Page MenuHomeFreeBSD
Differential D43565

kern_jail: add security.jail.children.max and .cur sysctl
ClosedPublic
Actions

Authored by igor.ostapenko_pm.me on Jan 23 2024, 10:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Apr 28, 5:48 AM
Unknown Object (File)
Fri, Apr 19, 7:13 PM
Unknown Object (File)
Sun, Apr 14, 5:36 PM
Unknown Object (File)
Mon, Apr 8, 10:31 PM
Unknown Object (File)
Mar 13 2024, 7:28 PM
Unknown Object (File)
Feb 1 2024, 4:43 AM
Unknown Object (File)
Jan 26 2024, 6:50 PM
Unknown Object (File)
Jan 26 2024, 5:37 PM
Subscribers
imp
kevans

Details

Reviewers
jamie
kevans
Group Reviewers
Jails
Test Plan

kyua test -k /usr/tests/sys/kern/Kyuafile sysctl_security_jail_children

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

igor.ostapenko_pm.me created this revision.Jan 23 2024, 10:46 PM
Herald added a subscriber: imp. · View Herald TranscriptJan 23 2024, 10:46 PM
igor.ostapenko_pm.me requested review of this revision.Jan 23 2024, 10:46 PM

The purpose reasoning and initial discussion was in https://reviews.freebsd.org/D43476.

igor.ostapenko_pm.me mentioned this in D43476: sys/jail.h: expose JAIL_MAX constant to applications.Jan 23 2024, 10:55 PM
jamie added a comment.Jan 23 2024, 10:57 PM

You'll want to add CTLFLAG_PRISON to the sysctl flags.

igor.ostapenko_pm.me added a comment.Jan 24 2024, 9:07 PM
In D43565#993561, @jamie wrote:

You'll want to add CTLFLAG_PRISON to the sysctl flags.

The leafs are meant to be read-only (flagged with CTLFLAG_RD), i.e. it looks like we do not need CTLFLAG_PRISON here.

a) Do you mean to add it for possible future upgrades when some leafs could be changed to read-write?
b) Probably, it was meant to add CTLFLAG_PRISON to the children branch node which is marked with CTLFLAG_RW? As I understand it would not make much sense for a branch node.
c) Or something else what I have not spotted yet :)

jamie added a comment.Jan 25 2024, 12:21 AM

c) Or something else what I have not spotted yet :)

c) Jamie wasn't thinking and of course you don't need it for read-only.

igor.ostapenko_pm.me updated this revision to Diff 133346.Jan 25 2024, 1:48 PM

A little test improvement with additional comment about the magic numbers.

igor.ostapenko_pm.me added a comment.Jan 25 2024, 1:52 PM
In D43565#994045, @jamie wrote:

c) Or something else what I have not spotted yet :)

c) Jamie wasn't thinking and of course you don't need it for read-only.

No problem, a usual thing for us, non-robots. Thanks for the confirmation.

I've tested it for AArch64 and AMD64 on my side. Do we need anything else for the patch? Or it's ready to hit the main?

jamie accepted this revision.Jan 25 2024, 10:28 PM

Looks good to me!

This revision is now accepted and ready to land.Jan 25 2024, 10:28 PM
kevans accepted this revision.Jan 25 2024, 10:36 PM
kevans added a subscriber: kevans.

Is the plan still to use JAIL_MAX in the test work, or to switch to this since tests can be executed started in non-prison0?

igor.ostapenko_pm.me added a comment.Jan 25 2024, 11:52 PM
In D43565#994366, @kevans wrote:

Is the plan still to use JAIL_MAX in the test work, or to switch to this since tests can be executed started in non-prison0?

Yes, the idea is to use this approach introduced by this patch.

igor.ostapenko_pm.me added a comment.Jan 26 2024, 11:54 AM

May I ask for the help? To land the commit itself.

igor.ostapenko_pm.me closed this revision.Jan 26 2024, 6:43 PM

@jamie, thanks for the commit.

igor.ostapenko_pm.me mentioned this in D42350: kyua: add jail execution environment.Jan 27 2024, 4:47 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
29 lines
tests/
sys/
kern/
2 lines
80 lines

Diff 133346

View Options

sys/kern/kern_jail.c

Loading...
View Options

tests/sys/kern/Makefile

Loading...
View Options

tests/sys/kern/sysctl_security_jail_children.sh

Loading...