Page MenuHomeFreeBSD

jamie (James Gritton)
User

Projects

User Details

User Since
Aug 3 2014, 10:29 PM (531 w, 1 d)

Recent Activity

Sat, Oct 5

jamie added a comment to D46899: MAC: Define a common 'mac' node for MAC's jail parameters.

I suppose this will make more sense once there's at least one MAC policy that has an associated jail parameter. Currently, it seems to suggest (being a jailsys parameter) that there's some sort of valid "new" or "deleted" state for MAC inside the jail.

Sat, Oct 5, 11:57 PM
jamie accepted D46902: jail.h: New SYSCTL_JAIL_PARAM_DECL().
Sat, Oct 5, 11:52 PM
jamie accepted D46900: jail.h: Fix whitespace in the param macros declaration block.
Sat, Oct 5, 11:50 PM
jamie accepted D46901: jail.h: New SYSCTL_JAIL_PARAM_SYS_SUBNODE().
Sat, Oct 5, 11:49 PM
jamie accepted D46886: osd: Constify signature of osd_register().
Sat, Oct 5, 11:44 PM

Tue, Sep 24

jamie committed rGf616b13bb35a: MFC jail: unbreak the zfs.mount_snapshot option (authored by jamie).
MFC jail: unbreak the zfs.mount_snapshot option
Tue, Sep 24, 5:19 PM
jamie committed rG80c5d78d90e6: MFC jail: unbreak the zfs.mount_snapshot option (authored by jamie).
MFC jail: unbreak the zfs.mount_snapshot option
Tue, Sep 24, 5:17 PM

Thu, Sep 19

jamie committed rGae1a0648b05a: jail: unbreak the zfs.mount_snapshot option (authored by jamie).
jail: unbreak the zfs.mount_snapshot option
Thu, Sep 19, 7:50 PM

Aug 16 2024

jamie committed rG1ff3118d72b1: MFC jail: only chdir to user's home directory when user is specified (authored by jamie).
MFC jail: only chdir to user's home directory when user is specified
Aug 16 2024, 5:13 PM

Aug 12 2024

jamie closed D46226: Restrict jail(8) and jexec(8) to chdir to the user's directory only when the user is expicitly specified.
Aug 12 2024, 10:37 PM
jamie committed rG5cf705491727: jail: only chdir to user's home directory when user is specified (authored by jamie).
jail: only chdir to user's home directory when user is specified
Aug 12 2024, 10:36 PM

Aug 5 2024

jamie added a comment to D46226: Restrict jail(8) and jexec(8) to chdir to the user's directory only when the user is expicitly specified.

This comes from discussion in Bug 277210.

Aug 5 2024, 5:45 AM
jamie requested review of D46226: Restrict jail(8) and jexec(8) to chdir to the user's directory only when the user is expicitly specified.
Aug 5 2024, 5:41 AM

Jun 28 2024

jamie committed rG0e391d97fbe4: MFC zfs/jail: Document the zfs.mount_snapshot parameter in jail(8). (authored by jamie).
MFC zfs/jail: Document the zfs.mount_snapshot parameter in jail(8).
Jun 28 2024, 7:52 PM
jamie committed rG172fbf12fc22: MFC zfs/jail: Mark the zfs.mount_snapshot jail parameter as boolean. (authored by jamie).
MFC zfs/jail: Mark the zfs.mount_snapshot jail parameter as boolean.
Jun 28 2024, 7:51 PM
jamie committed rGbb7b7b0eb7cf: MFC zfs/jail: Document the zfs.mount_snapshot parameter in jail(8). (authored by jamie).
MFC zfs/jail: Document the zfs.mount_snapshot parameter in jail(8).
Jun 28 2024, 7:50 PM
jamie committed rGc8f147943d2e: MFC zfs/jail: Mark the zfs.mount_snapshot jail parameter as boolean. (authored by jamie).
MFC zfs/jail: Mark the zfs.mount_snapshot jail parameter as boolean.
Jun 28 2024, 7:46 PM

Jun 24 2024

jamie committed rG63875db56bd5: Document the zfs.mount_snapshot parameter in jail(8). (authored by jamie).
Document the zfs.mount_snapshot parameter in jail(8).
Jun 24 2024, 8:06 PM
jamie committed rG9cbf1de7e34a: Mark the zfs.mount_snapshot jail parameter as boolean. (authored by jamie).
Mark the zfs.mount_snapshot jail parameter as boolean.
Jun 24 2024, 8:03 PM
jamie closed D45647: Document and subtlely change the zfs.mount_snapshot jail parameter.
Jun 24 2024, 8:03 PM · Jails, ZFS

Jun 21 2024

jamie added a comment to D45647: Document and subtlely change the zfs.mount_snapshot jail parameter.

I guess the change for sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vfsops.c go to upstream first. Will it ?

Jun 21 2024, 5:05 PM · Jails, ZFS

Jun 19 2024

jamie requested review of D45647: Document and subtlely change the zfs.mount_snapshot jail parameter.
Jun 19 2024, 8:04 PM · Jails, ZFS

Jun 10 2024

jamie added a comment to D45545: jail: allow adjustment of host time.

Is there any value in a virtual time, i.e. letting a jail have its own clock? Apart from a test framework, I can't think of any, but maybe someone else can. That was actually my first thought when I saw the title of this, rather than encapsulating ntpd.

Jun 10 2024, 4:11 PM

May 16 2024

jamie added inline comments to D43696: Jail descriptors.
May 16 2024, 8:56 PM
jamie updated the diff for D43696: Jail descriptors.

Diff updated for libsys and other recent changes.

May 16 2024, 6:24 PM

Mar 17 2024

jamie committed rGd50685b303e3: jail: add the -C flag to clean up after a partially removed jail (authored by jamie).
jail: add the -C flag to clean up after a partially removed jail
Mar 17 2024, 5:13 AM
jamie closed D42670: jail(8) option to cleanup after dead jails.
Mar 17 2024, 5:13 AM

Feb 23 2024

jamie added a comment to D44010: jail: tests requires jail.

Yes, this is a better way.

Feb 23 2024, 4:18 PM

Feb 21 2024

jamie added a comment to D44010: jail: tests requires jail.

I'll admit very little familiarity with the testing framework. If there's a standard to show a test as skipped that doesn't indicate a problem, that sounds best. But if it just claims that it's passed, it would seem better to just not run it. Though both is probably a good idea: still have it pass (like if the test was built at another time), but don't build it on a jail-less system.

Feb 21 2024, 9:19 PM
jamie accepted D44010: jail: tests requires jail.
Feb 21 2024, 5:02 PM

Feb 11 2024

jamie added inline comments to D43696: Jail descriptors.
Feb 11 2024, 5:04 PM

Feb 5 2024

jamie updated the diff for D43696: Jail descriptors.

Here's the latest diff to address concerns so far (except those that request proper documentation).

Feb 5 2024, 4:27 AM
jamie added a comment to D43696: Jail descriptors.
In D43696#996617, @bz wrote:

Also, can we please have a man page?

Feb 5 2024, 3:46 AM
jamie added inline comments to D43696: Jail descriptors.
Feb 5 2024, 3:42 AM

Feb 4 2024

jamie accepted D43732: libjail: Guard against programmer error in jailparam_export().

Sure, looks helpful for just such a situation.

Feb 4 2024, 10:38 PM

Feb 2 2024

jamie committed rGdcae96578145: MFC jail: make sure jail.conf parse errors exit, and not crash. (authored by jamie).
MFC jail: make sure jail.conf parse errors exit, and not crash.
Feb 2 2024, 4:46 PM

Feb 1 2024

jamie added inline comments to D43696: Jail descriptors.
Feb 1 2024, 5:31 PM
jamie added inline comments to D43696: Jail descriptors.
Feb 1 2024, 5:29 PM
jamie requested review of D43696: Jail descriptors.
Feb 1 2024, 12:23 AM

Jan 26 2024

jamie committed rGab0841bdbe84: jail: expose children.max and children.cur via sysctl (authored by jamie).
jail: expose children.max and children.cur via sysctl
Jan 26 2024, 5:49 PM

Jan 25 2024

jamie accepted D43565: kern_jail: add security.jail.children.max and .cur sysctl.

Looks good to me!

Jan 25 2024, 10:28 PM
jamie added a comment to D43565: kern_jail: add security.jail.children.max and .cur sysctl.

c) Or something else what I have not spotted yet :)

c) Jamie wasn't thinking and of course you don't need it for read-only.

Jan 25 2024, 12:21 AM

Jan 23 2024

jamie added a comment to D43565: kern_jail: add security.jail.children.max and .cur sysctl.

You'll want to add CTLFLAG_PRISON to the sysctl flags.

Jan 23 2024, 10:57 PM
jamie added a comment to D43476: sys/jail.h: expose JAIL_MAX constant to applications.
In D43476#992839, @igor.ostapenko_pm.me wrote:

@jamie, does it look as an acceptable feature to introduce security.jail.children.max RO sysctl which reflects the current prison's p_childmax? If it does then I will help to implement it.
P.S. Probably you know existing "legal" ways to retrieve current prison's children.max w/o additional code to introduce.

Jan 23 2024, 5:18 PM

Jan 21 2024

jamie committed rG768149ff156e: jail: make sure jail.conf parse errors exit, and not crash. (authored by jamie).
jail: make sure jail.conf parse errors exit, and not crash.
Jan 21 2024, 5:23 AM

Jan 17 2024

jamie accepted D43476: sys/jail.h: expose JAIL_MAX constant to applications.

I'm not sure why this limit exists in the first place (it predates me). I suppose it's just for neatness' sake, with the idea no one would have more jails than that anyway. But as long as it's around, it might as well be known.

Jan 17 2024, 6:38 PM

Jan 5 2024

jamie accepted D43314: jail: add security.jail.mlock_allowed.

That's fine if there's a use for it, such as to quiet errors.

Jan 5 2024, 1:11 AM

Dec 21 2023

jamie accepted D43142: jail: Ignore errors from copyout() while copying the error string.
Dec 21 2023, 5:54 PM

Nov 30 2023

jamie committed rG51e7276365ba: Unbreak build from ed31b3f4a146 (misapplied diff). (authored by jamie).
Unbreak build from ed31b3f4a146 (misapplied diff).
Nov 30 2023, 1:30 AM
jamie committed rGed31b3f4a146: jail: Don't allow jail_set(2) to resurrect dying jails. (authored by jamie).
jail: Don't allow jail_set(2) to resurrect dying jails.
Nov 30 2023, 12:23 AM
jamie closed D28150: jail: Don't allow resurrection of dead jails.
Nov 30 2023, 12:23 AM

Nov 21 2023

jamie added a comment to D42672: Fix ZFS so that it sets mnt_exjail for snapshot automounts.

This version of the patch acquires a shared lock on
allprison_lock (which looks sufficient to ensure the
jail does not go from alive to dying.
It also acquires pr_mtx to check for prison_isalive(),
although I am not 100% sure it is needed?

Nov 21 2023, 9:34 PM

Nov 20 2023

jamie added a comment to D42672: Fix ZFS so that it sets mnt_exjail for snapshot automounts.

Since vfs_exjail_delete() is called when there are no processes running in the jail, a caller of vfs_exjail_clone() cannot be running in that jail.

It's not clear to me that the first part is true. In particular, prison_deref() first calls prison_deref_kill(), which calls prison_cleanup() and thus vfs_exjail_delete(); later it kills processes within the jail.

Hmm, unless I'm missing something, this is at odds with the comment in vfs_exjail_delete(). Perhaps we need to check the prison state when setting mnt_exjail? i.e., refuse to set it if the jail is dying.

Well, the comment on vfs_exjail_delete() states that no processes are in the
prison, but maybe the comment is bogus?
Anyhow, I think this version might be ok, but hopefully you or jamie@ can
confirm this?

My understanding (which could be wrong) is that a prison cannot go from
active to dying when there is a p_uref held on it. If that is the case, then
prison_proc_hold()/prison_proc_free() should ensure that it remains alive
until after the cloning is done, I hope?

Nov 20 2023, 7:10 PM
jamie added a comment to D42675: jail(8): make '-cm' run 'command=' in modify case as well.

The command parameters (including "command" itself) are well established as being run during jail setup and teardown. I would expect a lot of existing configuration to have problems with the command being run when the jail has already started up. While it makes sense on the command line, I don't want to break the connection between file configuration and command line configuration (more than it's already broken).

Nov 20 2023, 5:41 PM
jamie added inline comments to D42670: jail(8) option to cleanup after dead jails.
Nov 20 2023, 5:22 PM

Nov 18 2023

jamie requested review of D42670: jail(8) option to cleanup after dead jails.
Nov 18 2023, 11:54 PM
jamie committed rG6000d46fc3c1: Move "jail -e" out of the rest of jail(8) flow. (authored by jamie).
Move "jail -e" out of the rest of jail(8) flow.
Nov 18 2023, 8:49 PM

Oct 12 2023

jamie added inline comments to D28150: jail: Don't allow resurrection of dead jails.
Oct 12 2023, 4:59 PM

Oct 11 2023

jamie updated the diff for D28150: jail: Don't allow resurrection of dead jails.

Nothing new, though I just updated the diff against the latest sources.

Oct 11 2023, 12:52 AM

Oct 2 2023

jamie committed rG6a5113a8a1df: MFS jail: avoid a clash with /etc/jail.conf.d between rc and jail(8) (authored by jamie).
MFS jail: avoid a clash with /etc/jail.conf.d between rc and jail(8)
Oct 2 2023, 7:24 PM

Sep 28 2023

jamie committed rGc96d5c97bb65: MFC jail: avoid a clash with /etc/jail.conf.d between rc and jail(8) (authored by jamie).
MFC jail: avoid a clash with /etc/jail.conf.d between rc and jail(8)
Sep 28 2023, 4:40 AM

Sep 25 2023

jamie committed rGa2440348eed7: jail: avoid a clash with /etc/jail.conf.d between rc and jail(8) (authored by jamie).
jail: avoid a clash with /etc/jail.conf.d between rc and jail(8)
Sep 25 2023, 12:14 AM
jamie closed D41962: Avoid a clash between uses of /etc/jail.conf.d.
Sep 25 2023, 12:14 AM
jamie accepted D41962: Avoid a clash between uses of /etc/jail.conf.d.
Sep 25 2023, 12:01 AM

Sep 24 2023

jamie requested review of D41962: Avoid a clash between uses of /etc/jail.conf.d.
Sep 24 2023, 12:46 AM

Sep 14 2023

jamie committed rGd737efcc1c25: MFS jail.conf(5): Fix and expand description of ".include". (authored by jamie).
MFS jail.conf(5): Fix and expand description of ".include".
Sep 14 2023, 5:16 PM

Sep 9 2023

jamie committed rG402d5960cb82: MFC jail.conf(5): Fix and expand description of ".include". (authored by jamie).
MFC jail.conf(5): Fix and expand description of ".include".
Sep 9 2023, 4:58 PM

Sep 7 2023

crest_freebsd_rlwinm.de awarded D41723: Fix ".include" section of jail.conf.5 a Like token.
Sep 7 2023, 1:19 PM

Sep 5 2023

jamie committed rG165234d55274: jail.conf(5): Fix and expand description of ".include". (authored by jamie).
jail.conf(5): Fix and expand description of ".include".
Sep 5 2023, 8:38 PM
jamie closed D41723: Fix ".include" section of jail.conf.5.
Sep 5 2023, 8:37 PM

Sep 4 2023

jamie requested review of D41723: Fix ".include" section of jail.conf.5.
Sep 4 2023, 10:30 PM

Aug 31 2023

jamie committed rGad4f4146ef30: MFC jail: make jail(8) man page more readable and more correct (authored by jamie).
MFC jail: make jail(8) man page more readable and more correct
Aug 31 2023, 11:33 PM
jamie committed rGdb08e8ba0e7b: Re-remove $FreeBSD$ inadvertantly put back into jail.8 (authored by jamie).
Re-remove $FreeBSD$ inadvertantly put back into jail.8
Aug 31 2023, 10:36 PM
jamie accepted D41643: jail: Add the ability to access system-level filesystem extended attributes.
Aug 31 2023, 5:14 PM

Aug 28 2023

jamie committed rGdab7fc49e7a6: jail: make jail(8) man page more readable and more correct (authored by jamie).
jail: make jail(8) man page more readable and more correct
Aug 28 2023, 6:26 PM
jamie closed D41606: Reorganize jail(8) synopsis to identify common usage.
Aug 28 2023, 6:25 PM

Aug 26 2023

jamie requested review of D41606: Reorganize jail(8) synopsis to identify common usage.
Aug 26 2023, 8:16 PM

Aug 10 2023

jamie accepted D41404: kern: osd: avoid dereferencing freed slots.

The important part of this clearly good.

Aug 10 2023, 4:17 PM

Jun 29 2023

jamie added a comment to D40626: cr_canseejailproc(): New privilege, no direct check for UID 0.

Looks good to me. But then the original that did the direct cr_uid check looked apparently good to me too, so take it for what it's worth.

Jun 29 2023, 4:08 PM

Jun 7 2023

jamie accepted D40188: Add ".include" directive to jail.conf.

Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/

Jun 7 2023, 12:23 AM · Jails
jamie committed rGe82a62943529: jail: add ".include" directive to jail.conf (authored by jamie).
jail: add ".include" directive to jail.conf
Jun 7 2023, 12:22 AM

Jun 4 2023

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

I've committed the "jails can include jails" and "use the recursive parser" bits separately. This new diff is just the part that handles the includes.

Jun 4 2023, 4:29 AM · Jails
jamie committed rG086e0149ae56: jail: Use re-entrant versions of lex & yacc, and lex's yylineno (authored by jamie).
jail: Use re-entrant versions of lex & yacc, and lex's yylineno
Jun 4 2023, 3:08 AM
jamie committed rG097db30a8e03: jail: Allow nested jail definitions. (authored by jamie).
jail: Allow nested jail definitions.
Jun 4 2023, 12:47 AM

Jun 1 2023

jamie added a comment to D40188: Add ".include" directive to jail.conf.

Just a small nitpick: I would prefer a macro #define MAX_INCLUDE_DEPTH 32

Jun 1 2023, 2:59 PM · Jails

May 31 2023

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

Simple include-loop prevention with via a maximum depth counter.

May 31 2023, 7:05 PM · Jails

May 26 2023

jamie added a comment to D40262: Allow setting a per-Jail fallback ABI brand..

However right now the kern.elfXX.fallback_elf_brand are tied to 2 global variables which their name are generated by the __elfN(xxx) macro. We could technically remove them and tie all 3 to the jail one? Maybe that belongs to a separate review?

May 26 2023, 3:20 AM · Jails
jamie added a comment to D40262: Allow setting a per-Jail fallback ABI brand..

Rather than add a separate value different from the kern.fallback_elf_brand sysctl, it would make sense for the jail parameter to be tied to the sysctl itself, such as the securelevel parameter is. It's complicated somewhat by the fact that there are three similar sysctls.

May 26 2023, 12:04 AM · Jails

May 25 2023

jamie added inline comments to D40262: Allow setting a per-Jail fallback ABI brand..
May 25 2023, 11:53 PM · Jails

May 23 2023

jamie added a comment to D40188: Add ".include" directive to jail.conf.

True, they're not handled. I took my include inspiration from newsyslog (which has includes that also support globbing), and there it's also just a simple matter or running whatever it's told to include. It's kind of a footgun situation, where it's generally good enough to trust the administrator not to make such a loop. I did it for depend loops, but only because that's kind of elemental in building an acyclic directed graph.

May 23 2023, 3:45 AM · Jails

May 21 2023

jamie updated the diff for D40188: Add ".include" directive to jail.conf.

New and improved diff :-)

May 21 2023, 12:46 AM · Jails
jamie added a comment to D39011: Enable jail(8) to parse all config files.

I just created D40188, which is my take on solving this issue. It goes the include-file direction, and doesn't require and changes to rc.conf, since jail.conf is where such changes are made. The jail(8) command line also remains untouched.

May 21 2023, 12:23 AM
jamie requested review of D40188: Add ".include" directive to jail.conf.
May 21 2023, 12:15 AM · Jails

May 5 2023

jamie added a reviewer for D38826: Fix multiple rc.d/jail and jail.conf.d issues: jamie.
May 5 2023, 4:52 PM · Jails

Mar 12 2023

jamie accepted D38809: Fix rc scripts so that nfsd(8), nfsuserd(8), gssd(8) and rpc.tlsservd(8) can run in vnet prisons.
Mar 12 2023, 5:42 PM · rc
jamie added a comment to D38809: Fix rc scripts so that nfsd(8), nfsuserd(8), gssd(8) and rpc.tlsservd(8) can run in vnet prisons.

s/novnetjail/nojailvnet/

Mar 12 2023, 3:57 AM · rc

Feb 21 2023

jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 21 2023, 3:34 AM
jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 21 2023, 12:20 AM

Feb 20 2023

jamie accepted D38697: jail: Fix redoing ip restricting.

This makes perfect sense to me. The original version only set redo_ip[46] provisionally , and I missed that the patch changed that.

Feb 20 2023, 7:15 PM

Feb 4 2023

jamie added inline comments to D38371: mark which jail did exports via a reference to the credentials.
Feb 4 2023, 4:43 PM