Lines Matching +full:vref +full:- +full:half
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 1999 Poul-Henning Kamp.
107 .pr_securelevel = -1,
203 * Make this array full-size so dynamic parameters can be added.
246 * Initialize the parts of prison0 that can't be static-initialized with
270 * non-printable characters to be safe. in prison0_init()
272 while (size > 0 && data[size - 1] <= 0x20) { in prison0_init()
273 size--; in prison0_init()
279 * Not NUL-terminated when passed from loader, but in prison0_init()
321 error = copyin(uap->jail, &version, sizeof(uint32_t)); in sys_jail()
332 error = copyin(uap->jail, &j0, sizeof(struct jail_v0)); in sys_jail()
344 * Version 1 was used by multi-IPv4 jail implementations in sys_jail()
350 /* FreeBSD multi-IPv4/IPv6,noIP jails. */ in sys_jail()
351 error = copyin(uap->jail, &j, sizeof(struct jail)); in sys_jail()
357 /* Sci-Fi jails are not supported, sorry. */ in sys_jail()
390 opt.uio_offset = -1; in kern_jail()
391 opt.uio_resid = -1; in kern_jail()
396 /* Set permissions for top-level jails from sysctls. */ in kern_jail()
397 if (!jailed(td->td_ucred)) { in kern_jail()
400 atomic_load_int(&bf->flag) != 0; in kern_jail()
403 (jail_default_allow & bf->flag) in kern_jail()
404 ? bf->name : bf->noname); in kern_jail()
420 ip4s = (j->version == 0) ? 1 : j->ip4s; in kern_jail()
425 if (j->ip4s > 0) in kern_jail()
429 if (j->ip6s > jail_max_af_ips) in kern_jail()
431 tmplen += j->ip6s * sizeof(struct in6_addr); in kern_jail()
433 if (j->ip6s > 0) in kern_jail()
453 error = copyinstr(j->path, u_path, MAXPATHLEN, in kern_jail()
464 error = copyinstr(j->hostname, u_hostname, MAXHOSTNAMELEN, in kern_jail()
471 if (j->jailname != NULL) { in kern_jail()
476 error = copyinstr(j->jailname, u_name, MAXHOSTNAMELEN, in kern_jail()
490 if (j->version == 0) in kern_jail()
491 u_ip4->s_addr = j->ip4s; in kern_jail()
493 error = copyin(j->ip4, u_ip4, optiov[opt.uio_iovcnt].iov_len); in kern_jail()
506 optiov[opt.uio_iovcnt].iov_len = j->ip6s * sizeof(struct in6_addr); in kern_jail()
507 error = copyin(j->ip6, u_ip6, optiov[opt.uio_iovcnt].iov_len); in kern_jail()
535 if (uap->iovcnt & 1) in sys_jail_set()
538 error = copyinuio(uap->iovp, uap->iovcnt, &auio); in sys_jail_set()
541 error = kern_jail_set(td, auio, uap->flags); in sys_jail_set()
583 * XXX Variable-length automatic arrays in union may be
601 MPASS(idx >= 0 && idx < pip->ips); in PR_IP()
603 return (pip->pr_ip + pr_families[af].size * idx); in PR_IP()
614 pip->ips = cnt; in prison_ip_alloc()
630 bcopy(op, pip->pr_ip, cnt * size); in prison_ip_copyin()
640 qsort(PR_IP(pip, af, 1), cnt - 1, size, cmp); in prison_ip_copyin()
669 const struct prison_ip *ppip = ppr->pr_addrs[af]; in prison_ip_dup()
673 pip = prison_ip_alloc(af, ppip->ips, M_WAITOK); in prison_ip_dup()
674 bcopy(ppip->pr_ip, pip->pr_ip, pip->ips * pr_families[af].size); in prison_ip_dup()
675 pr->pr_addrs[af] = pip; in prison_ip_dup()
695 for (i = 0; i < ppip->ips; i++) in prison_ip_parent_match()
699 if (i == ppip->ips) in prison_ip_parent_match()
703 if (pip->ips > 1) { in prison_ip_parent_match()
704 for (i = j = 1; i < pip->ips; i++) { in prison_ip_parent_match()
708 for (; j < ppip->ips; j++) in prison_ip_parent_match()
712 if (j == ppip->ips) in prison_ip_parent_match()
715 if (j == ppip->ips) in prison_ip_parent_match()
736 for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent) in prison_ip_conflict_check()
737 if (tppr->pr_flags & PR_VNET) in prison_ip_conflict_check()
745 (tpr != tppr && (tpr->pr_flags & PR_VNET)) || in prison_ip_conflict_check()
751 if (!(tpr->pr_flags & pr_families[af].ip_flag)) in prison_ip_conflict_check()
754 if (tpr->pr_addrs[af] == NULL || in prison_ip_conflict_check()
755 (pip->ips == 1 && tpr->pr_addrs[af]->ips == 1)) in prison_ip_conflict_check()
757 for (int i = 0; i < pip->ips; i++) in prison_ip_conflict_check()
779 NET_EPOCH_CALL(prison_ip_free_deferred, &pip->ctx); in prison_ip_free()
787 mtx_assert(&pr->pr_mtx, MA_OWNED); in prison_ip_set()
789 mem = &pr->pr_addrs[af]; in prison_ip_set()
805 struct prison_ip *ppip = pr->pr_parent->pr_addrs[af]; in prison_ip_restrict()
806 struct prison_ip *pip = pr->pr_addrs[af]; in prison_ip_restrict()
812 mtx_assert(&pr->pr_mtx, MA_OWNED); in prison_ip_restrict()
815 * Due to epoch-synchronized access to the IP address lists we always in prison_ip_restrict()
827 if (!(pr->pr_flags & pr_families[af].ip_flag)) { in prison_ip_restrict()
829 new = prison_ip_alloc(af, ppip->ips, M_NOWAIT); in prison_ip_restrict()
834 MPASS(new->ips == ppip->ips); in prison_ip_restrict()
835 bcopy(ppip->pr_ip, new->pr_ip, ppip->ips * size); in prison_ip_restrict()
847 new = prison_ip_alloc(af, pip->ips, M_NOWAIT); in prison_ip_restrict()
852 for (int pi = 0; pi < ppip->ips; pi++) in prison_ip_restrict()
861 for (int pi = 1; i < pip->ips; ) { in prison_ip_restrict()
872 switch (pi >= ppip->ips ? -1 : in prison_ip_restrict()
874 case -1: in prison_ip_restrict()
895 KASSERT((new->ips >= ips), in prison_ip_restrict()
896 ("Out-of-bounds write to prison_ip %p", new)); in prison_ip_restrict()
897 new->ips = ips; in prison_ip_restrict()
907 * Fast-path check if an address belongs to a prison.
917 MPASS(mtx_owned(&pr->pr_mtx) || in prison_ip_check()
921 pip = atomic_load_ptr(&pr->pr_addrs[af]); in prison_ip_check()
933 z = pip->ips - 2; in prison_ip_check()
938 z = i - 1; in prison_ip_check()
950 * us to support epoch-protected access. Is it used in fast path?
956 const struct prison_ip *pip = pr->pr_addrs[af]; in prison_ip_get0()
958 mtx_assert(&pr->pr_mtx, MA_OWNED); in prison_ip_get0()
961 return (pip->pr_ip); in prison_ip_get0()
968 return (pr->pr_addrs[af]->ips); in prison_ip_cnt()
1018 mypr = td->td_ucred->cr_prison; in kern_jail_set()
1019 if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) in kern_jail_set()
1031 * options. But it makes more sense to re-use the vfsopt code in kern_jail_set()
1098 vfs_flagopt(opts, bf->name, &pr_flags, bf->flag); in kern_jail_set()
1099 vfs_flagopt(opts, bf->noname, &ch_flags, bf->flag); in kern_jail_set()
1105 error = vfs_copyopt(opts, jsf->name, &jsys, sizeof(jsys)); in kern_jail_set()
1112 if (!jsf->disable) { in kern_jail_set()
1116 pr_flags |= jsf->disable; in kern_jail_set()
1119 pr_flags |= jsf->new; in kern_jail_set()
1127 ch_flags |= jsf->new | jsf->disable; in kern_jail_set()
1160 atomic_load_int(&bf->flag) != 0; in kern_jail_set()
1162 vfs_flagopt(opts, bf->name, &pr_allow, bf->flag); in kern_jail_set()
1163 vfs_flagopt(opts, bf->noname, &ch_allow, bf->flag); in kern_jail_set()
1173 if (len == 0 || name[len - 1] != '\0') { in kern_jail_set()
1191 if (len == 0 || host[len - 1] != '\0') { in kern_jail_set()
1209 if (len == 0 || domain[len - 1] != '\0') { in kern_jail_set()
1227 if (len == 0 || uuid[len - 1] != '\0') { in kern_jail_set()
1238 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { in kern_jail_set()
1262 else if (ip4s & (sizeof(struct in_addr) - 1)) { in kern_jail_set()
1290 else if (ip6s & (sizeof(struct in6_addr) - 1)) { in kern_jail_set()
1333 if (len == 0 || osrelstr[len - 1] != '\0') { in kern_jail_set()
1340 "osrelease string must be 1-%d bytes long", in kern_jail_set()
1341 OSRELEASELEN - 1); in kern_jail_set()
1378 if (len == 0 || path[len - 1] != '\0') { in kern_jail_set()
1397 if (root->v_type != VDIR) { in kern_jail_set()
1437 if (inspr->pr_id < jid) in kern_jail_set()
1439 if (inspr->pr_id > jid) in kern_jail_set()
1443 mtx_lock(&pr->pr_mtx); in kern_jail_set()
1494 if (strncmp(name, ppr->pr_name, namelc - name) in kern_jail_set()
1495 || ppr->pr_name[namelc - name] != '\0') { in kern_jail_set()
1510 mtx_unlock(&ppr->pr_mtx); in kern_jail_set()
1523 (ppr == &prison0) ? 0 : strlen(ppr->pr_name) + 1; in kern_jail_set()
1526 strcmp(tpr->pr_name + pnamelen, namelc)) in kern_jail_set()
1540 mtx_lock(&pr->pr_mtx); in kern_jail_set()
1570 for (tpr = mypr; tpr != NULL; tpr = tpr->pr_parent) in kern_jail_set()
1571 if (tpr->pr_childcount >= tpr->pr_childmax) { in kern_jail_set()
1590 mtx_lock(&deadpr->pr_mtx); in kern_jail_set()
1591 deadpr->pr_id = deadid; in kern_jail_set()
1592 mtx_unlock(&deadpr->pr_mtx); in kern_jail_set()
1613 pr->pr_state = PRISON_STATE_INVALID; in kern_jail_set()
1614 refcount_init(&pr->pr_ref, 1); in kern_jail_set()
1615 refcount_init(&pr->pr_uref, 0); in kern_jail_set()
1617 LIST_INIT(&pr->pr_children); in kern_jail_set()
1618 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK); in kern_jail_set()
1619 TASK_INIT(&pr->pr_task, 0, prison_complete, pr); in kern_jail_set()
1621 pr->pr_id = jid; in kern_jail_set()
1627 pr->pr_parent = ppr; in kern_jail_set()
1630 LIST_INSERT_HEAD(&ppr->pr_children, pr, pr_sibling); in kern_jail_set()
1631 for (tpr = ppr; tpr != NULL; tpr = tpr->pr_parent) in kern_jail_set()
1632 tpr->pr_childcount++; in kern_jail_set()
1639 root = mypr->pr_root; in kern_jail_set()
1640 vref(root); in kern_jail_set()
1642 strlcpy(pr->pr_hostuuid, DEFAULT_HOSTUUID, HOSTUUIDLEN); in kern_jail_set()
1643 pr->pr_flags |= PR_HOST; in kern_jail_set()
1651 pr->pr_flags |= PR_IP4 | PR_IP4_USER; in kern_jail_set()
1653 pr->pr_flags |= ppr->pr_flags & PR_IP4; in kern_jail_set()
1659 pr->pr_flags |= PR_IP6 | PR_IP6_USER; in kern_jail_set()
1661 pr->pr_flags |= ppr->pr_flags & PR_IP6; in kern_jail_set()
1668 pr->pr_flags |= _PR_IP_SADDRSEL; in kern_jail_set()
1670 pr->pr_securelevel = ppr->pr_securelevel; in kern_jail_set()
1671 pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; in kern_jail_set()
1672 pr->pr_enforce_statfs = jail_default_enforce_statfs; in kern_jail_set()
1673 pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum; in kern_jail_set()
1675 pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate; in kern_jail_set()
1677 strlcpy(pr->pr_osrelease, ppr->pr_osrelease, in kern_jail_set()
1678 sizeof(pr->pr_osrelease)); in kern_jail_set()
1680 strlcpy(pr->pr_osrelease, osrelstr, in kern_jail_set()
1681 sizeof(pr->pr_osrelease)); in kern_jail_set()
1685 pr->pr_vnet = (pr_flags & PR_VNET) in kern_jail_set()
1686 ? vnet_alloc() : ppr->pr_vnet; in kern_jail_set()
1692 error = cpuset_create_root(ppr, &pr->pr_cpuset); in kern_jail_set()
1696 mtx_lock(&pr->pr_mtx); in kern_jail_set()
1706 if ((pr->pr_flags & PR_VNET) && in kern_jail_set()
1715 if (PR_IP4_USER & ch_flags & (pr_flags ^ pr->pr_flags)) { in kern_jail_set()
1723 if (PR_IP6_USER & ch_flags & (pr_flags ^ pr->pr_flags)) { in kern_jail_set()
1734 if (slevel < ppr->pr_securelevel) { in kern_jail_set()
1740 if (childmax >= ppr->pr_childmax) { in kern_jail_set()
1746 if (enforce < ppr->pr_enforce_statfs) { in kern_jail_set()
1762 if (jailed(td->td_ucred)) { in kern_jail_set()
1763 if (rsnum > 0 && rsnum != ppr->pr_devfs_rsnum) { in kern_jail_set()
1767 rsnum = ppr->pr_devfs_rsnum; in kern_jail_set()
1772 if ((ppr->pr_flags & PR_IP4) && in kern_jail_set()
1773 !prison_ip_parent_match(ppr->pr_addrs[PR_INET], ip4, in kern_jail_set()
1787 if ((ppr->pr_flags & PR_IP6) && in kern_jail_set()
1788 !prison_ip_parent_match(ppr->pr_addrs[PR_INET6], ip6, in kern_jail_set()
1803 * explicitly the jid - but not any other number, and only in in kern_jail_set()
1819 pnamelen = (ppr == &prison0) ? 0 : strlen(ppr->pr_name) + 1; in kern_jail_set()
1820 onamelen = strlen(pr->pr_name + pnamelen); in kern_jail_set()
1822 if (pnamelen + namelen + 1 > sizeof(pr->pr_name)) { in kern_jail_set()
1827 if (strlen(tpr->pr_name) + (namelen - onamelen) >= in kern_jail_set()
1828 sizeof(pr->pr_name)) { in kern_jail_set()
1834 pr_allow_diff = pr_allow & ~ppr->pr_allow; in kern_jail_set()
1842 * then re-locking the prison, but this is still a valid state as long in kern_jail_set()
1845 mtx_unlock(&pr->pr_mtx); in kern_jail_set()
1850 mtx_lock(&pr->pr_mtx); in kern_jail_set()
1855 if (!opt->seen && strcmp(opt->name, "errmsg")) { in kern_jail_set()
1857 vfs_opterror(opts, "unknown parameter: %s", opt->name); in kern_jail_set()
1866 pr->pr_flags |= PR_IP4; in kern_jail_set()
1871 if (tpr->pr_flags & PR_VNET) { in kern_jail_set()
1886 pr->pr_flags |= PR_IP6; in kern_jail_set()
1891 if (tpr->pr_flags & PR_VNET) { in kern_jail_set()
1904 pr->pr_securelevel = slevel; in kern_jail_set()
1907 if (tpr->pr_securelevel < slevel) in kern_jail_set()
1908 tpr->pr_securelevel = slevel; in kern_jail_set()
1911 pr->pr_childmax = childmax; in kern_jail_set()
1914 if (tpr->pr_childmax > childmax - level) in kern_jail_set()
1915 tpr->pr_childmax = childmax > level in kern_jail_set()
1916 ? childmax - level : 0; in kern_jail_set()
1919 pr->pr_enforce_statfs = enforce; in kern_jail_set()
1922 if (tpr->pr_enforce_statfs < enforce) in kern_jail_set()
1923 tpr->pr_enforce_statfs = enforce; in kern_jail_set()
1926 pr->pr_devfs_rsnum = rsnum; in kern_jail_set()
1929 tpr->pr_devfs_rsnum = rsnum; in kern_jail_set()
1933 strlcpy(pr->pr_name, namelc, sizeof(pr->pr_name)); in kern_jail_set()
1935 snprintf(pr->pr_name, sizeof(pr->pr_name), "%s.%s", in kern_jail_set()
1936 ppr->pr_name, namelc); in kern_jail_set()
1939 bcopy(tpr->pr_name + onamelen, tpr->pr_name + namelen, in kern_jail_set()
1940 strlen(tpr->pr_name + onamelen) + 1); in kern_jail_set()
1941 bcopy(pr->pr_name, tpr->pr_name, namelen); in kern_jail_set()
1945 /* Try to keep a real-rooted full pathname. */ in kern_jail_set()
1946 strlcpy(pr->pr_path, path, sizeof(pr->pr_path)); in kern_jail_set()
1947 pr->pr_root = root; in kern_jail_set()
1951 if (pr->pr_flags & PR_HOST) { in kern_jail_set()
1958 strlcpy(pr->pr_hostname, pr->pr_parent->pr_hostname, in kern_jail_set()
1959 sizeof(pr->pr_hostname)); in kern_jail_set()
1960 strlcpy(pr->pr_domainname, pr->pr_parent->pr_domainname, in kern_jail_set()
1961 sizeof(pr->pr_domainname)); in kern_jail_set()
1962 strlcpy(pr->pr_hostuuid, pr->pr_parent->pr_hostuuid, in kern_jail_set()
1963 sizeof(pr->pr_hostuuid)); in kern_jail_set()
1964 pr->pr_hostid = pr->pr_parent->pr_hostid; in kern_jail_set()
1969 strlcpy(pr->pr_hostname, host, sizeof(pr->pr_hostname)); in kern_jail_set()
1971 strlcpy(pr->pr_domainname, domain, in kern_jail_set()
1972 sizeof(pr->pr_domainname)); in kern_jail_set()
1974 strlcpy(pr->pr_hostuuid, uuid, sizeof(pr->pr_hostuuid)); in kern_jail_set()
1976 pr->pr_hostid = hid; in kern_jail_set()
1978 if (tpr->pr_flags & PR_HOST) in kern_jail_set()
1982 strlcpy(tpr->pr_hostname, in kern_jail_set()
1983 pr->pr_hostname, in kern_jail_set()
1984 sizeof(tpr->pr_hostname)); in kern_jail_set()
1986 strlcpy(tpr->pr_domainname, in kern_jail_set()
1987 pr->pr_domainname, in kern_jail_set()
1988 sizeof(tpr->pr_domainname)); in kern_jail_set()
1990 strlcpy(tpr->pr_hostuuid, in kern_jail_set()
1991 pr->pr_hostuuid, in kern_jail_set()
1992 sizeof(tpr->pr_hostuuid)); in kern_jail_set()
1994 tpr->pr_hostid = hid; in kern_jail_set()
1998 pr->pr_allow = (pr->pr_allow & ~ch_allow) | pr_allow; in kern_jail_set()
2005 if (ch_flags & PR_PERSIST & (pr_flags ^ pr->pr_flags)) { in kern_jail_set()
2013 refcount_acquire(&pr->pr_uref); in kern_jail_set()
2019 pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags; in kern_jail_set()
2020 mtx_unlock(&pr->pr_mtx); in kern_jail_set()
2023 * Any errors past this point will need to de-persist newly created in kern_jail_set()
2039 ip4s = pr->pr_addrs[PR_INET]->ips; in kern_jail_set()
2042 mtx_lock(&pr->pr_mtx); in kern_jail_set()
2046 if (tpr->pr_flags & PR_VNET) { in kern_jail_set()
2054 mtx_unlock(&pr->pr_mtx); in kern_jail_set()
2059 ip6s = pr->pr_addrs[PR_INET6]->ips; in kern_jail_set()
2062 mtx_lock(&pr->pr_mtx); in kern_jail_set()
2066 if (tpr->pr_flags & PR_VNET) { in kern_jail_set()
2074 mtx_unlock(&pr->pr_mtx); in kern_jail_set()
2094 pr->pr_state = PRISON_STATE_ALIVE; in kern_jail_set()
2111 mtx_unlock(&pr->pr_mtx); in kern_jail_set()
2122 if (created && pr != &prison0 && (pr->pr_allow & PR_ALLOW_NFSD) != 0 && in kern_jail_set()
2123 (pr->pr_root->v_vflag & VV_ROOT) == 0) in kern_jail_set()
2125 " file system\n", pr->pr_id); in kern_jail_set()
2128 td->td_retval[0] = pr->pr_id; in kern_jail_set()
2146 if (optuio->uio_segflg == UIO_SYSSPACE) in kern_jail_set()
2148 optuio->uio_iov[errmsg_pos].iov_base, in kern_jail_set()
2152 optuio->uio_iov[errmsg_pos].iov_base, in kern_jail_set()
2182 TAILQ_LAST(&allprison, prisonlist)->pr_id < jid) { in get_next_prid()
2196 if (inspr->pr_id < jid) in get_next_prid()
2198 if (inspr->pr_id > jid) { in get_next_prid()
2239 deadid = lastdeadid ? lastdeadid - 1 : JAIL_MAX; in get_next_deadid()
2246 if (dinspr->pr_id > deadid) in get_next_deadid()
2248 if (dinspr->pr_id < deadid) { in get_next_deadid()
2253 if (--deadid < minid) { in get_next_deadid()
2292 if (uap->iovcnt & 1) in sys_jail_get()
2295 error = copyinuio(uap->iovp, uap->iovcnt, &auio); in sys_jail_get()
2298 error = kern_jail_get(td, auio, uap->flags); in sys_jail_get()
2300 error = copyout(auio->uio_iov, uap->iovp, in sys_jail_get()
2301 uap->iovcnt * sizeof(struct iovec)); in sys_jail_get()
2326 mypr = td->td_ucred->cr_prison; in kern_jail_get()
2337 if (pr->pr_id > jid && in kern_jail_get()
2340 mtx_lock(&pr->pr_mtx); in kern_jail_get()
2375 if (len == 0 || name[len - 1] != '\0') { in kern_jail_get()
2404 td->td_retval[0] = pr->pr_id; in kern_jail_get()
2405 error = vfs_setopt(opts, "jid", &pr->pr_id, sizeof(pr->pr_id)); in kern_jail_get()
2408 i = (pr->pr_parent == mypr) ? 0 : pr->pr_parent->pr_id; in kern_jail_get()
2415 error = vfs_setopt(opts, "cpuset.id", &pr->pr_cpuset->cs_id, in kern_jail_get()
2416 sizeof(pr->pr_cpuset->cs_id)); in kern_jail_get()
2423 error = vfs_setopt_part(opts, "ip4.addr", pr->pr_addrs[PR_INET]->pr_ip, in kern_jail_get()
2424 pr->pr_addrs[PR_INET] ? pr->pr_addrs[PR_INET]->ips * in kern_jail_get()
2430 error = vfs_setopt_part(opts, "ip6.addr", pr->pr_addrs[PR_INET6]->pr_ip, in kern_jail_get()
2431 pr->pr_addrs[PR_INET6] ? pr->pr_addrs[PR_INET6]->ips * in kern_jail_get()
2436 error = vfs_setopt(opts, "securelevel", &pr->pr_securelevel, in kern_jail_get()
2437 sizeof(pr->pr_securelevel)); in kern_jail_get()
2440 error = vfs_setopt(opts, "children.cur", &pr->pr_childcount, in kern_jail_get()
2441 sizeof(pr->pr_childcount)); in kern_jail_get()
2444 error = vfs_setopt(opts, "children.max", &pr->pr_childmax, in kern_jail_get()
2445 sizeof(pr->pr_childmax)); in kern_jail_get()
2448 error = vfs_setopts(opts, "host.hostname", pr->pr_hostname); in kern_jail_get()
2451 error = vfs_setopts(opts, "host.domainname", pr->pr_domainname); in kern_jail_get()
2454 error = vfs_setopts(opts, "host.hostuuid", pr->pr_hostuuid); in kern_jail_get()
2458 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { in kern_jail_get()
2459 uint32_t hid32 = pr->pr_hostid; in kern_jail_get()
2464 error = vfs_setopt(opts, "host.hostid", &pr->pr_hostid, in kern_jail_get()
2465 sizeof(pr->pr_hostid)); in kern_jail_get()
2468 error = vfs_setopt(opts, "enforce_statfs", &pr->pr_enforce_statfs, in kern_jail_get()
2469 sizeof(pr->pr_enforce_statfs)); in kern_jail_get()
2472 error = vfs_setopt(opts, "devfs_ruleset", &pr->pr_devfs_rsnum, in kern_jail_get()
2473 sizeof(pr->pr_devfs_rsnum)); in kern_jail_get()
2479 i = (pr->pr_flags & bf->flag) ? 1 : 0; in kern_jail_get()
2480 error = vfs_setopt(opts, bf->name, &i, sizeof(i)); in kern_jail_get()
2484 error = vfs_setopt(opts, bf->noname, &i, sizeof(i)); in kern_jail_get()
2491 f = pr->pr_flags & (jsf->disable | jsf->new); in kern_jail_get()
2492 i = (f != 0 && f == jsf->disable) ? JAIL_SYS_DISABLE in kern_jail_get()
2493 : (f == jsf->new) ? JAIL_SYS_NEW in kern_jail_get()
2495 error = vfs_setopt(opts, jsf->name, &i, sizeof(i)); in kern_jail_get()
2501 atomic_load_int(&bf->flag) != 0; in kern_jail_get()
2503 i = (pr->pr_allow & bf->flag) ? 1 : 0; in kern_jail_get()
2504 error = vfs_setopt(opts, bf->name, &i, sizeof(i)); in kern_jail_get()
2508 error = vfs_setopt(opts, bf->noname, &i, sizeof(i)); in kern_jail_get()
2520 error = vfs_setopt(opts, "osreldate", &pr->pr_osreldate, in kern_jail_get()
2521 sizeof(pr->pr_osreldate)); in kern_jail_get()
2524 error = vfs_setopts(opts, "osrelease", pr->pr_osrelease); in kern_jail_get()
2529 mtx_unlock(&pr->pr_mtx); in kern_jail_get()
2540 if (!opt->seen && strcmp(opt->name, "errmsg")) { in kern_jail_get()
2542 vfs_opterror(opts, "unknown parameter: %s", opt->name); in kern_jail_get()
2550 if (opt->pos >= 0 && opt->pos != errmsg_pos) { in kern_jail_get()
2551 pos = 2 * opt->pos + 1; in kern_jail_get()
2552 optuio->uio_iov[pos].iov_len = opt->len; in kern_jail_get()
2553 if (opt->value != NULL) { in kern_jail_get()
2554 if (optuio->uio_segflg == UIO_SYSSPACE) { in kern_jail_get()
2555 bcopy(opt->value, in kern_jail_get()
2556 optuio->uio_iov[pos].iov_base, in kern_jail_get()
2557 opt->len); in kern_jail_get()
2559 error = copyout(opt->value, in kern_jail_get()
2560 optuio->uio_iov[pos].iov_base, in kern_jail_get()
2561 opt->len); in kern_jail_get()
2580 if (optuio->uio_segflg == UIO_SYSSPACE) in kern_jail_get()
2582 optuio->uio_iov[errmsg_pos].iov_base, in kern_jail_get()
2586 optuio->uio_iov[errmsg_pos].iov_base, in kern_jail_get()
2610 pr = prison_find_child(td->td_ucred->cr_prison, uap->jid); in sys_jail_remove()
2616 /* Silently ignore already-dying prisons. */ in sys_jail_remove()
2617 mtx_unlock(&pr->pr_mtx); in sys_jail_remove()
2641 pr = prison_find_child(td->td_ucred->cr_prison, uap->jid); in sys_jail_attach()
2649 mtx_unlock(&pr->pr_mtx); in sys_jail_attach()
2664 mtx_assert(&pr->pr_mtx, MA_OWNED); in do_jail_attach()
2676 refcount_acquire(&pr->pr_uref); in do_jail_attach()
2678 mtx_unlock(&pr->pr_mtx); in do_jail_attach()
2693 p = td->td_proc; in do_jail_attach()
2694 error = cpuset_setproc_update_set(p, pr->pr_cpuset); in do_jail_attach()
2698 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY); in do_jail_attach()
2699 if ((error = change_dir(pr->pr_root, td)) != 0) in do_jail_attach()
2702 if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root))) in do_jail_attach()
2705 VOP_UNLOCK(pr->pr_root); in do_jail_attach()
2706 if ((error = pwd_chroot_chdir(td, pr->pr_root))) in do_jail_attach()
2712 newcred->cr_prison = pr; in do_jail_attach()
2724 prison_proc_relink(oldcred->cr_prison, pr, p); in do_jail_attach()
2725 prison_deref(oldcred->cr_prison, drflags); in do_jail_attach()
2741 VOP_UNLOCK(pr->pr_root); in do_jail_attach()
2746 (void)osd_jail_call(td->td_ucred->cr_prison, PR_METHOD_ATTACH, td); in do_jail_attach()
2761 if (pr->pr_id < prid) in prison_find()
2763 if (pr->pr_id > prid) in prison_find()
2766 mtx_lock(&pr->pr_mtx); in prison_find()
2783 if (pr->pr_id == prid) { in prison_find_child()
2786 mtx_lock(&pr->pr_mtx); in prison_find_child()
2804 mylen = (mypr == &prison0) ? 0 : strlen(mypr->pr_name) + 1; in prison_find_name()
2807 if (!strcmp(pr->pr_name + mylen, name)) { in prison_find_name()
2811 mtx_lock(&pr->pr_mtx); in prison_find_name()
2817 /* There was no valid prison - perhaps there was a dying one. */ in prison_find_name()
2819 mtx_lock(&deadpr->pr_mtx); in prison_find_name()
2833 return ((cred->cr_prison->pr_flags & flag) != 0); in prison_flag()
2845 return ((cred->cr_prison->pr_allow & flag) != 0); in prison_allow()
2867 int was_valid = refcount_acquire_if_not_zero(&pr->pr_ref); in prison_hold()
2870 ("Trying to hold dead prison %p (jid=%d).", pr, pr->pr_id)); in prison_hold()
2872 refcount_acquire(&pr->pr_ref); in prison_hold()
2884 mtx_assert(&pr->pr_mtx, MA_OWNED); in prison_free_locked()
2889 mtx_unlock(&pr->pr_mtx); in prison_free_locked()
2897 KASSERT(refcount_load(&pr->pr_ref) > 0, in prison_free()
2899 pr, pr->pr_id)); in prison_free()
2900 if (!refcount_release_if_not_last(&pr->pr_ref)) { in prison_free()
2905 taskqueue_enqueue(taskqueue_thread, &pr->pr_task); in prison_free()
2915 KASSERT(refcount_load(&pr->pr_ref) > 0, in prison_free_not_last()
2917 pr, pr->pr_id)); in prison_free_not_last()
2918 lastref = refcount_release(&pr->pr_ref); in prison_free_not_last()
2921 pr, pr->pr_id)); in prison_free_not_last()
2923 refcount_release(&pr->pr_ref); in prison_free_not_last()
2930 * user-visible, except through the jail system calls. It is also
2940 int was_alive = refcount_acquire_if_not_zero(&pr->pr_uref); in prison_proc_hold()
2943 ("Cannot add a process to a non-alive prison (jid=%d)", pr->pr_id)); in prison_proc_hold()
2945 refcount_acquire(&pr->pr_uref); in prison_proc_hold()
2963 KASSERT(refcount_load(&pr->pr_uref) > 0, in prison_proc_free()
2964 ("Trying to kill a process in a dead prison (jid=%d)", pr->pr_id)); in prison_proc_free()
2965 if (!refcount_release_if_not_last(&pr->pr_uref)) { in prison_proc_free()
2969 * but also half dead. Add a reference so any calls to in prison_proc_free()
2970 * prison_free() won't re-submit the task. in prison_proc_free()
2973 mtx_lock(&pr->pr_mtx); in prison_proc_free()
2974 KASSERT(!(pr->pr_flags & PR_COMPLETE_PROC), in prison_proc_free()
2976 pr->pr_id)); in prison_proc_free()
2977 pr->pr_flags |= PR_COMPLETE_PROC; in prison_proc_free()
2978 mtx_unlock(&pr->pr_mtx); in prison_proc_free()
2979 taskqueue_enqueue(taskqueue_thread, &pr->pr_task); in prison_proc_free()
2989 KASSERT(refcount_load(&pr->pr_uref) > 0, in prison_proc_free_not_last()
2991 pr, pr->pr_id)); in prison_proc_free_not_last()
2992 lastref = refcount_release(&pr->pr_uref); in prison_proc_free_not_last()
2995 pr, pr->pr_id)); in prison_proc_free_not_last()
2997 refcount_release(&pr->pr_uref); in prison_proc_free_not_last()
3006 LIST_INSERT_HEAD(&pr->pr_proclist, p, p_jaillist); in prison_proc_link()
3041 if (pr->pr_flags & PR_COMPLETE_PROC) { in prison_complete()
3042 pr->pr_flags &= ~PR_COMPLETE_PROC; in prison_complete()
3066 if (atomic_load_int(&pr->pr_childcount) == 0) { in prison_proc_iterate()
3068 LIST_FOREACH(p, &pr->pr_proclist, p_jaillist) { in prison_proc_iterate()
3069 if (p->p_state == PRS_NEW) in prison_proc_iterate()
3076 if (atomic_load_int(&pr->pr_childcount) == 0) in prison_proc_iterate()
3080 * system-wide search. in prison_proc_iterate()
3087 if (p->p_state != PRS_NEW && p->p_ucred != NULL) { in prison_proc_iterate()
3088 for (ppr = p->p_ucred->cr_prison; in prison_proc_iterate()
3090 ppr = ppr->pr_parent) { in prison_proc_iterate()
3105 * with no non-sleeping locks held, except perhaps the prison itself.
3136 KASSERT(refcount_load(&pr->pr_uref) > 0, in prison_deref()
3138 pr->pr_id)); in prison_deref()
3139 if (!refcount_release_if_not_last(&pr->pr_uref)) { in prison_deref()
3145 if (refcount_release(&pr->pr_uref) && in prison_deref()
3146 pr->pr_state == PRISON_STATE_ALIVE) { in prison_deref()
3154 pr->pr_state = PRISON_STATE_DYING; in prison_deref()
3155 mtx_unlock(&pr->pr_mtx); in prison_deref()
3167 if (refcount_load(&pr->pr_uref) > 0) in prison_deref()
3174 KASSERT(refcount_load(&pr->pr_ref) > 0, in prison_deref()
3176 pr->pr_id)); in prison_deref()
3177 if (!refcount_release_if_not_last(&pr->pr_ref)) { in prison_deref()
3179 if (refcount_release(&pr->pr_ref)) { in prison_deref()
3185 refcount_load(&pr->pr_uref) == 0, in prison_deref()
3188 pr->pr_uref, pr->pr_id)); in prison_deref()
3192 pr->pr_state = PRISON_STATE_INVALID; in prison_deref()
3197 for (ppr = pr->pr_parent; in prison_deref()
3199 ppr = ppr->pr_parent) in prison_deref()
3200 ppr->pr_childcount--; in prison_deref()
3205 mtx_unlock(&pr->pr_mtx); in prison_deref()
3207 pr = pr->pr_parent; in prison_deref()
3218 mtx_unlock(&pr->pr_mtx); in prison_deref()
3234 if (rpr->pr_vnet != rpr->pr_parent->pr_vnet) in prison_deref()
3235 vnet_destroy(rpr->pr_vnet); in prison_deref()
3237 if (rpr->pr_root != NULL) in prison_deref()
3238 vrele(rpr->pr_root); in prison_deref()
3239 mtx_destroy(&rpr->pr_mtx); in prison_deref()
3241 prison_ip_free(rpr->pr_addrs[PR_INET]); in prison_deref()
3244 prison_ip_free(rpr->pr_addrs[PR_INET6]); in prison_deref()
3246 if (rpr->pr_cpuset != NULL) in prison_deref()
3247 cpuset_rel(rpr->pr_cpuset); in prison_deref()
3273 KASSERT(refcount_load(&pr->pr_ref) > 0, in prison_deref_kill()
3275 pr, pr->pr_id)); in prison_deref_kill()
3276 refcount_acquire(&pr->pr_uref); in prison_deref_kill()
3277 pr->pr_state = PRISON_STATE_DYING; in prison_deref_kill()
3278 mtx_unlock(&pr->pr_mtx); in prison_deref_kill()
3289 mtx_lock(&cpr->pr_mtx); in prison_deref_kill()
3290 cpr->pr_state = PRISON_STATE_DYING; in prison_deref_kill()
3291 cpr->pr_flags |= PR_REMOVE; in prison_deref_kill()
3292 mtx_unlock(&cpr->pr_mtx); in prison_deref_kill()
3295 if (!(cpr->pr_flags & PR_REMOVE)) in prison_deref_kill()
3298 mtx_lock(&cpr->pr_mtx); in prison_deref_kill()
3299 cpr->pr_flags &= ~PR_REMOVE; in prison_deref_kill()
3300 if (cpr->pr_flags & PR_PERSIST) { in prison_deref_kill()
3301 cpr->pr_flags &= ~PR_PERSIST; in prison_deref_kill()
3305 (void)refcount_release(&cpr->pr_uref); in prison_deref_kill()
3306 if (refcount_release(&cpr->pr_ref)) { in prison_deref_kill()
3316 rpr->pr_state = PRISON_STATE_INVALID; in prison_deref_kill()
3322 ppr = rpr->pr_parent; in prison_deref_kill()
3325 for (; ppr != NULL; ppr = ppr->pr_parent) in prison_deref_kill()
3326 ppr->pr_childcount--; in prison_deref_kill()
3328 mtx_unlock(&cpr->pr_mtx); in prison_deref_kill()
3334 mtx_lock(&pr->pr_mtx); in prison_deref_kill()
3335 if (pr->pr_flags & PR_PERSIST) { in prison_deref_kill()
3336 pr->pr_flags &= ~PR_PERSIST; in prison_deref_kill()
3340 (void)refcount_release(&pr->pr_uref); in prison_deref_kill()
3358 mtx_unlock(&pr->pr_mtx); in prison_lock_xlock()
3373 mtx_lock(&pr->pr_mtx); in prison_lock_xlock()
3387 mtx_assert(&pr->pr_mtx, MA_NOTOWNED); in prison_cleanup()
3402 pr = cred->cr_prison; in prison_set_allow()
3404 mtx_lock(&pr->pr_mtx); in prison_set_allow()
3406 mtx_unlock(&pr->pr_mtx); in prison_set_allow()
3417 pr->pr_allow |= flag; in prison_set_allow_locked()
3419 pr->pr_allow &= ~flag; in prison_set_allow_locked()
3421 cpr->pr_allow &= ~flag; in prison_set_allow_locked()
3439 pr = cred->cr_prison; in prison_check_af()
3451 if (pr->pr_flags & PR_IP4) in prison_check_af()
3453 mtx_lock(&pr->pr_mtx); in prison_check_af()
3454 if ((pr->pr_flags & PR_IP4) && in prison_check_af()
3455 pr->pr_addrs[PR_INET] == NULL) in prison_check_af()
3457 mtx_unlock(&pr->pr_mtx); in prison_check_af()
3463 if (pr->pr_flags & PR_IP6) in prison_check_af()
3465 mtx_lock(&pr->pr_mtx); in prison_check_af()
3466 if ((pr->pr_flags & PR_IP6) && in prison_check_af()
3467 pr->pr_addrs[PR_INET6] == NULL) in prison_check_af()
3469 mtx_unlock(&pr->pr_mtx); in prison_check_af()
3478 if (!(pr->pr_allow & PR_ALLOW_SOCKET_AF)) in prison_check_af()
3512 switch (sa->sa_family) in prison_if()
3517 error = prison_check_ip4(cred, &sai->sin_addr); in prison_if()
3523 error = prison_check_ip6(cred, &sai6->sin6_addr); in prison_if()
3527 if (!(cred->cr_prison->pr_allow & PR_ALLOW_SOCKET_AF)) in prison_if()
3540 return ((cred1->cr_prison == cred2->cr_prison || in prison_check()
3541 prison_ischild(cred1->cr_prison, cred2->cr_prison)) ? 0 : ESRCH); in prison_check()
3546 * - A vnet prison.
3547 * - PR_ALLOW_NFSD must be set on it.
3548 * - The root directory (pr_root) of the prison must be
3551 * - The prison's enforce_statfs cannot be 0, so that
3562 if ((cred->cr_prison->pr_root->v_vflag & VV_ROOT) == 0) in prison_check_nfsd()
3564 if (cred->cr_prison->pr_enforce_statfs == 0) in prison_check_nfsd()
3576 for (pr2 = pr2->pr_parent; pr2 != NULL; pr2 = pr2->pr_parent) in prison_ischild()
3590 if (__predict_false(pr->pr_state != PRISON_STATE_ALIVE)) in prison_isalive()
3606 if (__predict_false(pr->pr_state == PRISON_STATE_INVALID)) in prison_isvalid()
3608 if (__predict_false(refcount_load(&pr->pr_ref) == 0)) in prison_isvalid()
3643 pr = (cred != NULL) ? cred->cr_prison : &prison0; in getcredhostname()
3644 mtx_lock(&pr->pr_mtx); in getcredhostname()
3645 strlcpy(buf, pr->pr_hostname, size); in getcredhostname()
3646 mtx_unlock(&pr->pr_mtx); in getcredhostname()
3653 mtx_lock(&cred->cr_prison->pr_mtx); in getcreddomainname()
3654 strlcpy(buf, cred->cr_prison->pr_domainname, size); in getcreddomainname()
3655 mtx_unlock(&cred->cr_prison->pr_mtx); in getcreddomainname()
3662 mtx_lock(&cred->cr_prison->pr_mtx); in getcredhostuuid()
3663 strlcpy(buf, cred->cr_prison->pr_hostuuid, size); in getcredhostuuid()
3664 mtx_unlock(&cred->cr_prison->pr_mtx); in getcredhostuuid()
3671 mtx_lock(&cred->cr_prison->pr_mtx); in getcredhostid()
3672 *hostid = cred->cr_prison->pr_hostid; in getcredhostid()
3673 mtx_unlock(&cred->cr_prison->pr_mtx); in getcredhostid()
3680 mtx_lock(&cred->cr_prison->pr_mtx); in getjailname()
3681 strlcpy(name, cred->cr_prison->pr_name, len); in getjailname()
3682 mtx_unlock(&cred->cr_prison->pr_mtx); in getjailname()
3700 return ((cred->cr_prison->pr_flags & PR_VNET) != 0); in prison_owns_vnet()
3718 pr = cred->cr_prison; in prison_canseemount()
3719 if (pr->pr_enforce_statfs == 0) in prison_canseemount()
3721 if (pr->pr_root->v_mount == mp) in prison_canseemount()
3723 if (pr->pr_enforce_statfs == 2) in prison_canseemount()
3727 * all mount-points from inside a jail. in prison_canseemount()
3731 if (strcmp(pr->pr_path, "/") == 0) in prison_canseemount()
3733 len = strlen(pr->pr_path); in prison_canseemount()
3734 sp = &mp->mnt_stat; in prison_canseemount()
3735 if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0) in prison_canseemount()
3741 if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/') in prison_canseemount()
3753 pr = cred->cr_prison; in prison_enforce_statfs()
3754 if (pr->pr_enforce_statfs == 0) in prison_enforce_statfs()
3757 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); in prison_enforce_statfs()
3758 strlcpy(sp->f_mntonname, "[restricted]", in prison_enforce_statfs()
3759 sizeof(sp->f_mntonname)); in prison_enforce_statfs()
3762 if (pr->pr_root->v_mount == mp) { in prison_enforce_statfs()
3767 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); in prison_enforce_statfs()
3768 *sp->f_mntonname = '/'; in prison_enforce_statfs()
3773 * all mount-points from inside a jail. in prison_enforce_statfs()
3775 if (strcmp(pr->pr_path, "/") == 0) in prison_enforce_statfs()
3777 len = strlen(pr->pr_path); in prison_enforce_statfs()
3778 strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath)); in prison_enforce_statfs()
3783 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); in prison_enforce_statfs()
3786 *sp->f_mntonname = '/'; in prison_enforce_statfs()
3788 strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname)); in prison_enforce_statfs()
3824 * NFS-specific privileges. in prison_priv_check()
3871 * 802.11-related privileges. in prison_priv_check()
3932 if (cred->cr_prison->pr_flags & PR_VNET) in prison_priv_check()
3971 * jailed root to override uid/gid-based constraints. in prison_priv_check()
3978 * Jail implements inter-process debugging limits already, so in prison_priv_check()
4010 * Jail implements its own inter-process limits, so allow in prison_priv_check()
4036 * Be careful to exclude mount-related and NFS-related in prison_priv_check()
4055 * As in the non-jail case, non-root users are expected to be in prison_priv_check()
4067 if (cred->cr_prison->pr_allow & PR_ALLOW_CHFLAGS) in prison_priv_check()
4080 pr = cred->cr_prison; in prison_priv_check()
4082 if (pr->pr_allow & PR_ALLOW_MOUNT && pr->pr_enforce_statfs < 2) in prison_priv_check()
4103 if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0) in prison_priv_check()
4114 if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK) in prison_priv_check()
4123 if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) in prison_priv_check()
4129 * Allow jailed root to reuse in-use ports. in prison_priv_check()
4144 if (cred->cr_prison->pr_allow & PR_ALLOW_RAW_SOCKETS) in prison_priv_check()
4168 if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF) in prison_priv_check()
4178 if (cred->cr_prison->pr_allow & in prison_priv_check()
4189 if (cred->cr_prison->pr_allow & PR_ALLOW_SETTIME) in prison_priv_check()
4217 name = pr2->pr_name; in prison_name()
4222 * can be counted on - and counted. in prison_name()
4224 for (; pr1 != &prison0; pr1 = pr1->pr_parent) in prison_name()
4240 path1 = pr1->pr_path; in prison_path()
4241 path2 = pr2->pr_path; in prison_path()
4255 * Jail-related sysctls.
4262 * Copy address array to memory that would be then SYSCTL_OUT-ed.
4272 mtx_assert(&pr->pr_mtx, MA_OWNED); in prison_ip_copyout()
4273 if ((pip = pr->pr_addrs[af]) != NULL) { in prison_ip_copyout()
4274 if (*len < pip->ips) { in prison_ip_copyout()
4275 *len = pip->ips; in prison_ip_copyout()
4276 mtx_unlock(&pr->pr_mtx); in prison_ip_copyout()
4278 mtx_lock(&pr->pr_mtx); in prison_ip_copyout()
4281 bcopy(pip->pr_ip, *out, pip->ips * size); in prison_ip_copyout()
4302 pr = req->td->td_ucred->cr_prison; in sysctl_jail_list()
4306 mtx_lock(&cpr->pr_mtx); in sysctl_jail_list()
4314 xp->pr_version = XPRISON_VERSION; in sysctl_jail_list()
4315 xp->pr_id = cpr->pr_id; in sysctl_jail_list()
4316 xp->pr_state = cpr->pr_state; in sysctl_jail_list()
4317 strlcpy(xp->pr_path, prison_path(pr, cpr), sizeof(xp->pr_path)); in sysctl_jail_list()
4318 strlcpy(xp->pr_host, cpr->pr_hostname, sizeof(xp->pr_host)); in sysctl_jail_list()
4319 strlcpy(xp->pr_name, prison_name(pr, cpr), sizeof(xp->pr_name)); in sysctl_jail_list()
4321 xp->pr_ip4s = ip4s; in sysctl_jail_list()
4324 xp->pr_ip6s = ip6s; in sysctl_jail_list()
4326 mtx_unlock(&cpr->pr_mtx); in sysctl_jail_list()
4331 if (xp->pr_ip4s > 0) { in sysctl_jail_list()
4333 xp->pr_ip4s * sizeof(struct in_addr)); in sysctl_jail_list()
4339 if (xp->pr_ip6s > 0) { in sysctl_jail_list()
4341 xp->pr_ip6s * sizeof(struct in6_addr)); in sysctl_jail_list()
4367 injail = jailed(req->td->td_ucred); in sysctl_jail_jailed()
4382 struct ucred *cred = req->td->td_ucred; in sysctl_jail_vnet()
4414 if (req->td->td_ucred->cr_prison == &prison0) { in sysctl_jail_default_allow()
4419 i = prison_allow(req->td->td_ucred, arg2); in sysctl_jail_default_allow()
4424 if (error || !req->newptr) in sysctl_jail_default_allow()
4462 "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
4474 pr = req->td->td_ucred->cr_prison; in sysctl_jail_default_level()
4477 if (error || !req->newptr) in sysctl_jail_default_level()
4504 pr = req->td->td_ucred->cr_prison; in sysctl_jail_children()
4506 switch (oidp->oid_kind & CTLTYPE) { in sysctl_jail_children()
4540 switch (oidp->oid_kind & CTLTYPE) in sysctl_jail_param()
4546 if (!(req->flags & SCTL_MASK32)) in sysctl_jail_param()
4575 "Jail value for kern.osreldate and uname -K");
4577 "Jail value for kern.osrelease and uname -r");
4581 "I", "Ruleset for in-jail devfs mounts");
4657 "B", "Jail may set system-level filesystem extended attributes");
4665 "B", "Jail may mount/unmount jail-friendly file systems in general");
4702 atomic_load_int(&bf->flag) != 0; in prison_add_allow()
4704 if (strcmp(bf->name, allow_name) == 0) { in prison_add_allow()
4705 allow_flag = bf->flag; in prison_add_allow()
4729 if (atomic_load_int(&bf->flag) == 0) in prison_add_allow()
4732 bf->name = allow_name; in prison_add_allow()
4733 bf->noname = allow_noname; in prison_add_allow()
4741 atomic_store_rel_int(&bf->flag, allow_flag); in prison_add_allow()
4745 * Create sysctls for the parameter, and the back-compat global in prison_add_allow()
4782 * The VFS system will register jail-aware filesystems here. They each get
4791 vfsp->vfc_prison_flag = prison_add_allow("mount", vfsp->vfc_name, in prison_add_vfs()
4797 vfsp->vfc_name); in prison_add_vfs()
4798 vfsp->vfc_prison_flag = prison_add_allow("mount", vfsp->vfc_name, in prison_add_vfs()
4818 (callback)(prr->prr_racct, arg2, arg3); in prison_racct_foreach()
4836 if (strcmp(name, prr->prr_name) != 0) in prison_racct_find_locked()
4846 racct_create(&prr->prr_racct); in prison_racct_find_locked()
4848 strcpy(prr->prr_name, name); in prison_racct_find_locked()
4849 refcount_init(&prr->prr_refcount, 1); in prison_racct_find_locked()
4874 refcount_acquire(&prr->prr_refcount); in prison_racct_hold()
4884 if (refcount_release(&prr->prr_refcount)) { in prison_racct_free_locked()
4885 racct_destroy(&prr->prr_racct); in prison_racct_free_locked()
4898 if (refcount_release_if_not_last(&prr->prr_refcount)) in prison_racct_free()
4914 prr = prison_racct_find_locked(pr->pr_name); in prison_racct_attach()
4917 pr->pr_prison_racct = prr; in prison_racct_attach()
4938 if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0) { in prison_racct_modify()
4944 oldprr = pr->pr_prison_racct; in prison_racct_modify()
4945 pr->pr_prison_racct = NULL; in prison_racct_modify()
4952 racct_move(pr->pr_prison_racct->prr_racct, oldprr->prr_racct); in prison_racct_modify()
4960 cred = crhold(p->p_ucred); in prison_racct_modify()
4979 if (pr->pr_prison_racct == NULL) in prison_racct_detach()
4981 prison_racct_free(pr->pr_prison_racct); in prison_racct_detach()
4982 pr->pr_prison_racct = NULL; in prison_racct_detach()
5006 db_printf(" jid = %d\n", pr->pr_id); in db_show_prison()
5007 db_printf(" name = %s\n", pr->pr_name); in db_show_prison()
5008 db_printf(" parent = %p\n", pr->pr_parent); in db_show_prison()
5009 db_printf(" ref = %d\n", pr->pr_ref); in db_show_prison()
5010 db_printf(" uref = %d\n", pr->pr_uref); in db_show_prison()
5012 pr->pr_state == PRISON_STATE_ALIVE ? "alive" : in db_show_prison()
5013 pr->pr_state == PRISON_STATE_DYING ? "dying" : in db_show_prison()
5015 db_printf(" path = %s\n", pr->pr_path); in db_show_prison()
5016 db_printf(" cpuset = %d\n", pr->pr_cpuset in db_show_prison()
5017 ? pr->pr_cpuset->cs_id : -1); in db_show_prison()
5019 db_printf(" vnet = %p\n", pr->pr_vnet); in db_show_prison()
5021 db_printf(" root = %p\n", pr->pr_root); in db_show_prison()
5022 db_printf(" securelevel = %d\n", pr->pr_securelevel); in db_show_prison()
5023 db_printf(" devfs_rsnum = %d\n", pr->pr_devfs_rsnum); in db_show_prison()
5024 db_printf(" children.max = %d\n", pr->pr_childmax); in db_show_prison()
5025 db_printf(" children.cur = %d\n", pr->pr_childcount); in db_show_prison()
5026 db_printf(" child = %p\n", LIST_FIRST(&pr->pr_children)); in db_show_prison()
5028 db_printf(" flags = 0x%x", pr->pr_flags); in db_show_prison()
5030 if (pr->pr_flags & bf->flag) in db_show_prison()
5031 db_printf(" %s", bf->name); in db_show_prison()
5035 f = pr->pr_flags & (jsf->disable | jsf->new); in db_show_prison()
5036 db_printf(" %-16s= %s\n", jsf->name, in db_show_prison()
5037 (f != 0 && f == jsf->disable) ? "disable" in db_show_prison()
5038 : (f == jsf->new) ? "new" in db_show_prison()
5041 db_printf(" allow = 0x%x", pr->pr_allow); in db_show_prison()
5044 atomic_load_int(&bf->flag) != 0; in db_show_prison()
5046 if (pr->pr_allow & bf->flag) in db_show_prison()
5047 db_printf(" %s", bf->name); in db_show_prison()
5049 db_printf(" enforce_statfs = %d\n", pr->pr_enforce_statfs); in db_show_prison()
5050 db_printf(" host.hostname = %s\n", pr->pr_hostname); in db_show_prison()
5051 db_printf(" host.domainname = %s\n", pr->pr_domainname); in db_show_prison()
5052 db_printf(" host.hostuuid = %s\n", pr->pr_hostuuid); in db_show_prison()
5053 db_printf(" host.hostid = %lu\n", pr->pr_hostid); in db_show_prison()
5055 if ((pip = pr->pr_addrs[PR_INET]) != NULL) { in db_show_prison()
5056 db_printf(" ip4s = %d\n", pip->ips); in db_show_prison()
5057 for (ii = 0; ii < pip->ips; ii++) in db_show_prison()
5066 if ((pip = pr->pr_addrs[PR_INET6]) != NULL) { in db_show_prison()
5067 db_printf(" ip6s = %d\n", pip->ips); in db_show_prison()
5068 for (ii = 0; ii < pip->ips; ii++) in db_show_prison()
5102 if (pr->pr_id == addr && pr->pr_ref > 0) in DB_SHOW_COMMAND()
5107 if (pr->pr_id == addr) in DB_SHOW_COMMAND()