1 /*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 
*/

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_ddb.h"
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_mac.h"

#include <sys/param.h>
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/sysproto.h>
#include <sys/malloc.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/taskqueue.h>
#include <sys/fcntl.h>
#include <sys/jail.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sx.h>
#include <sys/namei.h>
#include <sys/mount.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>
#include <sys/vnode.h>
#include <sys/vimage.h>
#include <sys/osd.h>
#include <net/if.h>
#include <netinet/in.h>
#ifdef DDB
#include <ddb/ddb.h>
#ifdef INET6
#include <netinet6/in6_var.h>
#endif /* INET6 */
#endif /* DDB */

#include <security/mac/mac_framework.h>

MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");

/*
 * security.jail.* tunables.  All of them are CTLFLAG_RW, i.e. they can be
 * changed at runtime; the jail-side checks below read them on every call,
 * so a change takes effect for already running jails as well.
 */
SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
    "Jail rules");

int	jail_set_hostname_allowed = 1;
SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
    &jail_set_hostname_allowed, 0,
    "Processes in jail can set their hostnames");

/* Consulted by prison_if() for address families other than AF_INET[6]. */
int	jail_socket_unixiproute_only = 1;
SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
    &jail_socket_unixiproute_only, 0,
    "Processes in jail are limited to creating UNIX/IP/route sockets only");

int	jail_sysvipc_allowed = 0;
SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
    &jail_sysvipc_allowed, 0,
    "Processes in jail can use System V IPC primitives");

/*
 * 0: jailed processes see every mount point; 2: only the jail's own root
 * mount is visible; any other value: mounts below the jail root are visible
 * with their paths rewritten (see prison_canseemount() and
 * prison_enforce_statfs()).
 */
static int jail_enforce_statfs = 2;
SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
    &jail_enforce_statfs, 0,
    "Processes in jail cannot see all mounted file systems");

int
jail_allow_raw_sockets = 0;
SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
    &jail_allow_raw_sockets, 0,
    "Prison root can create raw sockets");

/* Consulted by prison_priv_check() for PRIV_VFS_SYSFLAGS. */
int	jail_chflags_allowed = 0;
SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
    &jail_chflags_allowed, 0,
    "Processes in jail can alter system file flags");

int	jail_mount_allowed = 0;
SYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW,
    &jail_mount_allowed, 0,
    "Processes in jail can mount/unmount jail-friendly file systems");

/*
 * Upper bound for j->ip4s / j->ip6s of a version 2 jail request, enforced
 * in jail_handle_ips() before the address arrays are allocated and copied
 * in.  NOTE(review): this is a signed int compared against the request's
 * counts; if those counts are unsigned (struct jail is not shown here) a
 * negative setting would not bound them - confirm.
 */
int	jail_max_af_ips = 255;
SYSCTL_INT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
    &jail_max_af_ips, 0,
    "Number of IP addresses a jail may have at most per address family");

/* allprison, lastprid, and prisoncount are protected by allprison_lock. */
struct	prisonlist allprison;
struct	sx allprison_lock;
int	lastprid = 0;
int	prisoncount = 0;

static void		 init_prison(void *);
static void		 prison_complete(void *context, int pending);
static int		 sysctl_jail_list(SYSCTL_HANDLER_ARGS);
#ifdef INET
static int		_prison_check_ip4(struct prison *, struct in_addr *);
#endif
#ifdef INET6
static int		_prison_check_ip6(struct prison *, struct in6_addr *);
#endif

/*
 * SYSINIT hook: set up the global prison list and the lock protecting it.
 * Runs once at boot; the data argument is unused.
 */
static void
init_prison(void *data __unused)
{

	sx_init(&allprison_lock, "allprison");
	LIST_INIT(&allprison);
}

SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL);

#ifdef INET
/*
 * qsort(3)-style comparator for struct in_addr.  Orders addresses by their
 * host-byte-order value; _prison_check_ip4() relies on exactly this order
 * for its binary search.  Returns -1, 0 or 1.
 */
static int
qcmp_v4(const void *ip1, const void *ip2)
{
	in_addr_t iaa, iab;

	/*
	 * We need to compare in HBO here to get the list sorted as expected
	 * by the result of the code. Sorting NBO addresses gives you
	 * interesting results. If you do not understand, do not try.
*/
	iaa = ntohl(((const struct in_addr *)ip1)->s_addr);
	iab = ntohl(((const struct in_addr *)ip2)->s_addr);

	/*
	 * Do not simply return the difference of the two numbers, the int is
	 * not wide enough.
	 */
	if (iaa > iab)
		return (1);
	else if (iaa < iab)
		return (-1);
	else
		return (0);
}
#endif

#ifdef INET6
/*
 * qsort(3)-style comparator for struct in6_addr: bytewise comparison of
 * s6_addr, i.e. network byte order is also numeric order here.
 * _prison_check_ip6() searches by the same order.  Returns -1, 0 or 1.
 */
static int
qcmp_v6(const void *ip1, const void *ip2)
{
	const struct in6_addr *ia6a, *ia6b;
	int i, rc;

	ia6a = (const struct in6_addr *)ip1;
	ia6b = (const struct in6_addr *)ip2;

	rc = 0;
	/* Stop at the first differing byte; i < sizeof() is a signed/unsigned compare. */
	for (i=0; rc == 0 && i < sizeof(struct in6_addr); i++) {
		if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
			rc = 1;
		else if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
			rc = -1;
	}
	return (rc);
}
#endif

#if defined(INET) || defined(INET6)
/*
 * Refuse a new prison p whose addresses would make bind()ings ambiguous
 * with an existing, non-dying prison.  Must be called with allprison_lock
 * held (shared or exclusive).  Returns 0 if p may be added, EINVAL if one
 * of its addresses is already used by a prison where at least one side
 * holds more than one address of that family.
 */
static int
prison_check_conflicting_ips(struct prison *p)
{
	struct prison *pr;
	int i;

	sx_assert(&allprison_lock, SX_LOCKED);

	if (p->pr_ip4s == 0 && p->pr_ip6s == 0)
		return (0);

	LIST_FOREACH(pr, &allprison, pr_list) {
		/*
		 * Skip 'dying' prisons to avoid problems when
		 * restarting multi-IP jails.
		 */
		if (pr->pr_state == PRISON_STATE_DYING)
			continue;

		/*
		 * We permit conflicting IPs if there is no
		 * more than 1 IP on each jail.
		 * In case there is one duplicate on a jail with
		 * more than one IP stop checking and return error.
*/
#ifdef INET
		if ((p->pr_ip4s >= 1 && pr->pr_ip4s > 1) ||
		    (p->pr_ip4s > 1 && pr->pr_ip4s >= 1)) {
			for (i = 0; i < p->pr_ip4s; i++) {
				if (_prison_check_ip4(pr, &p->pr_ip4[i]))
					return (EINVAL);
			}
		}
#endif
#ifdef INET6
		if ((p->pr_ip6s >= 1 && pr->pr_ip6s > 1) ||
		    (p->pr_ip6s > 1 && pr->pr_ip6s >= 1)) {
			for (i = 0; i < p->pr_ip6s; i++) {
				if (_prison_check_ip6(pr, &p->pr_ip6[i]))
					return (EINVAL);
			}
		}
#endif
	}

	return (0);
}

/*
 * Copy the address lists of a version 2 jail request from user space into
 * M_PRISON allocations, sort all but the first entry of each list and
 * reject unusable or duplicate addresses.
 *
 * On success j->ip4 / j->ip6 are replaced by the kernel copies, which the
 * caller then owns - but only for a family whose count is non-zero.  For a
 * zero count the pointer field is NOT touched and still holds whatever user
 * space passed in, so callers must never free() it in that case.
 *
 * On error all memory allocated here is released and the error (from
 * copyin(), or EINVAL) is returned.  Note that if the IPv4 list was already
 * stored in j->ip4 when the IPv6 list fails, j->ip4 is freed here and left
 * dangling; callers must treat j as unusable after an error.
 */
static int
jail_copyin_ips(struct jail *j)
{
#ifdef INET
	struct in_addr *ip4;
#endif
#ifdef INET6
	struct in6_addr *ip6;
#endif
	int error, i;

	/*
	 * Copy in addresses, check for duplicate addresses and do some
	 * simple 0 and broadcast checks. If users give other bogus addresses
	 * it is their problem.
	 *
	 * IP addresses are all sorted but ip[0] to preserve the primary IP
	 * address as given from userland. This special IP is used for
	 * unbound outgoing connections as well for "loopback" traffic.
	 */
#ifdef INET
	ip4 = NULL;
#endif
#ifdef INET6
	ip6 = NULL;
#endif
#ifdef INET
	if (j->ip4s > 0) {
		/* j->ip4s was bounded by jail_max_af_ips in jail_handle_ips(). */
		ip4 = (struct in_addr *)malloc(j->ip4s * sizeof(struct in_addr),
		    M_PRISON, M_WAITOK | M_ZERO);
		error = copyin(j->ip4, ip4, j->ip4s * sizeof(struct in_addr));
		if (error)
			goto e_free_ip;
		/* Sort all but the first IPv4 address. */
		if (j->ip4s > 1)
			qsort((ip4 + 1), j->ip4s - 1,
			    sizeof(struct in_addr), qcmp_v4);

		/*
		 * We do not have to care about byte order for these checks
		 * so we will do them in NBO.
*/
		for (i=0; i<j->ip4s; i++) {
			if (ip4[i].s_addr == htonl(INADDR_ANY) ||
			    ip4[i].s_addr == htonl(INADDR_BROADCAST)) {
				error = EINVAL;
				goto e_free_ip;
			}
			/*
			 * Entries 1..n are sorted, so a duplicate among them
			 * is adjacent; ip4[0] is unsorted and therefore has
			 * to be compared against every other entry.
			 */
			if ((i+1) < j->ip4s &&
			    (ip4[0].s_addr == ip4[i+1].s_addr ||
			    ip4[i].s_addr == ip4[i+1].s_addr)) {
				error = EINVAL;
				goto e_free_ip;
			}
		}

		j->ip4 = ip4;
	}
#endif
#ifdef INET6
	if (j->ip6s > 0) {
		/* j->ip6s was bounded by jail_max_af_ips in jail_handle_ips(). */
		ip6 = (struct in6_addr *)malloc(j->ip6s * sizeof(struct in6_addr),
		    M_PRISON, M_WAITOK | M_ZERO);
		error = copyin(j->ip6, ip6, j->ip6s * sizeof(struct in6_addr));
		if (error)
			goto e_free_ip;
		/* Sort all but the first IPv6 address. */
		if (j->ip6s > 1)
			qsort((ip6 + 1), j->ip6s - 1,
			    sizeof(struct in6_addr), qcmp_v6);
		for (i=0; i<j->ip6s; i++) {
			if (IN6_IS_ADDR_UNSPECIFIED(&ip6[i])) {
				error = EINVAL;
				goto e_free_ip;
			}
			/* Same duplicate rule as for IPv4: ip6[0] is unsorted. */
			if ((i+1) < j->ip6s &&
			    (IN6_ARE_ADDR_EQUAL(&ip6[0], &ip6[i+1]) ||
			    IN6_ARE_ADDR_EQUAL(&ip6[i], &ip6[i+1]))) {
				error = EINVAL;
				goto e_free_ip;
			}
		}

		j->ip6 = ip6;
	}
#endif
	return (0);

e_free_ip:
	/* free(NULL) is fine for a family that was never allocated. */
#ifdef INET6
	free(ip6, M_PRISON);
#endif
#ifdef INET
	free(ip4, M_PRISON);
#endif
	return (error);
}
#endif /* INET || INET6 */

/*
 * Bring the address part of a jail request into its in-kernel form,
 * whatever API version it was submitted with:
 *   version 0: ip4s carries a single host-byte-order IPv4 address, which is
 *              moved into a freshly allocated one-entry list;
 *   version 1: never supported, EINVAL;
 *   version 2: counts are bounded by jail_max_af_ips (or must be 0 for a
 *              family the kernel lacks) and the lists are copied in by
 *              jail_copyin_ips().
 * Returns 0 or an errno; on success the lists in j are kernel memory
 * owned by the caller (see jail_copyin_ips() for the zero-count caveat).
 */
static int
jail_handle_ips(struct jail *j)
{
#if defined(INET) || defined(INET6)
	int error;
#endif

	/*
	 * Finish conversion for older versions, copyin and setup IPs.
	 */
	switch (j->version) {
	case 0:
	{
#ifdef INET
		/* FreeBSD single IPv4 jails. */
		struct in_addr *ip4;

		if (j->ip4s == INADDR_ANY || j->ip4s == INADDR_BROADCAST)
			return (EINVAL);
		ip4 = (struct in_addr *)malloc(sizeof(struct in_addr),
		    M_PRISON, M_WAITOK | M_ZERO);

		/*
		 * Jail version 0 still used HBO for the IPv4 address.
*/
		ip4->s_addr = htonl(j->ip4s);
		j->ip4s = 1;
		j->ip4 = ip4;
		break;
#else
		return (EINVAL);
#endif
	}

	case 1:
		/*
		 * Version 1 was used by multi-IPv4 jail implementations
		 * that never made it into the official kernel.
		 * We should never hit this here; jail() should catch it.
		 */
		return (EINVAL);

	case 2:	/* JAIL_API_VERSION */
		/* FreeBSD multi-IPv4/IPv6,noIP jails. */
#if defined(INET) || defined(INET6)
#ifdef INET
		if (j->ip4s > jail_max_af_ips)
			return (EINVAL);
#else
		if (j->ip4s != 0)
			return (EINVAL);
#endif
#ifdef INET6
		if (j->ip6s > jail_max_af_ips)
			return (EINVAL);
#else
		if (j->ip6s != 0)
			return (EINVAL);
#endif
		error = jail_copyin_ips(j);
		if (error)
			return (error);
#endif
		break;

	default:
		/* Sci-Fi jails are not supported, sorry. */
		return (EINVAL);
	}

	return (0);
}


/*
 * struct jail_args {
 *	struct jail *jail;
 * };
 */
/*
 * jail(2) system call.  Peeks at the version word of the user's struct,
 * copies in the matching layout and hands a struct jail to kern_jail().
 * Only the version and the (user space) pointers/counts are read here;
 * every string and address list is copied in later by kern_jail() and
 * jail_handle_ips().  Returns 0 or an errno.
 */
int
jail(struct thread *td, struct jail_args *uap)
{
	uint32_t version;
	int error;
	struct jail j;

	error = copyin(uap->jail, &version, sizeof(uint32_t));
	if (error)
		return (error);

	switch (version) {
	case 0:
		/* FreeBSD single IPv4 jails. */
	{
		struct jail_v0 j0;

		/*
		 * bzero() leaves jailname, ip6s, ip4 and ip6 zeroed; the
		 * version 0 layout has no equivalents for them.
		 */
		bzero(&j, sizeof(struct jail));
		error = copyin(uap->jail, &j0, sizeof(struct jail_v0));
		if (error)
			return (error);
		j.version = j0.version;
		j.path = j0.path;
		j.hostname = j0.hostname;
		j.ip4s = j0.ip_number;
		break;
	}

	case 1:
		/*
		 * Version 1 was used by multi-IPv4 jail implementations
		 * that never made it into the official kernel.
		 */
		return (EINVAL);

	case 2:	/* JAIL_API_VERSION */
		/*
		 * The whole struct, including the user pointers ip4/ip6 and
		 * a second copy of the version word, is taken verbatim;
		 * jail_handle_ips() dispatches on j.version, not on the
		 * local read above.
		 */
		/* FreeBSD multi-IPv4/IPv6,noIP jails.
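*/
		error = copyin(uap->jail, &j, sizeof(struct jail));
		if (error)
			return (error);
		break;

	default:
		/* Sci-Fi jails are not supported, sorry. */
		return (EINVAL);
	}
	return (kern_jail(td, &j));
}

/*
 * Create a new prison from a struct jail whose strings and address lists
 * still point to user space (jail_handle_ips() copies the lists in), add it
 * to allprison and attach the calling process to it via jail_attach().
 *
 * On success the new jail id is stored in td->td_retval[0] and the address
 * lists now belong to the prison (freed by prison_complete()).  On failure
 * everything allocated here is released, including the address lists that
 * jail_handle_ips() allocated into j.  Returns 0 or an errno.
 */
int
kern_jail(struct thread *td, struct jail *j)
{
	struct nameidata nd;
	struct prison *pr, *tpr;
	struct jail_attach_args jaa;
	int vfslocked, error, tryprid;

	KASSERT(j != NULL, ("%s: j is NULL", __func__));

	/* Handle addresses - convert old structs, copyin, check IPs. */
	error = jail_handle_ips(j);
	if (error)
		return (error);

	/* Allocate struct prison and fill it with life. */
	pr = malloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
	mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF);
	pr->pr_ref = 1;
	error = copyinstr(j->path, &pr->pr_path, sizeof(pr->pr_path), NULL);
	if (error)
		goto e_killmtx;
	NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE,
	    pr->pr_path, td);
	error = namei(&nd);
	if (error)
		goto e_killmtx;
	vfslocked = NDHASGIANT(&nd);
	/* Keep the vnode reference (dropped at e_dropvnref / prison_complete()). */
	pr->pr_root = nd.ni_vp;
	VOP_UNLOCK(nd.ni_vp, 0);
	NDFREE(&nd, NDF_ONLY_PNBUF);
	VFS_UNLOCK_GIANT(vfslocked);
	error = copyinstr(j->hostname, &pr->pr_host, sizeof(pr->pr_host), NULL);
	if (error)
		goto e_dropvnref;
	if (j->jailname != NULL) {
		error = copyinstr(j->jailname, &pr->pr_name,
		    sizeof(pr->pr_name), NULL);
		if (error)
			goto e_dropvnref;
	}
	/*
	 * Only take over the lists that jail_handle_ips() actually
	 * allocated; M_ZERO already left pr_ip4/pr_ip6 NULL otherwise.
	 */
	if (j->ip4s > 0) {
		pr->pr_ip4 = j->ip4;
		pr->pr_ip4s = j->ip4s;
	}
#ifdef INET6
	if (j->ip6s > 0) {
		pr->pr_ip6 = j->ip6;
		pr->pr_ip6s = j->ip6s;
	}
#endif
	pr->pr_linux = NULL;
	pr->pr_securelevel = securelevel;
	bzero(&pr->pr_osd, sizeof(pr->pr_osd));

	/*
	 * Pre-set prison state to ALIVE upon creation. This is needed so we
	 * can later attach the process to it, etc (avoiding another extra
	 * state for the process of creation, complicating things).
	 */
	pr->pr_state = PRISON_STATE_ALIVE;

	/* Allocate a dedicated cpuset for each jail. */
	error = cpuset_create_root(td, &pr->pr_cpuset);
	if (error)
		goto e_dropvnref;

	sx_xlock(&allprison_lock);
	/* Make sure we cannot run into problems with ambiguous bind()ings. */
#if defined(INET) || defined(INET6)
	error = prison_check_conflicting_ips(pr);
	if (error) {
		sx_xunlock(&allprison_lock);
		goto e_dropcpuset;
	}
#endif

	/*
	 * Determine next pr_id and add prison to allprison list.  Ids wrap
	 * at JAIL_MAX and skip 0; every candidate is checked against the
	 * whole list, restarting the scan after each collision.
	 */
	tryprid = lastprid + 1;
	if (tryprid == JAIL_MAX)
		tryprid = 1;
next:
	LIST_FOREACH(tpr, &allprison, pr_list) {
		if (tpr->pr_id == tryprid) {
			tryprid++;
			if (tryprid == JAIL_MAX) {
				sx_xunlock(&allprison_lock);
				error = EAGAIN;
				goto e_dropcpuset;
			}
			goto next;
		}
	}
	pr->pr_id = jaa.jid = lastprid = tryprid;
	LIST_INSERT_HEAD(&allprison, pr, pr_list);
	prisoncount++;
	sx_xunlock(&allprison_lock);

	/*
	 * The prison is now visible to jail_attach() from other threads.
	 * NOTE(review): if our own attach below fails, e_dropprref tears the
	 * prison down without consulting pr_ref, although another privileged
	 * process may already have attached to jaa.jid in the meantime -
	 * confirm whether that window needs to be closed.
	 */
	error = jail_attach(td, &jaa);
	if (error)
		goto e_dropprref;
	/* Drop the creation reference; the attached credential holds its own. */
	mtx_lock(&pr->pr_mtx);
	pr->pr_ref--;
	mtx_unlock(&pr->pr_mtx);
	td->td_retval[0] = jaa.jid;
	return (0);
e_dropprref:
	sx_xlock(&allprison_lock);
	LIST_REMOVE(pr, pr_list);
	prisoncount--;
	sx_xunlock(&allprison_lock);
e_dropcpuset:
	cpuset_rel(pr->pr_cpuset);
e_dropvnref:
	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
	vrele(pr->pr_root);
	VFS_UNLOCK_GIANT(vfslocked);
e_killmtx:
	mtx_destroy(&pr->pr_mtx);
	free(pr, M_PRISON);
	/*
	 * jail_copyin_ips() replaces j->ip4 / j->ip6 with kernel allocations
	 * only when the respective count is non-zero.  With a zero count the
	 * field still holds whatever the caller passed in - for a version 2
	 * request that is the raw, unvalidated user pointer - and must not be
	 * handed to free().  The same guard covers the !INET6 case, where
	 * jail_handle_ips() already rejected a non-zero ip6s.
	 */
#ifdef INET6
	if (j->ip6s > 0)
		free(j->ip6, M_PRISON);
#endif
#ifdef INET
	if (j->ip4s > 0)
		free(j->ip4, M_PRISON);
#endif
	return (error);
}

/*
 * struct jail_attach_args {
 *	int jid;
 * };
 */
/*
 * jail_attach(2): move the calling process into the prison with id
 * uap->jid.  Requires PRIV_JAIL_ATTACH; the prison must exist, be
 * referenced and be ALIVE.  On success the process root, cpuset and
 * credential are switched and the prison reference taken here is kept by
 * the new credential; on failure the reference is dropped again.
 * Returns 0 or an errno (EINVAL for an unknown or non-alive jid).
 */
int
jail_attach(struct thread *td, struct jail_attach_args *uap)
{
	struct proc *p;
	struct ucred *newcred, *oldcred;
	struct prison *pr;
	int vfslocked, error;

	/*
	 * XXX: Note that there is a slight race here if two threads
	 * in the same privileged process attempt to attach to two
	 * different jails at the same time. It is important for
	 * user processes not to do this, or they might end up with
	 * a process root from one prison, but attached to the jail
	 * of another.
	 */
	error = priv_check(td, PRIV_JAIL_ATTACH);
	if (error)
		return (error);

	p = td->td_proc;
	sx_slock(&allprison_lock);
	/* prison_find() returns the prison with pr_mtx held. */
	pr = prison_find(uap->jid);
	if (pr == NULL) {
		sx_sunlock(&allprison_lock);
		return (EINVAL);
	}

	/*
	 * Do not allow a process to attach to a prison that is not
	 * considered to be "ALIVE".
	 */
	if (pr->pr_state != PRISON_STATE_ALIVE) {
		mtx_unlock(&pr->pr_mtx);
		sx_sunlock(&allprison_lock);
		return (EINVAL);
	}
	pr->pr_ref++;
	mtx_unlock(&pr->pr_mtx);
	sx_sunlock(&allprison_lock);

	/*
	 * Reparent the newly attached process to this jail.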
*/
	error = cpuset_setproc_update_set(p, pr->pr_cpuset);
	if (error)
		goto e_unref;

	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
	vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY);
	/*
	 * NOTE(review): change_dir() is called before the MAC chroot check;
	 * confirm it only validates the vnode here and does not already
	 * switch the working directory, or a MAC denial would leave the
	 * process half-moved.
	 */
	if ((error = change_dir(pr->pr_root, td)) != 0)
		goto e_unlock;
#ifdef MAC
	if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
		goto e_unlock;
#endif
	VOP_UNLOCK(pr->pr_root, 0);
	change_root(pr->pr_root, td);
	VFS_UNLOCK_GIANT(vfslocked);

	/*
	 * Swap in a credential that carries the prison.  The prison
	 * reference taken above is now owned by newcred; setsugid() marks
	 * the process as having changed privilege.
	 */
	newcred = crget();
	PROC_LOCK(p);
	oldcred = p->p_ucred;
	setsugid(p);
	crcopy(newcred, oldcred);
	newcred->cr_prison = pr;
	p->p_ucred = newcred;
	prison_proc_hold(pr);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);
e_unlock:
	VOP_UNLOCK(pr->pr_root, 0);
	VFS_UNLOCK_GIANT(vfslocked);
e_unref:
	mtx_lock(&pr->pr_mtx);
	pr->pr_ref--;
	mtx_unlock(&pr->pr_mtx);
	return (error);
}

/*
 * Returns a locked prison instance, or NULL on failure.
*/
/*
 * Look up a prison by id.  allprison_lock must be held by the caller.
 * On success the prison is returned with pr_mtx held; a prison whose
 * reference count has already dropped to 0 is treated as not found.
 */
struct prison *
prison_find(int prid)
{
	struct prison *pr;

	sx_assert(&allprison_lock, SX_LOCKED);
	LIST_FOREACH(pr, &allprison, pr_list) {
		if (pr->pr_id == prid) {
			mtx_lock(&pr->pr_mtx);
			if (pr->pr_ref == 0) {
				mtx_unlock(&pr->pr_mtx);
				break;
			}
			return (pr);
		}
	}
	return (NULL);
}

/*
 * Drop one reference; pr_mtx must be held and is released on every path.
 * When the last reference goes away the actual teardown is deferred to
 * prison_complete() on taskqueue_thread, so this is safe to call from
 * contexts that cannot sleep on allprison_lock.
 */
void
prison_free_locked(struct prison *pr)
{

	mtx_assert(&pr->pr_mtx, MA_OWNED);
	pr->pr_ref--;
	if (pr->pr_ref == 0) {
		mtx_unlock(&pr->pr_mtx);
		TASK_INIT(&pr->pr_task, 0, prison_complete, pr);
		taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
		return;
	}
	mtx_unlock(&pr->pr_mtx);
}

/* Unlocked variant of prison_free_locked(). */
void
prison_free(struct prison *pr)
{

	mtx_lock(&pr->pr_mtx);
	prison_free_locked(pr);
}

/*
 * Taskqueue handler that finishes destroying a prison once its reference
 * count hit 0: unlinks it from allprison, releases cpuset, OSD slots, the
 * root vnode and all memory owned by the prison.  pending is unused.
 */
static void
prison_complete(void *context, int pending)
{
	struct prison *pr;
	int vfslocked;

	pr = (struct prison *)context;

	sx_xlock(&allprison_lock);
	LIST_REMOVE(pr, pr_list);
	prisoncount--;
	sx_xunlock(&allprison_lock);

	cpuset_rel(pr->pr_cpuset);

	/* Free all OSD associated to this jail.
*/
	osd_jail_exit(pr);

	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
	vrele(pr->pr_root);
	VFS_UNLOCK_GIANT(vfslocked);

	mtx_destroy(&pr->pr_mtx);
	free(pr->pr_linux, M_PRISON);
	/*
	 * The address lists were handed over by kern_jail(); they are NULL
	 * (free() no-op) for a family the jail has no addresses of.
	 */
#ifdef INET6
	free(pr->pr_ip6, M_PRISON);
#endif
#ifdef INET
	free(pr->pr_ip4, M_PRISON);
#endif
	free(pr, M_PRISON);
}

/*
 * Take a reference on a prison that is still referenced; pr_mtx must be
 * held.  Holding a prison whose count already reached 0 is a bug
 * (it may be in the middle of prison_complete()).
 */
void
prison_hold_locked(struct prison *pr)
{

	mtx_assert(&pr->pr_mtx, MA_OWNED);
	KASSERT(pr->pr_ref > 0,
	    ("Trying to hold dead prison (id=%d).", pr->pr_id));
	pr->pr_ref++;
}

/* Unlocked variant of prison_hold_locked(). */
void
prison_hold(struct prison *pr)
{

	mtx_lock(&pr->pr_mtx);
	prison_hold_locked(pr);
	mtx_unlock(&pr->pr_mtx);
}

/*
 * Account a process entering the prison.  Only ALIVE prisons accept new
 * processes; the counter is what keeps the prison from turning DYING.
 */
void
prison_proc_hold(struct prison *pr)
{

	mtx_lock(&pr->pr_mtx);
	KASSERT(pr->pr_state == PRISON_STATE_ALIVE,
	    ("Cannot add a process to a non-alive prison (id=%d).", pr->pr_id));
	pr->pr_nprocs++;
	mtx_unlock(&pr->pr_mtx);
}

/*
 * Account a process leaving the prison.  When the last one goes the
 * prison becomes DYING: prison_check_conflicting_ips() then ignores its
 * addresses and jail_attach() refuses it.  This does not touch pr_ref.
 */
void
prison_proc_free(struct prison *pr)
{

	mtx_lock(&pr->pr_mtx);
	KASSERT(pr->pr_state == PRISON_STATE_ALIVE && pr->pr_nprocs > 0,
	    ("Trying to kill a process in a dead prison (id=%d).", pr->pr_id));
	pr->pr_nprocs--;
	if (pr->pr_nprocs == 0)
		pr->pr_state = PRISON_STATE_DYING;
	mtx_unlock(&pr->pr_mtx);
}


#ifdef INET
/*
 * Pass back primary IPv4 address of this jail.
 *
 * If not jailed return success but do not alter the address. Caller has to
 * make sure to initialize it correctly (INADDR_ANY).
 *
 * Returns 0 on success, 1 on error. Address returned in NBO.
 */
int
prison_getip4(struct ucred *cred, struct in_addr *ia)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));

	if (!jailed(cred))
		/* Do not change address passed in.
*/
		return (0);

	/* A jail without IPv4 addresses has no primary address to report. */
	if (cred->cr_prison->pr_ip4 == NULL)
		return (1);

	ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
	return (0);
}

/*
 * Make sure our (source) address is set to something meaningful to this
 * jail.
 *
 * Loopback is rewritten to the primary address.  INADDR_ANY is rewritten
 * to the primary address only when the jail has exactly one address;
 * with several addresses it is passed through unchanged (return 0) for the
 * caller to resolve.  Any other address must belong to the jail.
 *
 * Returns 0 on success, 1 on error. Address passed in in NBO and returned
 * in NBO.
 */
int
prison_local_ip4(struct ucred *cred, struct in_addr *ia)
{
	struct in_addr ia0;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));

	if (!jailed(cred))
		return (0);
	if (cred->cr_prison->pr_ip4 == NULL)
		return (1);

	/* ia0 is the HBO copy used for the INADDR_* comparisons. */
	ia0.s_addr = ntohl(ia->s_addr);
	if (ia0.s_addr == INADDR_LOOPBACK) {
		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
		return (0);
	}

	/*
	 * In case there is only 1 IPv4 address, bind directly.
	 */
	if (ia0.s_addr == INADDR_ANY && cred->cr_prison->pr_ip4s == 1) {
		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
		return (0);
	}

	if (ia0.s_addr == INADDR_ANY || prison_check_ip4(cred, ia))
		return (0);

	return (1);
}

/*
 * Rewrite destination address in case we will connect to loopback address.
 *
 * Returns 0 on success, 1 on error. Address passed in in NBO and returned
 * in NBO.
 */
int
prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));

	if (!jailed(cred))
		return (0);
	if (cred->cr_prison->pr_ip4 == NULL)
		return (1);
	if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
		return (0);
	}

	/*
	 * Return success because nothing had to be changed.
	 */
	return (0);
}

/*
 * Check if given address belongs to the jail referenced by cred.
 *
 * Returns 1 if address belongs to jail, 0 if not. Address passed in in NBO.
 */
static int
_prison_check_ip4(struct prison *pr, struct in_addr *ia)
{
	int i, a, z, d;

	if (pr->pr_ip4 == NULL)
		return (0);

	/*
	 * Check the primary IP.
	 */
	if (pr->pr_ip4[0].s_addr == ia->s_addr)
		return (1);

	/*
	 * All the other IPs are sorted so we can do a binary search.
	 * Indices a..z address pr_ip4[1..pr_ip4s-1] (hence the i+1); with a
	 * single address z starts at -1 and the loop is skipped.  The
	 * comparison must be qcmp_v4(), the order qsort() was given.
	 */
	a = 0;
	z = pr->pr_ip4s - 2;
	while (a <= z) {
		i = (a + z) / 2;
		d = qcmp_v4(&pr->pr_ip4[i+1], ia);
		if (d > 0)
			z = i - 1;
		else if (d < 0)
			a = i + 1;
		else
			return (1);
	}
	return (0);
}

/*
 * Credential-based wrapper around _prison_check_ip4().  An unjailed
 * credential may use any address, so the answer is 1 for it.
 */
int
prison_check_ip4(struct ucred *cred, struct in_addr *ia)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));

	if (!jailed(cred))
		return (1);

	return (_prison_check_ip4(cred->cr_prison, ia));
}
#endif

#ifdef INET6
/*
 * Pass back primary IPv6 address for this jail.
 *
 * If not jailed return success but do not alter the address. Caller has to
 * make sure to initialize it correctly (IN6ADDR_ANY_INIT).
 *
 * Returns 0 on success, 1 on error.
 */
int
prison_getip6(struct ucred *cred, struct in6_addr *ia6)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	if (!jailed(cred))
		return (0);
	if (cred->cr_prison->pr_ip6 == NULL)
		return (1);
	bcopy(&cred->cr_prison->pr_ip6[0], ia6, sizeof(struct in6_addr));
	return (0);
}

/*
 * Make sure our (source) address is set to something meaningful to this jail.
 *
 * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
 * when needed while binding.
 *
 * Returns 0 on success, 1 on error.
*/
/*
 * IPv6 counterpart of prison_local_ip4().  Loopback is rewritten to the
 * primary address; the unspecified address is rewritten only for a
 * single-address jail and only when v6only is set, otherwise it is passed
 * through unchanged.  Any other address must belong to the jail.
 */
int
prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	if (!jailed(cred))
		return (0);
	if (cred->cr_prison->pr_ip6 == NULL)
		return (1);
	if (IN6_IS_ADDR_LOOPBACK(ia6)) {
		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
		    sizeof(struct in6_addr));
		return (0);
	}

	/*
	 * In case there is only 1 IPv6 address, and v6only is true, then
	 * bind directly.
	 */
	if (v6only != 0 && IN6_IS_ADDR_UNSPECIFIED(ia6) &&
	    cred->cr_prison->pr_ip6s == 1) {
		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
		    sizeof(struct in6_addr));
		return (0);
	}
	if (IN6_IS_ADDR_UNSPECIFIED(ia6) || prison_check_ip6(cred, ia6))
		return (0);
	return (1);
}

/*
 * Rewrite destination address in case we will connect to loopback address.
 *
 * Returns 0 on success, 1 on error.
 */
int
prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	if (!jailed(cred))
		return (0);
	if (cred->cr_prison->pr_ip6 == NULL)
		return (1);
	if (IN6_IS_ADDR_LOOPBACK(ia6)) {
		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
		    sizeof(struct in6_addr));
		return (0);
	}

	/*
	 * Return success because nothing had to be changed.
	 */
	return (0);
}

/*
 * Check if given address belongs to the jail referenced by cred.
 *
 * Returns 1 if address belongs to jail, 0 if not.
 */
static int
_prison_check_ip6(struct prison *pr, struct in6_addr *ia6)
{
	int i, a, z, d;

	if (pr->pr_ip6 == NULL)
		return (0);

	/*
	 * Check the primary IP.
*/
	if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0], ia6))
		return (1);

	/*
	 * All the other IPs are sorted so we can do a binary search.
	 * Same layout as _prison_check_ip4(): a..z cover pr_ip6[1..n-1],
	 * a single-address jail skips the loop, and the order is qcmp_v6().
	 */
	a = 0;
	z = pr->pr_ip6s - 2;
	while (a <= z) {
		i = (a + z) / 2;
		d = qcmp_v6(&pr->pr_ip6[i+1], ia6);
		if (d > 0)
			z = i - 1;
		else if (d < 0)
			a = i + 1;
		else
			return (1);
	}
	return (0);
}

/*
 * Credential-based wrapper around _prison_check_ip6().  An unjailed
 * credential may use any address, so the answer is 1 for it.
 */
int
prison_check_ip6(struct ucred *cred, struct in6_addr *ia6)
{

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	if (!jailed(cred))
		return (1);

	return (_prison_check_ip6(cred->cr_prison, ia6));
}
#endif

/*
 * Check if given address belongs to the jail referenced by cred (wrapper to
 * prison_check_ip[46]).
 *
 * Returns 1 if address belongs to jail, 0 if not. IPv4 Address passed in in
 * NBO.
 *
 * For every other address family (and for AF_INET/AF_INET6 in a kernel
 * built without that family) the answer depends solely on the
 * security.jail.socket_unixiproute_only sysctl; jailed() is not consulted
 * on that path.  NOTE(review): sa is cast by family without a sa_len
 * check - assumed to be validated by the caller.
 */
int
prison_if(struct ucred *cred, struct sockaddr *sa)
{
#ifdef INET
	struct sockaddr_in *sai;
#endif
#ifdef INET6
	struct sockaddr_in6 *sai6;
#endif
	int ok;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(sa != NULL, ("%s: sa is NULL", __func__));

	ok = 0;
	switch(sa->sa_family)
	{
#ifdef INET
	case AF_INET:
		sai = (struct sockaddr_in *)sa;
		if (prison_check_ip4(cred, &sai->sin_addr))
			ok = 1;
		break;

#endif
#ifdef INET6
	case AF_INET6:
		sai6 = (struct sockaddr_in6 *)sa;
		if (prison_check_ip6(cred, (struct in6_addr *)&sai6->sin6_addr))
			ok = 1;
		break;

#endif
	default:
		if (!jail_socket_unixiproute_only)
			ok = 1;
	}
	return (ok);
}

/*
 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
*/
/*
 * The check is one-sided: an unjailed cred1 may act on anything, while a
 * jailed cred1 may only act on credentials in the very same prison
 * (pointer identity, not id comparison).
 */
int
prison_check(struct ucred *cred1, struct ucred *cred2)
{

	if (jailed(cred1)) {
		if (!jailed(cred2))
			return (ESRCH);
		if (cred2->cr_prison != cred1->cr_prison)
			return (ESRCH);
	}

	return (0);
}

/*
 * Return 1 if the passed credential is in a jail, otherwise 0.
 */
int
jailed(struct ucred *cred)
{

	return (cred->cr_prison != NULL);
}

/*
 * Return the correct hostname for the passed credential.
 *
 * Copies at most size bytes (NUL-terminated via strlcpy) into buf: the
 * prison's hostname under pr_mtx for a jailed credential, otherwise the
 * vimage hostname under hostname_mtx.
 */
void
getcredhostname(struct ucred *cred, char *buf, size_t size)
{
	INIT_VPROCG(cred->cr_vimage->v_procg);

	if (jailed(cred)) {
		mtx_lock(&cred->cr_prison->pr_mtx);
		strlcpy(buf, cred->cr_prison->pr_host, size);
		mtx_unlock(&cred->cr_prison->pr_mtx);
	} else {
		mtx_lock(&hostname_mtx);
		strlcpy(buf, V_hostname, size);
		mtx_unlock(&hostname_mtx);
	}
}

/*
 * Determine whether the subject represented by cred can "see"
 * status of a mount point.
 * Returns: 0 for permitted, ENOENT otherwise.
 * XXX: This function should be called cr_canseemount() and should be
 * placed in kern_prot.c.
 *
 * Visibility is decided textually: pr_path is the path string given at
 * jail creation and is compared against the mount's f_mntonname, so the
 * jail root mount is always visible, enforce_statfs == 2 hides everything
 * else, and otherwise only mounts at or below pr_path are visible.
 */
int
prison_canseemount(struct ucred *cred, struct mount *mp)
{
	struct prison *pr;
	struct statfs *sp;
	size_t len;

	if (!jailed(cred) || jail_enforce_statfs == 0)
		return (0);
	pr = cred->cr_prison;
	if (pr->pr_root->v_mount == mp)
		return (0);
	if (jail_enforce_statfs == 2)
		return (ENOENT);
	/*
	 * If jail's chroot directory is set to "/" we should be able to see
	 * all mount-points from inside a jail.
	 * This is ugly check, but this is the only situation when jail's
	 * directory ends with '/'.
*/
	if (strcmp(pr->pr_path, "/") == 0)
		return (0);
	len = strlen(pr->pr_path);
	sp = &mp->mnt_stat;
	if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0)
		return (ENOENT);
	/*
	 * Be sure that we don't have situation where jail's root directory
	 * is "/some/path" and mount point is "/some/pathpath".
	 * NOTE(review): pr_path is not normalized at creation; a value with
	 * a trailing '/' other than "/" itself would fail this boundary test
	 * for every sub-mount - confirm whether that is intended.
	 */
	if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/')
		return (ENOENT);
	return (0);
}

/*
 * Rewrite sp->f_mntonname for a jailed caller so that paths are relative
 * to the jail root: the root mount becomes "/", mounts the jail may not see
 * become "[restricted]", and mounts below pr_path have that prefix
 * stripped.  Relies on prison_canseemount() having verified that pr_path
 * is a proper path prefix of f_mntonname before the prefix is removed.
 * Does nothing for unjailed callers or when enforce_statfs is 0.
 */
void
prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp)
{
	char jpath[MAXPATHLEN];
	struct prison *pr;
	size_t len;

	if (!jailed(cred) || jail_enforce_statfs == 0)
		return;
	pr = cred->cr_prison;
	if (prison_canseemount(cred, mp) != 0) {
		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
		strlcpy(sp->f_mntonname, "[restricted]",
		    sizeof(sp->f_mntonname));
		return;
	}
	if (pr->pr_root->v_mount == mp) {
		/*
		 * Clear current buffer data, so we are sure nothing from
		 * the valid path left there.
		 */
		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
		*sp->f_mntonname = '/';
		return;
	}
	/*
	 * If jail's chroot directory is set to "/" we should be able to see
	 * all mount-points from inside a jail.
	 */
	if (strcmp(pr->pr_path, "/") == 0)
		return;
	len = strlen(pr->pr_path);
	/* Safe: prison_canseemount() guaranteed f_mntonname starts with pr_path. */
	strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath));
	/*
	 * Clear current buffer data, so we are sure nothing from
	 * the valid path left there.
	 */
	bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
	if (*jpath == '\0') {
		/* Should never happen. */
		*sp->f_mntonname = '/';
	} else {
		strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname));
	}
}

/*
 * Check with permission for a specific privilege is granted within jail. We
 * have a specific list of accepted privileges; the rest are denied.
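*/
int
prison_priv_check(struct ucred *cred, int priv)
{

	/* Privilege checks only bite for jailed credentials. */
	if (!jailed(cred))
		return (0);

	/*
	 * This is an allow-list: every privilege listed below is granted
	 * (some conditionally on a security.jail.* knob); the default arm
	 * denies everything else with EPERM.
	 */
	switch (priv) {

	/*
	 * Allow ktrace privileges for root in jail.
	 */
	case PRIV_KTRACE:

#if 0
	/*
	 * Allow jailed processes to configure audit identity and
	 * submit audit records (login, etc).  In the future we may
	 * want to further refine the relationship between audit and
	 * jail.
	 */
	case PRIV_AUDIT_GETAUDIT:
	case PRIV_AUDIT_SETAUDIT:
	case PRIV_AUDIT_SUBMIT:
#endif

	/*
	 * Allow jailed processes to manipulate process UNIX
	 * credentials in any way they see fit.
	 */
	case PRIV_CRED_SETUID:
	case PRIV_CRED_SETEUID:
	case PRIV_CRED_SETGID:
	case PRIV_CRED_SETEGID:
	case PRIV_CRED_SETGROUPS:
	case PRIV_CRED_SETREUID:
	case PRIV_CRED_SETREGID:
	case PRIV_CRED_SETRESUID:
	case PRIV_CRED_SETRESGID:

	/*
	 * Jail implements visibility constraints already, so allow
	 * jailed root to override uid/gid-based constraints.
	 */
	case PRIV_SEEOTHERGIDS:
	case PRIV_SEEOTHERUIDS:

	/*
	 * Jail implements inter-process debugging limits already, so
	 * allow jailed root various debugging privileges.
	 */
	case PRIV_DEBUG_DIFFCRED:
	case PRIV_DEBUG_SUGID:
	case PRIV_DEBUG_UNPRIV:

	/*
	 * Allow jail to set various resource limits and login
	 * properties, and for now, exceed process resource limits.
	 */
	case PRIV_PROC_LIMIT:
	case PRIV_PROC_SETLOGIN:
	case PRIV_PROC_SETRLIMIT:

	/*
	 * System V and POSIX IPC privileges are granted in jail.
	 */
	case PRIV_IPC_READ:
	case PRIV_IPC_WRITE:
	case PRIV_IPC_ADMIN:
	case PRIV_IPC_MSGSIZE:
	case PRIV_MQ_ADMIN:

	/*
	 * Jail implements its own inter-process limits, so allow
	 * root processes in jail to change scheduling on other
	 * processes in the same jail.  Likewise for signalling.
	 */
	case PRIV_SCHED_DIFFCRED:
	case PRIV_SCHED_CPUSET:
	case PRIV_SIGNAL_DIFFCRED:
	case PRIV_SIGNAL_SUGID:

	/*
	 * Allow jailed processes to write to sysctls marked as jail
	 * writable.
	 */
	case PRIV_SYSCTL_WRITEJAIL:

	/*
	 * Allow root in jail to manage a variety of quota
	 * properties.  These should likely be conditional on a
	 * configuration option.
	 */
	case PRIV_VFS_GETQUOTA:
	case PRIV_VFS_SETQUOTA:

	/*
	 * Since Jail relies on chroot() to implement file system
	 * protections, grant many VFS privileges to root in jail.
	 * Be careful to exclude mount-related and NFS-related
	 * privileges.
	 */
	case PRIV_VFS_READ:
	case PRIV_VFS_WRITE:
	case PRIV_VFS_ADMIN:
	case PRIV_VFS_EXEC:
	case PRIV_VFS_LOOKUP:
	case PRIV_VFS_BLOCKRESERVE:	/* XXXRW: Slightly surprising. */
	case PRIV_VFS_CHFLAGS_DEV:
	case PRIV_VFS_CHOWN:
	case PRIV_VFS_CHROOT:
	case PRIV_VFS_RETAINSUGID:
	case PRIV_VFS_FCHROOT:
	case PRIV_VFS_LINK:
	case PRIV_VFS_SETGID:
	case PRIV_VFS_STAT:
	case PRIV_VFS_STICKYFILE:
		return (0);

	/*
	 * Depending on the global setting, allow privilege of
	 * setting system flags.
	 */
	case PRIV_VFS_SYSFLAGS:
		if (jail_chflags_allowed)
			return (0);
		else
			return (EPERM);

	/*
	 * Depending on the global setting, allow privilege of
	 * mounting/unmounting file systems.
	 */
	case PRIV_VFS_MOUNT:
	case PRIV_VFS_UNMOUNT:
	case PRIV_VFS_MOUNT_NONUSER:
	case PRIV_VFS_MOUNT_OWNER:
		if (jail_mount_allowed)
			return (0);
		else
			return (EPERM);

	/*
	 * Allow jailed root to bind reserved ports and reuse in-use
	 * ports.
	 */
	case PRIV_NETINET_RESERVEDPORT:
	case PRIV_NETINET_REUSEPORT:
		return (0);

	/*
	 * Allow jailed root to set certain IPv4/6 (option) headers.
	 */
	case PRIV_NETINET_SETHDROPTS:
		return (0);

	/*
	 * Conditionally allow creating raw sockets in jail.
	 */
	case PRIV_NETINET_RAW:
		if (jail_allow_raw_sockets)
			return (0);
		else
			return (EPERM);

	/*
	 * Since jail implements its own visibility limits on netstat
	 * sysctls, allow getcred.  This allows identd to work in
	 * jail.
	 */
	case PRIV_NETINET_GETCRED:
		return (0);

	default:
		/*
		 * In all remaining cases, deny the privilege request.  This
		 * includes almost all network privileges, many system
		 * configuration privileges.
		 */
		return (EPERM);
	}
}

/*
 * security.jail.list: hand userland one struct xprison per prison, each
 * immediately followed by its IPv4 and IPv6 address arrays (their counts
 * travel in xp->pr_ip4s / xp->pr_ip6s).
 *
 * A jailed requester gets an empty but successful answer rather than an
 * error, so other prisons stay invisible from inside a jail.  The prison
 * list is walked under a shared allprison_lock; the copyout to userland
 * is only started once that lock has been dropped.
 */
static int
sysctl_jail_list(SYSCTL_HANDLER_ARGS)
{
	struct xprison *xp, *sxp;
	struct prison *pr;
	char *p;
	size_t len;
	int count, error;

	if (jailed(req->td->td_ucred))
		return (0);

	sx_slock(&allprison_lock);
	if ((count = prisoncount) == 0) {
		sx_sunlock(&allprison_lock);
		return (0);
	}

	/* First pass: size the fixed headers plus every address array. */
	len = sizeof(*xp) * count;
	LIST_FOREACH(pr, &allprison, pr_list) {
#ifdef INET
		len += pr->pr_ip4s * sizeof(struct in_addr);
#endif
#ifdef INET6
		len += pr->pr_ip6s * sizeof(struct in6_addr);
#endif
	}

	/*
	 * Every byte of this buffer reaches userland, so start from zeros
	 * (M_ZERO) rather than whatever the allocator hands back.
	 */
	sxp = xp = malloc(len, M_TEMP, M_WAITOK | M_ZERO);

	/* Second pass: fill the records in list order. */
	LIST_FOREACH(pr, &allprison, pr_list) {
		xp->pr_version = XPRISON_VERSION;
		xp->pr_id = pr->pr_id;
		xp->pr_state = pr->pr_state;
		xp->pr_cpusetid = pr->pr_cpuset->cs_id;
		strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path));
		/* pr_host and pr_name are protected by the prison mutex. */
		mtx_lock(&pr->pr_mtx);
		strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host));
		strlcpy(xp->pr_name, pr->pr_name, sizeof(xp->pr_name));
		mtx_unlock(&pr->pr_mtx);
#ifdef INET
		xp->pr_ip4s = pr->pr_ip4s;
#endif
#ifdef INET6
		xp->pr_ip6s = pr->pr_ip6s;
#endif
		/* The variable-length address arrays follow the header. */
		p = (char *)(xp + 1);
#ifdef INET
		if (pr->pr_ip4s > 0) {
			bcopy(pr->pr_ip4, (struct in_addr *)p,
			    pr->pr_ip4s * sizeof(struct in_addr));
			p += (pr->pr_ip4s * sizeof(struct in_addr));
		}
#endif
#ifdef INET6
		if (pr->pr_ip6s > 0) {
			bcopy(pr->pr_ip6, (struct in6_addr *)p,
			    pr->pr_ip6s * sizeof(struct in6_addr));
			p += (pr->pr_ip6s * sizeof(struct in6_addr));
		}
#endif
		xp = (struct xprison *)p;
	}
	sx_sunlock(&allprison_lock);

	error = SYSCTL_OUT(req, sxp, len);
	free(sxp, M_TEMP);
	return (error);
}

SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD,
    NULL, 0, sysctl_jail_list, "S", "List of active jails");

/*
 * security.jail.jailed: report (as an int) whether the requesting
 * thread's credential is inside a jail.
 */
static int
sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
{
	int error, injail;

	injail = jailed(req->td->td_ucred);
	error = SYSCTL_OUT(req, &injail, sizeof(injail));

	return (error);
}
SYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD,
    NULL, 0, sysctl_jail_jailed, "I", "Process in jail?");

#ifdef DDB
/*
 * "show jails" debugger command: dump every prison on allprison with
 * its counters, hostname, path, name, state, cpuset id and addresses.
 * Runs from the debugger, so no locks are taken; output stops early
 * when the pager is quit.
 */
DB_SHOW_COMMAND(jails, db_show_jails)
{
	struct prison *pr;
#ifdef INET
	struct in_addr ia;
#endif
#ifdef INET6
	char ip6buf[INET6_ADDRSTRLEN];
#endif
	const char *state;
#if defined(INET) || defined(INET6)
	int i;
#endif

	db_printf(
	    " JID pr_ref pr_nprocs pr_ip4s pr_ip6s\n");
	db_printf(
	    " Hostname Path\n");
	db_printf(
	    " Name State\n");
	db_printf(
	    " Cpusetid\n");
	db_printf(
	    " IP Address(es)\n");
	LIST_FOREACH(pr, &allprison, pr_list) {
		db_printf("%6d %6d %9d %7d %7d\n",
		    pr->pr_id, pr->pr_ref, pr->pr_nprocs,
		    pr->pr_ip4s, pr->pr_ip6s);
		db_printf("%6s %-29.29s %.74s\n",
		    "", pr->pr_host, pr->pr_path);
		/*
		 * pr_state indexes prison_states[]; the upper bound is
		 * exclusive, so a state equal to the element count must be
		 * treated as bogus rather than read one past the array.
		 */
		if (pr->pr_state < 0 || pr->pr_state >= (int)((sizeof(
		    prison_states) / sizeof(struct prison_state))))
			state = "(bogus)";
		else
			state = prison_states[pr->pr_state].state_name;
		db_printf("%6s %-29.29s %.74s\n",
		    "", (pr->pr_name != NULL) ? pr->pr_name : "", state);
		db_printf("%6s %-6d\n",
		    "", pr->pr_cpuset->cs_id);
#ifdef INET
		for (i = 0; i < pr->pr_ip4s; i++) {
			ia.s_addr = pr->pr_ip4[i].s_addr;
			db_printf("%6s %s\n", "", inet_ntoa(ia));
		}
#endif
#ifdef INET6
		for (i = 0; i < pr->pr_ip6s; i++)
			db_printf("%6s %s\n",
			    "", ip6_sprintf(ip6buf, &pr->pr_ip6[i]));
#endif /* INET6 */
		if (db_pager_quit)
			break;
	}
}
#endif /* DDB */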