diff options
| author | rwatson <rwatson@FreeBSD.org> | 2000-06-04 04:28:31 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2000-06-04 04:28:31 +0000 |
| commit | e08a87a21b5ed1bf4a066c22e2928b92fe31e4af (patch) | |
| tree | c6932963e6e68891531394b83370c1f675af2c8a /sys/kern/kern_resource.c | |
| parent | aa01bf29bde9e8389bb998fc87d752c6a2cfb018 (diff) | |
| download | FreeBSD-src-e08a87a21b5ed1bf4a066c22e2928b92fe31e4af.zip FreeBSD-src-e08a87a21b5ed1bf4a066c22e2928b92fe31e4af.tar.gz | |
o Modify jail to limit creation of sockets to UNIX domain sockets,
TCP/IP (v4) sockets, and routing sockets. Previously, interaction
with IPv6 was not well-defined, and might be inappropriate for some
environments. Similarly, sysctl MIB entries providing interface
information also give out only addresses from those protocol domains.
For the time being, this functionality is enabled by default, and
toggleable using the sysctl variable jail.socket_unixiproute_only.
In the future, protocol domains will be able to determine whether or
not they are ``jail aware''.
o Further limitations on process use of getpriority() and setpriority()
by jailed processes. Addresses problem described in kern/17878.
Reviewed by: phk, jmg
Diffstat (limited to 'sys/kern/kern_resource.c')
| -rw-r--r-- | sys/kern/kern_resource.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index 2c6478d..11039ad 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -88,6 +88,8 @@ getpriority(curp, uap) p = pfind(uap->who); if (p == 0) break; + if (!PRISON_CHECK(curp, p)) + break; low = p->p_nice; break; @@ -99,7 +101,7 @@ getpriority(curp, uap) else if ((pg = pgfind(uap->who)) == NULL) break; LIST_FOREACH(p, &pg->pg_members, p_pglist) { - if (p->p_nice < low) + if ((PRISON_CHECK(curp, p) && p->p_nice < low)) low = p->p_nice; } break; @@ -109,7 +111,8 @@ getpriority(curp, uap) if (uap->who == 0) uap->who = curp->p_ucred->cr_uid; LIST_FOREACH(p, &allproc, p_list) - if (p->p_ucred->cr_uid == uap->who && + if (PRISON_CHECK(curp, p) && + p->p_ucred->cr_uid == uap->who && p->p_nice < low) low = p->p_nice; break; @@ -148,6 +151,8 @@ setpriority(curp, uap) p = pfind(uap->who); if (p == 0) break; + if (!PRISON_CHECK(curp, p)) + break; error = donice(curp, p, uap->prio); found++; break; @@ -160,8 +165,10 @@ setpriority(curp, uap) else if ((pg = pgfind(uap->who)) == NULL) break; LIST_FOREACH(p, &pg->pg_members, p_pglist) { - error = donice(curp, p, uap->prio); - found++; + if (PRISON_CHECK(curp, p)) { + error = donice(curp, p, uap->prio); + found++; + } } break; } @@ -170,7 +177,8 @@ setpriority(curp, uap) if (uap->who == 0) uap->who = curp->p_ucred->cr_uid; LIST_FOREACH(p, &allproc, p_list) - if (p->p_ucred->cr_uid == uap->who) { + if (p->p_ucred->cr_uid == uap->who && + PRISON_CHECK(curp, p)) { error = donice(curp, p, uap->prio); found++; } |
