60c4ec806d
The default behavior for attaching processes to jails is that the jail's cpuset augments the attaching processes, so that it cannot be used to escalate a user's ability to take advantage of more CPUs than the administrator wanted them to. This is problematic when root needs to manage jails that have disjoint sets with whatever process is attaching, as this would otherwise result in a deadlock. Therefore, if we did not have an appropriate common subset of cpus/domains for our new policy, we now allow the process to simply take on the jail set *if* it has the privilege to widen its mask anyways. With the new logic, root can still usefully cpuset a process that attaches to a jail with the desire of maintaining the set it was given pre-attachment while still retaining the ability to manage child jails without jumping through hoops. A test has been added to demonstrate the issue; cpuset of a process down to just the first CPU and attempting to attach to a jail without access to any of the same CPUs previously resulted in EDEADLK and now results in taking on the jail's mask for privileged users. PR: 253724 Reviewed by: jamie (also discussed with) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D28952 |
||
---|---|---|
.. | ||
c063 | ||
db | ||
gen | ||
hash | ||
iconv | ||
inet | ||
locale | ||
net | ||
nss | ||
regex | ||
resolv | ||
rpc | ||
setjmp | ||
ssp | ||
stdio | ||
stdlib | ||
string | ||
sys | ||
termios | ||
time | ||
tls | ||
tls_dso | ||
ttyio | ||
Makefile | ||
Makefile.depend | ||
Makefile.netbsd-tests |