From: Ed Schouten
Date: Sat, 20 Jun 2009 14:50:32 +0000 (UTC)
To: cvs-src-old@freebsd.org
Subject: cvs commit: src/sys/fs/devfs devfs_vnops.c src/sys/kern tty.c src/sys/sys priv.h
Message-Id: <200906201451.n5KEpPKD017677@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

ed          2009-06-20 14:50:32 UTC

  FreeBSD src repository

  Modified files:
    sys/fs/devfs         devfs_vnops.c
    sys/kern             tty.c
    sys/sys              priv.h
  Log:
  SVN rev 194532 on 2009-06-20 14:50:32Z by ed

  Improve nested jail awareness of devfs by handling credentials.

  Now that we start to use credentials on character devices more often
  (because of MPSAFE TTY), move the prison-checks that are in place in the
  TTY code into devfs.

  Instead of strictly comparing the prisons, use the more common
  prison_check() function to compare credentials. This means that
  pseudo-terminals are only visible in devfs by processes within the same
  jail and parent jails.

  Even though regular users in parent jails can now interact with
  pseudo-terminals from child jails, this seems to be the right approach.
  These processes are also capable of interacting with the jailed
  processes anyway, through signals for example.

  Reviewed by:    kib, rwatson (older version)

  Revision  Changes    Path
  1.181     +22 -0     src/sys/fs/devfs/devfs_vnops.c
  1.324     +0 -7      src/sys/kern/tty.c
  1.33      +0 -1      src/sys/sys/priv.h
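
The visibility rule the log message describes, shown as an added userspace model that is not part of the commit or of the FreeBSD source. The type `jail_model`, the functions `visible_strict` and `visible_hier`, and the jail names are hypothetical and constructed for illustration; the model covers only the two comparisons named in the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a jail: a name and a parent link only.
 * Hypothetical type, not the kernel's struct prison. */
struct jail_model {
    const char *name;
    const struct jail_model *parent;    /* NULL for the host */
};

/* Constructed hierarchy: host -> web -> web/db, and host -> mail. */
static const struct jail_model host   = { "host",   NULL  };
static const struct jail_model web    = { "web",    &host };
static const struct jail_model web_db = { "web/db", &web  };
static const struct jail_model mail   = { "mail",   &host };

/* Strict comparison: the viewer must be in exactly the owner's jail. */
static bool visible_strict(const struct jail_model *viewer,
                           const struct jail_model *owner)
{
    return viewer == owner;
}

/* Hierarchical comparison as the log message describes it: the viewer
 * is in the owner's jail or in one of that jail's parent jails. */
static bool visible_hier(const struct jail_model *viewer,
                         const struct jail_model *owner)
{
    for (const struct jail_model *p = owner; p != NULL; p = p->parent)
        if (p == viewer)
            return true;
    return false;
}

int main(void)
{
    const struct jail_model *viewers[] = { &host, &web, &web_db, &mail };
    const struct jail_model *owner = &web_db;   /* pty created in web/db */

    printf("pty owned by %s\n", owner->name);
    for (size_t i = 0; i < sizeof(viewers) / sizeof(viewers[0]); i++)
        printf("  viewer %-7s strict=%d hierarchical=%d\n",
               viewers[i]->name,
               visible_strict(viewers[i], owner),
               visible_hier(viewers[i], owner));
    return 0;
}
```

The sibling jail `mail` sees nothing under either rule, and the check is one-directional: a process in `web/db` does not gain visibility of a pseudo-terminal owned by `web`.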