From 296d8d694e7449cb7c1a04bb69235aaa82ba174f Mon Sep 17 00:00:00 2001 From: Zumeng Chen Date: Fri, 23 Jan 2009 17:49:24 +0800 Subject: [PATCH 4/4] bsdjail: fix kernel panic when using clone_ns CLONE_NEWNS is used as a parameter to be pass into clone by clone_ns, but the corresponding codes in bsdjail.c is disabled by default. Based on the comments from bsdjail author, to enable these codes can avoid kernel crash. Signed-off-by: Zumeng Chen --- kernel/nsproxy.c | 1 + security/Kconfig | 11 +++++++++++ security/bsdjail.c | 5 +++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index f74e6c0..c33a2b3 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -160,6 +160,7 @@ out: put_nsproxy(old_ns); return err; } +EXPORT_SYMBOL(copy_namespaces); void free_nsproxy(struct nsproxy *ns) { diff --git a/security/Kconfig b/security/Kconfig index 250781e..27bf96b 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -186,5 +186,16 @@ config SECURITY_BSDJAIL If you are unsure how to answer this question, answer N. +config SECURITY_BSDJAIL_USE_NAMESPACE + bool "Copying name space" + depends on SECURITY_BSDJAIL + default y + help + This could be useful, so that future mounts outside the jail + don't affect the jail. But it's not necessary, and requires + exporting copy_namespace from fs/namespace.c, Actually, it + would also be useful for truly hiding information about mounts + which do not exist in this jail. + endmenu diff --git a/security/bsdjail.c b/security/bsdjail.c index 7edc935..178b1fa 100644 --- a/security/bsdjail.c +++ b/security/bsdjail.c @@ -255,9 +255,10 @@ int enable_jail(struct task_struct *tsk) * * Actually, it would also be useful for truly hiding * information about mounts which do not exist in this jail. -#define USE_JAIL_NAMESPACE + * "#define USE_JAIL_NAMESPACE" has been replace with + * CONFIG_SECURITY_BSDJAIL_USE_NAMESPACE. */ -#ifdef USE_JAIL_NAMESPACE +#ifdef CONFIG_SECURITY_BSDJAIL_USE_NAMESPACE bsdj_debug(BSDJAIL_DBG, "bsdjail: copying namespace.\n"); retval = -EPERM; if (copy_namespaces(CLONE_NEWNS, tsk)) -- 1.6.5.2