Date: Wed, 28 Jan 2015 21:40:23 +0000 (UTC) From: Dimitry Andric <dim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r277858 - in projects/clang360-import: etc/rc.d sys/fs/fdescfs sys/kern sys/sys usr.sbin/binmiscctl usr.sbin/jail usr.sbin/pciconf usr.sbin/ppp Message-ID: <201501282140.t0SLeNeT073214@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dim Date: Wed Jan 28 21:40:22 2015 New Revision: 277858 URL: https://svnweb.freebsd.org/changeset/base/277858 Log: Merge ^/head r277844 through r277857. Modified: projects/clang360-import/etc/rc.d/ipfilter projects/clang360-import/sys/fs/fdescfs/fdesc_vfsops.c projects/clang360-import/sys/kern/kern_jail.c projects/clang360-import/sys/sys/jail.h projects/clang360-import/usr.sbin/binmiscctl/binmiscctl.c projects/clang360-import/usr.sbin/jail/jail.8 projects/clang360-import/usr.sbin/pciconf/pciconf.c projects/clang360-import/usr.sbin/ppp/command.c projects/clang360-import/usr.sbin/ppp/ipcp.c projects/clang360-import/usr.sbin/ppp/ipv6cp.c projects/clang360-import/usr.sbin/ppp/radius.c projects/clang360-import/usr.sbin/ppp/server.c Directory Properties: projects/clang360-import/ (props changed) projects/clang360-import/etc/ (props changed) projects/clang360-import/sys/ (props changed) projects/clang360-import/usr.sbin/jail/ (props changed) Modified: projects/clang360-import/etc/rc.d/ipfilter ============================================================================== --- projects/clang360-import/etc/rc.d/ipfilter Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/etc/rc.d/ipfilter Wed Jan 28 21:40:22 2015 (r277858) @@ -65,7 +65,6 @@ ipfilter_reload() err 1 'Load of rules into alternate set failed; aborting reload' fi fi - ${ipfilter_program:-/sbin/ipf} -I -6 -Fa if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} Modified: projects/clang360-import/sys/fs/fdescfs/fdesc_vfsops.c ============================================================================== --- projects/clang360-import/sys/fs/fdescfs/fdesc_vfsops.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/sys/fs/fdescfs/fdesc_vfsops.c Wed Jan 28 21:40:22 2015 (r277858) @@ -42,6 +42,7 @@ #include <sys/systm.h> #include <sys/filedesc.h> #include <sys/kernel.h> +#include <sys/jail.h> #include <sys/lock.h> #include <sys/mutex.h> #include <sys/malloc.h> @@ -78,8 +79,12 @@ fdesc_mount(struct mount *mp) { int error = 0; struct fdescmount *fmp; + struct thread *td = curthread; struct vnode *rvp; + if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS)) + return (EPERM); + /* * Update is a no-op */ @@ -237,4 +242,4 @@ static struct vfsops fdesc_vfsops = { .vfs_unmount = fdesc_unmount, }; -VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC); +VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL); Modified: projects/clang360-import/sys/kern/kern_jail.c ============================================================================== --- projects/clang360-import/sys/kern/kern_jail.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/sys/kern/kern_jail.c Wed Jan 28 21:40:22 2015 (r277858) @@ -208,6 +208,7 @@ static char *pr_allow_names[] = { "allow.mount.zfs", "allow.mount.procfs", "allow.mount.tmpfs", + "allow.mount.fdescfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -224,6 +225,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nozfs", "allow.mount.noprocfs", "allow.mount.notmpfs", + "allow.mount.nofdescfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4213,6 +4215,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mo CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the devfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I", + "Processes in jail can mount the fdescfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", @@ -4373,6 +4379,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYP "B", "Jail may mount/unmount jail-friendly file systems in general"); SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the devfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may mount the fdescfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the nullfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, Modified: projects/clang360-import/sys/sys/jail.h ============================================================================== --- projects/clang360-import/sys/sys/jail.h Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/sys/sys/jail.h Wed Jan 28 21:40:22 2015 (r277858) @@ -226,7 +226,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_ZFS 0x0200 #define PR_ALLOW_MOUNT_PROCFS 0x0400 #define PR_ALLOW_MOUNT_TMPFS 0x0800 -#define PR_ALLOW_ALL 0x0fff +#define PR_ALLOW_MOUNT_FDESCFS 0x1000 +#define PR_ALLOW_ALL 0x1fff /* * OSD methods Modified: projects/clang360-import/usr.sbin/binmiscctl/binmiscctl.c ============================================================================== --- projects/clang360-import/usr.sbin/binmiscctl/binmiscctl.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/binmiscctl/binmiscctl.c Wed Jan 28 21:40:22 2015 (r277858) @@ -363,7 +363,7 @@ add_cmd(__unused int argc, char *argv[], usage("Error: Missing magic argument"); } - if (!xbe->xbe_interpreter) { + if (!strnlen(xbe->xbe_interpreter, IBE_INTERP_LEN_MAX)) { usage("Error: Missing 'interpreter' argument"); } Modified: projects/clang360-import/usr.sbin/jail/jail.8 ============================================================================== --- projects/clang360-import/usr.sbin/jail/jail.8 Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/jail/jail.8 Wed Jan 28 21:40:22 2015 (r277858) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 4, 2014 +.Dd January 28, 2015 .Dt JAIL 8 .Os .Sh NAME @@ -362,7 +362,7 @@ A set of IPv6 options for the jail, the and .Va ip4 above. -.It vnet +.It Va vnet Create the jail with its own virtual network stack, with its own network interfaces, addresses, routing table, etc. The kernel must have been compiled with the @@ -531,6 +531,14 @@ is set to a value lower than 2. The devfs ruleset should be restricted from the default by using the .Va devfs_ruleset option. +.It Va allow.mount.fdescfs +privileged users inside the jail will be able to mount and unmount the +fdescfs file system. +This permission is effective only together with +.Va allow.mount +and only when +.Va enforce_statfs +is set to a value lower than 2. .It Va allow.mount.nullfs privileged users inside the jail will be able to mount and unmount the nullfs file system. Modified: projects/clang360-import/usr.sbin/pciconf/pciconf.c ============================================================================== --- projects/clang360-import/usr.sbin/pciconf/pciconf.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/pciconf/pciconf.c Wed Jan 28 21:40:22 2015 (r277858) @@ -234,9 +234,9 @@ list_devs(const char *name, int verbose, for (p = conf; p < &conf[pc.num_matches]; p++) { printf("%s%d@pci%d:%d:%d:%d:\tclass=0x%06x card=0x%08x " "chip=0x%08x rev=0x%02x hdr=0x%02x\n", - (p->pd_name && *p->pd_name) ? p->pd_name : + *p->pd_name ? p->pd_name : "none", - (p->pd_name && *p->pd_name) ? (int)p->pd_unit : + *p->pd_name ? (int)p->pd_unit : none_count++, p->pc_sel.pc_domain, p->pc_sel.pc_bus, p->pc_sel.pc_dev, p->pc_sel.pc_func, (p->pc_class << 16) | Modified: projects/clang360-import/usr.sbin/ppp/command.c ============================================================================== --- projects/clang360-import/usr.sbin/ppp/command.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/ppp/command.c Wed Jan 28 21:40:22 2015 (r277858) @@ -2051,7 +2051,7 @@ SetVariable(struct cmdargs const *arg) res = 1; } else { arg->bundle->radius.alive.interval = atoi(argp); - if (arg->bundle->radius.alive.interval && !arg->bundle->radius.cfg.file) { + if (arg->bundle->radius.alive.interval && !*arg->bundle->radius.cfg.file) { log_Printf(LogWARN, "rad_alive requires radius to be configured\n"); res = 1; } else if (arg->bundle->ncp.ipcp.fsm.state == ST_OPENED) { @@ -2335,7 +2335,7 @@ SetVariable(struct cmdargs const *arg) res = 1; } - if (arg->bundle->radius.port_id_type && !arg->bundle->radius.cfg.file) { + if (arg->bundle->radius.port_id_type && !*arg->bundle->radius.cfg.file) { log_Printf(LogWARN, "rad_port_id requires radius to be configured\n"); res = 1; } Modified: projects/clang360-import/usr.sbin/ppp/ipcp.c ============================================================================== --- projects/clang360-import/usr.sbin/ppp/ipcp.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/ppp/ipcp.c Wed Jan 28 21:40:22 2015 (r277858) @@ -880,7 +880,7 @@ IpcpLayerDown(struct fsm *fp) radius_Account(&fp->bundle->radius, &fp->bundle->radacct, fp->bundle->links, RAD_STOP, &ipcp->throughput); - if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) + if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) system_Select(fp->bundle, fp->bundle->radius.filterid, LINKDOWNFILE, NULL, NULL); radius_StopTimer(&fp->bundle->radius); @@ -949,7 +949,7 @@ IpcpLayerUp(struct fsm *fp) radius_Account(&fp->bundle->radius, &fp->bundle->radacct, fp->bundle->links, RAD_START, &ipcp->throughput); - if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) + if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) system_Select(fp->bundle, fp->bundle->radius.filterid, LINKUPFILE, NULL, NULL); radius_StartTimer(fp->bundle); Modified: projects/clang360-import/usr.sbin/ppp/ipv6cp.c ============================================================================== --- projects/clang360-import/usr.sbin/ppp/ipv6cp.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/ppp/ipv6cp.c Wed Jan 28 21:40:22 2015 (r277858) @@ -486,7 +486,7 @@ ipv6cp_LayerUp(struct fsm *fp) * evaluated. */ if (!Enabled(fp->bundle, OPT_IPCP)) { - if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) + if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) system_Select(fp->bundle, fp->bundle->radius.filterid, LINKUPFILE, NULL, NULL); } @@ -539,7 +539,7 @@ ipv6cp_LayerDown(struct fsm *fp) * evaluated. */ if (!Enabled(fp->bundle, OPT_IPCP)) { - if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) + if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid) system_Select(fp->bundle, fp->bundle->radius.filterid, LINKDOWNFILE, NULL, NULL); } Modified: projects/clang360-import/usr.sbin/ppp/radius.c ============================================================================== --- projects/clang360-import/usr.sbin/ppp/radius.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/ppp/radius.c Wed Jan 28 21:40:22 2015 (r277858) @@ -1345,7 +1345,7 @@ radius_alive(void *v) void radius_StartTimer(struct bundle *bundle) { - if (bundle->radius.cfg.file && bundle->radius.alive.interval) { + if (*bundle->radius.cfg.file && bundle->radius.alive.interval) { bundle->radius.alive.timer.func = radius_alive; bundle->radius.alive.timer.name = "radius alive"; bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS; Modified: projects/clang360-import/usr.sbin/ppp/server.c ============================================================================== --- projects/clang360-import/usr.sbin/ppp/server.c Wed Jan 28 21:33:49 2015 (r277857) +++ projects/clang360-import/usr.sbin/ppp/server.c Wed Jan 28 21:40:22 2015 (r277858) @@ -248,7 +248,7 @@ server_LocalOpen(struct bundle *bundle, oldmask = (mode_t)-1; /* Silence compiler */ - if (server.cfg.sockname && !strcmp(server.cfg.sockname, name)) + if (server.cfg.sockname[0] != '\0' && !strcmp(server.cfg.sockname, name)) server_Close(bundle); memset(&ifsun, '\0', sizeof ifsun);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501282140.t0SLeNeT073214>