Commit 589e4c1d authored by Jamie Gritton's avatar Jamie Gritton
Browse files

jail: Add safety around prison_deref() flags.

do_jail_attach() now only uses the PD_XXX flags that refer to lock
status, so make sure that something else like PD_KILL doesn't slip
through.

Add a KASSERT() in prison_deref() to catch any further PD_KILL misuse.
parent 108a9384
...@@ -161,6 +161,8 @@ static void prison_racct_detach(struct prison *pr); ...@@ -161,6 +161,8 @@ static void prison_racct_detach(struct prison *pr);
#define PD_LOCKED 0x10 /* pr_mtx is held */ #define PD_LOCKED 0x10 /* pr_mtx is held */
#define PD_LIST_SLOCKED 0x20 /* allprison_lock is held shared */ #define PD_LIST_SLOCKED 0x20 /* allprison_lock is held shared */
#define PD_LIST_XLOCKED 0x40 /* allprison_lock is held exclusive */ #define PD_LIST_XLOCKED 0x40 /* allprison_lock is held exclusive */
#define PD_OP_FLAGS 0x07 /* Operation flags */
#define PD_LOCK_FLAGS 0x70 /* Lock status flags */
/* /*
* Parameter names corresponding to PR_* flag values. Size values are for kvm * Parameter names corresponding to PR_* flag values. Size values are for kvm
...@@ -1836,7 +1838,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) ...@@ -1836,7 +1838,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
/* Attach this process to the prison if requested. */ /* Attach this process to the prison if requested. */
if (flags & JAIL_ATTACH) { if (flags & JAIL_ATTACH) {
error = do_jail_attach(td, pr, error = do_jail_attach(td, pr,
prison_lock_xlock(pr, drflags & ~PD_KILL)); prison_lock_xlock(pr, drflags & PD_LOCK_FLAGS));
drflags &= ~(PD_LOCKED | PD_LIST_XLOCKED); drflags &= ~(PD_LOCKED | PD_LIST_XLOCKED);
if (error) { if (error) {
vfs_opterror(opts, "attach failed"); vfs_opterror(opts, "attach failed");
...@@ -2346,6 +2348,7 @@ do_jail_attach(struct thread *td, struct prison *pr, int drflags) ...@@ -2346,6 +2348,7 @@ do_jail_attach(struct thread *td, struct prison *pr, int drflags)
mtx_assert(&pr->pr_mtx, MA_OWNED); mtx_assert(&pr->pr_mtx, MA_OWNED);
sx_assert(&allprison_lock, SX_LOCKED); sx_assert(&allprison_lock, SX_LOCKED);
drflags &= PD_LOCK_FLAGS;
/* /*
* XXX: Note that there is a slight race here if two threads * XXX: Note that there is a slight race here if two threads
* in the same privileged process attempt to attach to two * in the same privileged process attempt to attach to two
...@@ -2719,6 +2722,8 @@ prison_deref(struct prison *pr, int flags) ...@@ -2719,6 +2722,8 @@ prison_deref(struct prison *pr, int flags)
for (;;) { for (;;) {
if (flags & PD_KILL) { if (flags & PD_KILL) {
/* Kill the prison and its descendents. */ /* Kill the prison and its descendents. */
KASSERT(pr != &prison0,
("prison_deref trying to kill prison0"));
if (!(flags & PD_DEREF)) { if (!(flags & PD_DEREF)) {
prison_hold(pr); prison_hold(pr);
flags |= PD_DEREF; flags |= PD_DEREF;
...@@ -2755,7 +2760,6 @@ prison_deref(struct prison *pr, int flags) ...@@ -2755,7 +2760,6 @@ prison_deref(struct prison *pr, int flags)
} }
} }
if (flags & PD_KILL) { if (flags & PD_KILL) {
flags &= ~PD_KILL;
/* /*
* Any remaining user references are probably processes * Any remaining user references are probably processes
* that need to be killed, either in this prison or its * that need to be killed, either in this prison or its
...@@ -2763,6 +2767,8 @@ prison_deref(struct prison *pr, int flags) ...@@ -2763,6 +2767,8 @@ prison_deref(struct prison *pr, int flags)
*/ */
if (refcount_load(&pr->pr_uref) > 0) if (refcount_load(&pr->pr_uref) > 0)
killpr = pr; killpr = pr;
/* Make sure the parent prison doesn't get killed. */
flags &= ~PD_KILL;
} }
if (flags & PD_DEREF) { if (flags & PD_DEREF) {
/* Drop a reference. */ /* Drop a reference. */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment