Revision tags: vendor/llvm-project/llvmorg-18.1.5-0-g617a15a9eac9, vendor/NetBSD/bmake/20240430, vendor/libcbor/0.11.0, vendor/llvm-project/llvmorg-18.1.4-0-ge6c3289804a6, vendor/device-tree/6.8, vendor/device-tree/6.7, vendor/llvm-project/llvmorg-18.1.3-0-gc13b7485b879, vendor/device-tree/6.5, vendor/openssh/9.7p1, vendor/unbound/1.19.3, vendor/NetBSD/bmake/20240309, vendor/sqlite3/sqlite-3450100, vendor/llvm-project/llvmorg-18.1.1-0-gdba2a75e9c7e, vendor/got/diff/2023-09-15, release/13.3.0, vendor/libucl/20240206, vendor/xz/5.6.0, vendor/llvm-project/llvmorg-18.1.0-rc3-0-g6c90f8dd5463, vendor/llvm-project/llvmorg-18.1.0-rc2-53-gc7b0a6ecd442, vendor/arm-optimized-routines/v24.01, vendor/zlib/1.3.1, vendor/expat/2.6.0, vendor/unbound/1.19.1, vendor/tzcode/tzcode2024a, vendor/llvm-project/llvmorg-18.1.0-rc2-0-gc6c86965d967, vendor/tzdata/tzdata2024a, vendor/sendmail/8.18.1, vendor/acpica/20230628, vendor/acpica/20230331, vendor/llvm-project/llvmorg-18-init-18361-g22683463740e, vendor/libcxxrt/2024-01-25-fd484be8d1e94a1fcf6bc5c67e5c07b65ada19b6, vendor/llvm-project/llvmorg-18-init-18359-g93248729cfae, vendor/sqlite3/sqlite-3450000 |
|
#
61cc4830 |
| 18-Jan-2024 |
Alfredo Mazzinghi <am2419@cl.cam.ac.uk> |
Abstract UIO allocation and deallocation.
Introduce the allocuio() and freeuio() functions to allocate and deallocate struct uio. This hides the actual allocator interface, so it is easier to modify the sub-allocation layout of struct uio and the corresponding iovec array.
Obtained from: CheriBSD Reviewed by: kib, markj MFC after: 2 weeks Sponsored by: CHaOS, EPSRC grant EP/V000292/1 Differential Revision: https://reviews.freebsd.org/D43711
|
#
ab0841bd |
| 26-Jan-2024 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: expose children.max and children.cur via sysctl
Submitted by: Igor Ostapenko <igor.ostapenko_pm.me> Differential Revision: <https://reviews.freebsd.org/D43565>
|
Revision tags: vendor/NetBSD/bmake/20240108, vendor/llvm-project/llvmorg-18-init-16864-g3b3ee1f53424, vendor/llvm-project/llvmorg-18-init-16595-g7c00a5be5cde |
|
#
9fd97868 |
| 04-Jan-2024 |
Baptiste Daroussin <bapt@FreeBSD.org> |
jail: add security.jail.mlock_allowed
when the parameter allow.mlock was added a way for jails to check if the parameter was set or not has not been added, this change covers it.
MFC After: 3 days Reviewed by: jamie@ Differential Revision: https://reviews.freebsd.org/D43314
|
Revision tags: vendor/llvm-project/llvmorg-18-init-16003-gfc5f51cf5af4, vendor/bc/6.7.4, vendor/ena-com/2.7.0 |
|
#
abbc260f |
| 26-Dec-2023 |
Mark Johnston <markj@FreeBSD.org> |
jail: Ignore errors from copyout() while copying the error string
Reviewed by: zlei, jamie MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D43142
|
Revision tags: vendor/llvm-project/llvmorg-18-init-15692-g007ed0dccd6a, vendor/tzdata/tzdata2023d, vendor/openssh/9.6p1, vendor/llvm-project/llvmorg-18-init-15088-gd14ee76181fb, vendor/llvm-project/llvmorg-18-init-14265-ga17671084db1, vendor/llvm-project/llvmorg-17.0.6-0-g6009708b4367 |
|
#
ed31b3f4 |
| 30-Nov-2023 |
Jamie Gritton <jamie@FreeBSD.org> |
jail: Don't allow jail_set(2) to resurrect dying jails.
Currently, a prison in "dying" state (removed but still holding resources) can be brought back to alive state via "jail -d", or the JAIL_DYING flag to jail_set(2). This seemed like a good idea at the time.
Its main use was to improve support for specifying the jid when creating a jail, which also seemed like a good idea at the time. But resurrecting a jail that was partway through the process of shutting down is trouble waiting to happen.
This patch deprecates that flag, leaving it as a no-op for creating jails (but still useful for looking at dying jails). It still allows creating a new jail with the same jid as a dying one, but will renumber the old one in that case. That's imperfect, but allows for current behavior.
Reviewed by: bz Differential Revision: https://reviews.freebsd.org/D28150
|
Revision tags: vendor/xz/5.4.5, vendor/llvm-project/llvmorg-17.0.5-0-g98bfdac5ce82, vendor/unbound/1.19.0, vendor/sqlite3/sqlite-3440000, release/14.0.0, vendor/bc/6.7.2, vendor/llvm-project/llvmorg-17.0.3-0-g888437e1b600, vendor/bsddialog/1.0, vendor/llvm-project/llvmorg-17.0.2-0-gb2417f51dbbd, vendor/openssh/9.5p1, vendor/llvm-project/llvmorg-17.0.1-25-g098e653a5bed, vendor/nvi/2.2.1, vendor/openssl/3.0.11, vendor/sqlite3/sqlite-3430100, vendor/unbound/1.18.0, vendor/NetBSD/bmake/20230909, vendor/openssl/1.1.1w, vendor/llvm-project/llvmorg-17.0.0-rc4-10-g0176e8729ea4, vendor/file/5.45, vendor/llvm-project/llvmorg-17.0.0-rc3-79-ga612cb0b81d8, vendor/krb5/1.21.2, vendor/unifdef/2.12, vendor/unifdef/2.11, 2023.08.19-b34f66deb02e188104, vendor/zlib/1.3 |
|
#
7974ca1c |
| 17-Aug-2023 |
Olivier Certner <olce.freebsd@certner.fr> |
cr_canseejailproc(): New privilege, no direct check for UID 0
Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years).
As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies.
Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS).
Reviewed by: emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626
|
#
cb48780d |
| 01-Sep-2023 |
Shawn Webb <shawn.webb@hardenedbsd.org> |
jail: Add the ability to access system-level filesystem extended attributes
Prior to this commit privileged accounts in a jail could not access the filesystem extended attributes in the system namespace. To control access to the system namespace on a per-jail basis add a new configuration parameter allow.extattr which is off by default.
Reported by: zirias Tested by: zirias Obtained from: HardenedBSD Reviewed by: kevans, jamie Differential revision: https://reviews.freebsd.org/D41643 MFC after: 1 week Relnotes: yes
|
#
685dc743 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
Revision tags: vendor/less/v643, vendor/NetBSD/libc-vis/20230813, vendor/openssh/9.4p1, vendor/device-tree/6.4, vendor/device-tree/6.3, vendor/device-tree/6.2, vendor/device-tree/6.1, vendor/krb5/1.21.1, vendor/xz/5.4.4, vendor/openssl/3.0.10, vendor/openssl/1.1.1v, vendor/llvm-project/llvmorg-17-init-19311-gbc849e525f80, vendor/llvm-project/llvmorg-17-init-19304-gd0b54bb50e51, vendor/openssh/9.3p2, vendor/lua/5.4.6, vendor/NetBSD/bmake/20230622, vendor/openpam/XIMENIA, vendor/heimdal/7.8.0-2023-06-10-f62e2f278, vendor/openssl/3.0.9, vendor/llvm-project/llvmorg-16.0.6-0-g7cbf1a259152, vendor/ntp/4.2.8p17, vendor/llvm-project/llvmorg-16.0.5-0-g185b81e034ba, vendor/spleen/2.0.0, vendor/ntp/4.2.8p16, vendor/openssl/1.1.1u, vendor/sqlite3/sqlite-3420000, vendor/bc/6.6.0, vendor/llvm-project/llvmorg-16.0.4-0-gae42196bc493, vendor/NetBSD/bmake/20230510, vendor/xz/5.4.3 |
|
#
4d846d26 |
| 10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
Revision tags: vendor/tcpdump/4.99.4, vendor/llvm-project/llvmorg-16.0.3-0-gda3cd333bea5, vendor/ldns/1.8.3, vendor/spleen/1.9.3, vendor/libpcap/1.10.4, vendor/spleen/1.6.0, vendor/less/v632, vendor/bc/6.5.0, vendor/libfido2/1.13.0, vendor/libfido2/1.12.0, vendor/libfido2/1.11.0, vendor/libfido2/1.10.0, vendor/libfido2/1.9.0, vendor/NetBSD/bmake/20230414, vendor/llvm-project/llvmorg-16.0.2-0-g18ddebe1a1a9, vendor/libcbor/0.10.2, vendor/tzcode/tzcode2023c, vendor/tzcode/tzcode2023b, vendor/tzcode/tzcode2023a, vendor/sqlite3/sqlite-3410200, vendor/llvm-project/llvmorg-16.0.1-0-gcd89023f7979, release/13.2.0, vendor/llvm-project/llvmorg-16.0.0-45-g42d1b276f779, vendor/llvm-project/llvmorg-16.0.0-0-g08d094a0e457, vendor/tzdata/tzdata2023c, vendor/libpcap/1.10.3, vendor/opencsd/v1.4.0, vendor/arm-optimized-routines/v23.01 |
|
#
04f75b98 |
| 26-Mar-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
netlink: allow netlink sockets in non-vnet jails.
This change allows opening Netlink sockets in the non-vnet jails, even for unprivileged processes. The security model largely follows the existing one. To be more specific:
* by default, every `NETLINK_ROUTE` command is **NOT** allowed in non-VNET jail UNLESS `RTNL_F_ALLOW_NONVNET_JAIL` flag is specified in the command handler.
* All notifications are **disabled** for non-vnet jails (requests to subscribe for the notifications are ignored). This will change to be more fine-grained model once the first netlink provider requiring this gets committed.
* Listing interfaces (RTM_GETLINK) is **allowed** w/o limits (**including** interfaces w/o any addresses attached to the jail). The value of this is questionable, but it follows the existing approach.
* Listing ARP/NDP neighbours is **forbidden**. This is a **change** from the current approach - currently we list static ARP/ND entries belonging to the addresses attached to the jail.
* Listing interface addresses is **allowed**, but the addresses are filtered to match only ones attached to the jail.
* Listing routes is **allowed**, but the routes are filtered to provide only host routes matching the addresses attached to the jail.
* By default, every `NETLINK_GENERIC` command is **allowed** in non-VNET jail (as sub-families may be unrelated to network at all). It is the goal of the family author to implement the restriction if necessary.
Differential Revision: https://reviews.freebsd.org/D39206 MFC after: 1 month
|
Revision tags: vendor/tzdata/tzdata2023b, vendor/tzdata/tzdata2023a, vendor/xz/5.4.2, vendor/openssh/9.3p1 |
|
#
0b0ae2e4 |
| 15-Mar-2023 |
Mina Galić <freebsd@igalic.co> |
jail: convert several functions from int to bool
these functions exclusively return (0) and (1), so convert them to bool
We also convert some networking related jail functions from int to bool some of which were returning an error that was never used.
Differential Revision: https://reviews.freebsd.org/D29659 Reviewed by: imp, jamie (earlier version) Pull Request: https://github.com/freebsd/freebsd-src/pull/663
|
Revision tags: vendor/openssl/3.0.8, vendor/bc/6.4.0 |
|
#
cbbb2203 |
| 02-Mar-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
kern_jail.c: Remove #ifdefs for VNET_NFSD
The consensus was that VNET_NFSD was not needed. This patch removes it from kern_jail.c.
With this patch, support for the "allow.nfsd" jail parameter is enabled in the kernel for kernels built with "options VIMAGE".
Reviewed by: markj MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D38808
|
#
2c33b456 |
| 28-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Improve readability
No functional change intended.
Reviewed by: melifaro Differential Revision: https://reviews.freebsd.org/D37890
|
#
500f82d6 |
| 28-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Use flexible array member within struct prison_ip
Current implementation utilizes off-by-one struct prison_ip to access the IPv[46] addresses. It is error prone and hence comes the regression fix 21ad3e27fabc and ddbf879d79d4. Use flexible array member so that compiler will catch such errors and it will also be easier to review.
No functional change intended.
Reviewed by: melifaro, glebius Differential Revision: https://reviews.freebsd.org/D37874
|
Revision tags: vendor/sqlite3/sqlite-3410000, vendor/bc/6.3.1 |
|
#
88175af8 |
| 21-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
vfs_export: Add mnt_exjail to control exports done in prisons
If there are multiple instances of mountd(8) (in different prisons), there will be confusion if they manipulate the exports of the same file system. This patch adds mnt_exjail to "struct mount" so that the credentials (and, therefore, the prison) that did the exports for that file system can be recorded. If another prison has already exported the file system, vfs_export() will fail with an error. If mnt_exjail == NULL, the file system has not been exported. mnt_exjail is checked by the NFS server, so that exports done from within a different prison will not be used.
The patch also implements vfs_exjail_destroy(), which is called from prison_cleanup() to release all the mnt_exjail credential references, so that the prison can be removed. Mainly to avoid doing a scan of the mountlist for the case where there were no exports done from within the prison, a count of how many file systems have been exported from within the prison is kept in pr_exportcnt.
Reviewed by: markj Discussed with: jamie Differential Revision: https://reviews.freebsd.org/D38371 MFC after: 3 months
|
#
b2d76b52 |
| 21-Feb-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix redoing ip restricting
`prison_ip_restrict()` is called in loop FOREACH_PRISON_DESCENDANT_LOCKED. While under low memory, it is still possible that in subsequent rounds `prison_ip_restrict()` succeeds and `redo_ip[46]` flips over from true to false, thus leaving some prisons' IPv[46] addresses unrestricted.
Reviewed by: jamie Fixes: 8bce8d28abe6 jail: Avoid multipurpose return value of function prison_ip_restrict() Differential Revision: https://reviews.freebsd.org/D38697
|
Revision tags: vendor/bearssl/20230220, vendor/zlib/1.2.13, vendor/llvm-project/llvmorg-16.0.0-rc2-10-g073506d8c15c, vendor/llvm-project/llvmorg-16-init-18548-gb0daacf58f41, vendor/NetBSD/bmake/20230208 |
|
#
27202b98 |
| 07-Feb-2023 |
Mark Johnston <markj@FreeBSD.org> |
jail: Use atomic(9) instead of CK atomics
There's no reason to use one over the other here, let's prefer the interface that's used elsewhere in the kernel.
No functional change intended.
Reviewed by: mjg Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D38360
|
Revision tags: vendor/byacc/20230201, vendor/openssl/1.1.1t, vendor/NetBSD/libedit/2023-01-06, vendor/openssh/9.2p1 |
|
#
d94e0bdc |
| 04-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
Revert "vfs_export: Add checks for correct prison when updating exports"
This reverts commit 7926a01ed7ae7cefd81ef4cc2142c35b84d81913.
A new patch in D38371 is being considered for doing this.
|
#
7926a01e |
| 03-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
vfs_export: Add checks for correct prison when updating exports
mountd(8) basically does the following: getmntinfo() for each mount delete_exports using nmount(2) to do the creation/deletion of individual exports.
For prison0 (and for other prisons if enforce_statfs == 0) getmntinfo() returns all mount points, including ones being used within other prisons. This can cause confusion if the same file system is specified in the exports(5) file for multiple prisons.
This patch adds a permanent identifier to each prison and marks which prison did the exports in a field of the mount structure called mnt_exjail. This field can then be compared to the permanent identifier for the prison that the thread's credentials are in. Also required was a new function called prison_isalive_permid() which returns if the prison is alive, so that the check can be ignored for prisons that have been removed.
This prepares the system to allow mountd(8) to run in multiple prisons, including prison0.
Future commits will complete the modifications to allow mountd(8) to run in vnet prisons. Until then, these changes should not affect semantics.
Reviewed by: markj MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D38144
|
#
99187c3a |
| 02-Feb-2023 |
Rick Macklem <rmacklem@FreeBSD.org> |
prison_check_nfsd: Add check for enforce_statfs != 0
Since mountd(8) will not be able to do exports when running in a vnet prison if enforce_statfs is set to 0, add a check for this to prison_check_nfsd().
Reviewed by: jamie, markj MFC after: 2 months Differential Revision: https://reviews.freebsd.org/D38189
|
Revision tags: vendor/tcsh/6.24.07, vendor/bc/6.2.2, vendor/bc/6.2.1, vendor/bc/6.2.0, vendor/bc/6.1.0, vendor/bc/6.0.4, vendor/NetBSD/bmake/20230126, vendor/Juniper/libxo/1.6.0, vendor/zstd/1.5.2, vendor/xz/5.4.1, vendor/sendmail/8.17.1, vendor/llvm-project/llvmorg-15.0.7-0-g8dfdcc7b7bf6, vendor/heimdal/7.8.0, vendor/sqlite3/sqlite-3400100, vendor/xz/5.4.0 |
|
#
8bce8d28 |
| 31-Dec-2022 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Avoid multipurpose return value of function prison_ip_restrict()
Currently function prison_ip_restrict() returns true if the replacement buffer was used, or no buffer provided and allocation fails and should redo. The logic is confusing and causes a possibly infinite loop from eb8dcdeac22d.
Reviewed by: jamie, glebius Approved by: kp (mentor) Differential Revision: https://reviews.freebsd.org/D37918
|
#
89ddfbba |
| 13-Jan-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix regression panic from eb8dcdeac22d
And possibly infinite loop calling prison_ip_restrict() in kern_jail_set() [2].
[1] It is possible that prisons do not have any IPv4 or IPv6 addresses.
[2] If prison_ip_restrict() is not provided with prison_ip, when it allocates prison_ip successfully, then it should return false to indicate not redo prison_ip_restrict() later.
Reviewed by: glebius Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37906
|
#
ddbf879d |
| 13-Jan-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Correctly access IPv[46] addresses of prison_ip
* Fix wrong IPv[46] addresses inherited from parent jail
* Properly restrict the child jail's IPv[46] addresses
Reviewed by: melifaro, glebius Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37871 Differential Revision: https://reviews.freebsd.org/D37872
show more ...
|
#
21ad3e27 |
| 21-Dec-2022 |
Zhenlei Huang <zlei@FreeBSD.org> |
jail: Fix output of IPv[46] addresses of DDB `show prison`
Reviewed by: melifaro, jamie Approved by: kp (mentor) Fixes: eb8dcdeac22d jail: network epoch protection for IP address lists Differential Revision: https://reviews.freebsd.org/D37732
show more ...
|
#
bba7a2e8 |
| 17-Dec-2022 |
Rick Macklem <rmacklem@FreeBSD.org> |
kern_jail.c: Allow mountd/nfsd to optionally run in a jail
This patch adds "allow.nfsd" to the jail code based on a new kernel build option VNET_NFSD. This will not work until future patches fix nmount(2) to allow mountd to run in a vnet prison and the NFS server code is patched so that global variables are in a vnet.
The jail(8) man page will be patched in a future commit.
Reviewed by: jamie MFC after: 4 months Differential Revision: https://reviews.freebsd.org/D37637
|