From mdodd@FreeBSD.org  Thu Jul 29 02:52:09 2010
Return-Path: <mdodd@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7B2BA1065675
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Jul 2010 02:52:09 +0000 (UTC)
	(envelope-from mdodd@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 6A0738FC15
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Jul 2010 02:52:09 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o6T2q9QC009623
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 29 Jul 2010 02:52:09 GMT
	(envelope-from mdodd@freefall.freebsd.org)
Received: (from mdodd@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o6T2q9lU009622;
	Thu, 29 Jul 2010 02:52:09 GMT
	(envelope-from mdodd)
Message-Id: <201007290252.o6T2q9lU009622@freefall.freebsd.org>
Date: Thu, 29 Jul 2010 02:52:09 GMT
From: "Matthew N. Dodd" <mdodd@FreeBSD.org>
Reply-To: "Matthew N. Dodd" <mdodd@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: rcorder ``nojail'' too coarse for Jail+VNET 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         149050
>Category:       conf
>Synopsis:       [jail] rcorder ``nojail'' too coarse for Jail+VNET
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jamie
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 29 03:00:15 UTC 2010
>Closed-Date:    Wed May 22 18:26:51 UTC 2013
>Last-Modified:  Wed May 22 18:30:00 UTC 2013
>Originator:     Matthew N. Dodd
>Release:        
>Organization:
>Environment:
>Description:
	When using jail & vnet, the init script KEYWORD ``nojail''
	is not fine-grained enough to control selection of
	startup scripts.
>How-To-Repeat:
	
>Fix:
	Patch exposes PR_VNET flag via sysctl 'security.jail.vnet'
	in the same manner as 'security.jail.jailed'.

	rc & rc.shutdown updated to emit 'nojailvnet' for jails
	without vnets.

	Select init scripts altered nojail->nojailvnet.

--- src/etc/rc.orig	2009-08-03 04:13:06.000000000 -0400
+++ src/etc/rc	2010-07-28 21:48:48.000000000 -0400
@@ -77,6 +77,9 @@
 	if [ "$early_late_divider" = "FILESYSTEMS" ]; then
 		early_late_divider=NETWORKING
 	fi
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		skip="$skip -s nojailvnet"
+	fi
 fi
 
 # Do a first pass to get everything up to $early_late_divider so that
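Review bot: the new `-ne 1` test on `security.jail.vnet` has no fallback for a kernel that does not provide the sysctl yet (userland updated before the kernel, which the rc.shutdown hunk in this patch hits the same way): `/sbin/sysctl -n` then prints nothing on stdout, `[ -ne 1 ]` fails as a malformed test, the `if` takes the false branch, and `-s nojailvnet` is never appended, so netif, routing and ipfw, which this patch moves from `nojail` to `nojailvnet`, would start inside a non-vnet jail. Safer to default a missing value to "no vnet", e.g. `vnet=$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)` followed by `if [ "${vnet:-0}" -ne 1 ]; then`. The placement inside the existing `security.jail.jailed` block (visible in the committed hunk's header below) is right, since `nojailvnet` only matters once `nojail` is already being skipped.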
--- src/etc/rc.d/ipfw.orig	2010-05-14 15:28:16.000000000 -0400
+++ src/etc/rc.d/ipfw	2010-07-28 21:47:46.000000000 -0400
@@ -5,7 +5,7 @@
 
 # PROVIDE: ipfw
 # REQUIRE: ppp
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr
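Review bot: replacing `nojail` with `nojailvnet` removes this script from the `nojail` set entirely, so its exclusion in a non-vnet jail now rests solely on rc and rc.shutdown passing `-s nojailvnet` whenever `security.jail.vnet` is not 1; the rc.d changes and the rc changes cannot be applied independently, and the same holds for the netif and routing hunks that follow. Worth documenting next to the existing description of `nojail` that `nojailvnet` means "skipped in jails that do not own a vnet", since the name on its own reads like a negation of vnet.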
--- src/etc/rc.d/netif.orig	2009-10-15 20:17:09.000000000 -0400
+++ src/etc/rc.d/netif	2010-07-28 21:47:54.000000000 -0400
@@ -28,7 +28,7 @@
 # PROVIDE: netif
 # REQUIRE: atm1 cleanvar FILESYSTEMS serial sppp sysctl
 # REQUIRE: ipfilter ipfs
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr
--- src/etc/rc.d/routing.orig	2009-08-03 04:13:06.000000000 -0400
+++ src/etc/rc.d/routing	2010-07-28 21:47:59.000000000 -0400
@@ -7,7 +7,7 @@
 
 # PROVIDE: routing
 # REQUIRE: netif ppp
-# KEYWORD: nojail
+# KEYWORD: nojailvnet
 
 . /etc/rc.subr
 . /etc/network.subr
--- src/etc/rc.shutdown.orig	2009-08-03 04:13:06.000000000 -0400
+++ src/etc/rc.shutdown	2010-07-28 22:08:32.000000000 -0400
@@ -81,7 +81,13 @@
 # and perform the operation
 #
 rcorder_opts="-k shutdown"
-[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
+if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+	rcorder_opts="$rcorder_opts -s nojail"
+
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		rcorder_opts="$rcorder_opts -s nojailvnet"
+	fi
+fi
 
 case ${local_startup} in
 [Nn][Oo] | '') ;;
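Review bot: same unguarded read of `security.jail.vnet` as in the rc hunk: if the sysctl is absent the inner test errors out and `-s nojailvnet` is silently dropped, so the network scripts would be run at shutdown inside a non-vnet jail; the `${vnet:-0}` default suggested there applies here too. The blank line after `rcorder_opts="$rcorder_opts -s nojail"` is stray (the committed version quoted below omits it). Converting the one-line `&&` form into an `if` block is the right call now that there are two conditions.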
--- src/sys/kern/kern_jail.c.orig	2010-04-06 22:24:41.000000000 -0400
+++ src/sys/kern/kern_jail.c	2010-07-28 22:29:17.000000000 -0400
@@ -4050,6 +4050,21 @@
     CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_jailed, "I", "Process in jail?");
 
+static int
+sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
+{
+	int error, havevnet;
+	struct ucred *cred = req->td->td_ucred;
+
+	havevnet = jailed(cred) & prison_owns_vnet(cred);
+	error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
+
+	return (error);
+}
+SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    sysctl_jail_vnet, "I", "Jail owns VNET");
+
 #if defined(INET) || defined(INET6)
 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
     &jail_max_af_ips, 0,
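Review bot: `jailed(cred) & prison_owns_vnet(cred)` uses the bitwise operator where a logical `&&` is intended; it only works because both calls return 0 or 1, and the committed version (r250804, quoted below) uses `&&`. The committed version also wraps the `prison_owns_vnet()` lookup in `#ifdef VIMAGE` and reports 0 otherwise, which suggests the call is unavailable on kernels built without `options VIMAGE`; the guard keeps the sysctl present on such kernels, so the rc check always has a value to read. Minor style: the description string should end with `?` like the neighbouring `"Process in jail?"`, and a blank line between the closing brace and `SYSCTL_PROC` matches the surrounding code.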

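To make the selection rule described in the Fix section concrete, here is an added example, not part of this PR and not FreeBSD's own rc code: a POSIX sh function that builds the same rcorder(8) `-s` skip list the patched /etc/rc builds, taking the two sysctl values as arguments so it runs on any host, plus a filter over a constructed set of rc.d KEYWORD headers that shows which scripts survive on the host, in a plain jail and in a vnet jail. It deviates from the patch in one place: a missing `security.jail.vnet` value is defaulted to 0, so a jail on a kernel without the sysctl keeps the old `nojail` behaviour. The script names and keywords are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's /etc/rc.

# jail_skip_opts JAILED VNET
#   JAILED: value of security.jail.jailed (0 or 1)
#   VNET:   value of security.jail.vnet (0, 1, or empty if the sysctl is absent)
# Prints the rcorder -s options the patched rc passes, e.g. "-s nojail -s nojailvnet".
jail_skip_opts() {
    jailed=$1
    vnet=$2
    skip=""
    if [ "$jailed" = 1 ]; then
        skip="$skip -s nojail"
        # Deviation from the patch: an empty value (kernel without the sysctl)
        # is treated as "no vnet", so nojailvnet scripts stay skipped.
        if [ "${vnet:-0}" -ne 1 ]; then
            skip="$skip -s nojailvnet"
        fi
    fi
    printf '%s' "${skip# }"
}

# selected_scripts JAILED VNET
#   Applies the skip list to a constructed table of "script KEYWORD" pairs
#   ("-" marks a script with no KEYWORD line) and prints the scripts rcorder
#   would keep, in table order, separated by spaces.
selected_scripts() {
    skip=$(jail_skip_opts "$1" "$2")
    out=""
    while read -r name keyword; do
        case " $skip " in
            *" -s $keyword "*) ;;          # keyword is in the skip list
            *) out="$out $name" ;;        # script is selected
        esac
    done <<EOF
netif nojailvnet
routing nojailvnet
ipfw nojailvnet
sysctl -
bgfsck nojail
sshd -
EOF
    printf '%s' "${out# }"
}

# Demonstration over the three cases the patch distinguishes.
printf 'host:      %s\n' "$(selected_scripts 0 0)"
printf 'jail:      %s\n' "$(selected_scripts 1 0)"
printf 'vnet jail: %s\n' "$(selected_scripts 1 1)"
```

On a FreeBSD system the same function can be fed the live values with `jail_skip_opts "$(/sbin/sysctl -n security.jail.jailed)" "$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)"`; the `2>/dev/null` is what makes the empty-value default reachable on a kernel predating the sysctl.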
	
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: mdodd 
Responsible-Changed-When: Thu Jul 29 03:01:17 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149050 
State-Changed-From-To: open->patched 
State-Changed-By: jamie 
State-Changed-When: Sun May 19 04:13:36 UTC 2013 
State-Changed-Why:  
Applied a slightly modified version of the patch. 


Responsible-Changed-From-To: freebsd-jail->jamie 
Responsible-Changed-By: jamie 
Responsible-Changed-When: Sun May 19 04:13:36 UTC 2013 
Responsible-Changed-Why:  
Applied a slightly modified version of the patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149050 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/149050: commit references a PR
Date: Sun, 19 May 2013 04:10:53 +0000 (UTC)

 Author: jamie
 Date: Sun May 19 04:10:34 2013
 New Revision: 250804
 URL: http://svnweb.freebsd.org/changeset/base/250804
 
 Log:
   Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
   apply to most jails but do apply to vnet jails.  This includes adding
   a new sysctl "security.jail.vnet" to identify vnet jails.
   
   PR:		conf/149050
   Submitted by:	mdodd
   MFC after:	3 days
 
 Modified:
   head/etc/rc
   head/etc/rc.d/ipfw
   head/etc/rc.d/netif
   head/etc/rc.d/routing
   head/etc/rc.shutdown
   head/sys/kern/kern_jail.c
 
 Modified: head/etc/rc
 ==============================================================================
 --- head/etc/rc	Sun May 19 03:04:34 2013	(r250803)
 +++ head/etc/rc	Sun May 19 04:10:34 2013	(r250804)
 @@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jail
  	if [ "$early_late_divider" = "FILESYSTEMS" ]; then
  		early_late_divider=NETWORKING
  	fi
 +	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
 +		skip="$skip -s nojailvnet"
 +	fi
  fi
  
  # Do a first pass to get everything up to $early_late_divider so that
 
 Modified: head/etc/rc.d/ipfw
 ==============================================================================
 --- head/etc/rc.d/ipfw	Sun May 19 03:04:34 2013	(r250803)
 +++ head/etc/rc.d/ipfw	Sun May 19 04:10:34 2013	(r250804)
 @@ -5,7 +5,7 @@
  
  # PROVIDE: ipfw
  # REQUIRE: ppp
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: head/etc/rc.d/netif
 ==============================================================================
 --- head/etc/rc.d/netif	Sun May 19 03:04:34 2013	(r250803)
 +++ head/etc/rc.d/netif	Sun May 19 04:10:34 2013	(r250804)
 @@ -28,7 +28,7 @@
  # PROVIDE: netif
  # REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
  # REQUIRE: ipfilter ipfs
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: head/etc/rc.d/routing
 ==============================================================================
 --- head/etc/rc.d/routing	Sun May 19 03:04:34 2013	(r250803)
 +++ head/etc/rc.d/routing	Sun May 19 04:10:34 2013	(r250804)
 @@ -7,7 +7,7 @@
  
  # PROVIDE: routing
  # REQUIRE: faith netif ppp stf
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: head/etc/rc.shutdown
 ==============================================================================
 --- head/etc/rc.shutdown	Sun May 19 03:04:34 2013	(r250803)
 +++ head/etc/rc.shutdown	Sun May 19 04:10:34 2013	(r250804)
 @@ -81,7 +81,12 @@ fi
  # and perform the operation
  #
  rcorder_opts="-k shutdown"
 -[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
 +if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
 +	rcorder_opts="$rcorder_opts -s nojail"
 +	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
 +		rcorder_opts="$rcorder_opts -s nojailvnet"
 +	fi
 +fi
  
  case ${local_startup} in
  [Nn][Oo] | '') ;;
 
 Modified: head/sys/kern/kern_jail.c
 ==============================================================================
 --- head/sys/kern/kern_jail.c	Sun May 19 03:04:34 2013	(r250803)
 +++ head/sys/kern/kern_jail.c	Sun May 19 04:10:34 2013	(r250804)
 @@ -4132,6 +4132,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, ja
      CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
      sysctl_jail_jailed, "I", "Process in jail?");
  
 +static int
 +sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
 +{
 +	int error, havevnet;
 +#ifdef VIMAGE
 +	struct ucred *cred = req->td->td_ucred;
 +
 +	havevnet = jailed(cred) && prison_owns_vnet(cred);
 +#else
 +	havevnet = 0;
 +#endif
 +	error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
 +
 +	return (error);
 +}
 +
 +SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
 +    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
 +    sysctl_jail_vnet, "I", "Jail owns VNET?");
 +
  #if defined(INET) || defined(INET6)
  SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
      &jail_max_af_ips, 0,
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: jamie 
State-Changed-When: Wed May 22 18:26:35 UTC 2013 
State-Changed-Why:  
MFC to 9 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149050 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/149050: commit references a PR
Date: Wed, 22 May 2013 18:26:20 +0000 (UTC)

 Author: jamie
 Date: Wed May 22 18:26:12 2013
 New Revision: 250915
 URL: http://svnweb.freebsd.org/changeset/base/250915
 
 Log:
   MFC r250804:
   
     Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
     apply to most jails but do apply to vnet jails.  This includes adding
     a new sysctl "security.jail.vnet" to identify vnet jails.
   
   PR:		conf/149050
   Submitted by:	mdodd
 
 Modified:
   stable/9/etc/rc
   stable/9/etc/rc.d/ipfw
   stable/9/etc/rc.d/netif
   stable/9/etc/rc.d/routing
   stable/9/etc/rc.shutdown
   stable/9/sys/kern/kern_jail.c
 Directory Properties:
   stable/9/etc/   (props changed)
   stable/9/etc/rc.d/   (props changed)
   stable/9/sys/   (props changed)
 
 Modified: stable/9/etc/rc
 ==============================================================================
 --- stable/9/etc/rc	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/etc/rc	Wed May 22 18:26:12 2013	(r250915)
 @@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jail
  	if [ "$early_late_divider" = "FILESYSTEMS" ]; then
  		early_late_divider=NETWORKING
  	fi
 +	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
 +		skip="$skip -s nojailvnet"
 +	fi
  fi
  
  # Do a first pass to get everything up to $early_late_divider so that
 
 Modified: stable/9/etc/rc.d/ipfw
 ==============================================================================
 --- stable/9/etc/rc.d/ipfw	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/etc/rc.d/ipfw	Wed May 22 18:26:12 2013	(r250915)
 @@ -5,7 +5,7 @@
  
  # PROVIDE: ipfw
  # REQUIRE: ppp
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: stable/9/etc/rc.d/netif
 ==============================================================================
 --- stable/9/etc/rc.d/netif	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/etc/rc.d/netif	Wed May 22 18:26:12 2013	(r250915)
 @@ -28,7 +28,7 @@
  # PROVIDE: netif
  # REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
  # REQUIRE: ipfilter ipfs
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: stable/9/etc/rc.d/routing
 ==============================================================================
 --- stable/9/etc/rc.d/routing	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/etc/rc.d/routing	Wed May 22 18:26:12 2013	(r250915)
 @@ -7,7 +7,7 @@
  
  # PROVIDE: routing
  # REQUIRE: faith netif ppp stf
 -# KEYWORD: nojail
 +# KEYWORD: nojailvnet
  
  . /etc/rc.subr
  . /etc/network.subr
 
 Modified: stable/9/etc/rc.shutdown
 ==============================================================================
 --- stable/9/etc/rc.shutdown	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/etc/rc.shutdown	Wed May 22 18:26:12 2013	(r250915)
 @@ -81,7 +81,12 @@ fi
  # and perform the operation
  #
  rcorder_opts="-k shutdown"
 -[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
 +if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
 +	rcorder_opts="$rcorder_opts -s nojail"
 +	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
 +		rcorder_opts="$rcorder_opts -s nojailvnet"
 +	fi
 +fi
  
  case ${local_startup} in
  [Nn][Oo] | '') ;;
 
 Modified: stable/9/sys/kern/kern_jail.c
 ==============================================================================
 --- stable/9/sys/kern/kern_jail.c	Wed May 22 17:47:45 2013	(r250914)
 +++ stable/9/sys/kern/kern_jail.c	Wed May 22 18:26:12 2013	(r250915)
 @@ -4147,6 +4147,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, ja
      CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
      sysctl_jail_jailed, "I", "Process in jail?");
  
 +static int
 +sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
 +{
 +	int error, havevnet;
 +#ifdef VIMAGE
 +	struct ucred *cred = req->td->td_ucred;
 +
 +	havevnet = jailed(cred) && prison_owns_vnet(cred);
 +#else
 +	havevnet = 0;
 +#endif
 +	error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
 +
 +	return (error);
 +}
 +
 +SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
 +    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
 +    sysctl_jail_vnet, "I", "Jail owns VNET?");
 +
  #if defined(INET) || defined(INET6)
  SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
      &jail_max_af_ips, 0,
 
>Unformatted:
 Release:	FreeBSD 8.1-STABLE i386
 >System: FreeBSD neo-sasami.jurai.net 8.1-STABLE FreeBSD 8.1-STABLE #7: Wed Jul 28 21:31:22 EDT 2010     root@neo-sasami.jurai.net:/usr/src/sys/i386/compile/DL380G3  i386
 
