Page MenuHomeFreeBSD

jamie (James Gritton)
User

Projects

User Details

User Since
Aug 3 2014, 10:29 PM (583 w, 6 d)

Recent Activity

Mon, Sep 15

jamie committed rGdeaa609d065d: jaildesc: remove desc from the sysctl parameter list (authored by jamie).
jaildesc: remove desc from the sysctl parameter list
Mon, Sep 15, 4:05 AM
jamie committed rG9d7f89ef2607: jaildesc: add kevent support (authored by jamie).
jaildesc: add kevent support
Mon, Sep 15, 4:05 AM
jamie committed rG1a849ff1e9a9: jail: simplify EVFILT_JAIL events (authored by jamie).
jail: simplify EVFILT_JAIL events
Mon, Sep 15, 4:04 AM

Sat, Sep 13

jamie committed rG5df0b57b74e2: MFC jaildesc: remove file-mode-based access controls (authored by jamie).
MFC jaildesc: remove file-mode-based access controls
Sat, Sep 13, 11:45 PM
jamie committed rG0c23ee96c6e5: MFC jaildesc: fix typo and style(9) violations. (authored by jamie).
MFC jaildesc: fix typo and style(9) violations.
Sat, Sep 13, 11:45 PM
jamie committed rG595a705062de: MFC jaildesc: replace EBADF with EINVAL (authored by jamie).
MFC jaildesc: replace EBADF with EINVAL
Sat, Sep 13, 11:45 PM
jamie committed rG4ecbb3f19b44: MFC jaildesc: fix a misplaced error check and a spurious finit call (authored by jamie).
MFC jaildesc: fix a misplaced error check and a spurious finit call
Sat, Sep 13, 11:45 PM
jamie committed rGe75dda31c1ee: jaildesc: remove desc from the sysctl parameter list (authored by jamie).
jaildesc: remove desc from the sysctl parameter list
Sat, Sep 13, 10:32 PM
jamie requested review of D52516: Add capsicum support to jail descriptors.
Sat, Sep 13, 9:20 PM
jamie abandoned D52462: Jail descriptor kevents, Plan B.

Commit 66d8ffe30 has simpler kevent handling for jaildesc, without any recursion. Jail kevents have also have recussion removed. Its lack of guarantees and incomplete problem-solving meant that applications would need a way to handle when notifications weren't 100% collected. As long as that's the case, might as well get rid of the complexity.

Sat, Sep 13, 3:52 AM
jamie abandoned D52461: Jail descriptor kevents, Plan A.

Commit 66d8ffe30 has simpler kevent handling for jaildesc, without any recursion. Jail kevents have also have recussion removed. Its lack of guarantees and incomplete problem-solving meant that applications would need a way to handle when notifications weren't 100% collected. As long as that's the case, might as well get rid of the complexity.

Sat, Sep 13, 3:52 AM

Fri, Sep 12

jamie committed rG66d8ffe3046d: jaildesc: add kevent support (authored by jamie).
jaildesc: add kevent support
Fri, Sep 12, 6:35 PM

Sep 12 2025

jamie committed rGdbcaac13e49c: jail: simplify EVFILT_JAIL events (authored by jamie).
jail: simplify EVFILT_JAIL events
Sep 12 2025, 5:29 AM

Sep 10 2025

jamie committed rGd81b337d690c: jaildesc: remove file-mode-based access controls (authored by jamie).
jaildesc: remove file-mode-based access controls
Sep 10 2025, 11:27 PM
jamie accepted D52319: jail.2: Mention EPERM is returned on open directories.

Very well. I suppose it doesn't hurt.

Sep 10 2025, 5:35 PM

Sep 9 2025

jamie committed rGd8d5324ef533: jaildesc: fix typo and style(9) violations. (authored by jamie).
jaildesc: fix typo and style(9) violations.
Sep 9 2025, 6:53 PM
jamie committed rG16f600dc30b7: jaildesc: replace EBADF with EINVAL (authored by jamie).
jaildesc: replace EBADF with EINVAL
Sep 9 2025, 6:18 PM
jamie added a comment to D52461: Jail descriptor kevents, Plan A.

Plan B is in D52462.

Sep 9 2025, 4:57 PM
jamie added a comment to D52462: Jail descriptor kevents, Plan B.

Plan A is in D52461.

Sep 9 2025, 4:57 PM
jamie requested review of D52462: Jail descriptor kevents, Plan B.
Sep 9 2025, 4:37 PM
jamie requested review of D52461: Jail descriptor kevents, Plan A.
Sep 9 2025, 4:30 PM
jamie added a comment to D52319: jail.2: Mention EPERM is returned on open directories.

Yes, EPERM on open directories may be unexpected, but I don't see that is enough cause to change the long-standing tradition of referring to other manual pages when a function may return the set of errors produced by another function.

Sep 9 2025, 3:50 PM

Sep 5 2025

jamie committed rG8ec7a830f10b: jaildesc: fix a misplaced error check and a spurious finit call (authored by jamie).
jaildesc: fix a misplaced error check and a spurious finit call
Sep 5 2025, 4:51 AM
jamie closed D43696: Jail descriptors.
Sep 5 2025, 3:51 AM

Sep 4 2025

jamie committed rG851dc7f859c2: jail: add jail descriptors (authored by jamie).
jail: add jail descriptors
Sep 4 2025, 8:32 PM
jamie committed rG1bd74d201a53: jail: add kqueue(2) support for jails (authored by jamie).
jail: add kqueue(2) support for jails
Sep 4 2025, 7:00 PM
jamie closed D51940: kqueue(2) support for jails.
Sep 4 2025, 7:00 PM

Sep 3 2025

jamie added inline comments to D43696: Jail descriptors.
Sep 3 2025, 4:55 PM

Sep 1 2025

jamie updated the diff for D43696: Jail descriptors.

I've added a "Jail Descriptors" section to jail(2), and added the jail_attach_fd and jail_remove_jd system calls, and the new jail_get/jail_set flags.

Sep 1 2025, 11:59 PM

Aug 29 2025

jamie closed D50241: Teach ngctl to attach and run itself in a jail..
Aug 29 2025, 11:08 PM
jamie committed rG72d01e62b082: netgraph: teach ngctl to attach and run itself in a jail (authored by jamie).
netgraph: teach ngctl to attach and run itself in a jail
Aug 29 2025, 11:08 PM

Aug 26 2025

jamie requested changes to D46284: Add the ability have executable jail.conf.
Aug 26 2025, 8:14 PM · Jails

Aug 21 2025

jamie accepted D52039: kern: remove the need to allocate in prison_add_vfs().

The unrelated prison_add_allow talk deserves its own revision, so I made D52105 for that.

Aug 21 2025, 10:01 PM
jamie requested review of D52105: Remove asprintf from prison_add_allow.
Aug 21 2025, 9:59 PM
jamie added a comment to D52039: kern: remove the need to allocate in prison_add_vfs().

I wonder why asprintf() uses M_NOWAIT when strdup() uses M_WAITOK. Looking at the relatively few callers, I suspect we can perhaps just switch to M_WAITOK...

Aug 21 2025, 4:58 PM

Aug 20 2025

jamie added a comment to D52039: kern: remove the need to allocate in prison_add_vfs().

prison_add_vfs then goes on to call prison_add_allow, which has its own asprintf call. So unless you fix that as well, you've bought very little. And prison_add_allow really ought to be fixed. It's just a matter of not relying on asprintf with its M_NOWAIT allocation. The context it's called in (and presumably would ever be called in) can handle waiting for allocation.

Aug 20 2025, 9:15 PM

Aug 17 2025

jamie added a comment to D43696: Jail descriptors.

I've added D51940, which adds kqueue support to jails by JID, so it's separate from the descriptor work, except it contains fixes for the problems I've identified with the current kqueue code in this revision. In particular, it uses the NOTE_TRACK convention that processes use, and adds a flag that notes if attached processes were missed.

Aug 17 2025, 12:31 AM
jamie requested review of D51940: kqueue(2) support for jails.
Aug 17 2025, 12:28 AM

Aug 14 2025

jamie accepted D51831: jail: fix backfilling the "name" for jid-named jails.

Yep, tried it out and it looks good now.

Aug 14 2025, 7:18 PM
jamie added a comment to D43696: Jail descriptors.

As I learn more about kqueue, I see I am trying to make it do things it's not suited for. In particular, the data field can't contain the kind of information I'm putting it in (process ID, jail ID). The non-queuing nature of kqueue (!) means that one event can be obliterated by the next event, leading to unreliable notification. There's not a lot of advantage of being notified that at least one child jail has been created, and here's the JID of the most recent one.

Aug 14 2025, 5:01 AM

Aug 12 2025

jamie accepted D46284: Add the ability have executable jail.conf.
Aug 12 2025, 5:06 PM · Jails

Aug 7 2025

jamie accepted D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.

True, there's no real need for the PR_ALLOW_PRISON0 change, but since you went to the effort to make that macro anyway, it's a good place to showcase it.

Aug 7 2025, 5:19 AM
jamie added inline comments to D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.
Aug 7 2025, 1:02 AM
jamie accepted D51719: jail: Optionally allow audit session state to be configured in a jail.

It looks fine from the jail side of things.

Aug 7 2025, 12:55 AM

Jul 31 2025

jamie added inline comments to D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.
Jul 31 2025, 11:05 PM
jamie accepted D51656: jail: separate "statically valid allow flags" from "prison0 allow flags".
Jul 31 2025, 10:27 PM
jamie requested changes to D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.

In the meantime (and long-term), a knob makes sense.

Jul 31 2025, 4:38 PM
jamie added a comment to D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.
In D51645#1179733, @kib wrote:

Would privileges actually work, I have no objections. But right now this change makes the very useful feature (at least for me), only available to root. I do often use 'jail -u <me> / something 127.0.0.1 /bin/sh', and have the jailed processes only bound to localhost, otherwise they are normal (can be debugged etc).

It would be pity to loose the ability. Can we have at least a knob to re-enable the current behavior?

Jul 31 2025, 4:36 PM
jamie accepted D51645: kern: disallow user scheduling/debugging/signalling of jailed procs.

I like this. Given that a non-root user isn't allowed to mess with a jail, it makes that it wouldn't be allowed to mess with processes in that jail, even if they happen to have the same uid. That sounds like preferable default behavior, even if it's a switch from current practice. The closer we get to namespaces like uid being conceptually a (jail, id) tuple, the better off we are.

Jul 31 2025, 4:31 PM
jamie added a comment to D43696: Jail descriptors.

This sounds deeply confused about what a file descriptor is (supposed to be). It is the capability to use the referenced resource. The permissions in the file description should govern what's allowed through the descriptor not the current process credentials. The check against the current process credential has to happen as the description the descriptor references is created.

Jul 31 2025, 12:52 AM
jamie added a comment to D43696: Jail descriptors.
In D43696#996669, @dvl wrote:

I read the description, but I'm still not sure how a jail descriptor would be used. How about some pseudo-code, to illustrate the concept please?

Jul 31 2025, 12:34 AM

Jul 30 2025

jamie updated the diff for D43696: Jail descriptors.

The big addition is kevent support. A jail descriptor can pass four notes:

Jul 30 2025, 9:54 PM

Jul 26 2025

jamie accepted D51502: jail: consistently populate the KP_JID and KP_NAME parameters.
Jul 26 2025, 2:38 AM

Jul 25 2025

jamie accepted D51541: jls: add a -c mode to check for a jail's existence.
Jul 25 2025, 10:55 PM
jamie accepted D51540: jls: minor simplification to arg handling.
Jul 25 2025, 10:54 PM
jamie added inline comments to D51502: jail: consistently populate the KP_JID and KP_NAME parameters.
Jul 25 2025, 10:54 PM
jamie accepted D51524: jail: Make prison_owns_vnet() operate on a prison instead of a ucred.

I could instead add an alternative function or even just an inline "is PR_VNET set" check.

Jul 25 2025, 5:46 PM
jamie added a comment to D51524: jail: Make prison_owns_vnet() operate on a prison instead of a ucred.

There's a general trend in the "prison can do this thing" functions that they all take a ucred. One the one hand it seems reasonable that they would all take a struct prison instead, but is there a particular reason to break the trend for this case?

Jul 25 2025, 5:22 PM
jamie added inline comments to D51502: jail: consistently populate the KP_JID and KP_NAME parameters.
Jul 25 2025, 5:18 PM
jamie accepted D51501: jail: tests: cleanup the commands test a bit.
Jul 25 2025, 4:32 PM

Jul 17 2025

jamie accepted D46284: Add the ability have executable jail.conf.

I had considered that the -l (exec clean) flag should be considered, but decided it really only makes sense for keeping the jail environment clean.

Jul 17 2025, 3:50 PM · Jails

Jul 7 2025

jamie accepted D51150: Jail sysctls: deprecated a generic sysctl in favour of allow-flags.

Yes, anything that makes these things more obviously deprecated is better.

Jul 7 2025, 4:39 PM

Jun 30 2025

jamie accepted D50241: Teach ngctl to attach and run itself in a jail..
Jun 30 2025, 11:31 PM

May 19 2025

jamie added a comment to D50418: namei: Make stackable filesystems check harder for jail roots.

I appreciate the single vfs_lookup_isroot function - it took me an embarrassingly long time to discover a second copy of that code had appeared in vfs_cache.c a mere five years ago.

May 19 2025, 5:30 PM

May 17 2025

jamie added a comment to D50371: unix: Restrict dirfds exchanged between jails with a different root.

@jamie : Was the possibility of having a sub-jail with a root that is not under its parent jail something that was explicitly meant to be allowed from the start? Aren't all the other jail-managed resources not allowed to grow when going down the jail tree (for those where that makes sense)? I agree there is currently no mechanism to actually enforce that some directory stays below another one, but maybe we can search for some practical ones if we consider this to be really relevant. Providing such a guarantee could ease general reasoning about whether some paths are contained in others. But that doesn't seem to make a big difference here: With such a property, we could allow simply passing any descriptor from some sub-jail to a parent jail, but it would still be too weak by itself to allow a parent jail to unconditionally send a descriptor to its children, or have two siblings exchanging one. If you have some pointers or remembrances about restrictions on the root of sub-jails, I would be interested.

May 17 2025, 10:39 PM

May 16 2025

jamie added a comment to D50371: unix: Restrict dirfds exchanged between jails with a different root.

I would widen this a little, and allow passing dirfds up and down the jail parent/child chain. That fits with the current ".."-handling strategy of preventing traversal up from the current jail or any ancestor.

May 16 2025, 5:21 PM
jamie added a comment to D50371: unix: Restrict dirfds exchanged between jails with a different root.
In D50371#1149495, @kib wrote:

IMO the right way is much simpler, and was formulated in the PR: only allow to pass dirfd across the same jail, or from any jail to prison0. I think your addition of allowing to pass dirfd between different jails but having same rootvp is neat.

May 16 2025, 5:06 PM

May 10 2025

jamie accepted D49843: jail: add allow.routing jail permission.
May 10 2025, 10:07 PM

Apr 21 2025

jamie accepted D48074: kern: osd: abstract away the math for locating a slot method.
Apr 21 2025, 4:29 PM
jamie added a comment to D49843: jail: add allow.routing jail permission.
In D49843#1138751, @zec wrote:

If this patch hits the tree, which I'm strongly opposed to, at minimum the commit message should clearly state that this is an open-ended redefinition of the jail contract, for a cause no one is able to articulate clearly.

Apr 21 2025, 4:17 PM

Apr 19 2025

jamie accepted D49844: svcj: add "routing" option.
Apr 19 2025, 3:56 PM
jamie accepted D49845: rc.subr: add 'settime' to svcj options.

No opinion on slew vs skew, the rest looks good.

Apr 19 2025, 3:55 PM

Apr 16 2025

jamie added a comment to D49843: jail: add allow.routing jail permission.

This looks good to me, but I'm hoping someone from networking will chime in.

Apr 16 2025, 8:14 PM
jamie accepted D49846: jail: allow jails to call settimeofday() if allow.settime is enabled.

It looks very basic, and is good by me. But I'm inviting Mariusz to make sure he didn't have a particular reason not to include PRIV_SETTIMEOFDAY when he added PRIV_CLOCK_SETTIME.

Apr 16 2025, 7:46 PM

Mar 31 2025

jamie accepted D47668: jail: Add meta and env parameters.

OK, I understand the problem with the maximum sizes. I think we need to pursue something in libjail that makes this seamless, but that can be later work.

Mar 31 2025, 12:14 AM

Mar 30 2025

jamie added a comment to D47668: jail: Add meta and env parameters.

I'm not sure what the point of the soft/hard size limits is. I imagine I could find it in the code, but could you explain it to me? Something more than the one comment about it, but less detail than the code itself :-).

Mar 30 2025, 5:07 PM
jamie added a comment to D47668: jail: Add meta and env parameters.

I don't disagree that the way the character set is limited is efficient and doesn't add much to the code base. It's just the entire direction that I don't like. There are many places where sloppy text interpretation can cause problems. Environment variables come to mind - they too are passed between processes in the kernel. But user-level string injection has never been considered a kernel problem, and I don't see why it should start now. That's just not the kernel's job.

Mar 30 2025, 5:00 PM

Mar 24 2025

jamie requested changes to D47668: jail: Add meta and env parameters.

Everything looks good, except that allowed chars part. That still looks like a kernel-level solution to a user-level non-problem.

Mar 24 2025, 9:17 PM

Mar 9 2025

jamie committed rG0d6ed98ef318: MFC jail: add jexec -d, to specify a working directory (authored by jamie).
MFC jail: add jexec -d, to specify a working directory
Mar 9 2025, 3:45 AM

Mar 5 2025

jamie committed rGd56f3b051f61: jail: add jexec -d, to specify a working directory (authored by jamie).
jail: add jexec -d, to specify a working directory
Mar 5 2025, 6:17 PM

Feb 23 2025

jamie added a comment to D47668: jail: Add meta and env parameters.

Here's a possibility:

Saying meta.foo="" on the command line or jail.conf clears the contents of meta.foo, or adds it with empty contents. The jail_set(2) interface passes an empty string for the value. This already works.

Just saying meta.foo (no '=') on the command line or jail.conf removes the key if it exists. The jail_set(2) interface passes a null string for the value, which is typically an error.

Thank you for confirming this way, it seems more usable instead of meta.nofoo or nometa.foo. The latest patch version adds key removal using NULL value as a trigger.

Feb 23 2025, 9:23 PM

Feb 17 2025

jamie committed rGdc384b96228f: MFC jls: fix the -q option to put quotes around all whitespace (authored by jamie).
MFC jls: fix the -q option to put quotes around all whitespace
Feb 17 2025, 7:42 PM
jamie committed rG486af41443e8: MFC jls: admit that jail parameters with newlines print multiple lines (authored by jamie).
MFC jls: admit that jail parameters with newlines print multiple lines
Feb 17 2025, 7:35 PM

Feb 13 2025

jamie committed rGb144e883cac8: jls: admit that jail parameters with newlines print multiple lines (authored by jamie).
jls: admit that jail parameters with newlines print multiple lines
Feb 13 2025, 11:49 PM
jamie committed rG3d11af1e595b: jls: fix the -q option to put quotes around all whitespace (authored by jamie).
jls: fix the -q option to put quotes around all whitespace
Feb 13 2025, 11:49 PM

Feb 8 2025

jamie added a comment to D47668: jail: Add meta and env parameters.
In D47668#1115164, I wrote:

There's no way to remove a key, only to add or set one. I can set it to an empty string, but they key is still there. I suppose that makes sense that setting a key to an empty value creates a key with an empty value, but I'd like a way to remove a key, short of reading the whole thing and writing back everything except the unwanted key. But I don't know a good way to specify that only working with a string value.

Feb 8 2025, 6:03 PM
jamie added a comment to D47668: jail: Add meta and env parameters.

A few observations from actually running this:

Feb 8 2025, 5:08 AM

Jan 23 2025

jamie added inline comments to D47668: jail: Add meta and env parameters.
Jan 23 2025, 5:48 AM

Jan 22 2025

jamie added inline comments to D47668: jail: Add meta and env parameters.
Jan 22 2025, 3:08 AM

Jan 6 2025

jamie accepted D47992: jail: Avoid a use-after-free when destroying jails.

No further comments, except sorry for taking so long to mention that.

Jan 6 2025, 10:40 PM

Dec 17 2024

jamie added a comment to D47992: jail: Avoid a use-after-free when destroying jails.

The new PR_VNET_ROOT flag is unneeded: it's equivalent to PR_VNET, just check
that instead.

Dec 17 2024, 6:02 PM
jamie added inline comments to D47992: jail: Avoid a use-after-free when destroying jails.
Dec 17 2024, 5:54 PM
jamie added a comment to D47668: jail: Add meta and env parameters.

There are currently a wide variety of strings in jail parameters, and for that matter many more elsewhere in the kernel. So far, we have gotten by with counting on administrators putting reasonable values in them.

Dec 17 2024, 5:33 PM

Dec 14 2024

jamie requested changes to D48074: kern: osd: abstract away the math for locating a slot method.
Dec 14 2024, 4:47 AM
jamie accepted D48075: kern: osd: trash a slot's methods upon deregistration.

Accepted with the caveat I mentioned in D48074.

Dec 14 2024, 4:46 AM
jamie accepted D48074: kern: osd: abstract away the math for locating a slot method.

I'd prefer it to take the slot number, and do the "slot - 1" translation in the macro. That came to mind looking at D48075 which passes in slot - 1.

Dec 14 2024, 4:44 AM

Dec 13 2024

jamie added a comment to D47668: jail: Add meta and env parameters.
  • The allowed chars for each buffer are very limited by default, it covers Base64, k=v\n format, and some extra bytes. It can be changed via security.jail.meta_allowedchars sysctl. For convenience (as it seems to me for now), setting it to an empty string allows everything.
Dec 13 2024, 7:05 PM

Dec 9 2024

jamie added inline comments to D47992: jail: Avoid a use-after-free when destroying jails.
Dec 9 2024, 6:44 PM
jamie added inline comments to D47992: jail: Avoid a use-after-free when destroying jails.
Dec 9 2024, 4:49 AM
jamie accepted D47991: jail: Handle jail removal in a dedicated thread.

Longer term, I'd like to push some of vnet removal into the period between prison_cleanup() and the final jail destruction; interface removal is definitely part of that desire. But that's a mess of dependencies that hasn't found a solution yet, so I can see how we need this.

Dec 9 2024, 4:48 AM