From owner-p4-projects@FreeBSD.ORG Tue Aug 11 15:28:59 2009 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 986391065677; Tue, 11 Aug 2009 15:28:58 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 503F3106566B for ; Tue, 11 Aug 2009 15:28:58 +0000 (UTC) (envelope-from zec@fer.hr) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 3501F8FC44 for ; Tue, 11 Aug 2009 15:28:58 +0000 (UTC) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id n7BFSwoN036219 for ; Tue, 11 Aug 2009 15:28:58 GMT (envelope-from zec@fer.hr) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id n7BFSwG1036217 for perforce@freebsd.org; Tue, 11 Aug 2009 15:28:58 GMT (envelope-from zec@fer.hr) Date: Tue, 11 Aug 2009 15:28:58 GMT Message-Id: <200908111528.n7BFSwG1036217@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to zec@fer.hr using -f From: Marko Zec To: Perforce Change Reviews Cc: Subject: PERFORCE change 167213 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Aug 2009 15:29:00 -0000 http://perforce.freebsd.org/chv.cgi?CH=167213 Change 167213 by zec@zec_tpx32 on 2009/08/11 15:28:53 Merge for further testing bz's patch for (re)enabling sysctls to operate on VNET V_irtualized state in jails. Submitted by: bz Affected files ... .. //depot/projects/vimage-commit2/src/sys/kern/kern_jail.c#30 edit .. //depot/projects/vimage-commit2/src/sys/kern/kern_sysctl.c#16 edit .. //depot/projects/vimage-commit2/src/sys/net/vnet.h#31 edit .. //depot/projects/vimage-commit2/src/sys/sys/jail.h#16 edit .. //depot/projects/vimage-commit2/src/sys/sys/sysctl.h#26 edit Differences ... ==== //depot/projects/vimage-commit2/src/sys/kern/kern_jail.c#30 (text+ko) ==== @@ -88,7 +88,11 @@ .pr_childmax = JAIL_MAX, .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(&prison0.pr_children), +#ifdef VIMAGE + .pr_flags = PR_HOST|PR_VNET, +#else .pr_flags = PR_HOST, +#endif .pr_allow = PR_ALLOW_ALL, }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); @@ -3307,6 +3311,25 @@ mtx_unlock(&cred->cr_prison->pr_mtx); } +#ifdef VIMAGE +/* + * Determine wheter the prison represented by cred owns + * its vnet rather than having it inherited. + * + * Returns 1 in case the prison owns the vnet, 0 otherwise. + */ +int +prison_owns_vnet(struct ucred *cred) +{ + + /* + * vnets cannot be added/removed after jail creation, + * so no need to lock here. + */ + return (cred->cr_prison->pr_flags & PR_VNET ? 1 : 0); +} +#endif + /* * Determine whether the subject represented by cred can "see" * status of a mount point. ==== //depot/projects/vimage-commit2/src/sys/kern/kern_sysctl.c#16 (text+ko) ==== @@ -1381,10 +1381,18 @@ /* Is this sysctl writable by only privileged users? */ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) { + int priv; + if (oid->oid_kind & CTLFLAG_PRISON) - error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL); + priv = PRIV_SYSCTL_WRITEJAIL; +#ifdef VIMAGE + else if ((oid->oid_kind & CTLFLAG_VNET) && + prison_owns_vnet(req->td->td_ucred)) + priv = PRIV_SYSCTL_WRITEJAIL; +#endif else - error = priv_check(req->td, PRIV_SYSCTL_WRITE); + priv = PRIV_SYSCTL_WRITE; + error = priv_check(req->td, priv); if (error) return (error); } ==== //depot/projects/vimage-commit2/src/sys/net/vnet.h#31 (text+ko) ==== @@ -227,21 +227,25 @@ int vnet_sysctl_handle_uint(SYSCTL_HANDLER_ARGS); #define SYSCTL_VNET_INT(parent, nbr, name, access, ptr, val, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|CTLFLAG_MPSAFE|(access), \ + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_INT|CTLFLAG_MPSAFE|CTLFLAG_VNET|(access), \ ptr, val, vnet_sysctl_handle_int, "I", descr) #define SYSCTL_VNET_PROC(parent, nbr, name, access, ptr, arg, handler, \ fmt, descr) \ - SYSCTL_OID(parent, nbr, name, access, ptr, arg, handler, fmt, \ - descr) + SYSCTL_OID(parent, nbr, name, CTLFLAG_VNET|(access), ptr, arg, \ + handler, fmt, descr) #define SYSCTL_VNET_STRING(parent, nbr, name, access, arg, len, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_STRING|(access), arg, \ - len, vnet_sysctl_handle_string, "A", descr) + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_STRING|CTLFLAG_VNET|(access), \ + arg, len, vnet_sysctl_handle_string, "A", descr) #define SYSCTL_VNET_STRUCT(parent, nbr, name, access, ptr, type, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_OPAQUE|(access), ptr, \ + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_OPAQUE|CTLFLAG_VNET|(access), ptr, \ sizeof(struct type), vnet_sysctl_handle_opaque, "S," #type, \ descr) #define SYSCTL_VNET_UINT(parent, nbr, name, access, ptr, val, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_UINT|CTLFLAG_MPSAFE|(access), \ + SYSCTL_OID(parent, nbr, name, \ + CTLTYPE_UINT|CTLFLAG_MPSAFE|CTLFLAG_VNET|(access), \ ptr, val, vnet_sysctl_handle_uint, "IU", descr) #define VNET_SYSCTL_ARG(req, arg1) do { \ if (arg1 != NULL) \ ==== //depot/projects/vimage-commit2/src/sys/sys/jail.h#16 (text+ko) ==== @@ -341,6 +341,7 @@ void getcredhostid(struct ucred *, unsigned long *); int prison_allow(struct ucred *, unsigned); int prison_check(struct ucred *cred1, struct ucred *cred2); +int prison_owns_vnet(struct ucred *); int prison_canseemount(struct ucred *cred, struct mount *mp); void prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp); ==== //depot/projects/vimage-commit2/src/sys/sys/sysctl.h#26 (text+ko) ==== @@ -85,6 +85,7 @@ #define CTLMASK_SECURE 0x00F00000 /* Secure level */ #define CTLFLAG_TUN 0x00080000 /* Tunable variable */ #define CTLFLAG_MPSAFE 0x00040000 /* Handler is MP safe */ +#define CTLFLAG_VNET 0x00020000 /* Prisons with vnet can fiddle */ #define CTLFLAG_RDTUN (CTLFLAG_RD|CTLFLAG_TUN) /*