Page MenuHomeFreeBSD
Differential D43565

kern_jail: add security.jail.children.max and .cur sysctl
ClosedPublic
Actions

Authored by igoro on Jan 23 2024, 10:46 PM.
Tags
None
Referenced Files
F102806413: D43565.diff
Sun, Nov 17, 10:34 AM
Unknown Object (File)
Sun, Oct 20, 10:33 PM
Unknown Object (File)
Sun, Oct 20, 10:33 PM
Unknown Object (File)
Sun, Oct 20, 10:33 PM
Unknown Object (File)
Oct 13 2024, 11:46 PM
Unknown Object (File)
Oct 2 2024, 7:07 PM
Unknown Object (File)
Oct 2 2024, 1:58 PM
Unknown Object (File)
Oct 1 2024, 2:41 PM
View All 37 Files
Subscribers
imp
kevans

Details

Reviewers
jamie
kevans
Group Reviewers
Jails
Test Plan

kyua test -k /usr/tests/sys/kern/Kyuafile sysctl_security_jail_children

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

igoro created this revision.Jan 23 2024, 10:46 PM
Herald added a subscriber: imp. · View Herald TranscriptJan 23 2024, 10:46 PM
igoro requested review of this revision.Jan 23 2024, 10:46 PM

The purpose reasoning and initial discussion was in https://reviews.freebsd.org/D43476.

igoro mentioned this in D43476: sys/jail.h: expose JAIL_MAX constant to applications.Jan 23 2024, 10:55 PM
jamie added a comment.Jan 23 2024, 10:57 PM

You'll want to add CTLFLAG_PRISON to the sysctl flags.

igoro added a comment.Jan 24 2024, 9:07 PM
In D43565#993561, @jamie wrote:

You'll want to add CTLFLAG_PRISON to the sysctl flags.

The leafs are meant to be read-only (flagged with CTLFLAG_RD), i.e. it looks like we do not need CTLFLAG_PRISON here.

a) Do you mean to add it for possible future upgrades when some leafs could be changed to read-write?
b) Probably, it was meant to add CTLFLAG_PRISON to the children branch node which is marked with CTLFLAG_RW? As I understand it would not make much sense for a branch node.
c) Or something else what I have not spotted yet :)

jamie added a comment.Jan 25 2024, 12:21 AM

c) Or something else what I have not spotted yet :)

c) Jamie wasn't thinking and of course you don't need it for read-only.

igoro updated this revision to Diff 133346.Jan 25 2024, 1:48 PM

A little test improvement with additional comment about the magic numbers.

igoro added a comment.Jan 25 2024, 1:52 PM
In D43565#994045, @jamie wrote:

c) Or something else what I have not spotted yet :)

c) Jamie wasn't thinking and of course you don't need it for read-only.

No problem, a usual thing for us, non-robots. Thanks for the confirmation.

I've tested it for AArch64 and AMD64 on my side. Do we need anything else for the patch? Or it's ready to hit the main?

jamie accepted this revision.Jan 25 2024, 10:28 PM

Looks good to me!

This revision is now accepted and ready to land.Jan 25 2024, 10:28 PM
kevans accepted this revision.Jan 25 2024, 10:36 PM
kevans added a subscriber: kevans.

Is the plan still to use JAIL_MAX in the test work, or to switch to this since tests can be executed started in non-prison0?

igoro added a comment.Jan 25 2024, 11:52 PM
In D43565#994366, @kevans wrote:

Is the plan still to use JAIL_MAX in the test work, or to switch to this since tests can be executed started in non-prison0?

Yes, the idea is to use this approach introduced by this patch.

igoro added a comment.Jan 26 2024, 11:54 AM

May I ask for the help? To land the commit itself.

igoro closed this revision.Jan 26 2024, 6:43 PM

@jamie, thanks for the commit.

igoro mentioned this in D42350: kyua: add jail execution environment.Jan 27 2024, 4:47 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
29 lines
tests/
sys/
kern/
2 lines
80 lines

Diff 133346

View Options

sys/kern/kern_jail.c

Loading...
View Options

tests/sys/kern/Makefile

Loading...
View Options

tests/sys/kern/sysctl_security_jail_children.sh

Loading...