+	    handler, fmt, descr)
 #define	SYSCTL_VNET_STRING(parent, nbr, name, access, arg, len, descr)	\
-	SYSCTL_OID(parent, nbr, name, CTLTYPE_STRING|(access), arg,	\
-	    len, vnet_sysctl_handle_string, "A", descr)
+	SYSCTL_OID(parent, nbr, name,					\
+	    CTLTYPE_STRING|CTLFLAG_VNET|(access),			\
+	    arg, len, vnet_sysctl_handle_string, "A", descr)
 #define	SYSCTL_VNET_STRUCT(parent, nbr, name, access, ptr, type, descr)	\
-	SYSCTL_OID(parent, nbr, name, CTLTYPE_OPAQUE|(access), ptr,	\
+	SYSCTL_OID(parent, nbr, name,					\
+	    CTLTYPE_OPAQUE|CTLFLAG_VNET|(access), ptr,			\
 	    sizeof(struct type), vnet_sysctl_handle_opaque, "S," #type,	\
 	    descr)
 #define	SYSCTL_VNET_UINT(parent, nbr, name, access, ptr, val, descr)	\
-	SYSCTL_OID(parent, nbr, name, CTLTYPE_UINT|CTLFLAG_MPSAFE|(access), \
+	SYSCTL_OID(parent, nbr, name,					\
+	    CTLTYPE_UINT|CTLFLAG_MPSAFE|CTLFLAG_VNET|(access),		\
 	    ptr, val, vnet_sysctl_handle_uint, "IU", descr)
 #define	VNET_SYSCTL_ARG(req, arg1) do {					\
 	if (arg1 != NULL)						\
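Review bot: Every SYSCTL_VNET_* macro now ORs CTLFLAG_VNET into the flags unconditionally, so the `access` argument can no longer describe a vnet variable that should stay host-only; that is the intended contract, but it is not written down anywhere near the macros. A one-line comment above the group, e.g. `/* SYSCTL_VNET_* oids are writable from a prison that owns its vnet, subject to access. */`, would document it where new declarations are written. Minor style: the rewritten SYSCTL_VNET_PROC line has a stray space before the tab and continuation backslash after `arg,`, unlike the neighbouring lines.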

Modified: stable/8/sys/sys/jail.h
==============================================================================
--- stable/8/sys/sys/jail.h	Thu Aug 13 10:27:22 2009	(r196177)
+++ stable/8/sys/sys/jail.h	Thu Aug 13 10:31:02 2009	(r196178)
@@ -341,6 +341,7 @@ void getcredhostuuid(struct ucred *, cha
 void getcredhostid(struct ucred *, unsigned long *);
 int prison_allow(struct ucred *, unsigned);
 int prison_check(struct ucred *cred1, struct ucred *cred2);
+int prison_owns_vnet(struct ucred *);
 int prison_canseemount(struct ucred *cred, struct mount *mp);
 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
     struct statfs *sp);

Modified: stable/8/sys/sys/sysctl.h
==============================================================================
--- stable/8/sys/sys/sysctl.h	Thu Aug 13 10:27:22 2009	(r196177)
+++ stable/8/sys/sys/sysctl.h	Thu Aug 13 10:31:02 2009	(r196178)
@@ -85,6 +85,7 @@ struct ctlname {
 #define CTLMASK_SECURE	0x00F00000	/* Secure level */
 #define CTLFLAG_TUN	0x00080000	/* Tunable variable */
 #define CTLFLAG_MPSAFE	0x00040000	/* Handler is MP safe */
+#define CTLFLAG_VNET	0x00020000	/* Prisons with vnet can fiddle */
 #define CTLFLAG_RDTUN	(CTLFLAG_RD|CTLFLAG_TUN)
 
 /*


