bhyve was recently converted to the capsicum sandbox, and needs to be able to control the CPU sets of its vcpu threads
Details
Details
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Passed - Unit
No Test Coverage - Build Status
Buildable 8381 Build 8657: CI src build Jenkins Build 8656: arc lint + arc unit
Event Timeline
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 339 | should this be allowed inside capsicum? check against IN_CAPABILITY_MODE(curthread) or something? | |
| 357 | same here | |
| 516 | allowed? | |
| 698 | only if id = -1? | |
| 1006 | eventually this might allow setting on a thread, should the if consider that, so that if the following condition is changed/removed, it doesn't block things? | |
Comment Actions
Oops, forgot to hit "Submit," so sorry if some of these comments are OBE.
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 50 | Hmm, this file seems to be mostly unsorted already :( I suppose supporting with another 'c' header is as good as anywhere. | |
| 339 | Yep, this helper doesn't need to be aware of capsicum. | |
| 1006 | These CPU sets refer to a global namespace; these should not be permitted in capability mode at all I think? | |
| 1120–1124 | This one looks good to me | |
| 1230 | I think that's out of scope for Capsicum. | |
Comment Actions
Update based on feedback
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 1006 | the setid being a global thing? I suppose that makes sense. | |
Comment Actions
I like the overall approach especially after various changes to do the checks only in the system calls themselves, not in the common helper functions.
| sys/kern/capabilities.conf | ||
|---|---|---|
| 137 | This comment will need updating. | |
| sys/kern/kern_cpuset.c | ||
| 1124 | I find this check pretty hard to read and understand. Is there some way to refactor it to use a nested if in an outside block conditioned in IN_CAPABILITY_MODE() and possibly a check on level to make it more readable? | |
| 1232 | Ditto here. I find the complex boolean expression hard to follow, and hence convince myself it is right. Can this become a nested if..? | |
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 1124 | So something like: if (IN_CAPABILITY_MODE(td)) {
if (level ...
return (ECAPMODE);
}Then do you think the inner if is more clear as | |
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 1124 | or even something like if (level != CPU_LEVEL_WHICH)
return (ECAPMODE);
if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
return (ECAPMODE);
if (id != -1)
return (ECAPMODE); | |
| sys/kern/kern_cpuset.c | ||
|---|---|---|
| 1124 | Yes, this sounds good (one big outside check for IN_CAPABILITY_MODE(td), and then the sequence of if() checks). It's now much more obvious to me what the policy is. | |
Comment Actions
FYI, it may be desirable to add a note about scoping of cpuset*(2) to the capsicum(4) man page. We should probably extend that man page in other ways to describe other sorts of scoping in place, but that's a separate task...
Comment Actions
compat32 capabilities.conf requires the same changes, and corresponding tables must be regenerated as well, in the follow-up commit.
Comment Actions
The two 'sysent' files should be done as a second commit, is that all that needs to be done?
Comment Actions
LGTM in general. Minor comment on the man page wording.
| lib/libc/sys/cpuset_getaffinity.2 | ||
|---|---|---|
| 152 ↗ | (On Diff #28499) | For consistency with typical error descriptions, should it not be something like "The calling process attempted to act on a process other than itself, in capability mode."? It seems a bit tortured, but the error descriptions always seem to be "this is what the caller did wrong." |
| head/lib/libc/sys/cpuset_getaffinity.2 | ||
|---|---|---|
| 158 ↗ | (On Diff #28731) | This is in the wrong place. This list is sorted by category first, then alpha. |