1 /*- 2 * ---------------------------------------------------------------------------- 3 * "THE BEER-WARE LICENSE" (Revision 42): 4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 5 * can do whatever you want with this stuff. If we meet some day, and you think 6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 7 * ---------------------------------------------------------------------------- 8 */ 9 10 #include <sys/cdefs.h> 11 __FBSDID("$FreeBSD$"); 12 13 #include "opt_mac.h" 14 15 #include <sys/param.h> 16 #include <sys/types.h> 17 #include <sys/kernel.h> 18 #include <sys/systm.h> 19 #include <sys/errno.h> 20 #include <sys/sysproto.h> 21 #include <sys/malloc.h> 22 #include <sys/priv.h> 23 #include <sys/proc.h> 24 #include <sys/taskqueue.h> 25 #include <sys/jail.h> 26 #include <sys/lock.h> 27 #include <sys/mutex.h> 28 #include <sys/sx.h> 29 #include <sys/namei.h> 30 #include <sys/mount.h> 31 #include <sys/queue.h> 32 #include <sys/socket.h> 33 #include <sys/syscallsubr.h> 34 #include <sys/sysctl.h> 35 #include <sys/vnode.h> 36 #include <net/if.h> 37 #include <netinet/in.h> 38 39 #include <security/mac/mac_framework.h> 40 41 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); 42 43 SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, 44 "Jail rules"); 45 46 int jail_set_hostname_allowed = 1; 47 SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW, 48 &jail_set_hostname_allowed, 0, 49 "Processes in jail can set their hostnames"); 50 51 int jail_socket_unixiproute_only = 1; 52 SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, 53 &jail_socket_unixiproute_only, 0, 54 "Processes in jail are limited to creating UNIX/IPv4/route sockets only"); 55 56 int jail_sysvipc_allowed = 0; 57 SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, 58 &jail_sysvipc_allowed, 0, 59 "Processes in jail can use System V IPC primitives"); 60 61 static int jail_enforce_statfs = 2; 62 SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW, 63 &jail_enforce_statfs, 0, 64 "Processes in jail cannot see all mounted file systems"); 65 66 int jail_allow_raw_sockets = 0; 67 SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, 68 &jail_allow_raw_sockets, 0, 69 "Prison root can create raw sockets"); 70 71 int jail_chflags_allowed = 0; 72 SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, 73 &jail_chflags_allowed, 0, 74 "Processes in jail can alter system file flags"); 75 76 int jail_mount_allowed = 0; 77 SYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW, 78 &jail_mount_allowed, 0, 79 "Processes in jail can mount/unmount jail-friendly file systems"); 80 81 /* allprison, lastprid, and prisoncount are protected by allprison_lock. */ 82 struct prisonlist allprison; 83 struct sx allprison_lock; 84 int lastprid = 0; 85 int prisoncount = 0; 86 87 /* 88 * List of jail services. Protected by allprison_lock. 89 */ 90 TAILQ_HEAD(prison_services_head, prison_service); 91 static struct prison_services_head prison_services = 92 TAILQ_HEAD_INITIALIZER(prison_services); 93 static int prison_service_slots = 0; 94 95 struct prison_service { 96 prison_create_t ps_create; 97 prison_destroy_t ps_destroy; 98 int ps_slotno; 99 TAILQ_ENTRY(prison_service) ps_next; 100 char ps_name[0]; 101 }; 102 103 static void init_prison(void *); 104 static void prison_complete(void *context, int pending); 105 static int sysctl_jail_list(SYSCTL_HANDLER_ARGS); 106 107 static void 108 init_prison(void *data __unused) 109 { 110 111 sx_init(&allprison_lock, "allprison"); 112 LIST_INIT(&allprison); 113 } 114 115 SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL); 116 117 /* 118 * struct jail_args { 119 * struct jail *jail; 120 * }; 121 */ 122 int 123 jail(struct thread *td, struct jail_args *uap) 124 { 125 struct nameidata nd; 126 struct prison *pr, *tpr; 127 struct prison_service *psrv; 128 struct jail j; 129 struct jail_attach_args jaa; 130 int vfslocked, error, tryprid; 131 132 error = copyin(uap->jail, &j, sizeof(j)); 133 if (error) 134 return (error); 135 if (j.version != 0) 136 return (EINVAL); 137 138 MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO); 139 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF); 140 pr->pr_ref = 1; 141 error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0); 142 if (error) 143 goto e_killmtx; 144 NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE, 145 pr->pr_path, td); 146 error = namei(&nd); 147 if (error) 148 goto e_killmtx; 149 vfslocked = NDHASGIANT(&nd); 150 pr->pr_root = nd.ni_vp; 151 VOP_UNLOCK(nd.ni_vp, 0, td); 152 NDFREE(&nd, NDF_ONLY_PNBUF); 153 VFS_UNLOCK_GIANT(vfslocked); 154 error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0); 155 if (error) 156 goto e_dropvnref; 157 pr->pr_ip = j.ip_number; 158 pr->pr_linux = NULL; 159 pr->pr_securelevel = securelevel; 160 if (prison_service_slots == 0) 161 pr->pr_slots = NULL; 162 else { 163 pr->pr_slots = malloc(sizeof(*pr->pr_slots) * prison_service_slots, 164 M_PRISON, M_ZERO | M_WAITOK); 165 } 166 167 /* Determine next pr_id and add prison to allprison list. */ 168 sx_xlock(&allprison_lock); 169 tryprid = lastprid + 1; 170 if (tryprid == JAIL_MAX) 171 tryprid = 1; 172 next: 173 LIST_FOREACH(tpr, &allprison, pr_list) { 174 if (tpr->pr_id == tryprid) { 175 tryprid++; 176 if (tryprid == JAIL_MAX) { 177 sx_xunlock(&allprison_lock); 178 error = EAGAIN; 179 goto e_dropvnref; 180 } 181 goto next; 182 } 183 } 184 pr->pr_id = jaa.jid = lastprid = tryprid; 185 LIST_INSERT_HEAD(&allprison, pr, pr_list); 186 prisoncount++; 187 sx_downgrade(&allprison_lock); 188 TAILQ_FOREACH(psrv, &prison_services, ps_next) { 189 psrv->ps_create(psrv, pr); 190 } 191 sx_sunlock(&allprison_lock); 192 193 error = jail_attach(td, &jaa); 194 if (error) 195 goto e_dropprref; 196 mtx_lock(&pr->pr_mtx); 197 pr->pr_ref--; 198 mtx_unlock(&pr->pr_mtx); 199 td->td_retval[0] = jaa.jid; 200 return (0); 201 e_dropprref: 202 sx_xlock(&allprison_lock); 203 LIST_REMOVE(pr, pr_list); 204 prisoncount--; 205 sx_downgrade(&allprison_lock); 206 TAILQ_FOREACH(psrv, &prison_services, ps_next) { 207 psrv->ps_destroy(psrv, pr); 208 } 209 sx_sunlock(&allprison_lock); 210 e_dropvnref: 211 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 212 vrele(pr->pr_root); 213 VFS_UNLOCK_GIANT(vfslocked); 214 e_killmtx: 215 mtx_destroy(&pr->pr_mtx); 216 FREE(pr, M_PRISON); 217 return (error); 218 } 219 220 /* 221 * struct jail_attach_args { 222 * int jid; 223 * }; 224 */ 225 int 226 jail_attach(struct thread *td, struct jail_attach_args *uap) 227 { 228 struct proc *p; 229 struct ucred *newcred, *oldcred; 230 struct prison *pr; 231 int vfslocked, error; 232 233 /* 234 * XXX: Note that there is a slight race here if two threads 235 * in the same privileged process attempt to attach to two 236 * different jails at the same time. It is important for 237 * user processes not to do this, or they might end up with 238 * a process root from one prison, but attached to the jail 239 * of another. 240 */ 241 error = priv_check(td, PRIV_JAIL_ATTACH); 242 if (error) 243 return (error); 244 245 p = td->td_proc; 246 sx_slock(&allprison_lock); 247 pr = prison_find(uap->jid); 248 if (pr == NULL) { 249 sx_sunlock(&allprison_lock); 250 return (EINVAL); 251 } 252 pr->pr_ref++; 253 mtx_unlock(&pr->pr_mtx); 254 sx_sunlock(&allprison_lock); 255 256 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 257 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY, td); 258 if ((error = change_dir(pr->pr_root, td)) != 0) 259 goto e_unlock; 260 #ifdef MAC 261 if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root))) 262 goto e_unlock; 263 #endif 264 VOP_UNLOCK(pr->pr_root, 0, td); 265 change_root(pr->pr_root, td); 266 VFS_UNLOCK_GIANT(vfslocked); 267 268 newcred = crget(); 269 PROC_LOCK(p); 270 oldcred = p->p_ucred; 271 setsugid(p); 272 crcopy(newcred, oldcred); 273 newcred->cr_prison = pr; 274 p->p_ucred = newcred; 275 PROC_UNLOCK(p); 276 crfree(oldcred); 277 return (0); 278 e_unlock: 279 VOP_UNLOCK(pr->pr_root, 0, td); 280 VFS_UNLOCK_GIANT(vfslocked); 281 mtx_lock(&pr->pr_mtx); 282 pr->pr_ref--; 283 mtx_unlock(&pr->pr_mtx); 284 return (error); 285 } 286 287 /* 288 * Returns a locked prison instance, or NULL on failure. 289 */ 290 struct prison * 291 prison_find(int prid) 292 { 293 struct prison *pr; 294 295 sx_assert(&allprison_lock, SX_LOCKED); 296 LIST_FOREACH(pr, &allprison, pr_list) { 297 if (pr->pr_id == prid) { 298 mtx_lock(&pr->pr_mtx); 299 if (pr->pr_ref == 0) { 300 mtx_unlock(&pr->pr_mtx); 301 break; 302 } 303 return (pr); 304 } 305 } 306 return (NULL); 307 } 308 309 void 310 prison_free(struct prison *pr) 311 { 312 313 mtx_lock(&pr->pr_mtx); 314 pr->pr_ref--; 315 if (pr->pr_ref == 0) { 316 mtx_unlock(&pr->pr_mtx); 317 TASK_INIT(&pr->pr_task, 0, prison_complete, pr); 318 taskqueue_enqueue(taskqueue_thread, &pr->pr_task); 319 return; 320 } 321 mtx_unlock(&pr->pr_mtx); 322 } 323 324 static void 325 prison_complete(void *context, int pending) 326 { 327 struct prison_service *psrv; 328 struct prison *pr; 329 int vfslocked; 330 331 pr = (struct prison *)context; 332 333 sx_xlock(&allprison_lock); 334 LIST_REMOVE(pr, pr_list); 335 prisoncount--; 336 sx_downgrade(&allprison_lock); 337 TAILQ_FOREACH(psrv, &prison_services, ps_next) { 338 psrv->ps_destroy(psrv, pr); 339 } 340 sx_sunlock(&allprison_lock); 341 342 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 343 vrele(pr->pr_root); 344 VFS_UNLOCK_GIANT(vfslocked); 345 346 mtx_destroy(&pr->pr_mtx); 347 if (pr->pr_linux != NULL) 348 FREE(pr->pr_linux, M_PRISON); 349 FREE(pr, M_PRISON); 350 } 351 352 void 353 prison_hold(struct prison *pr) 354 { 355 356 mtx_lock(&pr->pr_mtx); 357 KASSERT(pr->pr_ref > 0, 358 ("Trying to hold dead prison (id=%d).", pr->pr_id)); 359 pr->pr_ref++; 360 mtx_unlock(&pr->pr_mtx); 361 } 362 363 u_int32_t 364 prison_getip(struct ucred *cred) 365 { 366 367 return (cred->cr_prison->pr_ip); 368 } 369 370 int 371 prison_ip(struct ucred *cred, int flag, u_int32_t *ip) 372 { 373 u_int32_t tmp; 374 375 if (!jailed(cred)) 376 return (0); 377 if (flag) 378 tmp = *ip; 379 else 380 tmp = ntohl(*ip); 381 if (tmp == INADDR_ANY) { 382 if (flag) 383 *ip = cred->cr_prison->pr_ip; 384 else 385 *ip = htonl(cred->cr_prison->pr_ip); 386 return (0); 387 } 388 if (tmp == INADDR_LOOPBACK) { 389 if (flag) 390 *ip = cred->cr_prison->pr_ip; 391 else 392 *ip = htonl(cred->cr_prison->pr_ip); 393 return (0); 394 } 395 if (cred->cr_prison->pr_ip != tmp) 396 return (1); 397 return (0); 398 } 399 400 void 401 prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip) 402 { 403 u_int32_t tmp; 404 405 if (!jailed(cred)) 406 return; 407 if (flag) 408 tmp = *ip; 409 else 410 tmp = ntohl(*ip); 411 if (tmp == INADDR_LOOPBACK) { 412 if (flag) 413 *ip = cred->cr_prison->pr_ip; 414 else 415 *ip = htonl(cred->cr_prison->pr_ip); 416 return; 417 } 418 return; 419 } 420 421 int 422 prison_if(struct ucred *cred, struct sockaddr *sa) 423 { 424 struct sockaddr_in *sai; 425 int ok; 426 427 sai = (struct sockaddr_in *)sa; 428 if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only) 429 ok = 1; 430 else if (sai->sin_family != AF_INET) 431 ok = 0; 432 else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr)) 433 ok = 1; 434 else 435 ok = 0; 436 return (ok); 437 } 438 439 /* 440 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH. 441 */ 442 int 443 prison_check(struct ucred *cred1, struct ucred *cred2) 444 { 445 446 if (jailed(cred1)) { 447 if (!jailed(cred2)) 448 return (ESRCH); 449 if (cred2->cr_prison != cred1->cr_prison) 450 return (ESRCH); 451 } 452 453 return (0); 454 } 455 456 /* 457 * Return 1 if the passed credential is in a jail, otherwise 0. 458 */ 459 int 460 jailed(struct ucred *cred) 461 { 462 463 return (cred->cr_prison != NULL); 464 } 465 466 /* 467 * Return the correct hostname for the passed credential. 468 */ 469 void 470 getcredhostname(struct ucred *cred, char *buf, size_t size) 471 { 472 473 if (jailed(cred)) { 474 mtx_lock(&cred->cr_prison->pr_mtx); 475 strlcpy(buf, cred->cr_prison->pr_host, size); 476 mtx_unlock(&cred->cr_prison->pr_mtx); 477 } else 478 strlcpy(buf, hostname, size); 479 } 480 481 /* 482 * Determine whether the subject represented by cred can "see" 483 * status of a mount point. 484 * Returns: 0 for permitted, ENOENT otherwise. 485 * XXX: This function should be called cr_canseemount() and should be 486 * placed in kern_prot.c. 487 */ 488 int 489 prison_canseemount(struct ucred *cred, struct mount *mp) 490 { 491 struct prison *pr; 492 struct statfs *sp; 493 size_t len; 494 495 if (!jailed(cred) || jail_enforce_statfs == 0) 496 return (0); 497 pr = cred->cr_prison; 498 if (pr->pr_root->v_mount == mp) 499 return (0); 500 if (jail_enforce_statfs == 2) 501 return (ENOENT); 502 /* 503 * If jail's chroot directory is set to "/" we should be able to see 504 * all mount-points from inside a jail. 505 * This is ugly check, but this is the only situation when jail's 506 * directory ends with '/'. 507 */ 508 if (strcmp(pr->pr_path, "/") == 0) 509 return (0); 510 len = strlen(pr->pr_path); 511 sp = &mp->mnt_stat; 512 if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0) 513 return (ENOENT); 514 /* 515 * Be sure that we don't have situation where jail's root directory 516 * is "/some/path" and mount point is "/some/pathpath". 517 */ 518 if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/') 519 return (ENOENT); 520 return (0); 521 } 522 523 void 524 prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp) 525 { 526 char jpath[MAXPATHLEN]; 527 struct prison *pr; 528 size_t len; 529 530 if (!jailed(cred) || jail_enforce_statfs == 0) 531 return; 532 pr = cred->cr_prison; 533 if (prison_canseemount(cred, mp) != 0) { 534 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 535 strlcpy(sp->f_mntonname, "[restricted]", 536 sizeof(sp->f_mntonname)); 537 return; 538 } 539 if (pr->pr_root->v_mount == mp) { 540 /* 541 * Clear current buffer data, so we are sure nothing from 542 * the valid path left there. 543 */ 544 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 545 *sp->f_mntonname = '/'; 546 return; 547 } 548 /* 549 * If jail's chroot directory is set to "/" we should be able to see 550 * all mount-points from inside a jail. 551 */ 552 if (strcmp(pr->pr_path, "/") == 0) 553 return; 554 len = strlen(pr->pr_path); 555 strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath)); 556 /* 557 * Clear current buffer data, so we are sure nothing from 558 * the valid path left there. 559 */ 560 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 561 if (*jpath == '\0') { 562 /* Should never happen. */ 563 *sp->f_mntonname = '/'; 564 } else { 565 strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname)); 566 } 567 } 568 569 /* 570 * Check with permission for a specific privilege is granted within jail. We 571 * have a specific list of accepted privileges; the rest are denied. 572 */ 573 int 574 prison_priv_check(struct ucred *cred, int priv) 575 { 576 577 if (!jailed(cred)) 578 return (0); 579 580 switch (priv) { 581 582 /* 583 * Allow ktrace privileges for root in jail. 584 */ 585 case PRIV_KTRACE: 586 587 #if 0 588 /* 589 * Allow jailed processes to configure audit identity and 590 * submit audit records (login, etc). In the future we may 591 * want to further refine the relationship between audit and 592 * jail. 593 */ 594 case PRIV_AUDIT_GETAUDIT: 595 case PRIV_AUDIT_SETAUDIT: 596 case PRIV_AUDIT_SUBMIT: 597 #endif 598 599 /* 600 * Allow jailed processes to manipulate process UNIX 601 * credentials in any way they see fit. 602 */ 603 case PRIV_CRED_SETUID: 604 case PRIV_CRED_SETEUID: 605 case PRIV_CRED_SETGID: 606 case PRIV_CRED_SETEGID: 607 case PRIV_CRED_SETGROUPS: 608 case PRIV_CRED_SETREUID: 609 case PRIV_CRED_SETREGID: 610 case PRIV_CRED_SETRESUID: 611 case PRIV_CRED_SETRESGID: 612 613 /* 614 * Jail implements visibility constraints already, so allow 615 * jailed root to override uid/gid-based constraints. 616 */ 617 case PRIV_SEEOTHERGIDS: 618 case PRIV_SEEOTHERUIDS: 619 620 /* 621 * Jail implements inter-process debugging limits already, so 622 * allow jailed root various debugging privileges. 623 */ 624 case PRIV_DEBUG_DIFFCRED: 625 case PRIV_DEBUG_SUGID: 626 case PRIV_DEBUG_UNPRIV: 627 628 /* 629 * Allow jail to set various resource limits and login 630 * properties, and for now, exceed process resource limits. 631 */ 632 case PRIV_PROC_LIMIT: 633 case PRIV_PROC_SETLOGIN: 634 case PRIV_PROC_SETRLIMIT: 635 636 /* 637 * System V and POSIX IPC privileges are granted in jail. 638 */ 639 case PRIV_IPC_READ: 640 case PRIV_IPC_WRITE: 641 case PRIV_IPC_ADMIN: 642 case PRIV_IPC_MSGSIZE: 643 case PRIV_MQ_ADMIN: 644 645 /* 646 * Jail implements its own inter-process limits, so allow 647 * root processes in jail to change scheduling on other 648 * processes in the same jail. Likewise for signalling. 649 */ 650 case PRIV_SCHED_DIFFCRED: 651 case PRIV_SIGNAL_DIFFCRED: 652 case PRIV_SIGNAL_SUGID: 653 654 /* 655 * Allow jailed processes to write to sysctls marked as jail 656 * writable. 657 */ 658 case PRIV_SYSCTL_WRITEJAIL: 659 660 /* 661 * Allow root in jail to manage a variety of quota 662 * properties. These should likely be conditional on a 663 * configuration option. 664 */ 665 case PRIV_VFS_GETQUOTA: 666 case PRIV_VFS_SETQUOTA: 667 668 /* 669 * Since Jail relies on chroot() to implement file system 670 * protections, grant many VFS privileges to root in jail. 671 * Be careful to exclude mount-related and NFS-related 672 * privileges. 673 */ 674 case PRIV_VFS_READ: 675 case PRIV_VFS_WRITE: 676 case PRIV_VFS_ADMIN: 677 case PRIV_VFS_EXEC: 678 case PRIV_VFS_LOOKUP: 679 case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ 680 case PRIV_VFS_CHFLAGS_DEV: 681 case PRIV_VFS_CHOWN: 682 case PRIV_VFS_CHROOT: 683 case PRIV_VFS_RETAINSUGID: 684 case PRIV_VFS_FCHROOT: 685 case PRIV_VFS_LINK: 686 case PRIV_VFS_SETGID: 687 case PRIV_VFS_STICKYFILE: 688 return (0); 689 690 /* 691 * Depending on the global setting, allow privilege of 692 * setting system flags. 693 */ 694 case PRIV_VFS_SYSFLAGS: 695 if (jail_chflags_allowed) 696 return (0); 697 else 698 return (EPERM); 699 700 /* 701 * Depending on the global setting, allow privilege of 702 * mounting/unmounting file systems. 703 */ 704 case PRIV_VFS_MOUNT: 705 case PRIV_VFS_UNMOUNT: 706 case PRIV_VFS_MOUNT_NONUSER: 707 case PRIV_VFS_MOUNT_OWNER: 708 if (jail_mount_allowed) 709 return (0); 710 else 711 return (EPERM); 712 713 /* 714 * Allow jailed root to bind reserved ports and reuse in-use 715 * ports. 716 */ 717 case PRIV_NETINET_RESERVEDPORT: 718 case PRIV_NETINET_REUSEPORT: 719 return (0); 720 721 /* 722 * Conditionally allow creating raw sockets in jail. 723 */ 724 case PRIV_NETINET_RAW: 725 if (jail_allow_raw_sockets) 726 return (0); 727 else 728 return (EPERM); 729 730 /* 731 * Since jail implements its own visibility limits on netstat 732 * sysctls, allow getcred. This allows identd to work in 733 * jail. 734 */ 735 case PRIV_NETINET_GETCRED: 736 return (0); 737 738 default: 739 /* 740 * In all remaining cases, deny the privilege request. This 741 * includes almost all network privileges, many system 742 * configuration privileges. 743 */ 744 return (EPERM); 745 } 746 } 747 748 /* 749 * Register jail service. Provides 'create' and 'destroy' methods. 750 * 'create' method will be called for every existing jail and all 751 * jails in the future as they beeing created. 752 * 'destroy' method will be called for every jail going away and 753 * for all existing jails at the time of service deregistration. 754 */ 755 struct prison_service * 756 prison_service_register(const char *name, prison_create_t create, 757 prison_destroy_t destroy) 758 { 759 struct prison_service *psrv, *psrv2; 760 struct prison *pr; 761 int reallocate = 1, slotno = 0; 762 void **slots, **oldslots; 763 764 psrv = malloc(sizeof(*psrv) + strlen(name) + 1, M_PRISON, 765 M_WAITOK | M_ZERO); 766 psrv->ps_create = create; 767 psrv->ps_destroy = destroy; 768 strcpy(psrv->ps_name, name); 769 /* 770 * Grab the allprison_lock here, so we won't miss any jail 771 * creation/destruction. 772 */ 773 sx_xlock(&allprison_lock); 774 #ifdef INVARIANTS 775 /* 776 * Verify if service is not already registered. 777 */ 778 TAILQ_FOREACH(psrv2, &prison_services, ps_next) { 779 KASSERT(strcmp(psrv2->ps_name, name) != 0, 780 ("jail service %s already registered", name)); 781 } 782 #endif 783 /* 784 * Find free slot. When there is no existing free slot available, 785 * allocate one at the end. 786 */ 787 TAILQ_FOREACH(psrv2, &prison_services, ps_next) { 788 if (psrv2->ps_slotno != slotno) { 789 KASSERT(slotno < psrv2->ps_slotno, 790 ("Invalid slotno (slotno=%d >= ps_slotno=%d", 791 slotno, psrv2->ps_slotno)); 792 /* We found free slot. */ 793 reallocate = 0; 794 break; 795 } 796 slotno++; 797 } 798 psrv->ps_slotno = slotno; 799 /* 800 * Keep the list sorted by slot number. 801 */ 802 if (psrv2 != NULL) { 803 KASSERT(reallocate == 0, ("psrv2 != NULL && reallocate != 0")); 804 TAILQ_INSERT_BEFORE(psrv2, psrv, ps_next); 805 } else { 806 KASSERT(reallocate == 1, ("psrv2 == NULL && reallocate == 0")); 807 TAILQ_INSERT_TAIL(&prison_services, psrv, ps_next); 808 } 809 prison_service_slots++; 810 sx_downgrade(&allprison_lock); 811 /* 812 * Allocate memory for new slot if we didn't found empty one. 813 * Do not use realloc(9), because pr_slots is protected with a mutex, 814 * so we can't sleep. 815 */ 816 LIST_FOREACH(pr, &allprison, pr_list) { 817 if (reallocate) { 818 /* First allocate memory with M_WAITOK. */ 819 slots = malloc(sizeof(*slots) * prison_service_slots, 820 M_PRISON, M_WAITOK); 821 /* Now grab the mutex and replace pr_slots. */ 822 mtx_lock(&pr->pr_mtx); 823 oldslots = pr->pr_slots; 824 if (psrv->ps_slotno > 0) { 825 bcopy(oldslots, slots, 826 sizeof(*slots) * (prison_service_slots - 1)); 827 } 828 slots[psrv->ps_slotno] = NULL; 829 pr->pr_slots = slots; 830 mtx_unlock(&pr->pr_mtx); 831 if (oldslots != NULL) 832 free(oldslots, M_PRISON); 833 } 834 /* 835 * Call 'create' method for each existing jail. 836 */ 837 psrv->ps_create(psrv, pr); 838 } 839 sx_sunlock(&allprison_lock); 840 841 return (psrv); 842 } 843 844 void 845 prison_service_deregister(struct prison_service *psrv) 846 { 847 struct prison *pr; 848 void **slots, **oldslots; 849 int last = 0; 850 851 sx_xlock(&allprison_lock); 852 if (TAILQ_LAST(&prison_services, prison_services_head) == psrv) 853 last = 1; 854 TAILQ_REMOVE(&prison_services, psrv, ps_next); 855 prison_service_slots--; 856 sx_downgrade(&allprison_lock); 857 LIST_FOREACH(pr, &allprison, pr_list) { 858 /* 859 * Call 'destroy' method for every currently existing jail. 860 */ 861 psrv->ps_destroy(psrv, pr); 862 /* 863 * If this is the last slot, free the memory allocated for it. 864 */ 865 if (last) { 866 if (prison_service_slots == 0) 867 slots = NULL; 868 else { 869 slots = malloc(sizeof(*slots) * prison_service_slots, 870 M_PRISON, M_WAITOK); 871 } 872 mtx_lock(&pr->pr_mtx); 873 oldslots = pr->pr_slots; 874 /* 875 * We require setting slot to NULL after freeing it, 876 * this way we can check for memory leaks here. 877 */ 878 KASSERT(oldslots[psrv->ps_slotno] == NULL, 879 ("Slot %d (service %s, jailid=%d) still contains data?", 880 psrv->ps_slotno, psrv->ps_name, pr->pr_id)); 881 if (psrv->ps_slotno > 0) { 882 bcopy(oldslots, slots, 883 sizeof(*slots) * prison_service_slots); 884 } 885 pr->pr_slots = slots; 886 mtx_unlock(&pr->pr_mtx); 887 KASSERT(oldslots != NULL, ("oldslots == NULL")); 888 free(oldslots, M_PRISON); 889 } 890 } 891 sx_sunlock(&allprison_lock); 892 free(psrv, M_PRISON); 893 } 894 895 /* 896 * Function sets data for the given jail in slot assigned for the given 897 * jail service. 898 */ 899 void 900 prison_service_data_set(struct prison_service *psrv, struct prison *pr, 901 void *data) 902 { 903 904 mtx_assert(&pr->pr_mtx, MA_OWNED); 905 pr->pr_slots[psrv->ps_slotno] = data; 906 } 907 908 /* 909 * Function clears slots assigned for the given jail service in the given 910 * prison structure and returns current slot data. 911 */ 912 void * 913 prison_service_data_del(struct prison_service *psrv, struct prison *pr) 914 { 915 void *data; 916 917 mtx_assert(&pr->pr_mtx, MA_OWNED); 918 data = pr->pr_slots[psrv->ps_slotno]; 919 pr->pr_slots[psrv->ps_slotno] = NULL; 920 return (data); 921 } 922 923 /* 924 * Function returns current data from the slot assigned to the given jail 925 * service for the given jail. 926 */ 927 void * 928 prison_service_data_get(struct prison_service *psrv, struct prison *pr) 929 { 930 931 mtx_assert(&pr->pr_mtx, MA_OWNED); 932 return (pr->pr_slots[psrv->ps_slotno]); 933 } 934 935 static int 936 sysctl_jail_list(SYSCTL_HANDLER_ARGS) 937 { 938 struct xprison *xp, *sxp; 939 struct prison *pr; 940 int count, error; 941 942 if (jailed(req->td->td_ucred)) 943 return (0); 944 945 sx_slock(&allprison_lock); 946 if ((count = prisoncount) == 0) { 947 sx_sunlock(&allprison_lock); 948 return (0); 949 } 950 951 sxp = xp = malloc(sizeof(*xp) * count, M_TEMP, M_WAITOK | M_ZERO); 952 953 LIST_FOREACH(pr, &allprison, pr_list) { 954 xp->pr_version = XPRISON_VERSION; 955 xp->pr_id = pr->pr_id; 956 xp->pr_ip = pr->pr_ip; 957 strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path)); 958 mtx_lock(&pr->pr_mtx); 959 strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host)); 960 mtx_unlock(&pr->pr_mtx); 961 xp++; 962 } 963 sx_sunlock(&allprison_lock); 964 965 error = SYSCTL_OUT(req, sxp, sizeof(*sxp) * count); 966 free(sxp, M_TEMP); 967 return (error); 968 } 969 970 SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD, 971 NULL, 0, sysctl_jail_list, "S", "List of active jails"); 972 973 static int 974 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS) 975 { 976 int error, injail; 977 978 injail = jailed(req->td->td_ucred); 979 error = SYSCTL_OUT(req, &injail, sizeof(injail)); 980 981 return (error); 982 } 983 SYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD, 984 NULL, 0, sysctl_jail_jailed, "I", "Process in jail?"); 985