- casper service system.sysctl was extended to provide a cap_sysctl() function
- new casper service system.jail provides cap_jail_get() function
- libjail changed to use these services
I removed the kernel changes and used libcasper to obtain the sysctl and jail_get functionality needed for jls(1).
TODOs:
- RESCUE build does not work. I found build env tooling that deals with casper and rescue in programs but was not able to get this working with libjail (any help appreciated)
- cap_sysctl changes need improvement (sysctl calls to check limits could be avoided by keeping the resolved names in the service)
- cap_jail_get documentation (and naming?)
- document jail_cap_init in jail(3)
The massaging from struct iovec* to nvlist and back again in cap_jail_get.c is rather ugly.
WOW! Thank you for working on that!
lib/libcasper/services/Makefile | ||
---|---|---|
7 ↗ | (On Diff #42347) | Maybe just cap_jail ? |

lib/libcasper/services/cap_jail_get/cap_jail_get.c | ||
---|---|---|
7 ↗ | (On Diff #42347) | Yup still not Pawel. |
61 ↗ | (On Diff #42347) | style(9). |
83 ↗ | (On Diff #42347) | Extra space. |
99 ↗ | (On Diff #42347) | Maybe |
101 ↗ | (On Diff #42347) | If you are using NV_FLAG_NO_UNIQ, all nvlists need to be NO_UNIQ and the service needs to be defined as CASPER_SERVICE_NO_UNIQ_LIMITS. |
104 ↗ | (On Diff #42347) | style(9) |
175 ↗ | (On Diff #42347) | I think you can optimize exists/get using dnvlist |

lib/libcasper/services/cap_jail_get/cap_jail_get.h | ||
---|---|---|
5 ↗ | (On Diff #42347) | Pawel didn't implement that. |

lib/libcasper/services/cap_sysctl/cap_sysctl.c | ||
---|---|---|
169 ↗ | (On Diff #42347) | style. |

lib/libjail/jail.c | ||
---|---|---|
150 ↗ | (On Diff #42347) | style. |

usr.sbin/jls/jls.c | ||
---|---|---|
97 | | caph_enter_casper instead of using cap_enter() and errno. |
- rename cap_jail_get -> cap_jail and system.cap_jail_get -> system.cap_jail
- cap_jail:
- fix copyright
- add man page
- cap_jail.c:
- style(9) changes
- use dnvlist_* in service command
- split nvlist -> iov function in two: nvl_to_iov_s is used by the service and makes sure there is space before memcpy
- jls.c: use caph_enter_casper
- cap_sysctl.c: style
- cap_sysctl.3: reference sysctl(3)
TODO
- libjail: RESCUE build
- cap_sysctl: lookup int* names when limits are set
- document jail_cap_init in jail(3)
lib/libcasper/services/cap_jail/cap_jail.c | ||
---|---|---|
204 ↗ | (On Diff #42389) | the alloca(3) calls here should be changed to malloc(3) and checked for failure since |
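The two points above, the nvlist-to-iovec copy that checks for space before memcpy (nvl_to_iov_s) and the request to replace alloca(3) with malloc(3) plus a failure check, come down to one pattern: size everything up front, allocate in a way that can report failure, and refuse the copy when a buffer is too short. The following is an added example written for this review, not code from the cap_jail service or from libnv; it uses a constructed `struct kv` in place of an nvlist so it builds with a plain C compiler, and `iov_alloc`, `kv_to_iov_s` and `demo_copy` are names chosen here, not the service's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/*
 * Constructed stand-in for the (name, value) pairs an nvlist carries.
 * This is not libnv and not the cap_jail service's own nvl_to_iov_s().
 */
struct kv {
	const char	*name;
	const void	*value;
	size_t		 len;
};

/*
 * Allocate the iovec array for nkv name/value pairs with calloc(3), whose
 * failure can be checked, instead of alloca(3), which cannot fail visibly
 * and grows the stack by whatever size the peer asked for.
 */
struct iovec *
iov_alloc(size_t nkv)
{
	if (nkv == 0 || nkv > SIZE_MAX / 2 / sizeof(struct iovec)) {
		errno = EINVAL;
		return (NULL);
	}
	return (calloc(nkv * 2, sizeof(struct iovec)));
}

/*
 * Copy the pairs into iov laid out as jail_get(2) expects: iov[2i] holds the
 * parameter name, iov[2i+1] its value.  The caller has already sized every
 * buffer (iov_len), so all lengths are checked before any memcpy() runs and
 * a short buffer fails the whole call with ENOSPC, leaving nothing
 * half-copied.  Returns 0 on success, -1 with errno set on failure.
 */
int
kv_to_iov_s(const struct kv *kvs, size_t nkv, struct iovec *iov, size_t niov)
{
	size_t i, namelen;

	if (kvs == NULL || iov == NULL || niov != nkv * 2) {
		errno = EINVAL;
		return (-1);
	}
	for (i = 0; i < nkv; i++) {
		namelen = strlen(kvs[i].name) + 1;
		if (iov[2 * i].iov_base == NULL ||
		    iov[2 * i].iov_len < namelen ||
		    iov[2 * i + 1].iov_base == NULL ||
		    iov[2 * i + 1].iov_len < kvs[i].len) {
			errno = ENOSPC;
			return (-1);
		}
	}
	for (i = 0; i < nkv; i++) {
		namelen = strlen(kvs[i].name) + 1;
		memcpy(iov[2 * i].iov_base, kvs[i].name, namelen);
		iov[2 * i].iov_len = namelen;
		memcpy(iov[2 * i + 1].iov_base, kvs[i].value, kvs[i].len);
		iov[2 * i + 1].iov_len = kvs[i].len;
	}
	return (0);
}

/*
 * Constructed sample: two jail parameters, "jid" and "name".  value_room is
 * the space offered for the "name" value; anything below 4 bytes takes the
 * ENOSPC path.  Returns 0 when the copy succeeded and the buffers hold the
 * expected data, -1 otherwise.
 */
int
demo_copy(size_t value_room)
{
	int jid = 7, got_jid = 0, rv;
	const char *jname = "www";
	struct kv kvs[] = {
		{ "jid", &jid, sizeof(jid) },
		{ "name", jname, strlen(jname) + 1 },
	};
	char n0[16], v0[sizeof(int)], n1[16], v1[32];
	struct iovec *iov;

	if (value_room > sizeof(v1) || (iov = iov_alloc(2)) == NULL)
		return (-1);
	iov[0].iov_base = n0; iov[0].iov_len = sizeof(n0);
	iov[1].iov_base = v0; iov[1].iov_len = sizeof(v0);
	iov[2].iov_base = n1; iov[2].iov_len = sizeof(n1);
	iov[3].iov_base = v1; iov[3].iov_len = value_room;
	rv = kv_to_iov_s(kvs, 2, iov, 4);
	if (rv == 0) {
		memcpy(&got_jid, v0, sizeof(got_jid));
		if (got_jid != 7 || strcmp(n0, "jid") != 0 ||
		    strcmp(n1, "name") != 0 || strcmp(v1, "www") != 0)
			rv = -1;
	}
	free(iov);
	return (rv);
}

int
main(void)
{
	printf("full buffers: %d, short value buffer: %d\n",
	    demo_copy(32), demo_copy(2));
	return (0);
}
```

The validate-then-copy split matters for a service that unpacks peer-supplied data: with a single loop, a short buffer in the third pair would leave the first two already written, and the caller would have to reason about a partially filled iovec array.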
cap_sysctl.c: resolve names to MIBs when limits are set.
The implication of this is that if a name is not resolvable during cap_limit_set but becomes available later (kldload), cap_sysctl calls using this name will fail until cap_limit_set is called again (with the same limits).
cap_sysctlbyname behavior is unchanged.
TODO
- libjail: RESCUE build
- document jail_cap_init in jail(3)
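To make the implication in the update above concrete, here is an added example, written for this review and not code from cap_sysctl.c: a limit set stored as resolved MIBs, with a constructed name table standing in for sysctlnametomib(3) and an `nametable_add` call standing in for a later kldload. The two seeded entries use the real CTL_KERN and KERN_OSTYPE/KERN_HOSTNAME numbers; `kern.mymod.flag` and its MIB are invented. Treating an unresolvable name as dropped from the limit set (rather than failing the whole limit call) is my reading of the update, not something the review states; exact-match checking is likewise an assumption made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MIB_MAX		8	/* constructed cap on MIB depth */
#define NAMES_MAX	16
#define LIMITS_MAX	16

struct name_mib {
	const char	*name;
	int		 mib[MIB_MAX];
	size_t		 len;
};

/*
 * Constructed stand-in for the kernel's sysctl name space as seen through
 * sysctlnametomib(3).  The seeded MIB numbers are the real CTL_KERN=1,
 * KERN_OSTYPE=1 and KERN_HOSTNAME=10; anything added later is made up.
 */
static struct name_mib nametable[NAMES_MAX] = {
	{ "kern.ostype",   { 1, 1 },  2 },
	{ "kern.hostname", { 1, 10 }, 2 },
};
static size_t nnames = 2;

/* Mimic a later kldload(8) that registers a new sysctl name. */
int
nametable_add(const char *name, const int *mib, size_t len)
{
	if (nnames >= NAMES_MAX || len == 0 || len > MIB_MAX)
		return (-1);
	nametable[nnames].name = name;
	memcpy(nametable[nnames].mib, mib, len * sizeof(int));
	nametable[nnames].len = len;
	nnames++;
	return (0);
}

/* Resolve a name to its MIB; -1 when the name does not exist (yet). */
int
resolve_name(const char *name, int *mib, size_t *len)
{
	for (size_t i = 0; i < nnames; i++) {
		if (strcmp(nametable[i].name, name) == 0) {
			memcpy(mib, nametable[i].mib, nametable[i].len * sizeof(int));
			*len = nametable[i].len;
			return (0);
		}
	}
	return (-1);
}

/* Limits hold resolved MIBs, so a check never has to resolve a name again. */
static struct { int mib[MIB_MAX]; size_t len; } limits[LIMITS_MAX];
static size_t nlimits;

/*
 * Install a new limit set, replacing the previous one.  Names that cannot be
 * resolved right now are dropped (assumption, see lead-in).  Returns the
 * number of names that were resolved and stored.
 */
size_t
limit_set(const char *const *names, size_t n)
{
	nlimits = 0;
	for (size_t i = 0; i < n && nlimits < LIMITS_MAX; i++) {
		if (resolve_name(names[i], limits[nlimits].mib,
		    &limits[nlimits].len) == 0)
			nlimits++;
	}
	return (nlimits);
}

/* The check a MIB-based call goes through: exact match against the stored MIBs. */
bool
mib_allowed(const int *mib, size_t len)
{
	for (size_t i = 0; i < nlimits; i++) {
		if (limits[i].len == len &&
		    memcmp(limits[i].mib, mib, len * sizeof(int)) == 0)
			return (true);
	}
	return (false);
}

/* Resolve, then check: what a by-name call sees once its name is resolved. */
bool
name_allowed(const char *name)
{
	int mib[MIB_MAX];
	size_t len;

	if (resolve_name(name, mib, &len) != 0)
		return (false);
	return (mib_allowed(mib, len));
}

/*
 * The scenario from the update: "kern.mymod.flag" is in the requested limits
 * but not loaded yet; it stays blocked after the module appears until
 * limit_set() runs again with the same list.  Returns 0 when behaviour
 * matches that description, otherwise the step number that diverged.
 */
int
demo_scenario(void)
{
	static const char *const wanted[] = { "kern.hostname", "kern.mymod.flag" };
	static const int newmib[] = { 1, 9999, 1 };	/* constructed MIB */

	if (limit_set(wanted, 2) != 1)
		return (1);
	if (!name_allowed("kern.hostname") || name_allowed("kern.ostype"))
		return (2);
	if (name_allowed("kern.mymod.flag"))
		return (3);
	if (nametable_add("kern.mymod.flag", newmib, 3) != 0)
		return (4);
	if (name_allowed("kern.mymod.flag"))	/* still blocked: limits hold old MIBs */
		return (5);
	if (limit_set(wanted, 2) != 2 || !name_allowed("kern.mymod.flag"))
		return (6);
	return (0);
}
```

Step 5 is the behaviour the update describes: the name now resolves, but the limit set was fixed at the earlier limit_set() call, so the call is refused until limits are installed again. The upside named earlier in the review (no sysctl round trip per check) is visible in `mib_allowed`, which only compares integers.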
cap_jail.c: improve allocation and error handling in service command
TODO
- libjail: RESCUE build
- document jail_cap_init in jail(3)
fix RESCUE: include lib/libjail/jail.c in librescue if necessary
TODO
- document jail_cap_init()
share/mk/src.libnames.mk | ||
---|---|---|
543 ↗ | (On Diff #42440) | made obsolete by r333654 |
share/mk/src.libnames.mk | ||
---|---|---|
543 ↗ | (On Diff #42440) | No, it is not made obsolete by r333654; sorry about the noise. |
lib/libcasper/services/cap_jail/cap_jail.c | ||
---|---|---|
186 ↗ | (On Diff #42440) | We should also support limiting the jail_get command. |

lib/libcasper/services/cap_sysctl/cap_sysctl.c | ||
---|---|---|
399 ↗ | (On Diff #42440) | This is very hackish. We should just send the name of the function we want to use. |

lib/libcasper/services/cap_sysctl/tests/sysctl_test.c | ||
---|---|---|
115 ↗ | (On Diff #42440) | We should not change the tests! |

lib/libjail/jail.c | ||
---|---|---|
42 ↗ | (On Diff #42440) | You don't need that. |
79 ↗ | (On Diff #42440) | If there is no casper the standard function will be used, so you don't need to distinguish between the casper version and the version without casper. |