authorbz <bz@FreeBSD.org>2009-04-28 21:00:50 +0000
committerbz <bz@FreeBSD.org>2009-04-28 21:00:50 +0000
commit1507f5bd4dc89d7b55b8e3f74a4048583619a504 (patch)
treead724e7c97ecea17b980e8a5d3c31967e1313593 /sys/kern/kern_cpuset.c
parent27e2954fe37363d1e00b3cb21a60b438c2e83515 (diff)
Prevent a superuser inside a jail from modifying the dedicated
root cpuset of that jail. Processes inside the jail will still be able to change child sets. A superuser outside of a jail will still be able to change the jail cpuset and thus limit the number of cpus available to the jail. Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman) PR: kern/134050 Reviewed by: jeff MFC after: 3 weeks X-MFC: backout r191596
Diffstat (limited to 'sys/kern/kern_cpuset.c')
-rw-r--r--sys/kern/kern_cpuset.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index a319ecc..fc2e51b 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset_t *mask)
if (error)
return (error);
/*
+ * In case we are called from within the jail
+ * we do not allow modifying the dedicated root
+ * cpuset of the jail but may still allow to
+ * change child sets.
+ */
+ if (jailed(curthread->td_ucred) &&
+ set->cs_flags & CPU_SET_ROOT)
+ return (EPERM);
+ /*
* Verify that we have access to this set of
* cpus.
*/
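Review bot: The flag test in the added condition, `set->cs_flags & CPU_SET_ROOT`, sits unparenthesised inside the `&&`; precedence makes it correct, but in a permission check it is easy to misread, and `if (jailed(curthread->td_ucred) && (set->cs_flags & CPU_SET_ROOT) != 0)` states the intent explicitly. The new comment says what is refused but not why; a line such as `The jail's root set is how the host limits the CPUs available to the jail, so a jailed caller must not change it.` would record the security reason given in the commit message. The decision is keyed on curthread's credential rather than on a credential passed by the caller, so it presumably applies to any path that reaches cpuset_modify in a jailed thread's context; if that is intended, the comment should say so. cpuset_modify begins and ends outside the hunk, and the `error` tested just above comes from a call that is not visible here.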