1/*-
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
--- 13 unchanged lines hidden (view full) ---
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <sys/cdefs.h>
30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 232278 2012-02-29 00:30:18Z mm $");
31
32#include "opt_compat.h"
33#include "opt_ddb.h"
34#include "opt_inet.h"
35#include "opt_inet6.h"
36
37#include <sys/param.h>
38#include <sys/types.h>
--- 160 unchanged lines hidden (view full) ---
199 "allow.raw_sockets",
200 "allow.chflags",
201 "allow.mount",
202 "allow.quotas",
203 "allow.socket_af",
204 "allow.mount.devfs",
205 "allow.mount.nullfs",
206 "allow.mount.zfs",
207 "allow.mount.procfs",
208};
209const size_t pr_allow_names_size = sizeof(pr_allow_names);
210
211static char *pr_allow_nonames[] = {
212 "allow.noset_hostname",
213 "allow.nosysvipc",
214 "allow.noraw_sockets",
215 "allow.nochflags",
216 "allow.nomount",
217 "allow.noquotas",
218 "allow.nosocket_af",
219 "allow.mount.nodevfs",
220 "allow.mount.nonullfs",
221 "allow.mount.nozfs",
222 "allow.mount.noprocfs",
223};
224const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
225
226#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
227#define JAIL_DEFAULT_ENFORCE_STATFS 2
228#define JAIL_DEFAULT_DEVFS_RSNUM 0
229static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
230static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
--- 3972 unchanged lines hidden (view full) ---
4203SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
4204 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4205 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
4206 "Processes in jail can mount the devfs file system");
4207SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
4208 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4209 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
4210 "Processes in jail can mount the nullfs file system");
4211SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
4212 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4213 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
4214 "Processes in jail can mount the procfs file system");
4215SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
4216 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4217 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
4218 "Processes in jail can mount the zfs file system");
4219
4220static int
4221sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
4222{
--- 134 unchanged lines hidden (view full) ---
4357
4358SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
4359SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
4360 "B", "Jail may mount/unmount jail-friendly file systems in general");
4361SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
4362 "B", "Jail may mount the devfs file system");
4363SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
4364 "B", "Jail may mount the nullfs file system");
4365SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
4366 "B", "Jail may mount the procfs file system");
4367SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
4368 "B", "Jail may mount the zfs file system");
4369
4370void
4371prison_racct_foreach(void (*callback)(struct racct *racct,
4372 void *arg2, void *arg3), void *arg2, void *arg3)
4373{
4374 struct prison_racct *prr;
--- 211 unchanged lines hidden ---
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
--- 13 unchanged lines hidden (view full) ---
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <sys/cdefs.h>
30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 232278 2012-02-29 00:30:18Z mm $");
31
32#include "opt_compat.h"
33#include "opt_ddb.h"
34#include "opt_inet.h"
35#include "opt_inet6.h"
36
37#include <sys/param.h>
38#include <sys/types.h>
--- 160 unchanged lines hidden (view full) ---
199 "allow.raw_sockets",
200 "allow.chflags",
201 "allow.mount",
202 "allow.quotas",
203 "allow.socket_af",
204 "allow.mount.devfs",
205 "allow.mount.nullfs",
206 "allow.mount.zfs",
207 "allow.mount.procfs",
208};
209const size_t pr_allow_names_size = sizeof(pr_allow_names);
210
211static char *pr_allow_nonames[] = {
212 "allow.noset_hostname",
213 "allow.nosysvipc",
214 "allow.noraw_sockets",
215 "allow.nochflags",
216 "allow.nomount",
217 "allow.noquotas",
218 "allow.nosocket_af",
219 "allow.mount.nodevfs",
220 "allow.mount.nonullfs",
221 "allow.mount.nozfs",
222 "allow.mount.noprocfs",
223};
224const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
225
226#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
227#define JAIL_DEFAULT_ENFORCE_STATFS 2
228#define JAIL_DEFAULT_DEVFS_RSNUM 0
229static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
230static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
--- 3972 unchanged lines hidden (view full) ---
4203SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
4204 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4205 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
4206 "Processes in jail can mount the devfs file system");
4207SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
4208 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4209 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
4210 "Processes in jail can mount the nullfs file system");
4211SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
4212 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4213 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
4214 "Processes in jail can mount the procfs file system");
4215SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
4216 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
4217 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
4218 "Processes in jail can mount the zfs file system");
4219
4220static int
4221sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
4222{
--- 134 unchanged lines hidden (view full) ---
4357
4358SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
4359SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
4360 "B", "Jail may mount/unmount jail-friendly file systems in general");
4361SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
4362 "B", "Jail may mount the devfs file system");
4363SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
4364 "B", "Jail may mount the nullfs file system");
4365SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
4366 "B", "Jail may mount the procfs file system");
4367SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
4368 "B", "Jail may mount the zfs file system");
4369
4370void
4371prison_racct_foreach(void (*callback)(struct racct *racct,
4372 void *arg2, void *arg3), void *arg2, void *arg3)
4373{
4374 struct prison_racct *prr;
--- 211 unchanged lines hidden ---