author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-04-20 16:49:21 +0000 |
---|---|---|
committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-04-20 16:49:21 +0000 |
commit | cadce43bb15b0bb4f369e7bcc869156948da34a1 (patch) | |
tree | 268cd250eb927ac00b3979fc94819ef9ebc9756f | |
parent | 3ea40c8ad52fbaced2ec68a5675083be7f73f09e (diff) | |
download | illumos-joyent-cadce43bb15b0bb4f369e7bcc869156948da34a1.tar.gz |
OS-5346 disable kmem/physmem access from a zone
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Bryan Cantrill <bryan@joyent.com>
-rw-r--r-- | usr/src/uts/common/io/ksyms.c | 9 | ||||
-rw-r--r-- | usr/src/uts/common/io/mem.c | 13 | ||||
-rw-r--r-- | usr/src/uts/common/io/physmem.c | 8 |
3 files changed, 28 insertions, 2 deletions
diff --git a/usr/src/uts/common/io/ksyms.c b/usr/src/uts/common/io/ksyms.c
index c9f0c63b69..5233fcd0b4 100644
--- a/usr/src/uts/common/io/ksyms.c
+++ b/usr/src/uts/common/io/ksyms.c
@@ -21,6 +21,7 @@
 /*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2016 Joyent, Inc.
 */
@@ -219,6 +220,14 @@ ksyms_open(dev_t *devp, int flag, int otyp, struct cred *cred)
 char *addr;
 void *hptr = NULL;
 ksyms_buflist_hdr_t hdr;
+
+ /*
+ * This device should never be visible in a zone, but if it somehow
+ * does get created we refuse to allow the zone to use it.
+ */
+ if (crgetzoneid(cred) != GLOBAL_ZONEID)
+ return (EACCES);
+
 bzero(&hdr, sizeof (struct ksyms_buflist_hdr));
 list_create(&hdr.blist, PAGESIZE, offsetof(ksyms_buflist_t, buflist_node));
diff --git a/usr/src/uts/common/io/mem.c b/usr/src/uts/common/io/mem.c
index cdbeb0d422..8955b3d935 100644
--- a/usr/src/uts/common/io/mem.c
+++ b/usr/src/uts/common/io/mem.c
@@ -24,7 +24,7 @@
 */
 /*
- * Copyright (c) 2015, Joyent, Inc. All rights reserved.
+ * Copyright 2016, Joyent, Inc.
 */
 /*
@@ -221,10 +221,19 @@ mmopen(dev_t *devp, int flag, int typ, struct cred *cred)
 switch (getminor(*devp)) {
 case M_NULL:
 case M_ZERO:
+ /* standard devices */
+ break;
+
 case M_MEM:
 case M_KMEM:
 case M_ALLKMEM:
- /* standard devices */
+ /*
+ * These devices should never be visible in a zone, but if they
+ * somehow do get created we refuse to allow the zone to use
+ * them.
+ */
+ if (crgetzoneid(cred) != GLOBAL_ZONEID)
+ return (EACCES);
 break;
 default:
diff --git a/usr/src/uts/common/io/physmem.c b/usr/src/uts/common/io/physmem.c
index 39d5003b02..c48fecd133 100644
--- a/usr/src/uts/common/io/physmem.c
+++ b/usr/src/uts/common/io/physmem.c
@@ -21,6 +21,7 @@
 /*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
+ * Copyright 2016 Joyent, Inc.
 */
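Review bot: The zone check added at the top of ksyms_open gates only the open call, so it does not cover a descriptor that was opened under a global-zone credential and is later held by a process running inside a zone. Whether the read and mmap entry points re-validate the caller is not visible here, because they sit outside the hunk, and ksyms_open itself continues past the last context line. If open-time gating is the intended boundary, the comment should say so, for example `* Checked at open time only; already-open descriptors are not re-validated.`; otherwise the same `crgetzoneid()` test belongs in the data paths as well. The same applies to the checks added in mmopen (mem.c) and physmem_open (physmem.c).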
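Review bot: After the split, the `case M_NULL:` / `case M_ZERO:` arm in mmopen is effectively the list of minors a non-global zone may open, yet its comment still reads `/* standard devices */`, which does not tell a later author that the arm now carries a security decision. I would reword it to `/* harmless minors: no zone restriction needed */`, so that a newly added minor goes into the restricted arm unless someone argues otherwise. The body of the `default:` arm and the rest of mmopen lie outside the hunk, so how unknown minors are handled cannot be confirmed from here.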
@@ -807,6 +808,13 @@ physmem_open(dev_t *devp, int flag, int otyp, cred_t *credp)
 int ret;
 static int msg_printed = 0;
+ /*
+ * This device should never be visible in a zone, but if it somehow
+ * does get created we refuse to allow the zone to use it.
+ */
+ if (crgetzoneid(credp) != GLOBAL_ZONEID)
+ return (EACCES);
+
 if ((flag & (FWRITE | FREAD)) != (FWRITE | FREAD)) {
 return (EINVAL);
 } |
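Review bot: The new `return (EACCES);` in physmem_open is silent, although the comment above it says the device node should never exist inside a zone, so reaching this branch means the zone's /dev contents are not what the system intended. That is worth surfacing to the global-zone operator once, for instance `cmn_err(CE_NOTE, "physmem: open refused for zone %d", crgetzoneid(credp));` behind a once-only latch; the function already declares `msg_printed`, whose use lies outside the hunk. Without the latch a zone could flood the global log by retrying the open, so the message must not be emitted on every attempt. The ksyms_open and mmopen checks return just as quietly.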