| kern_jail.c (250804) | kern_jail.c (254741) |
|---|---|
| 1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> |
| 30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 250804 2013-05-19 04:10:34Z jamie $"); | 30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 254741 2013-08-23 22:52:20Z delphij $"); |
| 31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 162 unchanged lines hidden (view full) --- 201 "allow.chflags", 202 "allow.mount", 203 "allow.quotas", 204 "allow.socket_af", 205 "allow.mount.devfs", 206 "allow.mount.nullfs", 207 "allow.mount.zfs", 208 "allow.mount.procfs", | 31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 162 unchanged lines hidden (view full) --- 201 "allow.chflags", 202 "allow.mount", 203 "allow.quotas", 204 "allow.socket_af", 205 "allow.mount.devfs", 206 "allow.mount.nullfs", 207 "allow.mount.zfs", 208 "allow.mount.procfs", |
| 209 "allow.mount.tmpfs", |
|
| 209}; 210const size_t pr_allow_names_size = sizeof(pr_allow_names); 211 212static char *pr_allow_nonames[] = { 213 "allow.noset_hostname", 214 "allow.nosysvipc", 215 "allow.noraw_sockets", 216 "allow.nochflags", 217 "allow.nomount", 218 "allow.noquotas", 219 "allow.nosocket_af", 220 "allow.mount.nodevfs", 221 "allow.mount.nonullfs", 222 "allow.mount.nozfs", 223 "allow.mount.noprocfs", | 210}; 211const size_t pr_allow_names_size = sizeof(pr_allow_names); 212 213static char *pr_allow_nonames[] = { 214 "allow.noset_hostname", 215 "allow.nosysvipc", 216 "allow.noraw_sockets", 217 "allow.nochflags", 218 "allow.nomount", 219 "allow.noquotas", 220 "allow.nosocket_af", 221 "allow.mount.nodevfs", 222 "allow.mount.nonullfs", 223 "allow.mount.nozfs", 224 "allow.mount.noprocfs", |
| 225 "allow.mount.notmpfs", |
|
| 224}; 225const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); 226 227#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME 228#define JAIL_DEFAULT_ENFORCE_STATFS 2 229#define JAIL_DEFAULT_DEVFS_RSNUM 0 230static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; 231static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; --- 3991 unchanged lines hidden (view full) --- 4223SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, 4224 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4225 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", 4226 "Processes in jail can mount the nullfs file system"); 4227SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, 4228 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4229 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", 4230 "Processes in jail can mount the procfs file system"); | 226}; 227const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); 228 229#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME 230#define JAIL_DEFAULT_ENFORCE_STATFS 2 231#define JAIL_DEFAULT_DEVFS_RSNUM 0 232static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; 233static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; --- 3991 unchanged lines hidden (view full) --- 4225SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, 4226 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4227 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", 4228 "Processes in jail can mount the nullfs file system"); 4229SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, 4230 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4231 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", 4232 "Processes in jail can mount the procfs file system"); |
| 4233SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed, 4234 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4235 NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I", 4236 "Processes in jail can mount the tmpfs file system"); |
|
| 4231SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, 4232 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4233 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", 4234 "Processes in jail can mount the zfs file system"); 4235 4236static int 4237sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) 4238{ --- 136 unchanged lines hidden (view full) --- 4375SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, 4376 "B", "Jail may mount/unmount jail-friendly file systems in general"); 4377SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, 4378 "B", "Jail may mount the devfs file system"); 4379SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, 4380 "B", "Jail may mount the nullfs file system"); 4381SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, 4382 "B", "Jail may mount the procfs file system"); | 4237SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, 4238 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4239 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", 4240 "Processes in jail can mount the zfs file system"); 4241 4242static int 4243sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) 4244{ --- 136 unchanged lines hidden (view full) --- 4381SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, 4382 "B", "Jail may mount/unmount jail-friendly file systems in general"); 4383SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, 4384 "B", "Jail may mount the devfs file system"); 4385SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, 4386 "B", "Jail may mount the nullfs file system"); 4387SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, 4388 "B", "Jail may mount the procfs file system"); |
| 4389SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW, 4390 "B", "Jail may mount the tmpfs file system"); |
|
| 4383SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, 4384 "B", "Jail may mount the zfs file system"); 4385 4386void 4387prison_racct_foreach(void (*callback)(struct racct *racct, 4388 void *arg2, void *arg3), void *arg2, void *arg3) 4389{ 4390 struct prison_racct *prr; --- 272 unchanged lines hidden --- | 4391SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, 4392 "B", "Jail may mount the zfs file system"); 4393 4394void 4395prison_racct_foreach(void (*callback)(struct racct *racct, 4396 void *arg2, void *arg3), void *arg2, void *arg3) 4397{ 4398 struct prison_racct *prr; --- 272 unchanged lines hidden --- |