d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge ^/head r277844 through r277857.

Browse Source
This commit is contained in:
Dimitry Andric 2015-01-28 21:40:22 +00:00
commit 478acb0118
12 changed files with 37 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
etc/rc.d/ipfilter
View File

@ -65,7 +65,6 @@ ipfilter_reload()
err 1 'Load of rules into alternate set failed; aborting reload'
fi
fi
${ipfilter_program:-/sbin/ipf} -I -6 -Fa
if [ -r "${ipv6_ipfilter_rules}" ]; then
${ipfilter_program:-/sbin/ipf} -I -6 \
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}

7
sys/fs/fdescfs/fdesc_vfsops.c
View File

@ -42,6 +42,7 @@
#include <sys/systm.h>
#include <sys/filedesc.h>
#include <sys/kernel.h>
#include <sys/jail.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/malloc.h>
@ -78,8 +79,12 @@ fdesc_mount(struct mount *mp)
{
int error = 0;
struct fdescmount *fmp;
struct thread *td = curthread;
struct vnode *rvp;
if (!prison_allow(td->td_ucred, PR_ALLOW_MOUNT_FDESCFS))
return (EPERM);
/*
* Update is a no-op
*/
@ -237,4 +242,4 @@ static struct vfsops fdesc_vfsops = {
.vfs_unmount = fdesc_unmount,
};
VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC);
VFS_SET(fdesc_vfsops, fdescfs, VFCF_SYNTHETIC | VFCF_JAIL);

8
sys/kern/kern_jail.c
View File

@ -208,6 +208,7 @@ static char *pr_allow_names[] = {
"allow.mount.zfs",
"allow.mount.procfs",
"allow.mount.tmpfs",
"allow.mount.fdescfs",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@ -224,6 +225,7 @@ static char *pr_allow_nonames[] = {
"allow.mount.nozfs",
"allow.mount.noprocfs",
"allow.mount.notmpfs",
"allow.mount.nofdescfs",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@ -4213,6 +4215,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the devfs file system");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the fdescfs file system");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
@ -4373,6 +4379,8 @@ SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general");
SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the devfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the fdescfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the nullfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,

3
sys/sys/jail.h
View File

@ -226,7 +226,8 @@ struct prison_racct {
#define PR_ALLOW_MOUNT_ZFS 0x0200
#define PR_ALLOW_MOUNT_PROCFS 0x0400
#define PR_ALLOW_MOUNT_TMPFS 0x0800
#define PR_ALLOW_ALL 0x0fff
#define PR_ALLOW_MOUNT_FDESCFS 0x1000
#define PR_ALLOW_ALL 0x1fff
/*
* OSD methods

2
usr.sbin/binmiscctl/binmiscctl.c
View File

@ -363,7 +363,7 @@ add_cmd(__unused int argc, char *argv[], ximgact_binmisc_entry_t *xbe)
usage("Error: Missing magic argument");
}
if (!xbe->xbe_interpreter) {
if (!strnlen(xbe->xbe_interpreter, IBE_INTERP_LEN_MAX)) {
usage("Error: Missing 'interpreter' argument");
}

12
usr.sbin/jail/jail.8
View File

@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd August 4, 2014
.Dd January 28, 2015
.Dt JAIL 8
.Os
.Sh NAME
@ -362,7 +362,7 @@ A set of IPv6 options for the jail, the counterparts to
and
.Va ip4
above.
.It vnet
.It Va vnet
Create the jail with its own virtual network stack,
with its own network interfaces, addresses, routing table, etc.
The kernel must have been compiled with the
@ -531,6 +531,14 @@ is set to a value lower than 2.
The devfs ruleset should be restricted from the default by using the
.Va devfs_ruleset
option.
.It Va allow.mount.fdescfs
privileged users inside the jail will be able to mount and unmount the
fdescfs file system.
This permission is effective only together with
.Va allow.mount
and only when
.Va enforce_statfs
is set to a value lower than 2.
.It Va allow.mount.nullfs
privileged users inside the jail will be able to mount and unmount the
nullfs file system.

4
usr.sbin/pciconf/pciconf.c
View File

@ -234,9 +234,9 @@ list_devs(const char *name, int verbose, int bars, int caps, int errors,
for (p = conf; p < &conf[pc.num_matches]; p++) {
printf("%s%d@pci%d:%d:%d:%d:\tclass=0x%06x card=0x%08x "
"chip=0x%08x rev=0x%02x hdr=0x%02x\n",
(p->pd_name && *p->pd_name) ? p->pd_name :
*p->pd_name ? p->pd_name :
"none",
(p->pd_name && *p->pd_name) ? (int)p->pd_unit :
*p->pd_name ? (int)p->pd_unit :
none_count++, p->pc_sel.pc_domain,
p->pc_sel.pc_bus, p->pc_sel.pc_dev,
p->pc_sel.pc_func, (p->pc_class << 16) |

4
usr.sbin/ppp/command.c
View File

@ -2051,7 +2051,7 @@ SetVariable(struct cmdargs const *arg)
res = 1;
} else {
arg->bundle->radius.alive.interval = atoi(argp);
if (arg->bundle->radius.alive.interval && !arg->bundle->radius.cfg.file) {
if (arg->bundle->radius.alive.interval && !*arg->bundle->radius.cfg.file) {
log_Printf(LogWARN, "rad_alive requires radius to be configured\n");
res = 1;
} else if (arg->bundle->ncp.ipcp.fsm.state == ST_OPENED) {
@ -2335,7 +2335,7 @@ SetVariable(struct cmdargs const *arg)
res = 1;
}
if (arg->bundle->radius.port_id_type && !arg->bundle->radius.cfg.file) {
if (arg->bundle->radius.port_id_type && !*arg->bundle->radius.cfg.file) {
log_Printf(LogWARN, "rad_port_id requires radius to be configured\n");
res = 1;
}

4
usr.sbin/ppp/ipcp.c
View File

@ -880,7 +880,7 @@ IpcpLayerDown(struct fsm *fp)
radius_Account(&fp->bundle->radius, &fp->bundle->radacct,
fp->bundle->links, RAD_STOP, &ipcp->throughput);
if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
system_Select(fp->bundle, fp->bundle->radius.filterid, LINKDOWNFILE,
NULL, NULL);
radius_StopTimer(&fp->bundle->radius);
@ -949,7 +949,7 @@ IpcpLayerUp(struct fsm *fp)
radius_Account(&fp->bundle->radius, &fp->bundle->radacct, fp->bundle->links,
RAD_START, &ipcp->throughput);
if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
system_Select(fp->bundle, fp->bundle->radius.filterid, LINKUPFILE,
NULL, NULL);
radius_StartTimer(fp->bundle);

4
usr.sbin/ppp/ipv6cp.c
View File

@ -486,7 +486,7 @@ ipv6cp_LayerUp(struct fsm *fp)
* evaluated.
*/
if (!Enabled(fp->bundle, OPT_IPCP)) {
if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
system_Select(fp->bundle, fp->bundle->radius.filterid, LINKUPFILE,
NULL, NULL);
}
@ -539,7 +539,7 @@ ipv6cp_LayerDown(struct fsm *fp)
* evaluated.
*/
if (!Enabled(fp->bundle, OPT_IPCP)) {
if (fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
if (*fp->bundle->radius.cfg.file && fp->bundle->radius.filterid)
system_Select(fp->bundle, fp->bundle->radius.filterid, LINKDOWNFILE,
NULL, NULL);
}

2
usr.sbin/ppp/radius.c
View File

@ -1345,7 +1345,7 @@ radius_alive(void *v)
void
radius_StartTimer(struct bundle *bundle)
{
if (bundle->radius.cfg.file && bundle->radius.alive.interval) {
if (*bundle->radius.cfg.file && bundle->radius.alive.interval) {
bundle->radius.alive.timer.func = radius_alive;
bundle->radius.alive.timer.name = "radius alive";
bundle->radius.alive.timer.load = bundle->radius.alive.interval * SECTICKS;

2
usr.sbin/ppp/server.c
View File

@ -248,7 +248,7 @@ server_LocalOpen(struct bundle *bundle, const char *name, mode_t mask)
oldmask = (mode_t)-1; /* Silence compiler */
if (server.cfg.sockname && !strcmp(server.cfg.sockname, name))
if (server.cfg.sockname[0] != '\0' && !strcmp(server.cfg.sockname, name))
server_Close(bundle);
memset(&ifsun, '\0', sizeof ifsun);