Date: Tue, 03 Feb 2026 04:38:07 +0000
From: Kyle Evans <kevans@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 56b9de5484bc - stable/14 - jail: separate "statically valid allow flags" from "prison0 allow flags"
Message-ID: <69817baf.45d28.45285012@gitrepo.freebsd.org>
The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=56b9de5484bc035304290d83fb2dc92d55b98eb4 commit 56b9de5484bc035304290d83fb2dc92d55b98eb4 Author: Kyle Evans <kevans@FreeBSD.org> AuthorDate: 2026-02-03 04:37:23 +0000 Commit: Kyle Evans <kevans@FreeBSD.org> CommitDate: 2026-02-03 04:37:23 +0000 jail: separate "statically valid allow flags" from "prison0 allow flags" The current setup means that we can't add an allow flag in sys/jail.h that's disabled by default without removing it from the pr_flags assignment in kern_jail.c. That's technically fine, but I think it's better to make it more prevalent at the PR_ALLOW_* definition site so that it's top-of-mind when adding a new flag. This is a preparatory change for adding an allow flag that prison0 will also have disabled by default, but with an allow.* knob and sysctl to enable it. Reviewed by: jamie (cherry picked from commit 58c92776d1580717934e29ca2c0ef9bf2fbb7397) --- sys/kern/kern_jail.c | 5 ++++- sys/sys/jail.h | 8 ++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 03a5eaabdf34..30b77090434e 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -117,8 +117,11 @@ struct prison prison0 = { #else .pr_flags = PR_HOST|_PR_IP_SADDRSEL, #endif - .pr_allow = PR_ALLOW_ALL_STATIC, + .pr_allow = PR_ALLOW_PRISON0, }; +_Static_assert((PR_ALLOW_PRISON0 & ~PR_ALLOW_ALL_STATIC) == 0, + "Bits enabled in PR_ALLOW_PRISON0 that are not statically reserved"); + MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); struct bool_flags { diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 0291d99ec5af..504dedc277df 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h 
@@ -257,7 +257,15 @@ struct prison_racct { #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ #define PR_ALLOW_NFSD 0x00020000 #define PR_ALLOW_ROUTING 0x00040000 + +/* + * PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0, + * while PR_ALLOW_ALL_STATIC are all of the allow bits that we have allocated at + * build time. PR_ALLOW_ALL_STATIC should contain any bit above that we expect + * to be used on the system, while PR_ALLOW_PRISON0 will be some subset of that. + */ #define PR_ALLOW_ALL_STATIC 0x000787ff +#define PR_ALLOW_PRISON0 (PR_ALLOW_ALL_STATIC) /* * PR_ALLOW_DIFFERENCES determines which flags are able to be
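Review bot: the _Static_assert added after the prison0 initializer in sys/kern/kern_jail.c only checks that PR_ALLOW_PRISON0 is a subset of PR_ALLOW_ALL_STATIC, and since PR_ALLOW_PRISON0 is defined in this same change as (PR_ALLOW_ALL_STATIC) it cannot fail yet; its value lies entirely in the follow-up change. The message "Bits enabled in PR_ALLOW_PRISON0 that are not statically reserved" says what went wrong but not the remedy. Consider wording that tells the reader to either add the bit to PR_ALLOW_ALL_STATIC in sys/jail.h or drop it from PR_ALLOW_PRISON0.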
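Review bot: in the sys/sys/jail.h hunk, "#define PR_ALLOW_PRISON0 (PR_ALLOW_ALL_STATIC)" keeps prison0's defaults opt-out rather than opt-in: any bit later added to the PR_ALLOW_ALL_STATIC mask is still granted to prison0 unless the same change also masks it out of PR_ALLOW_PRISON0. The new comment says PR_ALLOW_PRISON0 "will be some subset of that" but does not say how a default-off flag should be expressed. Suggest stating in the comment that such a flag must be removed explicitly, in the form (PR_ALLOW_ALL_STATIC & ~<new flag>), so that the two definitions do not drift into separate hard-coded masks. Minor wording: "PR_ALLOW_PRISON0 are the allow flags" reads better as "PR_ALLOW_PRISON0 is the set of allow flags".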
