1 /*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include "opt_ddb.h" 32 #include "opt_inet.h" 33 #include "opt_inet6.h" 34 #include "opt_mac.h" 35 36 #include <sys/param.h> 37 #include <sys/types.h> 38 #include <sys/kernel.h> 39 #include <sys/systm.h> 40 #include <sys/errno.h> 41 #include <sys/sysproto.h> 42 #include <sys/malloc.h> 43 #include <sys/priv.h> 44 #include <sys/proc.h> 45 #include <sys/taskqueue.h> 46 #include <sys/fcntl.h> 47 #include <sys/jail.h> 48 #include <sys/lock.h> 49 #include <sys/mutex.h> 50 #include <sys/sx.h> 51 #include <sys/namei.h> 52 #include <sys/mount.h> 53 #include <sys/queue.h> 54 #include <sys/socket.h> 55 #include <sys/syscallsubr.h> 56 #include <sys/sysctl.h> 57 #include <sys/vnode.h> 58 #include <sys/vimage.h> 59 #include <sys/osd.h> 60 #include <net/if.h> 61 #include <netinet/in.h> 62 #ifdef DDB 63 #include <ddb/ddb.h> 64 #ifdef INET6 65 #include <netinet6/in6_var.h> 66 #endif /* INET6 */ 67 #endif /* DDB */ 68 69 #include <security/mac/mac_framework.h> 70 71 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); 72 73 SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, 74 "Jail rules"); 75 76 int jail_set_hostname_allowed = 1; 77 SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW, 78 &jail_set_hostname_allowed, 0, 79 "Processes in jail can set their hostnames"); 80 81 int jail_socket_unixiproute_only = 1; 82 SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, 83 &jail_socket_unixiproute_only, 0, 84 "Processes in jail are limited to creating UNIX/IP/route sockets only"); 85 86 int jail_sysvipc_allowed = 0; 87 SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, 88 &jail_sysvipc_allowed, 0, 89 "Processes in jail can use System V IPC primitives"); 90 91 static int jail_enforce_statfs = 2; 92 SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW, 93 &jail_enforce_statfs, 0, 94 "Processes in jail cannot see all mounted file systems"); 95 96 int jail_allow_raw_sockets = 0; 97 SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, 98 &jail_allow_raw_sockets, 0, 99 "Prison root can create raw sockets"); 100 101 int jail_chflags_allowed = 0; 102 SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, 103 &jail_chflags_allowed, 0, 104 "Processes in jail can alter system file flags"); 105 106 int jail_mount_allowed = 0; 107 SYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW, 108 &jail_mount_allowed, 0, 109 "Processes in jail can mount/unmount jail-friendly file systems"); 110 111 int jail_max_af_ips = 255; 112 SYSCTL_INT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW, 113 &jail_max_af_ips, 0, 114 "Number of IP addresses a jail may have at most per address family"); 115 116 /* allprison, lastprid, and prisoncount are protected by allprison_lock. */ 117 struct prisonlist allprison; 118 struct sx allprison_lock; 119 int lastprid = 0; 120 int prisoncount = 0; 121 122 static void init_prison(void *); 123 static void prison_complete(void *context, int pending); 124 static int sysctl_jail_list(SYSCTL_HANDLER_ARGS); 125 #ifdef INET 126 static int _prison_check_ip4(struct prison *, struct in_addr *); 127 #endif 128 #ifdef INET6 129 static int _prison_check_ip6(struct prison *, struct in6_addr *); 130 #endif 131 132 static void 133 init_prison(void *data __unused) 134 { 135 136 sx_init(&allprison_lock, "allprison"); 137 LIST_INIT(&allprison); 138 } 139 140 SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL); 141 142 #ifdef INET 143 static int 144 qcmp_v4(const void *ip1, const void *ip2) 145 { 146 in_addr_t iaa, iab; 147 148 /* 149 * We need to compare in HBO here to get the list sorted as expected 150 * by the result of the code. Sorting NBO addresses gives you 151 * interesting results. If you do not understand, do not try. 152 */ 153 iaa = ntohl(((const struct in_addr *)ip1)->s_addr); 154 iab = ntohl(((const struct in_addr *)ip2)->s_addr); 155 156 /* 157 * Do not simply return the difference of the two numbers, the int is 158 * not wide enough. 159 */ 160 if (iaa > iab) 161 return (1); 162 else if (iaa < iab) 163 return (-1); 164 else 165 return (0); 166 } 167 #endif 168 169 #ifdef INET6 170 static int 171 qcmp_v6(const void *ip1, const void *ip2) 172 { 173 const struct in6_addr *ia6a, *ia6b; 174 int i, rc; 175 176 ia6a = (const struct in6_addr *)ip1; 177 ia6b = (const struct in6_addr *)ip2; 178 179 rc = 0; 180 for (i=0; rc == 0 && i < sizeof(struct in6_addr); i++) { 181 if (ia6a->s6_addr[i] > ia6b->s6_addr[i]) 182 rc = 1; 183 else if (ia6a->s6_addr[i] < ia6b->s6_addr[i]) 184 rc = -1; 185 } 186 return (rc); 187 } 188 #endif 189 190 #if defined(INET) || defined(INET6) 191 static int 192 prison_check_conflicting_ips(struct prison *p) 193 { 194 struct prison *pr; 195 int i; 196 197 sx_assert(&allprison_lock, SX_LOCKED); 198 199 if (p->pr_ip4s == 0 && p->pr_ip6s == 0) 200 return (0); 201 202 LIST_FOREACH(pr, &allprison, pr_list) { 203 /* 204 * Skip 'dying' prisons to avoid problems when 205 * restarting multi-IP jails. 206 */ 207 if (pr->pr_state == PRISON_STATE_DYING) 208 continue; 209 210 /* 211 * We permit conflicting IPs if there is no 212 * more than 1 IP on eeach jail. 213 * In case there is one duplicate on a jail with 214 * more than one IP stop checking and return error. 215 */ 216 #ifdef INET 217 if ((p->pr_ip4s >= 1 && pr->pr_ip4s > 1) || 218 (p->pr_ip4s > 1 && pr->pr_ip4s >= 1)) { 219 for (i = 0; i < p->pr_ip4s; i++) { 220 if (_prison_check_ip4(pr, &p->pr_ip4[i]) == 0) 221 return (EINVAL); 222 } 223 } 224 #endif 225 #ifdef INET6 226 if ((p->pr_ip6s >= 1 && pr->pr_ip6s > 1) || 227 (p->pr_ip6s > 1 && pr->pr_ip6s >= 1)) { 228 for (i = 0; i < p->pr_ip6s; i++) { 229 if (_prison_check_ip6(pr, &p->pr_ip6[i]) == 0) 230 return (EINVAL); 231 } 232 } 233 #endif 234 } 235 236 return (0); 237 } 238 239 static int 240 jail_copyin_ips(struct jail *j) 241 { 242 #ifdef INET 243 struct in_addr *ip4; 244 #endif 245 #ifdef INET6 246 struct in6_addr *ip6; 247 #endif 248 int error, i; 249 250 /* 251 * Copy in addresses, check for duplicate addresses and do some 252 * simple 0 and broadcast checks. If users give other bogus addresses 253 * it is their problem. 254 * 255 * IP addresses are all sorted but ip[0] to preserve the primary IP 256 * address as given from userland. This special IP is used for 257 * unbound outgoing connections as well for "loopback" traffic. 258 */ 259 #ifdef INET 260 ip4 = NULL; 261 #endif 262 #ifdef INET6 263 ip6 = NULL; 264 #endif 265 #ifdef INET 266 if (j->ip4s > 0) { 267 ip4 = (struct in_addr *)malloc(j->ip4s * sizeof(struct in_addr), 268 M_PRISON, M_WAITOK | M_ZERO); 269 error = copyin(j->ip4, ip4, j->ip4s * sizeof(struct in_addr)); 270 if (error) 271 goto e_free_ip; 272 /* Sort all but the first IPv4 address. */ 273 if (j->ip4s > 1) 274 qsort((ip4 + 1), j->ip4s - 1, 275 sizeof(struct in_addr), qcmp_v4); 276 277 /* 278 * We do not have to care about byte order for these checks 279 * so we will do them in NBO. 280 */ 281 for (i=0; i<j->ip4s; i++) { 282 if (ip4[i].s_addr == htonl(INADDR_ANY) || 283 ip4[i].s_addr == htonl(INADDR_BROADCAST)) { 284 error = EINVAL; 285 goto e_free_ip; 286 } 287 if ((i+1) < j->ip4s && 288 (ip4[0].s_addr == ip4[i+1].s_addr || 289 ip4[i].s_addr == ip4[i+1].s_addr)) { 290 error = EINVAL; 291 goto e_free_ip; 292 } 293 } 294 295 j->ip4 = ip4; 296 } else 297 j->ip4 = NULL; 298 #endif 299 #ifdef INET6 300 if (j->ip6s > 0) { 301 ip6 = (struct in6_addr *)malloc(j->ip6s * sizeof(struct in6_addr), 302 M_PRISON, M_WAITOK | M_ZERO); 303 error = copyin(j->ip6, ip6, j->ip6s * sizeof(struct in6_addr)); 304 if (error) 305 goto e_free_ip; 306 /* Sort all but the first IPv6 address. */ 307 if (j->ip6s > 1) 308 qsort((ip6 + 1), j->ip6s - 1, 309 sizeof(struct in6_addr), qcmp_v6); 310 for (i=0; i<j->ip6s; i++) { 311 if (IN6_IS_ADDR_UNSPECIFIED(&ip6[i])) { 312 error = EINVAL; 313 goto e_free_ip; 314 } 315 if ((i+1) < j->ip6s && 316 (IN6_ARE_ADDR_EQUAL(&ip6[0], &ip6[i+1]) || 317 IN6_ARE_ADDR_EQUAL(&ip6[i], &ip6[i+1]))) { 318 error = EINVAL; 319 goto e_free_ip; 320 } 321 } 322 323 j->ip6 = ip6; 324 } else 325 j->ip6 = NULL; 326 #endif 327 return (0); 328 329 e_free_ip: 330 #ifdef INET6 331 free(ip6, M_PRISON); 332 #endif 333 #ifdef INET 334 free(ip4, M_PRISON); 335 #endif 336 return (error); 337 } 338 #endif /* INET || INET6 */ 339 340 static int 341 jail_handle_ips(struct jail *j) 342 { 343 #if defined(INET) || defined(INET6) 344 int error; 345 #endif 346 347 /* 348 * Finish conversion for older versions, copyin and setup IPs. 349 */ 350 switch (j->version) { 351 case 0: 352 { 353 #ifdef INET 354 /* FreeBSD single IPv4 jails. */ 355 struct in_addr *ip4; 356 357 if (j->ip4s == INADDR_ANY || j->ip4s == INADDR_BROADCAST) 358 return (EINVAL); 359 ip4 = (struct in_addr *)malloc(sizeof(struct in_addr), 360 M_PRISON, M_WAITOK | M_ZERO); 361 362 /* 363 * Jail version 0 still used HBO for the IPv4 address. 364 */ 365 ip4->s_addr = htonl(j->ip4s); 366 j->ip4s = 1; 367 j->ip4 = ip4; 368 break; 369 #else 370 return (EINVAL); 371 #endif 372 } 373 374 case 1: 375 /* 376 * Version 1 was used by multi-IPv4 jail implementations 377 * that never made it into the official kernel. 378 * We should never hit this here; jail() should catch it. 379 */ 380 return (EINVAL); 381 382 case 2: /* JAIL_API_VERSION */ 383 /* FreeBSD multi-IPv4/IPv6,noIP jails. */ 384 #if defined(INET) || defined(INET6) 385 #ifdef INET 386 if (j->ip4s > jail_max_af_ips) 387 return (EINVAL); 388 #else 389 if (j->ip4s != 0) 390 return (EINVAL); 391 #endif 392 #ifdef INET6 393 if (j->ip6s > jail_max_af_ips) 394 return (EINVAL); 395 #else 396 if (j->ip6s != 0) 397 return (EINVAL); 398 #endif 399 error = jail_copyin_ips(j); 400 if (error) 401 return (error); 402 #endif 403 break; 404 405 default: 406 /* Sci-Fi jails are not supported, sorry. */ 407 return (EINVAL); 408 } 409 410 return (0); 411 } 412 413 414 /* 415 * struct jail_args { 416 * struct jail *jail; 417 * }; 418 */ 419 int 420 jail(struct thread *td, struct jail_args *uap) 421 { 422 uint32_t version; 423 int error; 424 struct jail j; 425 426 error = copyin(uap->jail, &version, sizeof(uint32_t)); 427 if (error) 428 return (error); 429 430 switch (version) { 431 case 0: 432 /* FreeBSD single IPv4 jails. */ 433 { 434 struct jail_v0 j0; 435 436 bzero(&j, sizeof(struct jail)); 437 error = copyin(uap->jail, &j0, sizeof(struct jail_v0)); 438 if (error) 439 return (error); 440 j.version = j0.version; 441 j.path = j0.path; 442 j.hostname = j0.hostname; 443 j.ip4s = j0.ip_number; 444 break; 445 } 446 447 case 1: 448 /* 449 * Version 1 was used by multi-IPv4 jail implementations 450 * that never made it into the official kernel. 451 */ 452 return (EINVAL); 453 454 case 2: /* JAIL_API_VERSION */ 455 /* FreeBSD multi-IPv4/IPv6,noIP jails. */ 456 error = copyin(uap->jail, &j, sizeof(struct jail)); 457 if (error) 458 return (error); 459 break; 460 461 default: 462 /* Sci-Fi jails are not supported, sorry. */ 463 return (EINVAL); 464 } 465 return (kern_jail(td, &j)); 466 } 467 468 int 469 kern_jail(struct thread *td, struct jail *j) 470 { 471 struct nameidata nd; 472 struct prison *pr, *tpr; 473 struct jail_attach_args jaa; 474 int vfslocked, error, tryprid; 475 476 KASSERT(j != NULL, ("%s: j is NULL", __func__)); 477 478 /* Handle addresses - convert old structs, copyin, check IPs. */ 479 error = jail_handle_ips(j); 480 if (error) 481 return (error); 482 483 /* Allocate struct prison and fill it with life. */ 484 pr = malloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO); 485 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF); 486 pr->pr_ref = 1; 487 error = copyinstr(j->path, &pr->pr_path, sizeof(pr->pr_path), NULL); 488 if (error) 489 goto e_killmtx; 490 NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE, 491 pr->pr_path, td); 492 error = namei(&nd); 493 if (error) 494 goto e_killmtx; 495 vfslocked = NDHASGIANT(&nd); 496 pr->pr_root = nd.ni_vp; 497 VOP_UNLOCK(nd.ni_vp, 0); 498 NDFREE(&nd, NDF_ONLY_PNBUF); 499 VFS_UNLOCK_GIANT(vfslocked); 500 error = copyinstr(j->hostname, &pr->pr_host, sizeof(pr->pr_host), NULL); 501 if (error) 502 goto e_dropvnref; 503 if (j->jailname != NULL) { 504 error = copyinstr(j->jailname, &pr->pr_name, 505 sizeof(pr->pr_name), NULL); 506 if (error) 507 goto e_dropvnref; 508 } 509 if (j->ip4s > 0) { 510 pr->pr_ip4 = j->ip4; 511 pr->pr_ip4s = j->ip4s; 512 } 513 #ifdef INET6 514 if (j->ip6s > 0) { 515 pr->pr_ip6 = j->ip6; 516 pr->pr_ip6s = j->ip6s; 517 } 518 #endif 519 pr->pr_linux = NULL; 520 pr->pr_securelevel = securelevel; 521 bzero(&pr->pr_osd, sizeof(pr->pr_osd)); 522 523 /* 524 * Pre-set prison state to ALIVE upon cration. This is needed so we 525 * can later attach the process to it, etc (avoiding another extra 526 * state for ther process of creation, complicating things). 527 */ 528 pr->pr_state = PRISON_STATE_ALIVE; 529 530 /* Allocate a dedicated cpuset for each jail. */ 531 error = cpuset_create_root(td, &pr->pr_cpuset); 532 if (error) 533 goto e_dropvnref; 534 535 sx_xlock(&allprison_lock); 536 /* Make sure we cannot run into problems with ambiguous bind()ings. */ 537 #if defined(INET) || defined(INET6) 538 error = prison_check_conflicting_ips(pr); 539 if (error) { 540 sx_xunlock(&allprison_lock); 541 goto e_dropcpuset; 542 } 543 #endif 544 545 /* Determine next pr_id and add prison to allprison list. */ 546 tryprid = lastprid + 1; 547 if (tryprid == JAIL_MAX) 548 tryprid = 1; 549 next: 550 LIST_FOREACH(tpr, &allprison, pr_list) { 551 if (tpr->pr_id == tryprid) { 552 tryprid++; 553 if (tryprid == JAIL_MAX) { 554 sx_xunlock(&allprison_lock); 555 error = EAGAIN; 556 goto e_dropcpuset; 557 } 558 goto next; 559 } 560 } 561 pr->pr_id = jaa.jid = lastprid = tryprid; 562 LIST_INSERT_HEAD(&allprison, pr, pr_list); 563 prisoncount++; 564 sx_xunlock(&allprison_lock); 565 566 error = jail_attach(td, &jaa); 567 if (error) 568 goto e_dropprref; 569 mtx_lock(&pr->pr_mtx); 570 pr->pr_ref--; 571 mtx_unlock(&pr->pr_mtx); 572 td->td_retval[0] = jaa.jid; 573 return (0); 574 e_dropprref: 575 sx_xlock(&allprison_lock); 576 LIST_REMOVE(pr, pr_list); 577 prisoncount--; 578 sx_xunlock(&allprison_lock); 579 e_dropcpuset: 580 cpuset_rel(pr->pr_cpuset); 581 e_dropvnref: 582 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 583 vrele(pr->pr_root); 584 VFS_UNLOCK_GIANT(vfslocked); 585 e_killmtx: 586 mtx_destroy(&pr->pr_mtx); 587 free(pr, M_PRISON); 588 #ifdef INET6 589 free(j->ip6, M_PRISON); 590 #endif 591 #ifdef INET 592 free(j->ip4, M_PRISON); 593 #endif 594 return (error); 595 } 596 597 /* 598 * struct jail_attach_args { 599 * int jid; 600 * }; 601 */ 602 int 603 jail_attach(struct thread *td, struct jail_attach_args *uap) 604 { 605 struct proc *p; 606 struct ucred *newcred, *oldcred; 607 struct prison *pr; 608 int vfslocked, error; 609 610 /* 611 * XXX: Note that there is a slight race here if two threads 612 * in the same privileged process attempt to attach to two 613 * different jails at the same time. It is important for 614 * user processes not to do this, or they might end up with 615 * a process root from one prison, but attached to the jail 616 * of another. 617 */ 618 error = priv_check(td, PRIV_JAIL_ATTACH); 619 if (error) 620 return (error); 621 622 p = td->td_proc; 623 sx_slock(&allprison_lock); 624 pr = prison_find(uap->jid); 625 if (pr == NULL) { 626 sx_sunlock(&allprison_lock); 627 return (EINVAL); 628 } 629 630 /* 631 * Do not allow a process to attach to a prison that is not 632 * considered to be "ALIVE". 633 */ 634 if (pr->pr_state != PRISON_STATE_ALIVE) { 635 mtx_unlock(&pr->pr_mtx); 636 sx_sunlock(&allprison_lock); 637 return (EINVAL); 638 } 639 pr->pr_ref++; 640 mtx_unlock(&pr->pr_mtx); 641 sx_sunlock(&allprison_lock); 642 643 /* 644 * Reparent the newly attached process to this jail. 645 */ 646 error = cpuset_setproc_update_set(p, pr->pr_cpuset); 647 if (error) 648 goto e_unref; 649 650 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 651 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY); 652 if ((error = change_dir(pr->pr_root, td)) != 0) 653 goto e_unlock; 654 #ifdef MAC 655 if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root))) 656 goto e_unlock; 657 #endif 658 VOP_UNLOCK(pr->pr_root, 0); 659 change_root(pr->pr_root, td); 660 VFS_UNLOCK_GIANT(vfslocked); 661 662 newcred = crget(); 663 PROC_LOCK(p); 664 oldcred = p->p_ucred; 665 setsugid(p); 666 crcopy(newcred, oldcred); 667 newcred->cr_prison = pr; 668 p->p_ucred = newcred; 669 prison_proc_hold(pr); 670 PROC_UNLOCK(p); 671 crfree(oldcred); 672 return (0); 673 e_unlock: 674 VOP_UNLOCK(pr->pr_root, 0); 675 VFS_UNLOCK_GIANT(vfslocked); 676 e_unref: 677 mtx_lock(&pr->pr_mtx); 678 pr->pr_ref--; 679 mtx_unlock(&pr->pr_mtx); 680 return (error); 681 } 682 683 /* 684 * Returns a locked prison instance, or NULL on failure. 685 */ 686 struct prison * 687 prison_find(int prid) 688 { 689 struct prison *pr; 690 691 sx_assert(&allprison_lock, SX_LOCKED); 692 LIST_FOREACH(pr, &allprison, pr_list) { 693 if (pr->pr_id == prid) { 694 mtx_lock(&pr->pr_mtx); 695 if (pr->pr_ref == 0) { 696 mtx_unlock(&pr->pr_mtx); 697 break; 698 } 699 return (pr); 700 } 701 } 702 return (NULL); 703 } 704 705 void 706 prison_free_locked(struct prison *pr) 707 { 708 709 mtx_assert(&pr->pr_mtx, MA_OWNED); 710 pr->pr_ref--; 711 if (pr->pr_ref == 0) { 712 mtx_unlock(&pr->pr_mtx); 713 TASK_INIT(&pr->pr_task, 0, prison_complete, pr); 714 taskqueue_enqueue(taskqueue_thread, &pr->pr_task); 715 return; 716 } 717 mtx_unlock(&pr->pr_mtx); 718 } 719 720 void 721 prison_free(struct prison *pr) 722 { 723 724 mtx_lock(&pr->pr_mtx); 725 prison_free_locked(pr); 726 } 727 728 static void 729 prison_complete(void *context, int pending) 730 { 731 struct prison *pr; 732 int vfslocked; 733 734 pr = (struct prison *)context; 735 736 sx_xlock(&allprison_lock); 737 LIST_REMOVE(pr, pr_list); 738 prisoncount--; 739 sx_xunlock(&allprison_lock); 740 741 cpuset_rel(pr->pr_cpuset); 742 743 /* Free all OSD associated to this jail. */ 744 osd_jail_exit(pr); 745 746 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 747 vrele(pr->pr_root); 748 VFS_UNLOCK_GIANT(vfslocked); 749 750 mtx_destroy(&pr->pr_mtx); 751 free(pr->pr_linux, M_PRISON); 752 #ifdef INET6 753 free(pr->pr_ip6, M_PRISON); 754 #endif 755 #ifdef INET 756 free(pr->pr_ip4, M_PRISON); 757 #endif 758 free(pr, M_PRISON); 759 } 760 761 void 762 prison_hold_locked(struct prison *pr) 763 { 764 765 mtx_assert(&pr->pr_mtx, MA_OWNED); 766 KASSERT(pr->pr_ref > 0, 767 ("Trying to hold dead prison (id=%d).", pr->pr_id)); 768 pr->pr_ref++; 769 } 770 771 void 772 prison_hold(struct prison *pr) 773 { 774 775 mtx_lock(&pr->pr_mtx); 776 prison_hold_locked(pr); 777 mtx_unlock(&pr->pr_mtx); 778 } 779 780 void 781 prison_proc_hold(struct prison *pr) 782 { 783 784 mtx_lock(&pr->pr_mtx); 785 KASSERT(pr->pr_state == PRISON_STATE_ALIVE, 786 ("Cannot add a process to a non-alive prison (id=%d).", pr->pr_id)); 787 pr->pr_nprocs++; 788 mtx_unlock(&pr->pr_mtx); 789 } 790 791 void 792 prison_proc_free(struct prison *pr) 793 { 794 795 mtx_lock(&pr->pr_mtx); 796 KASSERT(pr->pr_state == PRISON_STATE_ALIVE && pr->pr_nprocs > 0, 797 ("Trying to kill a process in a dead prison (id=%d).", pr->pr_id)); 798 pr->pr_nprocs--; 799 if (pr->pr_nprocs == 0) 800 pr->pr_state = PRISON_STATE_DYING; 801 mtx_unlock(&pr->pr_mtx); 802 } 803 804 805 #ifdef INET 806 /* 807 * Pass back primary IPv4 address of this jail. 808 * 809 * If not jailed return success but do not alter the address. Caller has to 810 * make sure to intialize it correctly (e.g. INADDR_ANY). 811 * 812 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4. 813 * Address returned in NBO. 814 */ 815 int 816 prison_get_ip4(struct ucred *cred, struct in_addr *ia) 817 { 818 819 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 820 KASSERT(ia != NULL, ("%s: ia is NULL", __func__)); 821 822 if (!jailed(cred)) 823 /* Do not change address passed in. */ 824 return (0); 825 826 if (cred->cr_prison->pr_ip4 == NULL) 827 return (EAFNOSUPPORT); 828 829 ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr; 830 return (0); 831 } 832 833 /* 834 * Make sure our (source) address is set to something meaningful to this 835 * jail. 836 * 837 * Returns 0 if not jailed or if address belongs to jail, EADDRNOTAVAIL if 838 * the address doesn't belong, or EAFNOSUPPORT if the jail doesn't allow IPv4. 839 * Address passed in in NBO and returned in NBO. 840 */ 841 int 842 prison_local_ip4(struct ucred *cred, struct in_addr *ia) 843 { 844 struct in_addr ia0; 845 846 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 847 KASSERT(ia != NULL, ("%s: ia is NULL", __func__)); 848 849 if (!jailed(cred)) 850 return (0); 851 if (cred->cr_prison->pr_ip4 == NULL) 852 return (EAFNOSUPPORT); 853 854 ia0.s_addr = ntohl(ia->s_addr); 855 if (ia0.s_addr == INADDR_LOOPBACK) { 856 ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr; 857 return (0); 858 } 859 860 if (ia0.s_addr == INADDR_ANY) { 861 /* 862 * In case there is only 1 IPv4 address, bind directly. 863 */ 864 if (cred->cr_prison->pr_ip4s == 1) 865 ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr; 866 return (0); 867 } 868 869 return (_prison_check_ip4(cred->cr_prison, ia)); 870 } 871 872 /* 873 * Rewrite destination address in case we will connect to loopback address. 874 * 875 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4. 876 * Address passed in in NBO and returned in NBO. 877 */ 878 int 879 prison_remote_ip4(struct ucred *cred, struct in_addr *ia) 880 { 881 882 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 883 KASSERT(ia != NULL, ("%s: ia is NULL", __func__)); 884 885 if (!jailed(cred)) 886 return (0); 887 if (cred->cr_prison->pr_ip4 == NULL) 888 return (EAFNOSUPPORT); 889 890 if (ntohl(ia->s_addr) == INADDR_LOOPBACK) { 891 ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr; 892 return (0); 893 } 894 895 /* 896 * Return success because nothing had to be changed. 897 */ 898 return (0); 899 } 900 901 /* 902 * Check if given address belongs to the jail referenced by cred/prison. 903 * 904 * Returns 0 if not jailed or if address belongs to jail, EADDRNOTAVAIL if 905 * the address doesn't belong, or EAFNOSUPPORT if the jail doesn't allow IPv4. 906 * Address passed in in NBO. 907 */ 908 static int 909 _prison_check_ip4(struct prison *pr, struct in_addr *ia) 910 { 911 int i, a, z, d; 912 913 /* 914 * Check the primary IP. 915 */ 916 if (pr->pr_ip4[0].s_addr == ia->s_addr) 917 return (0); 918 919 /* 920 * All the other IPs are sorted so we can do a binary search. 921 */ 922 a = 0; 923 z = pr->pr_ip4s - 2; 924 while (a <= z) { 925 i = (a + z) / 2; 926 d = qcmp_v4(&pr->pr_ip4[i+1], ia); 927 if (d > 0) 928 z = i - 1; 929 else if (d < 0) 930 a = i + 1; 931 else 932 return (0); 933 } 934 935 return (EADDRNOTAVAIL); 936 } 937 938 int 939 prison_check_ip4(struct ucred *cred, struct in_addr *ia) 940 { 941 942 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 943 KASSERT(ia != NULL, ("%s: ia is NULL", __func__)); 944 945 if (!jailed(cred)) 946 return (0); 947 if (cred->cr_prison->pr_ip4 == NULL) 948 return (EAFNOSUPPORT); 949 950 return (_prison_check_ip4(cred->cr_prison, ia)); 951 } 952 #endif 953 954 #ifdef INET6 955 /* 956 * Pass back primary IPv6 address for this jail. 957 * 958 * If not jailed return success but do not alter the address. Caller has to 959 * make sure to intialize it correctly (e.g. IN6ADDR_ANY_INIT). 960 * 961 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6. 962 */ 963 int 964 prison_get_ip6(struct ucred *cred, struct in6_addr *ia6) 965 { 966 967 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 968 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__)); 969 970 if (!jailed(cred)) 971 return (0); 972 if (cred->cr_prison->pr_ip6 == NULL) 973 return (EAFNOSUPPORT); 974 975 bcopy(&cred->cr_prison->pr_ip6[0], ia6, sizeof(struct in6_addr)); 976 return (0); 977 } 978 979 /* 980 * Make sure our (source) address is set to something meaningful to this jail. 981 * 982 * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0) 983 * when needed while binding. 984 * 985 * Returns 0 if not jailed or if address belongs to jail, EADDRNOTAVAIL if 986 * the address doesn't belong, or EAFNOSUPPORT if the jail doesn't allow IPv6. 987 */ 988 int 989 prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only) 990 { 991 992 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 993 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__)); 994 995 if (!jailed(cred)) 996 return (0); 997 if (cred->cr_prison->pr_ip6 == NULL) 998 return (EAFNOSUPPORT); 999 1000 if (IN6_IS_ADDR_LOOPBACK(ia6)) { 1001 bcopy(&cred->cr_prison->pr_ip6[0], ia6, 1002 sizeof(struct in6_addr)); 1003 return (0); 1004 } 1005 1006 if (IN6_IS_ADDR_UNSPECIFIED(ia6)) { 1007 /* 1008 * In case there is only 1 IPv6 address, and v6only is true, 1009 * then bind directly. 1010 */ 1011 if (v6only != 0 && cred->cr_prison->pr_ip6s == 1) 1012 bcopy(&cred->cr_prison->pr_ip6[0], ia6, 1013 sizeof(struct in6_addr)); 1014 return (0); 1015 } 1016 1017 return (_prison_check_ip6(cred->cr_prison, ia6)); 1018 } 1019 1020 /* 1021 * Rewrite destination address in case we will connect to loopback address. 1022 * 1023 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6. 1024 */ 1025 int 1026 prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6) 1027 { 1028 1029 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 1030 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__)); 1031 1032 if (!jailed(cred)) 1033 return (0); 1034 if (cred->cr_prison->pr_ip6 == NULL) 1035 return (EAFNOSUPPORT); 1036 1037 if (IN6_IS_ADDR_LOOPBACK(ia6)) { 1038 bcopy(&cred->cr_prison->pr_ip6[0], ia6, 1039 sizeof(struct in6_addr)); 1040 return (0); 1041 } 1042 1043 /* 1044 * Return success because nothing had to be changed. 1045 */ 1046 return (0); 1047 } 1048 1049 /* 1050 * Check if given address belongs to the jail referenced by cred/prison. 1051 * 1052 * Returns 0 if not jailed or if address belongs to jail, EADDRNOTAVAIL if 1053 * the address doesn't belong, or EAFNOSUPPORT if the jail doesn't allow IPv6. 1054 */ 1055 static int 1056 _prison_check_ip6(struct prison *pr, struct in6_addr *ia6) 1057 { 1058 int i, a, z, d; 1059 1060 /* 1061 * Check the primary IP. 1062 */ 1063 if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0], ia6)) 1064 return (0); 1065 1066 /* 1067 * All the other IPs are sorted so we can do a binary search. 1068 */ 1069 a = 0; 1070 z = pr->pr_ip6s - 2; 1071 while (a <= z) { 1072 i = (a + z) / 2; 1073 d = qcmp_v6(&pr->pr_ip6[i+1], ia6); 1074 if (d > 0) 1075 z = i - 1; 1076 else if (d < 0) 1077 a = i + 1; 1078 else 1079 return (0); 1080 } 1081 1082 return (EADDRNOTAVAIL); 1083 } 1084 1085 int 1086 prison_check_ip6(struct ucred *cred, struct in6_addr *ia6) 1087 { 1088 1089 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 1090 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__)); 1091 1092 if (!jailed(cred)) 1093 return (0); 1094 if (cred->cr_prison->pr_ip6 == NULL) 1095 return (EAFNOSUPPORT); 1096 1097 return (_prison_check_ip6(cred->cr_prison, ia6)); 1098 } 1099 #endif 1100 1101 /* 1102 * Check if a jail supports the given address family. 1103 * 1104 * Returns 0 if not jailed or the address family is supported, EAFNOSUPPORT 1105 * if not. 1106 */ 1107 int 1108 prison_check_af(struct ucred *cred, int af) 1109 { 1110 int error; 1111 1112 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 1113 1114 1115 if (!jailed(cred)) 1116 return (0); 1117 1118 error = 0; 1119 switch (af) 1120 { 1121 #ifdef INET 1122 case AF_INET: 1123 if (cred->cr_prison->pr_ip4 == NULL) 1124 error = EAFNOSUPPORT; 1125 break; 1126 #endif 1127 #ifdef INET6 1128 case AF_INET6: 1129 if (cred->cr_prison->pr_ip6 == NULL) 1130 error = EAFNOSUPPORT; 1131 break; 1132 #endif 1133 case AF_LOCAL: 1134 case AF_ROUTE: 1135 break; 1136 default: 1137 if (jail_socket_unixiproute_only) 1138 error = EAFNOSUPPORT; 1139 } 1140 return (error); 1141 } 1142 1143 /* 1144 * Check if given address belongs to the jail referenced by cred (wrapper to 1145 * prison_check_ip[46]). 1146 * 1147 * Returns 0 if not jailed or if address belongs to jail, EADDRNOTAVAIL if 1148 * the address doesn't belong, or EAFNOSUPPORT if the jail doesn't allow 1149 * the address family. IPv4 Address passed in in NBO. 1150 */ 1151 int 1152 prison_if(struct ucred *cred, struct sockaddr *sa) 1153 { 1154 #ifdef INET 1155 struct sockaddr_in *sai; 1156 #endif 1157 #ifdef INET6 1158 struct sockaddr_in6 *sai6; 1159 #endif 1160 int error; 1161 1162 KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); 1163 KASSERT(sa != NULL, ("%s: sa is NULL", __func__)); 1164 1165 error = 0; 1166 switch (sa->sa_family) 1167 { 1168 #ifdef INET 1169 case AF_INET: 1170 sai = (struct sockaddr_in *)sa; 1171 error = prison_check_ip4(cred, &sai->sin_addr); 1172 break; 1173 #endif 1174 #ifdef INET6 1175 case AF_INET6: 1176 sai6 = (struct sockaddr_in6 *)sa; 1177 error = prison_check_ip6(cred, &sai6->sin6_addr); 1178 break; 1179 #endif 1180 default: 1181 if (jailed(cred) && jail_socket_unixiproute_only) 1182 error = EAFNOSUPPORT; 1183 } 1184 return (error); 1185 } 1186 1187 /* 1188 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH. 1189 */ 1190 int 1191 prison_check(struct ucred *cred1, struct ucred *cred2) 1192 { 1193 1194 if (jailed(cred1)) { 1195 if (!jailed(cred2)) 1196 return (ESRCH); 1197 if (cred2->cr_prison != cred1->cr_prison) 1198 return (ESRCH); 1199 } 1200 1201 return (0); 1202 } 1203 1204 /* 1205 * Return 1 if the passed credential is in a jail, otherwise 0. 1206 */ 1207 int 1208 jailed(struct ucred *cred) 1209 { 1210 1211 return (cred->cr_prison != NULL); 1212 } 1213 1214 /* 1215 * Return the correct hostname for the passed credential. 1216 */ 1217 void 1218 getcredhostname(struct ucred *cred, char *buf, size_t size) 1219 { 1220 INIT_VPROCG(cred->cr_vimage->v_procg); 1221 1222 if (jailed(cred)) { 1223 mtx_lock(&cred->cr_prison->pr_mtx); 1224 strlcpy(buf, cred->cr_prison->pr_host, size); 1225 mtx_unlock(&cred->cr_prison->pr_mtx); 1226 } else { 1227 mtx_lock(&hostname_mtx); 1228 strlcpy(buf, V_hostname, size); 1229 mtx_unlock(&hostname_mtx); 1230 } 1231 } 1232 1233 /* 1234 * Determine whether the subject represented by cred can "see" 1235 * status of a mount point. 1236 * Returns: 0 for permitted, ENOENT otherwise. 1237 * XXX: This function should be called cr_canseemount() and should be 1238 * placed in kern_prot.c. 1239 */ 1240 int 1241 prison_canseemount(struct ucred *cred, struct mount *mp) 1242 { 1243 struct prison *pr; 1244 struct statfs *sp; 1245 size_t len; 1246 1247 if (!jailed(cred) || jail_enforce_statfs == 0) 1248 return (0); 1249 pr = cred->cr_prison; 1250 if (pr->pr_root->v_mount == mp) 1251 return (0); 1252 if (jail_enforce_statfs == 2) 1253 return (ENOENT); 1254 /* 1255 * If jail's chroot directory is set to "/" we should be able to see 1256 * all mount-points from inside a jail. 1257 * This is ugly check, but this is the only situation when jail's 1258 * directory ends with '/'. 1259 */ 1260 if (strcmp(pr->pr_path, "/") == 0) 1261 return (0); 1262 len = strlen(pr->pr_path); 1263 sp = &mp->mnt_stat; 1264 if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0) 1265 return (ENOENT); 1266 /* 1267 * Be sure that we don't have situation where jail's root directory 1268 * is "/some/path" and mount point is "/some/pathpath". 1269 */ 1270 if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/') 1271 return (ENOENT); 1272 return (0); 1273 } 1274 1275 void 1276 prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp) 1277 { 1278 char jpath[MAXPATHLEN]; 1279 struct prison *pr; 1280 size_t len; 1281 1282 if (!jailed(cred) || jail_enforce_statfs == 0) 1283 return; 1284 pr = cred->cr_prison; 1285 if (prison_canseemount(cred, mp) != 0) { 1286 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 1287 strlcpy(sp->f_mntonname, "[restricted]", 1288 sizeof(sp->f_mntonname)); 1289 return; 1290 } 1291 if (pr->pr_root->v_mount == mp) { 1292 /* 1293 * Clear current buffer data, so we are sure nothing from 1294 * the valid path left there. 1295 */ 1296 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 1297 *sp->f_mntonname = '/'; 1298 return; 1299 } 1300 /* 1301 * If jail's chroot directory is set to "/" we should be able to see 1302 * all mount-points from inside a jail. 1303 */ 1304 if (strcmp(pr->pr_path, "/") == 0) 1305 return; 1306 len = strlen(pr->pr_path); 1307 strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath)); 1308 /* 1309 * Clear current buffer data, so we are sure nothing from 1310 * the valid path left there. 1311 */ 1312 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 1313 if (*jpath == '\0') { 1314 /* Should never happen. */ 1315 *sp->f_mntonname = '/'; 1316 } else { 1317 strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname)); 1318 } 1319 } 1320 1321 /* 1322 * Check with permission for a specific privilege is granted within jail. We 1323 * have a specific list of accepted privileges; the rest are denied. 1324 */ 1325 int 1326 prison_priv_check(struct ucred *cred, int priv) 1327 { 1328 1329 if (!jailed(cred)) 1330 return (0); 1331 1332 switch (priv) { 1333 1334 /* 1335 * Allow ktrace privileges for root in jail. 1336 */ 1337 case PRIV_KTRACE: 1338 1339 #if 0 1340 /* 1341 * Allow jailed processes to configure audit identity and 1342 * submit audit records (login, etc). In the future we may 1343 * want to further refine the relationship between audit and 1344 * jail. 1345 */ 1346 case PRIV_AUDIT_GETAUDIT: 1347 case PRIV_AUDIT_SETAUDIT: 1348 case PRIV_AUDIT_SUBMIT: 1349 #endif 1350 1351 /* 1352 * Allow jailed processes to manipulate process UNIX 1353 * credentials in any way they see fit. 1354 */ 1355 case PRIV_CRED_SETUID: 1356 case PRIV_CRED_SETEUID: 1357 case PRIV_CRED_SETGID: 1358 case PRIV_CRED_SETEGID: 1359 case PRIV_CRED_SETGROUPS: 1360 case PRIV_CRED_SETREUID: 1361 case PRIV_CRED_SETREGID: 1362 case PRIV_CRED_SETRESUID: 1363 case PRIV_CRED_SETRESGID: 1364 1365 /* 1366 * Jail implements visibility constraints already, so allow 1367 * jailed root to override uid/gid-based constraints. 1368 */ 1369 case PRIV_SEEOTHERGIDS: 1370 case PRIV_SEEOTHERUIDS: 1371 1372 /* 1373 * Jail implements inter-process debugging limits already, so 1374 * allow jailed root various debugging privileges. 1375 */ 1376 case PRIV_DEBUG_DIFFCRED: 1377 case PRIV_DEBUG_SUGID: 1378 case PRIV_DEBUG_UNPRIV: 1379 1380 /* 1381 * Allow jail to set various resource limits and login 1382 * properties, and for now, exceed process resource limits. 1383 */ 1384 case PRIV_PROC_LIMIT: 1385 case PRIV_PROC_SETLOGIN: 1386 case PRIV_PROC_SETRLIMIT: 1387 1388 /* 1389 * System V and POSIX IPC privileges are granted in jail. 1390 */ 1391 case PRIV_IPC_READ: 1392 case PRIV_IPC_WRITE: 1393 case PRIV_IPC_ADMIN: 1394 case PRIV_IPC_MSGSIZE: 1395 case PRIV_MQ_ADMIN: 1396 1397 /* 1398 * Jail implements its own inter-process limits, so allow 1399 * root processes in jail to change scheduling on other 1400 * processes in the same jail. Likewise for signalling. 1401 */ 1402 case PRIV_SCHED_DIFFCRED: 1403 case PRIV_SCHED_CPUSET: 1404 case PRIV_SIGNAL_DIFFCRED: 1405 case PRIV_SIGNAL_SUGID: 1406 1407 /* 1408 * Allow jailed processes to write to sysctls marked as jail 1409 * writable. 1410 */ 1411 case PRIV_SYSCTL_WRITEJAIL: 1412 1413 /* 1414 * Allow root in jail to manage a variety of quota 1415 * properties. These should likely be conditional on a 1416 * configuration option. 1417 */ 1418 case PRIV_VFS_GETQUOTA: 1419 case PRIV_VFS_SETQUOTA: 1420 1421 /* 1422 * Since Jail relies on chroot() to implement file system 1423 * protections, grant many VFS privileges to root in jail. 1424 * Be careful to exclude mount-related and NFS-related 1425 * privileges. 1426 */ 1427 case PRIV_VFS_READ: 1428 case PRIV_VFS_WRITE: 1429 case PRIV_VFS_ADMIN: 1430 case PRIV_VFS_EXEC: 1431 case PRIV_VFS_LOOKUP: 1432 case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ 1433 case PRIV_VFS_CHFLAGS_DEV: 1434 case PRIV_VFS_CHOWN: 1435 case PRIV_VFS_CHROOT: 1436 case PRIV_VFS_RETAINSUGID: 1437 case PRIV_VFS_FCHROOT: 1438 case PRIV_VFS_LINK: 1439 case PRIV_VFS_SETGID: 1440 case PRIV_VFS_STAT: 1441 case PRIV_VFS_STICKYFILE: 1442 return (0); 1443 1444 /* 1445 * Depending on the global setting, allow privilege of 1446 * setting system flags. 1447 */ 1448 case PRIV_VFS_SYSFLAGS: 1449 if (jail_chflags_allowed) 1450 return (0); 1451 else 1452 return (EPERM); 1453 1454 /* 1455 * Depending on the global setting, allow privilege of 1456 * mounting/unmounting file systems. 1457 */ 1458 case PRIV_VFS_MOUNT: 1459 case PRIV_VFS_UNMOUNT: 1460 case PRIV_VFS_MOUNT_NONUSER: 1461 case PRIV_VFS_MOUNT_OWNER: 1462 if (jail_mount_allowed) 1463 return (0); 1464 else 1465 return (EPERM); 1466 1467 /* 1468 * Allow jailed root to bind reserved ports and reuse in-use 1469 * ports. 1470 */ 1471 case PRIV_NETINET_RESERVEDPORT: 1472 case PRIV_NETINET_REUSEPORT: 1473 return (0); 1474 1475 /* 1476 * Allow jailed root to set certian IPv4/6 (option) headers. 1477 */ 1478 case PRIV_NETINET_SETHDROPTS: 1479 return (0); 1480 1481 /* 1482 * Conditionally allow creating raw sockets in jail. 1483 */ 1484 case PRIV_NETINET_RAW: 1485 if (jail_allow_raw_sockets) 1486 return (0); 1487 else 1488 return (EPERM); 1489 1490 /* 1491 * Since jail implements its own visibility limits on netstat 1492 * sysctls, allow getcred. This allows identd to work in 1493 * jail. 1494 */ 1495 case PRIV_NETINET_GETCRED: 1496 return (0); 1497 1498 default: 1499 /* 1500 * In all remaining cases, deny the privilege request. This 1501 * includes almost all network privileges, many system 1502 * configuration privileges. 1503 */ 1504 return (EPERM); 1505 } 1506 } 1507 1508 static int 1509 sysctl_jail_list(SYSCTL_HANDLER_ARGS) 1510 { 1511 struct xprison *xp, *sxp; 1512 struct prison *pr; 1513 char *p; 1514 size_t len; 1515 int count, error; 1516 1517 if (jailed(req->td->td_ucred)) 1518 return (0); 1519 1520 sx_slock(&allprison_lock); 1521 if ((count = prisoncount) == 0) { 1522 sx_sunlock(&allprison_lock); 1523 return (0); 1524 } 1525 1526 len = sizeof(*xp) * count; 1527 LIST_FOREACH(pr, &allprison, pr_list) { 1528 #ifdef INET 1529 len += pr->pr_ip4s * sizeof(struct in_addr); 1530 #endif 1531 #ifdef INET6 1532 len += pr->pr_ip6s * sizeof(struct in6_addr); 1533 #endif 1534 } 1535 1536 sxp = xp = malloc(len, M_TEMP, M_WAITOK | M_ZERO); 1537 1538 LIST_FOREACH(pr, &allprison, pr_list) { 1539 xp->pr_version = XPRISON_VERSION; 1540 xp->pr_id = pr->pr_id; 1541 xp->pr_state = pr->pr_state; 1542 xp->pr_cpusetid = pr->pr_cpuset->cs_id; 1543 strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path)); 1544 mtx_lock(&pr->pr_mtx); 1545 strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host)); 1546 strlcpy(xp->pr_name, pr->pr_name, sizeof(xp->pr_name)); 1547 mtx_unlock(&pr->pr_mtx); 1548 #ifdef INET 1549 xp->pr_ip4s = pr->pr_ip4s; 1550 #endif 1551 #ifdef INET6 1552 xp->pr_ip6s = pr->pr_ip6s; 1553 #endif 1554 p = (char *)(xp + 1); 1555 #ifdef INET 1556 if (pr->pr_ip4s > 0) { 1557 bcopy(pr->pr_ip4, (struct in_addr *)p, 1558 pr->pr_ip4s * sizeof(struct in_addr)); 1559 p += (pr->pr_ip4s * sizeof(struct in_addr)); 1560 } 1561 #endif 1562 #ifdef INET6 1563 if (pr->pr_ip6s > 0) { 1564 bcopy(pr->pr_ip6, (struct in6_addr *)p, 1565 pr->pr_ip6s * sizeof(struct in6_addr)); 1566 p += (pr->pr_ip6s * sizeof(struct in6_addr)); 1567 } 1568 #endif 1569 xp = (struct xprison *)p; 1570 } 1571 sx_sunlock(&allprison_lock); 1572 1573 error = SYSCTL_OUT(req, sxp, len); 1574 free(sxp, M_TEMP); 1575 return (error); 1576 } 1577 1578 SYSCTL_OID(_security_jail, OID_AUTO, list, 1579 CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, 1580 sysctl_jail_list, "S", "List of active jails"); 1581 1582 static int 1583 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS) 1584 { 1585 int error, injail; 1586 1587 injail = jailed(req->td->td_ucred); 1588 error = SYSCTL_OUT(req, &injail, sizeof(injail)); 1589 1590 return (error); 1591 } 1592 SYSCTL_PROC(_security_jail, OID_AUTO, jailed, 1593 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, 1594 sysctl_jail_jailed, "I", "Process in jail?"); 1595 1596 #ifdef DDB 1597 DB_SHOW_COMMAND(jails, db_show_jails) 1598 { 1599 struct prison *pr; 1600 #ifdef INET 1601 struct in_addr ia; 1602 #endif 1603 #ifdef INET6 1604 char ip6buf[INET6_ADDRSTRLEN]; 1605 #endif 1606 const char *state; 1607 #if defined(INET) || defined(INET6) 1608 int i; 1609 #endif 1610 1611 db_printf( 1612 " JID pr_ref pr_nprocs pr_ip4s pr_ip6s\n"); 1613 db_printf( 1614 " Hostname Path\n"); 1615 db_printf( 1616 " Name State\n"); 1617 db_printf( 1618 " Cpusetid\n"); 1619 db_printf( 1620 " IP Address(es)\n"); 1621 LIST_FOREACH(pr, &allprison, pr_list) { 1622 db_printf("%6d %6d %9d %7d %7d\n", 1623 pr->pr_id, pr->pr_ref, pr->pr_nprocs, 1624 pr->pr_ip4s, pr->pr_ip6s); 1625 db_printf("%6s %-29.29s %.74s\n", 1626 "", pr->pr_host, pr->pr_path); 1627 if (pr->pr_state < 0 || pr->pr_state >= (int)((sizeof( 1628 prison_states) / sizeof(struct prison_state)))) 1629 state = "(bogus)"; 1630 else 1631 state = prison_states[pr->pr_state].state_name; 1632 db_printf("%6s %-29.29s %.74s\n", 1633 "", (pr->pr_name[0] != '\0') ? pr->pr_name : "", state); 1634 db_printf("%6s %-6d\n", 1635 "", pr->pr_cpuset->cs_id); 1636 #ifdef INET 1637 for (i=0; i < pr->pr_ip4s; i++) { 1638 ia.s_addr = pr->pr_ip4[i].s_addr; 1639 db_printf("%6s %s\n", "", inet_ntoa(ia)); 1640 } 1641 #endif 1642 #ifdef INET6 1643 for (i=0; i < pr->pr_ip6s; i++) 1644 db_printf("%6s %s\n", 1645 "", ip6_sprintf(ip6buf, &pr->pr_ip6[i])); 1646 #endif /* INET6 */ 1647 if (db_pager_quit) 1648 break; 1649 } 1650 } 1651 #endif /* DDB */ 1652