sys/kern/kern_jaildesc.c

851dc7f8SJamie Gritton/*-
851dc7f8SJamie Gritton * SPDX-License-Identifier: BSD-2-Clause
851dc7f8SJamie Gritton *
851dc7f8SJamie Gritton * Copyright (c) 2025 James Gritton.
851dc7f8SJamie Gritton * All rights reserved.
851dc7f8SJamie Gritton *
851dc7f8SJamie Gritton * Redistribution and use in source and binary forms, with or without
851dc7f8SJamie Gritton * modification, are permitted provided that the following conditions
851dc7f8SJamie Gritton * are met:
851dc7f8SJamie Gritton * 1. Redistributions of source code must retain the above copyright
851dc7f8SJamie Gritton *    notice, this list of conditions and the following disclaimer.
851dc7f8SJamie Gritton * 2. Redistributions in binary form must reproduce the above copyright
851dc7f8SJamie Gritton *    notice, this list of conditions and the following disclaimer in the
851dc7f8SJamie Gritton *    documentation and/or other materials provided with the distribution.
851dc7f8SJamie Gritton *
851dc7f8SJamie Gritton * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
851dc7f8SJamie Gritton * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
851dc7f8SJamie Gritton * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
851dc7f8SJamie Gritton * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
851dc7f8SJamie Gritton * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
851dc7f8SJamie Gritton * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
851dc7f8SJamie Gritton * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
851dc7f8SJamie Gritton * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
851dc7f8SJamie Gritton * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
851dc7f8SJamie Gritton * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
851dc7f8SJamie Gritton * SUCH DAMAGE.
851dc7f8SJamie Gritton */
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton#include <sys/param.h>
851dc7f8SJamie Gritton#include <sys/fcntl.h>
851dc7f8SJamie Gritton#include <sys/file.h>
851dc7f8SJamie Gritton#include <sys/filedesc.h>
851dc7f8SJamie Gritton#include <sys/kernel.h>
851dc7f8SJamie Gritton#include <sys/jail.h>
851dc7f8SJamie Gritton#include <sys/jaildesc.h>
851dc7f8SJamie Gritton#include <sys/lock.h>
851dc7f8SJamie Gritton#include <sys/malloc.h>
851dc7f8SJamie Gritton#include <sys/mutex.h>
851dc7f8SJamie Gritton#include <sys/priv.h>
851dc7f8SJamie Gritton#include <sys/stat.h>
851dc7f8SJamie Gritton#include <sys/sysproto.h>
851dc7f8SJamie Gritton#include <sys/systm.h>
851dc7f8SJamie Gritton#include <sys/ucred.h>
851dc7f8SJamie Gritton#include <sys/vnode.h>
851dc7f8SJamie Gritton
851dc7f8SJamie GrittonMALLOC_DEFINE(M_JAILDESC, "jaildesc", "jail descriptors");
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic fo_stat_t	jaildesc_stat;
851dc7f8SJamie Grittonstatic fo_close_t	jaildesc_close;
851dc7f8SJamie Grittonstatic fo_chmod_t	jaildesc_chmod;
851dc7f8SJamie Grittonstatic fo_chown_t	jaildesc_chown;
851dc7f8SJamie Grittonstatic fo_fill_kinfo_t	jaildesc_fill_kinfo;
851dc7f8SJamie Grittonstatic fo_cmp_t		jaildesc_cmp;
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic struct fileops jaildesc_ops = {
851dc7f8SJamie Gritton	.fo_read = invfo_rdwr,
851dc7f8SJamie Gritton	.fo_write = invfo_rdwr,
851dc7f8SJamie Gritton	.fo_truncate = invfo_truncate,
851dc7f8SJamie Gritton	.fo_ioctl = invfo_ioctl,
851dc7f8SJamie Gritton	.fo_poll = invfo_poll,
851dc7f8SJamie Gritton	.fo_kqfilter = invfo_kqfilter,
851dc7f8SJamie Gritton	.fo_stat = jaildesc_stat,
851dc7f8SJamie Gritton	.fo_close = jaildesc_close,
851dc7f8SJamie Gritton	.fo_chmod = jaildesc_chmod,
851dc7f8SJamie Gritton	.fo_chown = jaildesc_chown,
851dc7f8SJamie Gritton	.fo_sendfile = invfo_sendfile,
851dc7f8SJamie Gritton	.fo_fill_kinfo = jaildesc_fill_kinfo,
851dc7f8SJamie Gritton	.fo_cmp = jaildesc_cmp,
851dc7f8SJamie Gritton	.fo_flags = DFLAG_PASSABLE,
851dc7f8SJamie Gritton};
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton/*
851dc7f8SJamie Gritton * Given a jail descriptor number, return the jaildesc, its prison,
851dc7f8SJamie Gritton * and its credential.  The jaildesc will be returned locked, and
851dc7f8SJamie Gritton * prison and the credential will be returned held.
851dc7f8SJamie Gritton */
851dc7f8SJamie Grittonint
851dc7f8SJamie Grittonjaildesc_find(struct thread *td, int fd, struct jaildesc **jdp,
851dc7f8SJamie Gritton    struct prison **prp, struct ucred **ucredp)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct file *fp;
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton	struct prison *pr;
851dc7f8SJamie Gritton	int error;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	error = fget(td, fd, &cap_no_rights, &fp);
851dc7f8SJamie Gritton	if (error != 0)
851dc7f8SJamie Gritton		return (error);
851dc7f8SJamie Gritton	if (fp->f_type != DTYPE_JAILDESC) {
16f600dcSJamie Gritton		error = EINVAL;
851dc7f8SJamie Gritton		goto out;
851dc7f8SJamie Gritton	}
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton	pr = jd->jd_prison;
851dc7f8SJamie Gritton	if (pr == NULL || !prison_isvalid(pr)) {
851dc7f8SJamie Gritton		error = ENOENT;
851dc7f8SJamie Gritton		JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton		goto out;
851dc7f8SJamie Gritton	}
851dc7f8SJamie Gritton	prison_hold(pr);
851dc7f8SJamie Gritton	*prp = pr;
851dc7f8SJamie Gritton	if (jdp != NULL)
851dc7f8SJamie Gritton		*jdp = jd;
851dc7f8SJamie Gritton	else
851dc7f8SJamie Gritton		JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton	if (ucredp != NULL)
851dc7f8SJamie Gritton		*ucredp = crhold(fp->f_cred);
851dc7f8SJamie Gritton out:
851dc7f8SJamie Gritton	fdrop(fp, td);
851dc7f8SJamie Gritton	return (error);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton/*
851dc7f8SJamie Gritton * Allocate a new jail decriptor, not yet associated with a prison.
851dc7f8SJamie Gritton * Return the file pointer (with a reference held) and the descriptor
851dc7f8SJamie Gritton * number.
851dc7f8SJamie Gritton */
851dc7f8SJamie Grittonint
851dc7f8SJamie Grittonjaildesc_alloc(struct thread *td, struct file **fpp, int *fdp, int owning)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct file *fp;
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton	int error;
851dc7f8SJamie Gritton	mode_t mode;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	if (owning) {
851dc7f8SJamie Gritton		error = priv_check(td, PRIV_JAIL_REMOVE);
851dc7f8SJamie Gritton		if (error != 0)
851dc7f8SJamie Gritton			return (error);
851dc7f8SJamie Gritton		mode = S_ISTXT;
851dc7f8SJamie Gritton	} else
851dc7f8SJamie Gritton		mode = 0;
851dc7f8SJamie Gritton	jd = malloc(sizeof(*jd), M_JAILDESC, M_WAITOK | M_ZERO);
851dc7f8SJamie Gritton	error = falloc_caps(td, &fp, fdp, 0, NULL);
851dc7f8SJamie Gritton	if (error != 0) {
851dc7f8SJamie Gritton		free(jd, M_JAILDESC);
851dc7f8SJamie Gritton		return (error);
851dc7f8SJamie Gritton	}
*d8d5324eSJamie Gritton	finit(fp, priv_check_cred(fp->f_cred, PRIV_JAIL_SET) == 0 ?
*d8d5324eSJamie Gritton	    FREAD | FWRITE : FREAD, DTYPE_JAILDESC, jd, &jaildesc_ops);
851dc7f8SJamie Gritton	JAILDESC_LOCK_INIT(jd);
851dc7f8SJamie Gritton	jd->jd_uid = fp->f_cred->cr_uid;
851dc7f8SJamie Gritton	jd->jd_gid = fp->f_cred->cr_gid;
*d8d5324eSJamie Gritton	jd->jd_mode = S_IFREG | S_IRUSR | S_IRGRP | S_IROTH | mode |
*d8d5324eSJamie Gritton	    (priv_check(td, PRIV_JAIL_SET) == 0 ? S_IWUSR | S_IXUSR : 0) |
*d8d5324eSJamie Gritton	    (priv_check(td, PRIV_JAIL_ATTACH) == 0 ? S_IXUSR : 0);
851dc7f8SJamie Gritton	*fpp = fp;
851dc7f8SJamie Gritton	return (0);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton/*
851dc7f8SJamie Gritton * Assocate a jail descriptor with its prison.
851dc7f8SJamie Gritton */
851dc7f8SJamie Grittonvoid
851dc7f8SJamie Grittonjaildesc_set_prison(struct file *fp, struct prison *pr)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	mtx_assert(&pr->pr_mtx, MA_OWNED);
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton	jd->jd_prison = pr;
851dc7f8SJamie Gritton	LIST_INSERT_HEAD(&pr->pr_descs, jd, jd_list);
851dc7f8SJamie Gritton	prison_hold(pr);
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton/*
*d8d5324eSJamie Gritton * Detach all the jail descriptors from a prison.
851dc7f8SJamie Gritton */
851dc7f8SJamie Grittonvoid
851dc7f8SJamie Grittonjaildesc_prison_cleanup(struct prison *pr)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	mtx_assert(&pr->pr_mtx, MA_OWNED);
851dc7f8SJamie Gritton	while ((jd = LIST_FIRST(&pr->pr_descs))) {
851dc7f8SJamie Gritton		JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton		LIST_REMOVE(jd, jd_list);
851dc7f8SJamie Gritton		jd->jd_prison = NULL;
851dc7f8SJamie Gritton		JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton		prison_free(pr);
851dc7f8SJamie Gritton	}
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_close(struct file *fp, struct thread *td)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton	struct prison *pr;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	fp->f_data = NULL;
851dc7f8SJamie Gritton	if (jd != NULL) {
851dc7f8SJamie Gritton		JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton		pr = jd->jd_prison;
851dc7f8SJamie Gritton		if (pr != NULL) {
851dc7f8SJamie Gritton			/*
851dc7f8SJamie Gritton			 * Free or remove the associated prison.
851dc7f8SJamie Gritton			 * This requires a second check after re-
851dc7f8SJamie Gritton			 * ordering locks.  This jaildesc can remain
851dc7f8SJamie Gritton			 * unlocked once we have a prison reference,
851dc7f8SJamie Gritton			 * because that prison is the only place that
851dc7f8SJamie Gritton			 * still points back to it.
851dc7f8SJamie Gritton			 */
851dc7f8SJamie Gritton			prison_hold(pr);
851dc7f8SJamie Gritton			JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton			if (jd->jd_mode & S_ISTXT) {
851dc7f8SJamie Gritton				sx_xlock(&allprison_lock);
851dc7f8SJamie Gritton				prison_lock(pr);
851dc7f8SJamie Gritton				if (jd->jd_prison != NULL) {
851dc7f8SJamie Gritton					/*
851dc7f8SJamie Gritton					 * Unlink the prison, but don't free
851dc7f8SJamie Gritton					 * it; that will be done as part of
851dc7f8SJamie Gritton					 * of prison_remove.
851dc7f8SJamie Gritton					 */
851dc7f8SJamie Gritton					LIST_REMOVE(jd, jd_list);
851dc7f8SJamie Gritton					prison_remove(pr);
851dc7f8SJamie Gritton				} else {
851dc7f8SJamie Gritton					prison_unlock(pr);
851dc7f8SJamie Gritton					sx_xunlock(&allprison_lock);
851dc7f8SJamie Gritton				}
851dc7f8SJamie Gritton			} else {
851dc7f8SJamie Gritton				prison_lock(pr);
851dc7f8SJamie Gritton				if (jd->jd_prison != NULL) {
851dc7f8SJamie Gritton					LIST_REMOVE(jd, jd_list);
851dc7f8SJamie Gritton					prison_free(pr);
851dc7f8SJamie Gritton				}
851dc7f8SJamie Gritton				prison_unlock(pr);
851dc7f8SJamie Gritton			}
851dc7f8SJamie Gritton			prison_free(pr);
851dc7f8SJamie Gritton		}
851dc7f8SJamie Gritton		JAILDESC_LOCK_DESTROY(jd);
851dc7f8SJamie Gritton		free(jd, M_JAILDESC);
851dc7f8SJamie Gritton	}
851dc7f8SJamie Gritton	return (0);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_stat(struct file *fp, struct stat *sb, struct ucred *active_cred)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	bzero(sb, sizeof(struct stat));
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton	if (jd->jd_prison != NULL) {
851dc7f8SJamie Gritton		sb->st_ino = jd->jd_prison ? jd->jd_prison->pr_id : 0;
851dc7f8SJamie Gritton		sb->st_uid = jd->jd_uid;
851dc7f8SJamie Gritton		sb->st_gid = jd->jd_gid;
851dc7f8SJamie Gritton		sb->st_mode = jd->jd_mode;
851dc7f8SJamie Gritton	} else
851dc7f8SJamie Gritton		sb->st_mode = S_IFREG;
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton	return (0);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_chmod(struct file *fp, mode_t mode, struct ucred *active_cred,
851dc7f8SJamie Gritton    struct thread *td)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton	int error;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	/* Reject permissions that the creator doesn't have. */
*d8d5324eSJamie Gritton	if (((mode & (S_IWUSR | S_IWGRP | S_IWOTH)) &&
*d8d5324eSJamie Gritton	    priv_check_cred(fp->f_cred, PRIV_JAIL_SET) != 0) ||
*d8d5324eSJamie Gritton	    ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) &&
*d8d5324eSJamie Gritton	    priv_check_cred(fp->f_cred, PRIV_JAIL_ATTACH) != 0 &&
*d8d5324eSJamie Gritton	    priv_check_cred(fp->f_cred, PRIV_JAIL_SET) != 0) ||
*d8d5324eSJamie Gritton	    ((mode & S_ISTXT) &&
*d8d5324eSJamie Gritton	    priv_check_cred(fp->f_cred, PRIV_JAIL_REMOVE) != 0))
851dc7f8SJamie Gritton		return (EPERM);
851dc7f8SJamie Gritton	if (mode & (S_ISUID | S_ISGID))
851dc7f8SJamie Gritton		return (EINVAL);
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton	error = vaccess(VREG, jd->jd_mode, jd->jd_uid, jd->jd_gid, VADMIN,
851dc7f8SJamie Gritton		active_cred);
851dc7f8SJamie Gritton	if (error == 0)
851dc7f8SJamie Gritton		jd->jd_mode = S_IFREG | (mode & ALLPERMS);
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton	return (error);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_chown(struct file *fp, uid_t uid, gid_t gid, struct ucred *active_cred,
851dc7f8SJamie Gritton    struct thread *td)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd;
851dc7f8SJamie Gritton	int error;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	error = 0;
851dc7f8SJamie Gritton	jd = fp->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd);
851dc7f8SJamie Gritton	if (uid == (uid_t)-1)
851dc7f8SJamie Gritton		uid = jd->jd_uid;
851dc7f8SJamie Gritton	if (gid == (gid_t)-1)
851dc7f8SJamie Gritton		gid = jd->jd_gid;
851dc7f8SJamie Gritton	if ((uid != jd->jd_uid && uid != active_cred->cr_uid) ||
851dc7f8SJamie Gritton	    (gid != jd->jd_gid && !groupmember(gid, active_cred)))
851dc7f8SJamie Gritton		error = priv_check_cred(active_cred, PRIV_VFS_CHOWN);
851dc7f8SJamie Gritton	if (error == 0) {
851dc7f8SJamie Gritton		jd->jd_uid = uid;
851dc7f8SJamie Gritton		jd->jd_gid = gid;
851dc7f8SJamie Gritton	}
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd);
851dc7f8SJamie Gritton	return (error);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_fill_kinfo(struct file *fp, struct kinfo_file *kif,
851dc7f8SJamie Gritton    struct filedesc *fdp)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	return (EINVAL);
851dc7f8SJamie Gritton}
851dc7f8SJamie Gritton
851dc7f8SJamie Grittonstatic int
851dc7f8SJamie Grittonjaildesc_cmp(struct file *fp1, struct file *fp2, struct thread *td)
851dc7f8SJamie Gritton{
851dc7f8SJamie Gritton	struct jaildesc *jd1, *jd2;
851dc7f8SJamie Gritton	int jid1, jid2;
851dc7f8SJamie Gritton
851dc7f8SJamie Gritton	if (fp2->f_type != DTYPE_JAILDESC)
851dc7f8SJamie Gritton		return (3);
851dc7f8SJamie Gritton	jd1 = fp1->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd1);
851dc7f8SJamie Gritton	jid1 = jd1->jd_prison ? (uintptr_t)jd1->jd_prison->pr_id : 0;
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd1);
851dc7f8SJamie Gritton	jd2 = fp2->f_data;
851dc7f8SJamie Gritton	JAILDESC_LOCK(jd2);
851dc7f8SJamie Gritton	jid2 = jd2->jd_prison ? (uintptr_t)jd2->jd_prison->pr_id : 0;
851dc7f8SJamie Gritton	JAILDESC_UNLOCK(jd2);
851dc7f8SJamie Gritton	return (kcmp_cmp(jid1, jid2));
851dc7f8SJamie Gritton}