Page MenuHomeFreeBSD

jamie (James Gritton)
User

Projects

User Details

User Since
Aug 3 2014, 10:29 PM (461 w, 4 d)

Recent Activity

Wed, Jun 7

jamie accepted D40188: Add ".include" directive to jail.conf.

Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/

Wed, Jun 7, 12:23 AM · Jails
jamie committed rGe82a62943529: jail: add ".include" directive to jail.conf (authored by jamie).
jail: add ".include" directive to jail.conf
Wed, Jun 7, 12:22 AM

Sun, Jun 4

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

I've committed the "jails can include jails" and "use the recursive parser" bits separately. This new diff is just the part that handles the includes.

Sun, Jun 4, 4:29 AM · Jails
jamie committed rG086e0149ae56: jail: Use re-entrant versions of lex & yacc, and lex's yylineno (authored by jamie).
jail: Use re-entrant versions of lex & yacc, and lex's yylineno
Sun, Jun 4, 3:08 AM
jamie committed rG097db30a8e03: jail: Allow nested jail definitions. (authored by jamie).
jail: Allow nested jail definitions.
Sun, Jun 4, 12:47 AM

Thu, Jun 1

jamie added a comment to D40188: Add ".include" directive to jail.conf.

Just a small nitpick: I would prefer a macro #define MAX_INCLUDE_DEPTH 32

Thu, Jun 1, 2:59 PM · Jails

Wed, May 31

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

Simple include-loop prevention with via a maximum depth counter.

Wed, May 31, 7:05 PM · Jails

Fri, May 26

jamie added a comment to D40262: Allow setting a per-Jail fallback ABI brand..

However right now the kern.elfXX.fallback_elf_brand are tied to 2 global variables which their name are generated by the __elfN(xxx) macro. We could technically remove them and tie all 3 to the jail one? Maybe that belongs to a separate review?

Fri, May 26, 3:20 AM · Jails
jamie added a comment to D40262: Allow setting a per-Jail fallback ABI brand..

Rather than add a separate value different from the kern.fallback_elf_brand sysctl, it would make sense for the jail parameter to be tied to the sysctl itself, such as the securelevel parameter is. It's complicated somewhat by the fact that there are three similar sysctls.

Fri, May 26, 12:04 AM · Jails

Thu, May 25

jamie added inline comments to D40262: Allow setting a per-Jail fallback ABI brand..
Thu, May 25, 11:53 PM · Jails

Tue, May 23

jamie added a comment to D40188: Add ".include" directive to jail.conf.

True, they're not handled. I took my include inspiration from newsyslog (which has includes that also support globbing), and there it's also just a simple matter or running whatever it's told to include. It's kind of a footgun situation, where it's generally good enough to trust the administrator not to make such a loop. I did it for depend loops, but only because that's kind of elemental in building an acyclic directed graph.

Tue, May 23, 3:45 AM · Jails

Sun, May 21

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

New and improved diff :-)

Sun, May 21, 12:46 AM · Jails
jamie added a comment to D39011: Enable jail(8) to parse all config files.

I just created D40188, which is my take on solving this issue. It goes the include-file direction, and doesn't require and changes to rc.conf, since jail.conf is where such changes are made. The jail(8) command line also remains untouched.

Sun, May 21, 12:23 AM
jamie requested review of D40188: Add ".include" directive to jail.conf.
Sun, May 21, 12:15 AM · Jails

May 5 2023

jamie added a reviewer for D38826: Fix multiple rc.d/jail and jail.conf.d issues: jamie.
May 5 2023, 4:52 PM · Jails

Mar 12 2023

jamie accepted D38809: Fix rc scripts so that nfsd(8), nfsuserd(8), gssd(8) and rpc.tlsservd(8) can run in vnet prisons.
Mar 12 2023, 5:42 PM · rc
jamie added a comment to D38809: Fix rc scripts so that nfsd(8), nfsuserd(8), gssd(8) and rpc.tlsservd(8) can run in vnet prisons.

s/novnetjail/nojailvnet/

Mar 12 2023, 3:57 AM · rc

Feb 21 2023

jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 21 2023, 3:34 AM
jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 21 2023, 12:20 AM

Feb 20 2023

jamie accepted D38697: jail: Fix redoing ip restricting.

This makes perfect sense to me. The original version only set redo_ip[46] provisionally , and I missed that the patch changed that.

Feb 20 2023, 7:15 PM

Feb 4 2023

jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 4 2023, 4:43 PM

Feb 3 2023

jamie added a comment to D38144: Add MNT_EXJAIL to differentiate between exports in prisons vs prison0.

Oh, I remember jamie@ mentioning the jail cleanup
method.

Would the call to the PR_METHOD_REMOVE function
be the right place to get rid of the credential references
in the mountlist?

Feb 3 2023, 6:16 PM
jamie added a comment to D38371: mark which jail did exports via a reference to the credentials.

I defined a function called vfs_exjail_delete(), which I currently
call from the nfsd'd OSD PR_MOETHOD_REMOVE which
releases credentials and set mnt_exjail NULL for all cases
matching the prison argument.
Maybe this function should be called from within kern_jail.c
via prison_cleanup()?

Feb 3 2023, 6:09 PM
jamie added a comment to D38371: mark which jail did exports via a reference to the credentials.
In D38371#872242, @mjg wrote:

I would expect killing the jail to *fail* if there any exports active. You can keep the counter of them in struct prison to avoid the need to scan anything.

With the assumption that nfsd in jail is *disabled* by default, this would not violate POLA.

Feb 3 2023, 6:06 PM

Jan 31 2023

jamie added a comment to D38144: Add MNT_EXJAIL to differentiate between exports in prisons vs prison0.

The alive check raises a question: what if instead of a loop in vfs_export that checks prisons, how about a loop in prison_cleanup that checks exports? It could go through the mount list and any exports that belong to it can be refiled for the parent.

Jan 31 2023, 4:08 PM

Jan 30 2023

jamie accepted D38189: Add a check for enforce_statfs != 0 to prison_check_nfsd().

Sure, this one's no biggie.

Jan 30 2023, 3:34 AM
jamie added inline comments to D38144: Add MNT_EXJAIL to differentiate between exports in prisons vs prison0.
Jan 30 2023, 3:32 AM

Jan 24 2023

jamie added a comment to D38144: Add MNT_EXJAIL to differentiate between exports in prisons vs prison0.

I don't especially like the name pr_ident, which isn't readily differentiated from pr_id. Perhaps pr_permid? In a perfect world, I wouldn't have allowed prison IDs to be reused, but it's too late to stuff that horse back into the barn. Probably - I have considered actually changing the policy, but it would have POLA problems and would need a slow rollout with proper deprecation warnings.

Jan 24 2023, 6:47 PM
jamie added a comment to D38144: Add MNT_EXJAIL to differentiate between exports in prisons vs prison0.

I noticed that there are old versions of "struct prison"
in sys/jail.h. Is this necessary when "struct prison" is
revised?

Jan 24 2023, 5:32 PM

Dec 31 2022

jamie accepted D37918: jail: Avoid multipurpose return value of function prison_ip_restrict().

It took me longer to remember what I had done in the first place than it did to understand the new logic. I like this.

Dec 31 2022, 8:04 PM

Dec 23 2022

jamie added inline comments to D37777: Add VNET_NFSD support to the rpcsec_tls so NFS-over-TLS works in vnet prisons.
Dec 23 2022, 5:53 PM

Dec 22 2022

jamie added inline comments to D37777: Add VNET_NFSD support to the rpcsec_tls so NFS-over-TLS works in vnet prisons.
Dec 22 2022, 7:05 PM

Dec 18 2022

jamie accepted D37732: jail: Fix output of IPv[46] addresses of DDB `show prison`.
Dec 18 2022, 5:32 PM
jamie committed rG561dcc7f3722: jail: fix a NULL pointer derefence in parsing ip6.addr settings. (authored by jamie).
jail: fix a NULL pointer derefence in parsing ip6.addr settings.
Dec 18 2022, 12:34 AM
jamie committed rG47f21d91808c: jail: fix a NULL pointer derefence in parsing ip6.addr settings. (authored by jamie).
jail: fix a NULL pointer derefence in parsing ip6.addr settings.
Dec 18 2022, 12:32 AM

Dec 17 2022

jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 17 2022, 5:44 PM

Dec 16 2022

jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 16 2022, 9:55 PM
jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 16 2022, 5:17 PM

Dec 15 2022

jamie committed rGe8d7ae918a10: jail: fix a NULL pointer derefence in parsing ip6.addr settings. (authored by jamie).
jail: fix a NULL pointer derefence in parsing ip6.addr settings.
Dec 15 2022, 12:51 AM

Dec 14 2022

jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 14 2022, 6:05 PM

Dec 13 2022

jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 13 2022, 1:07 AM
jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 13 2022, 12:43 AM

Dec 12 2022

jamie added inline comments to D37519: modify the nfsd so that it can be run in a vnet prison.
Dec 12 2022, 9:44 PM

Dec 11 2022

jamie accepted D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.

Yes, the warning is sufficient. As I mentioned, there are other cases where a jail is allowed to be created as long as its options are allowed, even if it turns out not to be "fit for purpose".

Dec 11 2022, 4:27 AM
jamie added a comment to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.

The thing about the vfs_opterror, is the error message only applies when the jail_set(2) fails (or at least it's only checked then). So If you want to still allow the jail to be created and only give a warning, then printf() is the way to go.

Dec 11 2022, 3:30 AM

Dec 10 2022

jamie accepted D37665: patch jail.8 man page to add info on allow.nfsd.
Dec 10 2022, 5:37 PM
jamie added inline comments to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.
Dec 10 2022, 3:47 AM

Dec 9 2022

jamie added a comment to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.

Also, the jail.8 man page should have the parameter, which is a good place to mention the requirements for using it.

Dec 9 2022, 10:52 PM
jamie added inline comments to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.
Dec 9 2022, 10:50 PM
jamie added inline comments to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.
Dec 9 2022, 10:04 PM
jamie added a comment to D37637: Patch jail so that it can support mountd/nfsd in a vnet jail.

What's the purpose of nfsd_call_vnet_cleanup being a function pointer? If it's because you need VNET_NFSD for it to exist, it should do to have #ifdef VNET_NFSD in prison_cleanup(). If it's to handle nfsd being dynamically loaded, the canonical way to handle it is via the OSD system, where the osd_jail_call(...PR_METHOD_REMOVE) would handle it. Or is there a third reason I don't know?

Dec 9 2022, 5:54 PM

Aug 31 2022

jamie accepted D34522: jail: add process iterator.
Aug 31 2022, 7:43 PM

Jul 3 2022

jamie committed rGcf18a61708d3: MFC jail: Remove a prison's shared memory when it dies (authored by jamie).
MFC jail: Remove a prison's shared memory when it dies
Jul 3 2022, 7:27 PM
jamie committed rG06dcf1499bf5: MFC jail: add prison_cleanup() to release resources held by a dying jail (authored by jamie).
MFC jail: add prison_cleanup() to release resources held by a dying jail
Jul 3 2022, 7:26 PM

Jun 29 2022

jamie committed rG7060da62ff18: jail: Remove a prison's shared memory when it dies (authored by jamie).
jail: Remove a prison's shared memory when it dies
Jun 29 2022, 5:49 PM
jamie committed rGa9f7455c38c1: jail: add prison_cleanup() to release resources held by a dying jail (authored by jamie).
jail: add prison_cleanup() to release resources held by a dying jail
Jun 29 2022, 5:37 PM

May 16 2022

jamie accepted D34563: devfs.rules: Do not expose "log" in the default devfs rules..
May 16 2022, 2:57 AM · Jails

May 13 2022

jamie added a comment to D35198: sysvsem: Fix a typo..

Wow, that has been there for an embarrassingly long time!

Well, it's not a bug)) because the rpr cannot be NULL AFAIR, or Im missed something?

May 13 2022, 9:10 PM
jamie accepted D35198: sysvsem: Fix a typo..

Wow, that has been there for an embarrassingly long time!

May 13 2022, 8:04 PM

Mar 28 2022

jamie committed rGf059a2c832f8: mfc jail: handle jailsys parameters in modification permission test (authored by jamie).
mfc jail: handle jailsys parameters in modification permission test
Mar 28 2022, 11:42 PM
jamie committed rGc1576434e9cf: mfc jail: handle jailsys parameters in modification permission test (authored by jamie).
mfc jail: handle jailsys parameters in modification permission test
Mar 28 2022, 11:41 PM

Mar 26 2022

jamie committed rG8f1543785f77: jail: handle jailsys parameters in modification permission test (authored by jamie).
jail: handle jailsys parameters in modification permission test
Mar 26 2022, 2:17 AM

Mar 12 2022

jamie added inline comments to D34522: jail: add process iterator.
Mar 12 2022, 6:27 PM

Mar 2 2022

jamie committed rG1e40fc6fa9c4: MFC posixshm: Add a -j option to posixshmcontrol ls, to specify a jail (authored by jamie).
MFC posixshm: Add a -j option to posixshmcontrol ls, to specify a jail
Mar 2 2022, 11:13 PM
jamie committed rG803d7f4ccdca: posixshm: Allow jails to use kern.ipc.posix_shm_list (authored by jamie).
posixshm: Allow jails to use kern.ipc.posix_shm_list
Mar 2 2022, 11:10 PM

Feb 27 2022

jamie committed rGbe7cf3f4b8c2: posixshm: Add a -j option to posixshmcontrol ls, to specify a jail (authored by jamie).
posixshm: Add a -j option to posixshmcontrol ls, to specify a jail
Feb 27 2022, 1:47 AM

Feb 24 2022

jamie committed rGd7c4ea7d728e: posixshm: Allow jails to use kern.ipc.posix_shm_list (authored by jamie).
posixshm: Allow jails to use kern.ipc.posix_shm_list
Feb 24 2022, 5:33 PM

Dec 19 2021

jamie accepted D33339: jail: network epoch protection for IP address lists.
Dec 19 2021, 9:27 PM

Dec 16 2021

jamie added inline comments to D33339: jail: network epoch protection for IP address lists.
Dec 16 2021, 1:45 AM
jamie added a comment to D33339: jail: network epoch protection for IP address lists.

@jamie I actually got one more question about this code. The code that checks for IP addresses clashing, in the old code under comment that starts "Check for conflicting IP addresses", in the new code separated into function prison_ip_conflict_check(), it would not allow to create a child that has IP address of a parent if parent has multiple addresses
...
So my patch doesn't change this behavior, but it seems counter-intuitive to me. And the comment actually says it is intended:

If there is a duplicate on a jail with more than one IP stop checking and return error.

Why so?

Dec 16 2021, 1:42 AM

Dec 15 2021

jamie added inline comments to D33339: jail: network epoch protection for IP address lists.
Dec 15 2021, 10:41 PM
jamie added inline comments to D33339: jail: network epoch protection for IP address lists.
Dec 15 2021, 8:01 PM

Dec 14 2021

jamie accepted D33340: inpcb: use epoch protection when doing prison checks.

I take it this is for what we're seeing in Bug 260335.

Dec 14 2021, 5:20 PM

Dec 9 2021

jamie added inline comments to D33339: jail: network epoch protection for IP address lists.
Dec 9 2021, 5:07 AM

Nov 11 2021

jamie added a comment to D32934: jail(8): cleanup jail when not persisting.

This presupposes that a jail that isn't marked to persist isn't going to stick around for some other reason. A jail could be started for example to start a long-running daemon, or to be a parent of other jails. Automatically going away when its task is done is a feature of such a jail.

Nov 11 2021, 1:59 AM

Oct 7 2021

jamie committed rG1ee0746e1af0: MFC uipc_shm: Fix kern.ipc.posix_shm_list for jails (authored by jamie).
MFC uipc_shm: Fix kern.ipc.posix_shm_list for jails
Oct 7 2021, 4:41 PM
jamie committed rG13cb61f9723e: MFC uipc_shm: Fix kern.ipc.posix_shm_list for jails (authored by jamie).
MFC uipc_shm: Fix kern.ipc.posix_shm_list for jails
Oct 7 2021, 4:34 PM

Sep 29 2021

jamie committed rG747a47261eee: Fix error return of kern.ipc.posix_shm_list, which caused it (and thus (authored by jamie).
Fix error return of kern.ipc.posix_shm_list, which caused it (and thus
Sep 29 2021, 5:23 PM

Sep 4 2021

jamie accepted D29659: jail: convert several functions from int to bool.
Sep 4 2021, 10:27 PM · Jails

Jul 27 2021

jamie accepted D31225: vmm: Destroy associated VM objects when a jail is destroyed.

I'm not thrilled at the redundant call to vfs_flagopt(), which shouldn't be necessary because kern_jail_set has already looked for allow.novmm and set the permission bit accordingly. But by the time vmmdev_prison_set() is called, the old value of the permission bit is forgotten. So you're left with

Jul 27 2021, 11:10 PM

Jun 24 2021

jamie committed rG75befde07bdf: jail: Don't allow substitution of valueless jail parameters. (authored by jamie).
jail: Don't allow substitution of valueless jail parameters.
Jun 24 2021, 5:55 PM
jamie committed rGade910f43b70: jail: Don't allow substitution of valueless jail parameters. (authored by jamie).
jail: Don't allow substitution of valueless jail parameters.
Jun 24 2021, 5:54 PM
jamie committed rG6e2623c012c3: jail: Don't allow substitution of valueless jail parameters. (authored by jamie).
jail: Don't allow substitution of valueless jail parameters.
Jun 24 2021, 5:52 PM

Jun 18 2021

jamie committed rG5bf6dca2c6db: jail: Don't allow substitution of valueless jail parameters. (authored by jamie).
jail: Don't allow substitution of valueless jail parameters.
Jun 18 2021, 4:48 PM

Apr 12 2021

jamie added inline comments to D29659: jail: convert several functions from int to bool.
Apr 12 2021, 4:13 PM · Jails
jamie added inline comments to D29659: jail: convert several functions from int to bool.
Apr 12 2021, 2:45 AM · Jails

Apr 11 2021

jamie added inline comments to D29659: jail: convert several functions from int to bool.
Apr 11 2021, 5:39 PM · Jails

Apr 9 2021

jamie added inline comments to D29659: jail: convert several functions from int to bool.
Apr 9 2021, 7:49 PM · Jails
jamie committed rG73b04801b316: MFC jail: fix jail(8) synposis and usage message to match reality. (authored by jamie).
MFC jail: fix jail(8) synposis and usage message to match reality.
Apr 9 2021, 3:28 AM
jamie committed rGbdb392c1d354: MFC jail: fix jail(8) synposis and usage message to match reality. (authored by jamie).
MFC jail: fix jail(8) synposis and usage message to match reality.
Apr 9 2021, 3:26 AM
jamie committed rG6186592c106b: MFC jail: fix jail(8) synposis and usage message to match reality. (authored by jamie).
MFC jail: fix jail(8) synposis and usage message to match reality.
Apr 9 2021, 3:25 AM

Apr 8 2021

jamie added a comment to D29659: jail: convert several functions from int to bool.
In D29659#665126, @me_igalic.co wrote:

there are other candidates that return (0) or a single error that is always the same, but here we would need modifying the call-site :

  • prison_check_af() 0/EAFNOSUPPORT
  • prison_canseemount() 0/ENOENT
  • prison_check() 0/ESRCH
Apr 8 2021, 10:57 PM · Jails
jamie added a comment to D29659: jail: convert several functions from int to bool.

Yeah, I'd been meaning to get around to that ;-).

Apr 8 2021, 8:43 PM · Jails

Apr 4 2021

jamie committed rG8c1d956ffa03: jail: fix jail(8) synposis and usage message to match reality. (authored by jamie).
jail: fix jail(8) synposis and usage message to match reality.
Apr 4 2021, 5:53 PM

Mar 14 2021

jamie added a comment to D29255: make shell started by "jexec -l [-U user] jail" a login shell.

This would work well with jexec -l, which is already somewhat like su -l but misses the parts you mention. In fact, I would recommend making clean (-l) the deciding factor instead of pwd (-u/U). And I don't see a reason why the same directory change shouldn't be done regardless of whether it's for a command or a shell.

Mar 14 2021, 5:04 PM

Mar 12 2021

jamie committed rGd2bbfc375487: MFC jail: Don't allow jails under dying parents (authored by jamie).
MFC jail: Don't allow jails under dying parents
Mar 12 2021, 6:50 PM
jamie committed rG246339530348: MFC jail: Add PD_KILL to remove a prison in prison_deref(). (authored by jamie).
MFC jail: Add PD_KILL to remove a prison in prison_deref().
Mar 12 2021, 6:49 PM
jamie added a reverting change for rG811e27fa3c44: jail: Add PD_KILL to remove a prison in prison_deref().: rG246339530348: MFC jail: Add PD_KILL to remove a prison in prison_deref()..
Mar 12 2021, 6:49 PM
jamie added a reverting change for D28473: Add PD_KILL option to prison_deref(): rG246339530348: MFC jail: Add PD_KILL to remove a prison in prison_deref()..
Mar 12 2021, 6:49 PM
jamie committed rG2bfecbef9a57: MFC jail: Add pr_state to struct prison (authored by jamie).
MFC jail: Add pr_state to struct prison
Mar 12 2021, 6:47 PM