If some jail is bound to specified core(s) by the cpuset command (by the root user of the host system), this can be changed from inside the jail (by the root user inside the jail).

Fix:

Bjoern A. Zeeb posted the attached patch, which works for me.
http://lists.freebsd.org/pipermail/freebsd-jail/2009-April/000833.html

    root@72-rc1 ~/# jls
    JID IP Address Hostname Path
    1 alpha.test /usr/jail/alpha
    root@72-rc1 ~/# jexec 1 tcsh
    root@alpha //# cpuset -l 0 -j 1
    cpuset: setaffinity: Operation not permitted
    root@alpha //# cpuset -l 0 -r -j 1
    cpuset: setaffinity: Operation not permitted

Patch attached with submission follows:

How-To-Repeat:

Start the jail on a multi-core machine and set it to run on one CPU core:

    root@host# cpuset -l 0 -j 1

Now log in to the jail as root and run the cpuset command:

    root@injail# cpuset -l 0,1 -j 1

The jail is running on two cores:

    root@host# cpuset -g -j 1
    jail 1 mask: 0, 1
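A host-side check for the condition in How-To-Repeat, as an added example that is not part of the original report or of FreeBSD: it compares the mask line printed by `cpuset -g -j` with the cores the host administrator intended. The function names `parse_mask` and `audit_mask` and the verdict strings are assumptions made for this example, and the sample lines are constructed in the output format shown in the report.

```shell
#!/bin/sh
# Added example (not from the PR): host-side check that a jail's CPU mask
# has not grown beyond the cores the host administrator pinned it to.
# Input is one line in the format shown in the report: "jail 1 mask: 0, 1".

# parse_mask LINE: print the CPU ids of a "jail N mask: ..." line, one per line.
# Prints nothing when the line is not in that format.
parse_mask() {
    printf '%s\n' "$1" |
        sed -n 's/^jail [0-9][0-9]* mask: *//p' |
        tr -d ' ' | tr ',' '\n' | grep -E '^[0-9]+$' || true
}

# audit_mask ALLOWED LINE: ALLOWED is the intended pinning, e.g. "0" or "0,2".
# Prints OK, DRIFT <extra cpu ids>, or UNPARSED; always returns 0 so the
# verdict is taken from the output.
audit_mask() {
    allowed=",$(printf '%s' "$1" | tr -d ' '),"
    cpus=$(parse_mask "$2")
    if [ -z "$cpus" ]; then
        echo "UNPARSED"
        return 0
    fi
    extra=""
    for cpu in $cpus; do
        case "$allowed" in
            *",$cpu,"*) ;;                       # core is within the pinning
            *) extra="${extra:+$extra }$cpu" ;;  # core the host never granted
        esac
    done
    if [ -n "$extra" ]; then
        echo "DRIFT $extra"
    else
        echo "OK"
    fi
}

# Constructed samples in the report's output format.
audit_mask "0" "jail 1 mask: 0, 1"
audit_mask "0" "jail 1 mask: 0"
# On a live host: audit_mask "0" "$(cpuset -g -j 1)"
```

Run from the host, outside the jail, so the result does not depend on anything the jailed root user controls.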
Responsible Changed
From-To: freebsd-bugs->bz

Mine, been mine, will be mine, been handling this already.
Author: bz
Date: Tue Apr 28 21:00:50 2009
New Revision: 191639
URL: http://svn.freebsd.org/changeset/base/191639

Log:
  Prevent a superuser inside a jail from modifying the dedicated root cpuset of that jail. Processes inside the jail will still be able to change child sets. A superuser outside of a jail will still be able to change the jail cpuset and thus limit the number of cpus available to the jail.

  Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman)
  PR: kern/134050
  Reviewed by: jeff
  MFC after: 3 weeks
  X-MFC: backout r191596

Modified:
  head/sys/kern/kern_cpuset.c

Modified: head/sys/kern/kern_cpuset.c ============================================================================== --- head/sys/kern/kern_cpuset.c Tue Apr 28 20:49:47 2009 (r191638) +++ head/sys/kern/kern_cpuset.c Tue Apr 28 21:00:50 2009 (r191639) @@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset if (error) return (error); /* + * In case we are called from within the jail + * we do not allow modifying the dedicated root + * cpuset of the jail but may still allow to + * change child sets. + */ + if (jailed(curthread->td_ucred) && + set->cs_flags & CPU_SET_ROOT) + return (EPERM); + /* * Verify that we have access to this set of * cpus. */
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
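Review bot: In the added condition in cpuset_modify(), `set->cs_flags & CPU_SET_ROOT` sits unparenthesised on the right-hand side of `&&`. C precedence makes it evaluate as intended, but writing it as `(set->cs_flags & CPU_SET_ROOT) != 0` makes the bit test explicit and avoids compiler parentheses warnings. The check also takes the credential from `curthread` rather than from an argument, so the comment above it would be the place to state that cpuset_modify() is assumed to run in the context of the thread making the request.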
State Changed
From-To: open->patched

Patch committed to HEAD; MFC after 7.2-R.
Author: bz
Date: Tue Aug 25 15:54:52 2009
New Revision: 196544
URL: http://svn.freebsd.org/changeset/base/196544

Log:
  Backout r191596:
    Document an issue of jail(8) in conjunction with cpuset(1).

  MFC r191639:
    Prevent a superuser inside a jail from modifying the dedicated root cpuset of that jail. Processes inside the jail will still be able to change child sets. A superuser outside of a jail will still be able to change the jail cpuset and thus limit the number of cpus available to the jail.

  Problem reported by: 000.fbsd@quip.cz (Miroslav Lachman)
  PR: kern/134050
  Reviewed by: jeff

Modified:
  stable/7/sys/ (props changed)
  stable/7/sys/contrib/pf/ (props changed)
  stable/7/sys/kern/kern_cpuset.c
  stable/7/usr.bin/cpuset/cpuset.1
  stable/7/usr.sbin/jail/jail.8

Modified: stable/7/sys/kern/kern_cpuset.c ============================================================================== --- stable/7/sys/kern/kern_cpuset.c Tue Aug 25 14:08:33 2009 (r196543) +++ stable/7/sys/kern/kern_cpuset.c Tue Aug 25 15:54:52 2009 (r196544) @@ -357,6 +357,15 @@ cpuset_modify(struct cpuset *set, cpuset if (error) return (error); /* + * In case we are called from within the jail + * we do not allow modifying the dedicated root + * cpuset of the jail but may still allow to + * change child sets. + */ + if (jailed(curthread->td_ucred) && + set->cs_flags & CPU_SET_ROOT) + return (EPERM); + /* * Verify that we have access to this set of * cpus. */ Modified: stable/7/usr.bin/cpuset/cpuset.1 ============================================================================== --- stable/7/usr.bin/cpuset/cpuset.1 Tue Aug 25 14:08:33 2009 (r196543) +++ stable/7/usr.bin/cpuset/cpuset.1 Tue Aug 25 15:54:52 2009 (r196544)
@@ -177,9 +177,3 @@ command first appeared in .Fx 7.1 . .Sh AUTHORS .An Jeffrey Roberson Aq jeff@FreeBSD.org -.Sh BUGS -At the moment it is possible for a superuser inside a -.Xr jail 8 -to modify the root -.Xr cpuset 2 -of that jail. Modified: stable/7/usr.sbin/jail/jail.8 ============================================================================== --- stable/7/usr.sbin/jail/jail.8 Tue Aug 25 14:08:33 2009 (r196543) +++ stable/7/usr.sbin/jail/jail.8 Tue Aug 25 15:54:52 2009 (r196544) @@ -699,9 +699,3 @@ Currently, the simplest answer is to min offered on the host, possibly limiting it to services offered from .Xr inetd 8 which is easily configurable. -.Pp -At the moment it is possible for a superuser inside a -.Nm -to modify the root -.Xr cpuset 2 -of that jail.
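Review bot: The cpuset.1 hunk deletes the whole `.Sh BUGS` section and the jail.8 hunk deletes the matching `.Pp` paragraph, so neither page says anything about the behaviour that replaces the documented issue. Consider adding a sentence to each stating that a superuser inside a jail gets EPERM when trying to modify the jail's root cpuset but can still change child sets, which is how the comment in the kern_cpuset.c hunk of this commit describes it.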
State Changed
From-To: patched->closed

Change MFCed (sorry for the delay). Thanks a lot for reporting and testing.