
Some tweaks to kern_chroot(2)
Closed, Public

Authored by kib on Sat, Aug 2, 6:03 PM.
Referenced Files
F125690060: D51708.diff
Sun, Aug 10, 10:42 PM

Details

Summary
vfs_syscall.c: do not take process lock around the read of P2_NO_NEW_PRIVS

The flag is write-only, and if we raced with reading the action of
setting the flag, we can as well get it under the lock.


vfs_syscall.c: EXTERROR-ise EPERM from chroot(2)

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kib requested review of this revision. Sat, Aug 2, 6:03 PM

Maybe be explicit that unprivileged_chroot is a sysctl/tunable, e.g. "security.bsd.unprivileged_chroot sysctl not enabled"

This revision is now accepted and ready to land. Sat, Aug 2, 6:10 PM

EXTERROR msg for disabled sysctl

This revision now requires review to proceed. Sat, Aug 2, 6:13 PM
kevans added inline comments.
sys/kern/vfs_syscalls.c, line 993

I don't feel that strongly here, but I think if I were to read this as someone unfamiliar, my question would be: "How does P2_NO_NEW_PRIVS get set?" -> a string that appears in a manpage to answer that would probably curtail that.

This revision is now accepted and ready to land. Sat, Aug 2, 6:16 PM
sys/kern/vfs_syscalls.c, line 993

s/PROCS/PROC/, of course. bah.

kib marked 2 inline comments as done.

Use API flag name, not kernel internal flag.

This revision now requires review to proceed. Sat, Aug 2, 6:30 PM
This revision is now accepted and ready to land. Sat, Aug 2, 6:31 PM