In this issue:
HOWTO track resource leaks in kernel modules ?
Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
Re: booting from Promise tx2000: FIXED
Re: booting from Promise tx2000: FIXED
=?Big5?B?p0G3UcX9rmGkSLlMp/Ombqq6pc2sobbcPw==?=
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need
Touchpad program
FreeBSD 5.0 roadmap
Isn't today Troll Tuesday?
Isn't today Troll Tuesday?
i386 tinderbox failure
IA-64 tinderbox failure
Newest Arrivals
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
new freebsd distribution...
Jail seperation patch
Re: Jail seperation patch
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
ESS1868 sound card and the *infamous* play interrupt timeout, channel dead:)
----------------------------------------------------------------------
Date: Tue, 25 Feb 2003 04:09:44 -0800
From: Daxbert <daxber...@dweebsoft.com>
Subject: HOWTO track resource leaks in kernel modules ?
Hi -
I was thinking about making some changes to if_de.c to support a tulip card
which isn't being recognized properly.
To begin this process, I need to make if_de.c export a detach function so it
could be unloaded from the kernel to make debugging of the module a little
easier. I've implemented a detach function, which at first glance seems ok.
I've run an extremely crude test by kldload / kldunload in an infinite loop for
about an hour... and the system hasn't panic-ed. And memory utilization doesn't
appear to have grown. However, I'd like something a bit more accurate.
Where would I look for resource leaks? Is there a library or toolkit to track
such things for kernel modules?
Sorry for my ignorance, but most of my Unix development experience has been
centered around apache modules.
Thanks,
--daxbert
------------------------------
Date: Tue, 25 Feb 2003 13:10:25 +0100 (CET)
From: Martin Blapp <m...@imp.ch>
Subject: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
Hi all,
To tell the short story. Linux-mozilla works like a charm as root, but it
doesn't as a user if you have a java-applet.
Some solutions are mentioned for jdk4 but they apply to jdk13 too:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&th=5dfc5db60b48af3f&rnum=1
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=132728+0+archive/2002/freebsd-java/20020714.freebsd-java
Started as user:
55909 java_vm RET mprotect 0
55909 java_vm CALL mprotect(0x28b21000,0x9000,0x5)
55909 java_vm RET mprotect 0
55909 java_vm CALL linux_brk(0x8050000)
55909 java_vm RET linux_brk 134545408/0x8050000
55909 java_vm CALL linux_sched_getscheduler(0xda65)
55909 java_vm RET linux_sched_getscheduler RESTART
-> BOOM
Started as root:
55836 java_vm RET mprotect 0
55836 java_vm CALL mprotect(0x28b21000,0x9000,0x5)
55836 java_vm RET mprotect 0
55836 java_vm CALL linux_brk(0x8050000)
55836 java_vm RET linux_brk 134545408/0x8050000
55836 java_vm CALL linux_sched_getscheduler(0xda1c)
55836 java_vm RET linux_sched_getscheduler 0
55836 java_vm CALL sched_getparam(0xda1c,0xbfbf9444)
55836 java_vm RET sched_getparam 0
55836 java_vm CALL linux_sched_getscheduler(0xda1c)
55836 java_vm RET linux_sched_getscheduler 0
55836 java_vm CALL sched_getparam(0xda1c,0xbfbf9444)
55836 java_vm RET sched_getparam 0
[...]
Martin
------------------------------
Date: Tue, 25 Feb 2003 06:22:56 -0600
From: Len Conrad <LCo...@Go2France.com>
Subject: Re: booting from Promise tx2000: FIXED
>Len Conrad <LCo...@Go2France.com> writes:
> > .... while waiting for Soeren Schmidt to get the Promise SX4000 driver done!
>
>I was under the impression that the SX4000 and SX6000 were already
>supported? I know that phk has an SX6000 which he says works fine.
>OTOH, it's possible that this hasn't percolated down to -STABLE yet.
Last autumn, SS and I tried to get SX4000 docs from Promise and I was told
by Promise .tw that the "Promise doesn't support FreeBSD", and SS has lost
his earlier contact person at Promise. So it's a happy surprise that I
learn this week that SS now has coop from Promise. He didn't say the
driver was ready.
Len
------------------------------
Date: Tue, 25 Feb 2003 13:45:10 +0100 (CET)
From: Soeren Schmidt <s...@spider.deepcore.dk>
Subject: Re: booting from Promise tx2000: FIXED
It seems Dag-Erling Smorgrav wrote:
> Len Conrad <LCo...@Go2France.com> writes:
> > .... while waiting for Soeren Schmidt to get the Promise SX4000 driver done!
>
> I was under the impression that the SX4000 and SX6000 were already
> supported? I know that phk has an SX6000 which he says works fine.
> OTOH, it's possible that this hasn't percolated down to -STABLE yet.
The SX6000 is supported, the SX4000 is quite a different animal and
is not supported yet. However I'm working with Promise to write
support for it...
-Søren
------------------------------
Date: Tue, 25 Feb 2003 22:22:08 +0800
From: =?Big5?B?p9qmYrRNp+QuLi4uLi4u?= <pop9...@yahoo.com.tw>
Subject: =?Big5?B?p0G3UcX9rmGkSLlMp/Ombqq6pc2sobbcPw==?=
It's 1 a.m., late at night
Lying in bed, I keep thinking... unable to fall asleep
What comes to mind is my parents' weary bodies...
I can't sleep... can't sleep.......
Once... I boasted that I would give them a good life
But my meager salary doesn't let me keep that promise
A few months ago... I came across a CD...
In just 40-some minutes... I saw hope
Step by step, I am working for my family in the right place
And my promise will be fulfilled
If you too want to give your family a better life
Please leave your details and I will send you this CD
I guarantee that once you understand it, it will open up a bright life for you
Name
Sex
Age
Home phone
Mobile phone
Mailing address
Postal code
Please send to pop9...@yahoo.com.tw
------------------------------
Date: Tue, 25 Feb 2003 06:56:17 -0800
From: Murray Stokely <mur...@FreeBSD.ORG>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
On Tue, Feb 25, 2003 at 01:10:25PM +0100, Martin Blapp wrote:
> To tell the short story. Linux-mozilla works like a charm as root, but it
> doesn't as a user if you have a java-applet.
This has been a problem for years and it affects other Linux
applications such as LabView. There is some commented out code in
linux_sched_getscheduler() function that provides the proper
functionality. It's unclear to me why the code was commented out in
the first place, but it would be really nice to get that resolved once
and for all.
- Murray
------------------------------
Date: Tue, 25 Feb 2003 15:39:38 +0000
From: Bob Bishop <r...@gid.co.uk>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix needs to be committed.
At 14:56 25/2/03, Murray Stokely wrote:
>This has been a problem for years and it affects other Linux
>applications such as LabView. There is some commented out code in
>linux_sched_getscheduler() function that provides the proper
>functionality. It's unclear to me why the code was commented out in
>the first place, but it would be really nice to get that resolved once
>and for all.
According to kern/40611, the problem is in posix4/p1003_1b.c not in the
linux wrapper. The updated patch in the PR audit trail seems to work.
--
Bob Bishop +44 (0)118 977 4017
r...@gid.co.uk fax +44 (0)118 989 4254
------------------------------
Date: Tue, 25 Feb 2003 11:20:34 -0500 (EST)
From: John Baldwin <j...@FreeBSD.org>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need
On 25-Feb-2003 Bob Bishop wrote:
> At 14:56 25/2/03, Murray Stokely wrote:
>>This has been a problem for years and it affects other Linux
>>applications such as LabView. There is some commented out code in
>>linux_sched_getscheduler() function that provides the proper
>>functionality. It's unclear to me why the code was commented out in
>>the first place, but it would be really nice to get that resolved once
>>and for all.
>
> According to kern/40611, the problem is in posix4/p1003_1b.c not in the
> linux wrapper. The updated patch in the PR audit trail seems to work.
There is a much simpler patch one can do:
Index: p1003_1b.c
===================================================================
RCS file: /usr/cvs/src/sys/posix4/p1003_1b.c,v
retrieving revision 1.5.2.1
diff -u -r1.5.2.1 p1003_1b.c
- --- p1003_1b.c 3 Aug 2000 01:09:59 -0000 1.5.2.1
+++ p1003_1b.c 25 Feb 2003 16:17:55 -0000
@@ -62,7 +62,7 @@
* only root can do this.
*/
- -#if 0
+#if 1
/*
* This is stolen from CANSIGNAL in kern_sig:
*
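Review bot: the context comment directly above the flipped `#if` still reads "only root can do this", which stops being true once `#if 1` enables the branch; update that comment in the same change so it states which non-root callers are now allowed. The enabled block describes itself as "stolen from CANSIGNAL in kern_sig", so it applies signal-delivery uid rules to scheduling parameters; either document why those rules are appropriate here or replace them with a check written for scheduling, and remove the preprocessor toggle rather than leaving a constant `#if 1`.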
Basically, it changes p31b_proc() to not always return an error
for non-root. If rwatson@ signs off on the security implications
(should be minimal, basically means that you can change your own
scheduling params and can change the params of other processes
you own) then I would prefer this patch.
I don't know why the check was turned off. The entire #if 0 /
#else / #endif seems to have been around since revision 1.1.
--
John Baldwin <j...@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
------------------------------
Date: Tue, 25 Feb 2003 08:44:19 -0800
From: Murray Stokely <mur...@FreeBSD.org>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need
On Tue, Feb 25, 2003 at 11:20:34AM -0500, John Baldwin wrote:
> Basically, it changes p31b_proc() to not always return an error
> for non-root. If rwatson@ signs off on the security implications
> (should be minimal, basically means that you can change your own
> scheduling params and can change the params of other processes
> you own) then I would prefer this patch.
Yes this is the one I was thinking about when I said the commented out
code. I've run a kernel with this patch for months, and I didn't see
any problems with it in my (unqualified) review. ;)
- Murray
------------------------------
Date: Tue, 25 Feb 2003 12:09:05 -0600
From: roc...@galileo.edu
Subject: Touchpad program
I want to make a program (or pseudo-device) to emulate the scrolling wheel in my
laptop touchpad (alps), the same way it is done in the windows drivers: if you
drag your finger along the right side it will act as the wheel scrolling. I had
been looking into psm, atkbd and atkbdc but I still don't know where to really
start. If someone could give me a basic help to where to start looking or to
what files I should look at, it would be very helpful. Thanks in advance.
Please CC to my address as I am not currently subscribed to this list.
Rodrigo F.
------------------------------
Date: Tue, 25 Feb 2003 10:29:52
From: "elcott" <elc...@mailfreeway.com>
Subject: FreeBSD 5.0 roadmap
Fellow committers, let's have a look at the 5.0 planned roadmap:
1) KSE
KSE is a joke at best. Is one of those over-engineered ideas that will never be finished. Too bad, it looked good some months ago.
2) GEOM
GEOM is another ego trip for Poul-Henning Kamp. He won't let anyone touch it or improve it. Another piece of code that will rot, like phkmalloc and devd.
3) devfs and devd
Like Bruce Evans, I don't see what the advantage of having this is. Another ego trip Poul?
4) UFS2
Unlike other parts of FreeBSD, UFS2 is now a reality, kudos to you Mr. McKusick.
5) gcc + toolchain
Until Troll Glass brings us TenDRA, we'll have to do with Gah! Nu's proprietary software. Thankfully, we have Mr. O'Brien on board to take care of it. Also Mr. Kabaev as well.
6) Ports
The ports people have done an excellent job, kudos to them.
7) PowerPC port
Little progress in this area, come on Benno, you can do better.
8) IA-64
Mr. LNUX Torvalds thinks it's not good, so it must be a heck of a cpu. As we all know, Linux is pure hore sh*t.
9) RAIDframe
Pathetic!!!! Those RAIDframes are *crap*. Scott, not only you fscked up with the release, but your patches are crap!
Sincerely,
Elcott Song, RE
---------------------
Tired of spam? Get advanced junk mail protection with MailFreeway.com
Join today its FREE!
------------------------------
Date: Tue, 25 Feb 2003 12:30:34
From: "elcott" <elc...@mailfreeway.com>
Subject: Isn't today Troll Tuesday?
________________
( Brett Glass!!! )
----------------
o ^__^
o (oo)\_______
(__)\ )\/\
||----w |
|| ||
------------------------------
Date: Tue, 25 Feb 2003 12:30:47
From: "elcott" <elc...@mailfreeway.com>
Subject: Isn't today Troll Tuesday?
________________
( Brett Glass!!! )
----------------
o ^__^
o (oo)\_______
(__)\ )\/\
||----w |
|| ||
------------------------------
Date: Tue, 25 Feb 2003 12:31:34
From: "elcott" <elc...@mailfreeway.com>
Subject: i386 tinderbox failure
________________
( Brett Glass!!! )
----------------
o ^__^
o (oo)\_______
(__)\ )\/\
||----w |
|| ||
------------------------------
Date: Tue, 25 Feb 2003 12:31:13
From: "elcott" <elc...@mailfreeway.com>
Subject: IA-64 tinderbox failure
________________
( Brett Glass!!! )
----------------
o ^__^
o (oo)\_______
(__)\ )\/\
||----w |
|| ||
------------------------------
Date: Wed, 26 Feb 2003 03:43:00 +0700
From: in...@habitat-thailand.com
Subject: Newest Arrivals
HBT Newsletter FEB 03
[HTML newsletter consisting of images only]
Did someone forward you this? Opt in to hear it first: in...@habitat-thailand.com (Subject: subscribe)
If you no longer wish to receive our mail: unsub...@habitat-thailand.com (Subject: unsubscribe)
------------------------------
Date: Tue, 25 Feb 2003 17:01:56 -0500 (EST)
From: Robert Watson <rwa...@FreeBSD.org>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
Per Martin's request, I'm forwarding this response to the broader group
involved in this thread. Basically, I think broadening the scope of
processes permitted to make the scheduler call is fine, but you don't want
to use the CANSIGNAL() code that's currently present for several reasons.
The simplest solution might be to only allow the scheduler change if the
requesting process is targeting itself.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
rob...@fledge.watson.org Network Associates Laboratories
---------- Forwarded message ----------
Date: Tue, 25 Feb 2003 12:53:53 -0500 (EST)
From: Robert Watson <rwa...@FreeBSD.org>
To: Martin Blapp <m...@imp.ch>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
On Tue, 25 Feb 2003, Martin Blapp wrote:
> Basically, it changes p31b_proc() to not always return an error for
> non-root. If rwatson@ signs off on the security implications (should be
> minimal, basically means that you can change your own scheduling params
> and can change the params of other processes you own) then I would
> prefer this patch.
Hmm. I think the check there is a bit on the unsafe side, that could be
why it was disabled. Basically, it permits the scheduler change in the
following four circumstances:
(0) Superuser always wins
(1) Subject real uid is object real uid
E.g., any process I should randomly start or own
(2) Subject effective uid is object real uid
If a tool is temporarily switched to my uid to exercise my
privileges, sounds OK.
(3) Subject real uid is object effective uid (uh oh)
(4) Subject effective uid is object effective uid (uh oh)
The reason (3) and (4) are problems is that they affect daemons
temporarily switching to a user's privileges to carry out a task -- such
as mail delivery, or a userland NFS server or the like. It could be that
these are poor handling of the loopback process case, wherein a process
can always modify its own scheduling. Take a look at p_cansched() in 5.x
for a bit more what I think the check should be. In summary, the rules
are:
(0) You can always reschedule the current process.
(1) If you're in a different jail, deny.
(2) Optionally call out to MAC.
(3) If the "seeotheruids" support says you can't see the other process,
you can't reschedule it either, regardless of uids.
(4) If the real uids are the same, it's OK -- i.e., any arbitrary shell
process (setuid or otherwise).
(5) If the subject effective uid is the same as the object real uid -- if
temporarily adopting a user's privileges, we can reschedule the
processes they own.
(6) Superuser always wins (subject to 0, 1, 2, 3).
(7) Deny
> I don't know why the check was turned off. The entire #if 0 / #else /
> #endif seems to have been around since revision 1.1.
It's probably because whoever wrote it realized that it was moderately
suspect. I would oppose simply enabling the current CANSIGNAL check -- it
has serious problems. On the other hand, putting in a refined check
sounds reasonable and I'd be happy to review such a patch. Although the
code from 5.x won't instantly work with 4.x without substantial
modification, it might make a good starting point.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
rob...@fledge.watson.org Network Associates Laboratories
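The two rule sets listed in the message above, modelled side by side in userland C as an added example (not FreeBSD kernel code and not code from the thread). `struct cred_model`, the verdict names, the `mac_hook` type and every pid and uid are hypothetical, and rule (3) is reduced to a real-uid comparison as an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified credential record; not a kernel structure. */
struct cred_model {
    int      pid;
    unsigned ruid;  /* real uid */
    unsigned euid;  /* effective uid */
    int      jail;  /* 0 = host, otherwise a jail id */
};

/* Which rule decided, in the order the message lists them. */
enum sched_verdict {
    ALLOW_SELF, DENY_JAIL, DENY_MAC, DENY_UNSEEN,
    ALLOW_SAME_RUID, ALLOW_EUID_IS_RUID, ALLOW_SUPERUSER, DENY_DEFAULT
};

/* Optional policy hook standing in for the MAC call-out (hypothetical type). */
typedef bool (*mac_hook)(const struct cred_model *, const struct cred_model *);

/* CANSIGNAL-style check: superuser, or any of the four uid pairings. */
static bool cansignal_style(const struct cred_model *s, const struct cred_model *o)
{
    if (s->euid == 0)
        return true;
    return s->ruid == o->ruid       /* (1) */
        || s->euid == o->ruid       /* (2) */
        || s->ruid == o->euid       /* (3) matches a daemon's borrowed euid */
        || s->euid == o->euid;      /* (4) likewise */
}

/* Refined ordering: the first rule that matches decides. */
static enum sched_verdict cansched_model(const struct cred_model *s,
    const struct cred_model *o, bool see_other_uids, mac_hook mac)
{
    if (s->pid == o->pid)
        return ALLOW_SELF;              /* (0) own process */
    if (s->jail != o->jail)
        return DENY_JAIL;               /* (1) different jail */
    if (mac != NULL && !mac(s, o))
        return DENY_MAC;                /* (2) optional MAC veto */
    if (!see_other_uids && s->ruid != o->ruid)
        return DENY_UNSEEN;             /* (3) assumed visibility test */
    if (s->ruid == o->ruid)
        return ALLOW_SAME_RUID;         /* (4) */
    if (s->euid == o->ruid)
        return ALLOW_EUID_IS_RUID;      /* (5) */
    if (s->euid == 0)
        return ALLOW_SUPERUSER;         /* (6) */
    return DENY_DEFAULT;                /* (7) */
}

static bool verdict_allows(enum sched_verdict v)
{
    return v == ALLOW_SELF || v == ALLOW_SAME_RUID ||
           v == ALLOW_EUID_IS_RUID || v == ALLOW_SUPERUSER;
}

/* Constructed sample processes: { pid, ruid, euid, jail }. */
static const struct cred_model user_shell      = { 100, 1001, 1001, 0 };
static const struct cred_model user_job        = { 101, 1001, 1001, 0 };
static const struct cred_model delivery_daemon = { 200,   25, 1001, 0 };
static const struct cred_model setuid_tool     = { 400, 2002, 1001, 0 };
static const struct cred_model host_root       = {   1,    0,    0, 0 };
static const struct cred_model jailed_root     = { 300,    0,    0, 7 };

int main(void)
{
    const struct { const char *what; const struct cred_model *s, *o; } cases[] = {
        { "user -> own job",     &user_shell,  &user_job },
        { "user -> daemon",      &user_shell,  &delivery_daemon },
        { "setuid tool -> job",  &setuid_tool, &user_job },
        { "host root -> daemon", &host_root,   &delivery_daemon },
        { "jailed root -> user", &jailed_root, &user_shell },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s cansignal=%d refined=%d\n", cases[i].what,
            cansignal_style(cases[i].s, cases[i].o),
            verdict_allows(cansched_model(cases[i].s, cases[i].o, true, NULL)));
    return 0;
}
```

The "user -> daemon" row is the case the message flags: the daemon has only borrowed uid 1001 as its effective uid, so the CANSIGNAL-style pairing (3) matches while the refined rules fall through to the final deny.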
------------------------------
Date: Tue, 25 Feb 2003 14:30:41 -0800 (PST)
From: Diego Montalvo <di...@earthoid.org>
Subject: new freebsd distribution...
Hello,
I am wanting to start a new distribution of FreeBSD, which will in short
run on the FreeBSD core, but will consist of a completely redesigned
installation and driver setup layer.
The "blue lagoon" distribution, will not only consist of a graphical
setup interface, but it will also allow easier: driver, port, x windows
setup, etc...
Another improvement would be better interface for disabled users: larger
fonts, colors, etc....
The project is still in the green, but I am seeking help on getting this
project started.
I have worked on a graphical illustration, I can provide it upon
request.
Cheers,
Diego Montalvo
------------------------------
Date: Tue, 25 Feb 2003 14:47:11 -0800
From: "Mooneer Salem" <moo...@translator.cx>
Subject: Jail seperation patch
Hello,
I've been working on extending the jail feature of FreeBSD to make it
more friendly to VPS providers. I added the following features:
* Rudimentary CPU/RAM/number of processes per-jail limits
* Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
* Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
addresses within a jail)
* struct prison added to SysV IPC code (to allow for secure use)
* Disk mount hiding
* Hot add/remove IP addresses from jail using sysctl
* Process hiding (non-root users outside jails cannot see jailed processes)
The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
any comments or suggestions. If anyone's interested, it can be retrieved
at http://msalem.translator.cx/dist/jail_seperation.v5.patch.
Example of new sysctl entries:
%sysctl -a | grep jail
jail.jails.test_lifeafterking_org.max_ram: 0
jail.jails.test_lifeafterking_org.max_cpu: 0
jail.jails.test_lifeafterking_org.max_procs: 0
jail.jails.test_lifeafterking_org.procs_used: 10
jail.jails.test_lifeafterking_org.ram_used: 5971968
jail.jails.test_lifeafterking_org.cpu_used: 0
jail.jails.test_lifeafterking_org.ipv4addr: 10.0.0.3,10.0.0.4
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.quotas_allowed: 0
security.jail.hide_processes: 0
%
Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/
------------------------------
Date: Wed, 26 Feb 2003 09:05:09 +0100
From: Pawel Jakub Dawidek <ni...@garage.freebsd.pl>
Subject: Re: Jail seperation patch
On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
+> I've been working on extending the jail feature of FreeBSD to make it
+> more friendly to VPS providers. I added the following features:
+>
+> * Rudimentary CPU/RAM/number of processes per-jail limits
+> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
+> * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
+> addresses within a jail)
And what happens when we have a situation like:
1.
main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
jailed host ips: 1.1.1.2, 1.1.1.3
Daemon in jail binds to INADDR_ANY to port X, somebody connects
to port X, but to IP 1.1.1.4 (outside jail). Will the connection succeed?
2.
main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
jailed host ips: 1.1.1.2, 1.1.1.3
Daemon outside jail binds to port X on IP 1.1.1.4.
User in jail connects to port X to INADDR_ANY.
Will the connection succeed?
What happens when a daemon inside the jail and a daemon outside the jail
bind to the same port? If I'm connecting to this port, who will handle the connection?
+> * struct prison added to SysV IPC code (to allow for secure use)
A better solution is to create separate memory zones for the main host and every
jail; look at my patch against 5.0-CURRENT:
http://garage.freebsd.pl/privipc.tbz
http://garage.freebsd.pl/privipc.README
+> * Disk mount hiding
Better way is IMHO hiding and cutting pathnames, look at:
http://garage.freebsd.pl/jailfsstat.tgz
http://garage.freebsd.pl/jailfsstat.README
+> * Hot add/remove IP addresses from jail using sysctl
+> * Process hiding (non-root users outside jails cannot see jailed processes)
This isn't a complete solution and I think it couldn't be, because you
still could modify files owned by jailed users with UID notjailed user, so...
+> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
+> any comments or suggestions. If anyone's interested, it can be retrieved
+> at http://msalem.translator.cx/dist/jail_seperation.v5.patch.
You could add multi-level jailing, IMHO it's cool:
http://garage.freebsd.pl/mljail.tbz
http://garage.freebsd.pl/mljail.README
Nice work, I'm wondering if something will be ever committed:)
--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
------------------------------
Date: Wed, 26 Feb 2003 08:25:24 +0000
From: Bob Bishop <r...@gid.co.uk>
Subject: Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
Hi,
At 22:01 25/2/03, Robert Watson wrote:
>[...]
>I would oppose simply enabling the current CANSIGNAL check -- it
>has serious problems. On the other hand, putting in a refined check
>sounds reasonable and I'd be happy to review such a patch. Although the
>code from 5.x won't instantly work with 4.x without substantial
>modification, it might make a good starting point.
OK, so what's the score with the patch at the end of the kern/40611 audit
trail? Thanks
--
Bob Bishop +44 (0)118 977 4017
r...@gid.co.uk fax +44 (0)118 989 4254
------------------------------
Date: Wed, 26 Feb 2003 14:58:35 +0200
From: "Riccardo Spagni" <jedih...@mighty.co.za>
Subject: ESS1868 sound card and the *infamous* play interrupt timeout, channel dead:)
Lo all,
Running 5.0-RELEASE with 'device pcm' in my kernel, and now
I see this is happening:
Dump from /var/log/messages:
Feb 23 14:59:20 Hobbes kernel: sbc0: <ESS ES1868> at port 0x300-0x301,0x388-0x38b,0x220-0x22f irq 10 drq 0,1 on isa0
Feb 23 14:59:20 Hobbes kernel: pcm0: <ESS 18xx DSP> on sbc0
Feb 23 14:59:20 Hobbes kernel: midi0: <SB Midi Interface> on sbc0
Feb 23 14:59:20 Hobbes kernel: midi1: <SB OPL FM Synthesizer> on sbc0
Feb 23 14:59:20 Hobbes kernel: joy0: <ESS0001 PnP Joystick> at port 0x201 on isa0
Feb 23 14:59:20 Hobbes kernel: unknown: <ESS ES1868 Plug and Play AudioDrive> can't assign resources (irq)
So, according to the BIOS startup messages and DMESG,
should be assigned no DMA, and an IRQ of 10. And no, I do
*not* have device sbc in my kernel. Anyway, I added this
line to /boot/device.hints:
hint.pcm.0.irq="10"
Has no effect, still getting the same message. Any ideas?
Oh, if I ignore the fact that the error's there, and try
mpg321 or anything to play sound (even if I cat a .au into
/dev/dsp0), it gives me this:
Feb 23 14:59:44 Hobbes kernel: pcm0:play:0: play interrupt timeout, channel dead
Interestingly enough, there appear to be problems with a
lot of interrupt assignments. When I had ACPI disabled in
the BIOS, then it moaned about assigning interrupts to the
AGP card. ACPI and APM are enabled in the BIOS, I've tried
disabling APM (don't ask why I thought it would make a
difference:) Also, the BIOS (Award) has some simple
settings for enabling/disabling a PNP-OS, allowing the OS
to set IRQs et. al. Dunno if that has any bearing tho...
Thanks,
Riccardo "JediHobbes" Spagni
------------------------------
End of freebsd-hackers-digest V5 #730
*************************************