D28150.id82280.diff
No OneTemporary
Actions

Size

8 KB

Referenced Files

None

Subscribers

None

D28150.id82280.diff
View Options

	diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
	--- a/sys/kern/kern_fork.c
	+++ b/sys/kern/kern_fork.c
	@@ -368,6 +368,7 @@
	struct filedesc_to_leader *fdtol;
	struct pwddesc *pd;
	struct sigacts *newsigacts;
	+ enum prison_state pr_state;

	p1 = td->td_proc;

	@@ -710,6 +711,19 @@
	*/
	knote_fork(p1->p_klist, p2->p_pid);

	+ /*
	+ * See if the containing prison died while the process was still new.
	+ */
	+ prison_lock(p2->p_ucred->cr_prison);
	+ pr_state = p2->p_ucred->cr_prison->pr_state;
	+ prison_unlock(p2->p_ucred->cr_prison);
	+ if (pr_state == PRISON_STATE_DYING) {
	+ /* Folow the prison into death. */
	+ PROC_LOCK(p2);
	+ kern_psignal(p2, SIGKILL);
	+ PROC_UNLOCK(p2);
	+ }
	+
	/*
	* Now can be swapped.
	*/
	diff --git a/sys/sys/jail.h b/sys/sys/jail.h
	--- a/sys/sys/jail.h
	+++ b/sys/sys/jail.h
	@@ -101,7 +101,7 @@
	#define JAIL_UPDATE 0x02 /* Update parameters of existing jail */
	#define JAIL_ATTACH 0x04 /* Attach to jail upon creation */
	#define JAIL_DYING 0x08 /* Allow getting a dying jail */
	-#define JAIL_SET_MASK 0x0f
	+#define JAIL_SET_MASK 0x0f /* JAIL_DYING is deprecated/ignored here */
	#define JAIL_GET_MASK 0x08

	#define JAIL_SYS_DISABLE 0
	@@ -180,7 +180,7 @@
	struct prison_racct pr_prison_racct; / (c) racct jail proxy */
	void *pr_sparep[3];
	int pr_childcount; /* (a) number of child jails */
	- int pr_childmax; /* (p) maximum child jails */
	+ int pr_childmax; /* (a) maximum child jails */
	unsigned pr_allow; /* (p) PR_ALLOW_* flags */
	int pr_securelevel; /* (p) securelevel */
	int pr_enforce_statfs; /* (p) statfs permission */
	@@ -218,6 +218,7 @@
	/* primary jail address. */

	/* Internal flag bits */
	+#define PR_REMOVE 0x01000000 /* In process of being removed */
	#define PR_IP4 0x02000000 /* IPv4 restricted or disabled */
	/* by this jail or an ancestor */
	#define PR_IP6 0x04000000 /* IPv6 restricted or disabled */
	@@ -334,6 +335,19 @@
	if ((descend) ? (prison_lock(cpr), 0) : 1) \
	; \
	else
	+
	+/*
	+ * As FOREACH_PRISON_DESCENDANT, but visit both preorder and postorder.
	+ */
	+#define FOREACH_PRISON_DESCENDANT_PRE_POST(ppr, cpr, descend) \
	+ for ((cpr) = (ppr), (descend) = 1; \
	+ ((cpr) = (descend) \
	+ ? ((descend) = !LIST_EMPTY(&(cpr)->pr_children)) \
	+ ? LIST_FIRST(&(cpr)->pr_children) \
	+ : (cpr) \
	+ : ((descend) = LIST_NEXT(cpr, pr_sibling) != NULL) \
	+ ? LIST_NEXT(cpr, pr_sibling) \
	+ : cpr->pr_parent) != (ppr);)

	/*
	* Attributes of the physical system, and the root of the jail tree.
	diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
	--- a/usr.sbin/jail/jail.8
	+++ b/usr.sbin/jail/jail.8
	@@ -25,7 +25,7 @@
	.\"
	.\" $FreeBSD$
	.\"
	-.Dd November 18, 2020
	+.Dd January 11, 2020
	.Dt JAIL 8
	.Os
	.Sh NAME
	@@ -136,10 +136,6 @@
	.Pp
	Other available options are:
	.Bl -tag -width indent
	-.It Fl d
	-Allow making changes to a dying jail, equivalent to the
	-.Va allow.dying
	-parameter.
	.It Fl f Ar conf_file
	Use configuration file
	.Ar conf_file
	@@ -207,6 +203,10 @@
	.It Fl v
	Print a message on every operation, such as running commands and
	mounting filesystems.
	+.It Fl d
	+This is deprecated, and equivalent to the (deprecated)
	+.Va allow.dying
	+parameter.
	.El
	.Pp
	If no arguments are given after the options, the operation (except
	@@ -903,9 +903,14 @@
	.Pa /proc
	directory.
	.It Va allow.dying
	-Allow making changes to a
	+This deprecated and has no effect.
	+It used to allow making changes to a
	.Va dying
	jail.
	+Now such jails are always replaced when a new jail is created with the same
	+.Va jid
	+or
	+.Va name .
	.It Va depend
	Specify a jail (or jails) that this jail depends on.
	When this jail is to be created, any jail(s) it depends on must already exist.
	diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
	--- a/usr.sbin/jail/jail.c
	+++ b/usr.sbin/jail/jail.c
	@@ -65,7 +65,7 @@
	static void clear_persist(struct cfjail *j);
	static int update_jail(struct cfjail *j);
	static int rdtun_params(struct cfjail *j, int dofail);
	-static void running_jid(struct cfjail *j, int dflag);
	+static void running_jid(struct cfjail *j);
	static void jail_quoted_warnx(const struct cfjail j, const char name_msg,
	const char *noname_msg);
	static int jailparam_set_note(const struct cfjail j, struct jailparam jp,
	@@ -140,7 +140,7 @@
	char *JidFile;
	size_t sysvallen;
	unsigned op, pi;
	- int ch, docf, error, i, oldcl, sysval;
	+ int ch, docf, error, i, oldcl, sysval, dying_warned;
	int dflag, Rflag;
	#if defined(INET) \|\| defined(INET6)
	char cs, ncs;
	@@ -377,6 +377,7 @@
	* operation on it. When that is done, the jail may be finished,
	* or it may go back for the next step.
	*/
	+ dying_warned = 0;
	while ((j = next_jail()))
	{
	if (j->flags & JF_FAILED) {
	@@ -397,11 +398,13 @@
	import_params(j) < 0)
	continue;
	}
	+ if (j->intparams[IP_ALLOW_DYING] && !dying_warned) {
	+ warnx("%s", "the 'allow.dying' parameter and '-d' flag"
	+ "are deprecated and have no effect.");
	+ dying_warned = 1;
	+ }
	if (!j->jid)
	- running_jid(j,
	- (j->flags & (JF_SET \| JF_DEPEND)) == JF_SET
	- ? dflag \|\| bool_param(j->intparams[IP_ALLOW_DYING])
	- : 0);
	+ running_jid(j);
	if (finish_command(j))
	continue;

	@@ -613,11 +616,10 @@
	int
	create_jail(struct cfjail *j)
	{
	- struct iovec jiov[4];
	struct stat st;
	- struct jailparam jp, setparams, setparams2, sjp;
	+ struct jailparam jp, setparams, *sjp;
	const char *path;
	- int dopersist, ns, jid, dying, didfail;
	+ int dopersist, ns;

	/*
	* Check the jail's path, with a better error message than jail_set
	@@ -657,57 +659,8 @@
	sjp++ = jp;
	ns = sjp - setparams;

	- didfail = 0;
	j->jid = jailparam_set_note(j, setparams, ns, JAIL_CREATE);
	- if (j->jid < 0 && errno == EEXIST &&
	- bool_param(j->intparams[IP_ALLOW_DYING]) &&
	- int_param(j->intparams[KP_JID], &jid) && jid != 0) {
	- /*
	- * The jail already exists, but may be dying.
	- * Make sure it is, in which case an update is appropriate.
	- */
	- jiov[0].iov_base = __DECONST(char *, "jid");
	- jiov[0].iov_len = sizeof("jid");
	- jiov[1].iov_base = &jid;
	- jiov[1].iov_len = sizeof(jid);
	- jiov[2].iov_base = __DECONST(char *, "dying");
	- jiov[2].iov_len = sizeof("dying");
	- jiov[3].iov_base = &dying;
	- jiov[3].iov_len = sizeof(dying);
	- if (jail_get(jiov, 4, JAIL_DYING) < 0) {
	- /*
	- * It could be that the jail just barely finished
	- * dying, or it could be that the jid never existed
	- * but the name does. In either case, another try
	- * at creating the jail should do the right thing.
	- */
	- if (errno == ENOENT)
	- j->jid = jailparam_set_note(j, setparams, ns,
	- JAIL_CREATE);
	- } else if (dying) {
	- j->jid = jid;
	- if (rdtun_params(j, 1) < 0) {
	- j->jid = -1;
	- didfail = 1;
	- } else {
	- sjp = setparams2 = alloca((j->njp + dopersist) *
	- sizeof(struct jailparam));
	- for (jp = setparams; jp < setparams + ns; jp++)
	- if (!JP_RDTUN(jp) \|\|
	- !strcmp(jp->jp_name, "jid"))
	- sjp++ = jp;
	- j->jid = jailparam_set_note(j, setparams2,
	- sjp - setparams2, JAIL_UPDATE \| JAIL_DYING);
	- /*
	- * Again, perhaps the jail just finished dying.
	- */
	- if (j->jid < 0 && errno == ENOENT)
	- j->jid = jailparam_set_note(j,
	- setparams, ns, JAIL_CREATE);
	- }
	- }
	- }
	- if (j->jid < 0 && !didfail) {
	+ if (j->jid < 0) {
	jail_warnx(j, "%s", jail_errmsg);
	failed(j);
	}
	@@ -772,9 +725,7 @@
	if (!JP_RDTUN(jp))
	++sjp = jp;

	- jid = jailparam_set_note(j, setparams, ns,
	- bool_param(j->intparams[IP_ALLOW_DYING])
	- ? JAIL_UPDATE \| JAIL_DYING : JAIL_UPDATE);
	+ jid = jailparam_set_note(j, setparams, ns, JAIL_UPDATE);
	if (jid < 0) {
	jail_warnx(j, "%s", jail_errmsg);
	failed(j);
	@@ -813,8 +764,7 @@
	rtjp->jp_value = NULL;
	}
	rval = 0;
	- if (jailparam_get(rtparams, nrt,
	- bool_param(j->intparams[IP_ALLOW_DYING]) ? JAIL_DYING : 0) > 0) {
	+ if (jailparam_get(rtparams, nrt, 0) > 0) {
	rtjp = rtparams + 1;
	for (jp = j->jp; rtjp < rtparams + nrt; jp++) {
	if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) {
	@@ -851,7 +801,7 @@
	* Get the jail's jid if it is running.
	*/
	static void
	-running_jid(struct cfjail *j, int dflag)
	+running_jid(struct cfjail *j)
	{
	struct iovec jiov[2];
	const char *pval;
	@@ -877,7 +827,7 @@
	j->jid = -1;
	return;
	}
	- j->jid = jail_get(jiov, 2, dflag ? JAIL_DYING : 0);
	+ j->jid = jail_get(jiov, 2, 0);
	}

	static void
	@@ -906,10 +856,9 @@

	jid = jailparam_set(jp, njp, flags);
	if (verbose > 0) {
	- jail_note(j, "jail_set(%s%s)",
	+ jail_note(j, "jail_set(%s)",
	(flags & (JAIL_CREATE \| JAIL_UPDATE)) == JAIL_CREATE
	- ? "JAIL_CREATE" : "JAIL_UPDATE",
	- (flags & JAIL_DYING) ? " \| JAIL_DYING" : "");
	+ ? "JAIL_CREATE" : "JAIL_UPDATE");
	for (i = 0; i < njp; i++) {
	printf(" %s", jp[i].jp_name);
	if (jp[i].jp_value == NULL)

File Metadata

Mime Type: text/plain
Expires: Thu, Apr 16, 2:04 AM (3 h, 21 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31570268
Default Alt Text: D28150.id82280.diff (8 KB)

D28150.id82280.diffNo OneTemporaryActions

D28150.id82280.diffView Options

File Metadata

Event Timeline

D28150.id82280.diff
No OneTemporary
Actions

D28150.id82280.diff
View Options