From nobody@FreeBSD.org  Mon Apr 27 19:02:11 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 703B5106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 Apr 2009 19:02:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5DE9A8FC19
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 Apr 2009 19:02:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n3RJ2942024523
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 Apr 2009 19:02:09 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n3RJ29at024522;
	Mon, 27 Apr 2009 19:02:09 GMT
	(envelope-from nobody)
Message-Id: <200904271902.n3RJ29at024522@www.freebsd.org>
Date: Mon, 27 Apr 2009 19:02:09 GMT
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: cpuset allows change of the jail's set from inside the jail
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         134050
>Category:       kern
>Synopsis:       cpuset allows change of the jail's set from inside the jail
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 27 19:10:00 UTC 2009
>Closed-Date:    Tue Aug 25 16:12:31 UTC 2009
>Last-Modified:  Tue Aug 25 16:12:31 UTC 2009
>Originator:     Miroslav Lachman
>Release:        FreeBSD 7.2-RC1 i386 GENERIC
>Organization:
codeLab.cz
>Environment:
7.2-RC1 FreeBSD 7.2-RC1 #0: Wed Apr 15 20:34:10 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If a jail is bound to specified core(s) by the cpuset command (by the root user of the host system), this can be changed from inside the jail (by the root user inside the jail).


>How-To-Repeat:
Start the jail on a multi-core machine and set it to run on one CPU core:

root@host# cpuset -l 0 -j 1

Now log in to the jail as root and run the cpuset command:

root@injail# cpuset -l 0,1 -j 1

The jail is running on two cores:

root@host# cpuset -g -j 1
jail 1 mask: 0, 1
>Fix:
Bjoern A. Zeeb posted the attached patch, which works for me.

http://lists.freebsd.org/pipermail/freebsd-jail/2009-April/000833.html

root@72-rc1 ~/# jls
   JID  IP Address      Hostname                      Path
     1                  alpha.test                    /usr/jail/alpha

root@72-rc1 ~/# jexec 1 tcsh

root@alpha //# cpuset -l 0 -j 1
cpuset: setaffinity: Operation not permitted

root@alpha //# cpuset -l 0 -r -j 1
cpuset: setaffinity: Operation not permitted 

Patch attached with submission follows:

Index: sys/kern/kern_cpuset.c
===================================================================
--- sys/kern/kern_cpuset.c	(revision 190341)
+++ sys/kern/kern_cpuset.c	(working copy)
@@ -357,6 +357,15 @@
 	if (error)
 		return (error);
 	/*
+	 * In case we are called from within the jail
+	 * we do not allow modifying the dedicated root
+	 * cpuset of the jail but may still allow to
+	 * change child sets.
+	 */
+	if (jailed(curthread->td_ucred) &&
+	    set->cs_flags & CPU_SET_ROOT)
+		return (EPERM);
+	/*
 	 * Verify that we have access to this set of
 	 * cpus.
 	 */
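Review bot: the bitwise test `set->cs_flags & CPU_SET_ROOT` is left unparenthesised inside the `&&`; it is correct under C precedence (`&` binds tighter than `&&`), but `(set->cs_flags & CPU_SET_ROOT) != 0` would make the intent obvious to the next reader. The placement is right: the jailed-credential check runs before the "Verify that we have access to this set of cpus" block, so a jailed superuser is refused with EPERM before any mask validation, which matches the "Operation not permitted" the reporter observed; and because only sets flagged CPU_SET_ROOT are refused, child sets created inside the jail remain modifiable exactly as the comment promises.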


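The reproduction above, turned into a host-side regression check. This is an added example, not part of the PR or of FreeBSD's own test suite; it assumes root on the host, an existing jail whose JID is passed as the first argument (default 1), a machine with at least two CPUs, and cpuset(1) and jexec(8) in PATH. After the fix the in-jail attempt must fail and the host-visible mask must stay at 0. The parsing helpers take constructed `cpuset -g` output lines so they can be exercised without a jail.

```shell
#!/bin/sh
# Added regression check for kern/134050 (not part of the PR or of FreeBSD).
# Assumptions: run as root on the host, jail with JID $1 (default 1) exists,
# at least two CPUs, cpuset(1) and jexec(8) available.
# usage: sh check_jail_cpuset.sh 1

# Extract the CPU list from a "cpuset -g" line such as "jail 1 mask: 0, 1"
# and normalise it to a comma-separated list without spaces ("0,1").
parse_mask() {
    printf '%s\n' "$1" | sed -n 's/^.*mask: *//p' | tr -d ' '
}

# Succeed (exit 0) only if the mask line pins the target to exactly $2.
mask_equals() {
    [ "$(parse_mask "$1")" = "$2" ]
}

# Live scenario from the PR: pin the jail to CPU 0 from the host, try to widen
# the root set from inside the jail, then verify the attempt failed and the
# host-visible mask is unchanged.  Returns 0 on pass, 1 on fail, 2 on setup
# error.
check_jail_root_cpuset() {
    jid=${1:-1}
    cpuset -l 0 -j "$jid" || { echo "setup: host could not pin jail $jid"; return 2; }
    # After r191639 this must fail with EPERM ("Operation not permitted").
    if jexec "$jid" cpuset -l 0,1 -j "$jid" 2>/dev/null; then
        echo "FAIL: jail $jid widened its own root cpuset"
        return 1
    fi
    line=$(cpuset -g -j "$jid")
    if mask_equals "$line" "0"; then
        echo "OK: jail $jid still pinned to CPU 0 ($line)"
        return 0
    fi
    echo "FAIL: unexpected mask after in-jail attempt: $line"
    return 1
}

# Only run the live check when a JID was given on the command line.
if [ $# -gt 0 ]; then
    check_jail_root_cpuset "$1"
fi
```

The in-jail attempt is expected to fail; if it succeeds, the script reports the original bug. Comparing the host's `cpuset -g` output afterwards catches the case where the command errors out but the mask was nevertheless altered.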
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Mon Apr 27 21:10:15 UTC 2009 
Responsible-Changed-Why:  
Mine, been mine, will be mine, been handling this already. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134050 
State-Changed-From-To: open->patched 
State-Changed-By: bz 
State-Changed-When: Tue Apr 28 21:07:18 UTC 2009 
State-Changed-Why:  
Patch committed to HEAD; MFC after 7.2-R. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134050 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/134050: commit references a PR
Date: Tue, 28 Apr 2009 21:01:02 +0000 (UTC)

 Author: bz
 Date: Tue Apr 28 21:00:50 2009
 New Revision: 191639
 URL: http://svn.freebsd.org/changeset/base/191639
 
 Log:
   Prevent a superuser inside a jail from modifying the dedicated
   root cpuset of that jail.
   Processes inside the jail will still be able to change child sets.
   A superuser outside of a jail will still be able to change the jail cpuset
   and thus limit the number of cpus available to the jail.
   
   Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman)
   PR:		kern/134050
   Reviewed by:	jeff
   MFC after:	3 weeks
   X-MFC:		backout r191596
 
 Modified:
   head/sys/kern/kern_cpuset.c
 
 Modified: head/sys/kern/kern_cpuset.c
 ==============================================================================
 --- head/sys/kern/kern_cpuset.c	Tue Apr 28 20:49:47 2009	(r191638)
 +++ head/sys/kern/kern_cpuset.c	Tue Apr 28 21:00:50 2009	(r191639)
 @@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset
  	if (error)
  		return (error);
  	/*
 +	 * In case we are called from within the jail
 +	 * we do not allow modifying the dedicated root
 +	 * cpuset of the jail but may still allow to
 +	 * change child sets.
 +	 */
 +	if (jailed(curthread->td_ucred) &&
 +	    set->cs_flags & CPU_SET_ROOT)
 +		return (EPERM);
 +	/*
  	 * Verify that we have access to this set of
  	 * cpus.
  	 */
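Review bot: the committed hunk is the same nine-line change as the patch in the submission, now shown in its home, cpuset_modify(); the `&` term inside the `&&` remains unparenthesised, which is cosmetic only. The log's "X-MFC: backout r191596" deserves attention when this is merged: the earlier commit documented the problem as a known bug in cpuset(1) and jail(8), so a merge of this hunk alone would leave stable/7 advertising a limitation that no longer exists.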
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/134050: commit references a PR
Date: Tue, 25 Aug 2009 15:55:15 +0000 (UTC)

 Author: bz
 Date: Tue Aug 25 15:54:52 2009
 New Revision: 196544
 URL: http://svn.freebsd.org/changeset/base/196544
 
 Log:
   Backout r191596:
     Document an issue of jail(8) in conjunction with cpuset(1).
   
   MFC r191639:
     Prevent a superuser inside a jail from modifying the dedicated
     root cpuset of that jail.
     Processes inside the jail will still be able to change child sets.
     A superuser outside of a jail will still be able to change the jail cpuset
     and thus limit the number of cpus available to the jail.
   
     Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman)
     PR:           kern/134050
     Reviewed by:  jeff
 
 Modified:
   stable/7/sys/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
   stable/7/sys/kern/kern_cpuset.c
   stable/7/usr.bin/cpuset/cpuset.1
   stable/7/usr.sbin/jail/jail.8
 
 Modified: stable/7/sys/kern/kern_cpuset.c
 ==============================================================================
 --- stable/7/sys/kern/kern_cpuset.c	Tue Aug 25 14:08:33 2009	(r196543)
 +++ stable/7/sys/kern/kern_cpuset.c	Tue Aug 25 15:54:52 2009	(r196544)
 @@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset
  	if (error)
  		return (error);
  	/*
 +	 * In case we are called from within the jail
 +	 * we do not allow modifying the dedicated root
 +	 * cpuset of the jail but may still allow to
 +	 * change child sets.
 +	 */
 +	if (jailed(curthread->td_ucred) &&
 +	    set->cs_flags & CPU_SET_ROOT)
 +		return (EPERM);
 +	/*
  	 * Verify that we have access to this set of
  	 * cpus.
  	 */
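Review bot: the stable/7 hunk is byte-for-byte the one from r191639, so the merge introduces no divergence from head. The original log promised "MFC after: 3 weeks" from 28 April, and the merge landed 25 August; as the "MFC after 7.2-R" note in the audit trail anticipates, 7.2-RELEASE carried the documented limitation rather than the check. The man-page hunks that follow are the "Backout r191596" the log announces.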
 
 Modified: stable/7/usr.bin/cpuset/cpuset.1
 ==============================================================================
 --- stable/7/usr.bin/cpuset/cpuset.1	Tue Aug 25 14:08:33 2009	(r196543)
 +++ stable/7/usr.bin/cpuset/cpuset.1	Tue Aug 25 15:54:52 2009	(r196544)
 @@ -177,9 +177,3 @@ command first appeared in
  .Fx 7.1 .
  .Sh AUTHORS
  .An Jeffrey Roberson Aq jeff@FreeBSD.org
 -.Sh BUGS
 -At the moment it is possible for a superuser inside a
 -.Xr jail 8
 -to modify the root
 -.Xr cpuset 2
 -of that jail.
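Review bot: removing the whole `.Sh BUGS` section rather than just its paragraph is right here, since that paragraph was the section's only entry; leaving the header behind would render an empty BUGS heading in cpuset(1).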
 
 Modified: stable/7/usr.sbin/jail/jail.8
 ==============================================================================
 --- stable/7/usr.sbin/jail/jail.8	Tue Aug 25 14:08:33 2009	(r196543)
 +++ stable/7/usr.sbin/jail/jail.8	Tue Aug 25 15:54:52 2009	(r196544)
 @@ -699,9 +699,3 @@ Currently, the simplest answer is to min
  offered on the host, possibly limiting it to services offered from
  .Xr inetd 8
  which is easily configurable.
 -.Pp
 -At the moment it is possible for a superuser inside a
 -.Nm
 -to modify the root
 -.Xr cpuset 2
 -of that jail.
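Review bot: the `.Pp` break goes together with the paragraph, so the preceding sentence ending "which is easily configurable." is not followed by a stray paragraph macro. Unlike the cpuset.1 hunk this paragraph sits inside a larger section, so no header is removed; the two man-page hunks together complete the backout of r191596.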
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Tue Aug 25 16:11:23 UTC 2009 
State-Changed-Why:  
Change MFCed (sorry for the delay). Thanks a lot for reporting and testing. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134050 
>Unformatted:
