author | Allan Jude <allanjude@FreeBSD.org> | 2017-05-24 00:58:30 +0000 |
---|---|---|
committer | Allan Jude <allanjude@FreeBSD.org> | 2017-05-24 00:58:30 +0000 |
commit | f299c47b52b7b116df305056cf121dbf9871abcf (patch) | |
tree | 7866f8b0a3fc2d7b3fd70275951bc845e3453248 /sys | |
parent | 7c0cad38c73d1a17a08f1d8c7d098e146f752ad8 (diff) | |
Allow cpuset_{get,set}affinity in capabilities mode
bhyve was recently sandboxed with capsicum, and needs to be able to
control the CPU sets of its vcpu threads
Reviewed by: emaste, oshogbo, rwatson
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D10170
Notes
Notes:
svn path=/head/; revision=318765
Diffstat (limited to 'sys')
-rw-r--r-- | sys/compat/freebsd32/capabilities.conf | 4 | ||||
-rw-r--r-- | sys/kern/capabilities.conf | 7 | ||||
-rw-r--r-- | sys/kern/kern_cpuset.c | 20 |
3 files changed, 25 insertions, 6 deletions
diff --git a/sys/compat/freebsd32/capabilities.conf b/sys/compat/freebsd32/capabilities.conf
index 1a5670cade91..4458227fd7bf 100644
--- a/sys/compat/freebsd32/capabilities.conf
+++ b/sys/compat/freebsd32/capabilities.conf
@@ -76,9 +76,9 @@ close
 closefrom
 connectat
 #cpuset
-#freebsd32_cpuset_getaffinity
+freebsd32_cpuset_getaffinity
 #freebsd32_cpuset_getid
-#freebsd32_cpuset_setaffinity
+freebsd32_cpuset_setaffinity
 #freebsd32_cpuset_setid
 dup
 dup2
diff --git a/sys/kern/capabilities.conf b/sys/kern/capabilities.conf
index a59601345c9c..facb2354c36e 100644
--- a/sys/kern/capabilities.conf
+++ b/sys/kern/capabilities.conf
@@ -133,13 +133,12 @@ closefrom
 connectat
 ##
-## cpuset(2) and related calls require scoping by process, but should
-## eventually be allowed, at least in the current process case.
+## cpuset(2) and related calls are limited to caller's own process/thread.
 ##
 #cpuset
-#cpuset_getaffinity
+cpuset_getaffinity
 #cpuset_getid
-#cpuset_setaffinity
+cpuset_setaffinity
 #cpuset_setid
 ##
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index 9e83f568889e..c279264ea244 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/sched.h>
 #include <sys/smp.h>
 #include <sys/syscallsubr.h>
+#include <sys/capsicum.h>
 #include <sys/cpuset.h>
 #include <sys/sx.h>
 #include <sys/queue.h>
@@ -522,6 +523,7 @@ cpuset_setproc(pid_t pid, struct cpuset *set, cpuset_t *mask)
 int threads;
 int nfree;
 int error;
+
 /*
 * The algorithm requires two passes due to locking considerations.
 *
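Review bot: The two entries enabled in sys/compat/freebsd32/capabilities.conf open the 32-bit entry points in capability mode, but the restriction to the caller's own thread or process is added only inside kern_cpuset_getaffinity and kern_cpuset_setaffinity in sys/kern/kern_cpuset.c. The freebsd32 wrappers are not part of this diff, so it should be confirmed that they reach those kern_ functions rather than a separate implementation; otherwise a 32-bit sandboxed process would not hit the ECAPMODE checks. A comment above the entries, for example `## Scoped to the caller's own process/thread by kern_cpuset_{get,set}affinity.`, would record that dependency for the next person who edits the list.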
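Review bot: The rewritten comment in the sys/kern/capabilities.conf hunk says cpuset(2) and related calls are limited to the caller's own process/thread, yet the hunk enables only cpuset_getaffinity and cpuset_setaffinity; `#cpuset`, `#cpuset_getid` and `#cpuset_setid` stay commented out. Someone auditing the allowed list would read the comment as describing all five entries. I would word it as `## cpuset_getaffinity(2) and cpuset_setaffinity(2) are limited to the caller's own` followed by `## process/thread; the other cpuset calls are not permitted in capability mode.`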
@@ -1096,6 +1098,15 @@ kern_cpuset_getaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which,
 if (cpusetsize < sizeof(cpuset_t) ||
 cpusetsize > CPU_MAXSIZE / NBBY)
 return (ERANGE);
+ /* In Capability mode, you can only get your own CPU set. */
+ if (IN_CAPABILITY_MODE(td)) {
+ if (level != CPU_LEVEL_WHICH)
+ return (ECAPMODE);
+ if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+ return (ECAPMODE);
+ if (id != -1)
+ return (ECAPMODE);
+ }
 size = cpusetsize;
 mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
 error = cpuset_which(which, id, &p, &ttd, &set);
@@ -1204,6 +1215,15 @@ kern_cpuset_setaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which,
 if (cpusetsize < sizeof(cpuset_t) ||
 cpusetsize > CPU_MAXSIZE / NBBY)
 return (ERANGE);
+ /* In Capability mode, you can only set your own CPU set. */
+ if (IN_CAPABILITY_MODE(td)) {
+ if (level != CPU_LEVEL_WHICH)
+ return (ECAPMODE);
+ if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
+ return (ECAPMODE);
+ if (id != -1)
+ return (ECAPMODE);
+ }
 mask = malloc(cpusetsize, M_TEMP, M_WAITOK | M_ZERO);
 error = copyin(maskp, mask, cpusetsize);
 if (error) |
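Review bot: The capability-mode check added in the kern_cpuset_getaffinity hunk is repeated line for line in the kern_cpuset_setaffinity hunk, so the sandbox policy now lives in two places that can drift apart; one static helper called from both would keep it in a single spot. The check also rejects a caller that passes its own tid or pid explicitly, because only `id != -1` is tested, and the comment ("you can only get your own CPU set") does not say so; if that strictness is intended, the comment should state that only id -1 is accepted. Both function bodies begin and end outside these hunks, and the signature is cut off, so the `id_t` type used for `id` below is an assumption to confirm.

```c
/*
 * Capability-mode policy shared by cpuset_{get,set}affinity: only the
 * calling thread or process, named by id == -1, at CPU_LEVEL_WHICH.
 */
static int
cpuset_check_capabilities(struct thread *td, cpulevel_t level,
    cpuwhich_t which, id_t id)
{

	if (!IN_CAPABILITY_MODE(td))
		return (0);
	if (level != CPU_LEVEL_WHICH)
		return (ECAPMODE);
	if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
		return (ECAPMODE);
	if (id != -1)
		return (ECAPMODE);
	return (0);
}

/* … unchanged: cpusetsize range check in kern_cpuset_getaffinity / kern_cpuset_setaffinity … */
	error = cpuset_check_capabilities(td, level, which, id);
	if (error != 0)
		return (error);
/* … unchanged: mask allocation and the rest of each function … */
```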