diff options
| author | bz <bz@FreeBSD.org> | 2009-08-13 10:26:34 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2009-08-13 10:26:34 +0000 |
| commit | 5307a46b8beef9afe39e5882ad38f5fe90f708a0 (patch) | |
| tree | da85107d22a96dc6fa0f87abc22d5684fb84f53c /sys/kern | |
| parent | b6a41509dfb07cf1dbc04a5b73c4a2bf7219e4db (diff) | |
| download | FreeBSD-src-5307a46b8beef9afe39e5882ad38f5fe90f708a0.zip FreeBSD-src-5307a46b8beef9afe39e5882ad38f5fe90f708a0.tar.gz | |
Make it possible to change the vnet sysctl variables on jails
with their own virtual network stack. Jails only inheriting a
network stack cannot change anything that cannot be changed from
within a prison.
Reviewed by: rwatson, zec
Approved by: re (kib)
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/kern_jail.c | 23 | ||||
| -rw-r--r-- | sys/kern/kern_sysctl.c | 12 |
2 files changed, 33 insertions, 2 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 282a4d8..8f18583 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -88,7 +88,11 @@ struct prison prison0 = { .pr_childmax = JAIL_MAX, .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(&prison0.pr_children), +#ifdef VIMAGE + .pr_flags = PR_HOST|PR_VNET, +#else .pr_flags = PR_HOST, +#endif .pr_allow = PR_ALLOW_ALL, }; MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); @@ -3308,6 +3312,25 @@ getcredhostid(struct ucred *cred, unsigned long *hostid) mtx_unlock(&cred->cr_prison->pr_mtx); } +#ifdef VIMAGE +/* + * Determine whether the prison represented by cred owns + * its vnet rather than having it inherited. + * + * Returns 1 in case the prison owns the vnet, 0 otherwise. + */ +int +prison_owns_vnet(struct ucred *cred) +{ + + /* + * vnets cannot be added/removed after jail creation, + * so no need to lock here. + */ + return (cred->cr_prison->pr_flags & PR_VNET ? 1 : 0); +} +#endif + /* * Determine whether the subject represented by cred can "see" * status of a mount point. diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index bb5b6a0..b83502c 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1381,10 +1381,18 @@ sysctl_root(SYSCTL_HANDLER_ARGS) /* Is this sysctl writable by only privileged users? */ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) { + int priv; + if (oid->oid_kind & CTLFLAG_PRISON) - error = priv_check(req->td, PRIV_SYSCTL_WRITEJAIL); + priv = PRIV_SYSCTL_WRITEJAIL; +#ifdef VIMAGE + else if ((oid->oid_kind & CTLFLAG_VNET) && + prison_owns_vnet(req->td->td_ucred)) + priv = PRIV_SYSCTL_WRITEJAIL; +#endif else - error = priv_check(req->td, PRIV_SYSCTL_WRITE); + priv = PRIV_SYSCTL_WRITE; + error = priv_check(req->td, priv); if (error) return (error); } |
