kern_jail.c (232186) | kern_jail.c (232278) |
---|---|
1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> |
30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 232186 2012-02-26 16:30:39Z mm $"); | 30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 232278 2012-02-29 00:30:18Z mm $"); |
31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 160 unchanged lines hidden (view full) --- 199 "allow.raw_sockets", 200 "allow.chflags", 201 "allow.mount", 202 "allow.quotas", 203 "allow.socket_af", 204 "allow.mount.devfs", 205 "allow.mount.nullfs", 206 "allow.mount.zfs", | 31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 160 unchanged lines hidden (view full) --- 199 "allow.raw_sockets", 200 "allow.chflags", 201 "allow.mount", 202 "allow.quotas", 203 "allow.socket_af", 204 "allow.mount.devfs", 205 "allow.mount.nullfs", 206 "allow.mount.zfs", |
207 "allow.mount.procfs", |
|
207}; 208const size_t pr_allow_names_size = sizeof(pr_allow_names); 209 210static char *pr_allow_nonames[] = { 211 "allow.noset_hostname", 212 "allow.nosysvipc", 213 "allow.noraw_sockets", 214 "allow.nochflags", 215 "allow.nomount", 216 "allow.noquotas", 217 "allow.nosocket_af", 218 "allow.mount.nodevfs", 219 "allow.mount.nonullfs", 220 "allow.mount.nozfs", | 208}; 209const size_t pr_allow_names_size = sizeof(pr_allow_names); 210 211static char *pr_allow_nonames[] = { 212 "allow.noset_hostname", 213 "allow.nosysvipc", 214 "allow.noraw_sockets", 215 "allow.nochflags", 216 "allow.nomount", 217 "allow.noquotas", 218 "allow.nosocket_af", 219 "allow.mount.nodevfs", 220 "allow.mount.nonullfs", 221 "allow.mount.nozfs", |
222 "allow.mount.noprocfs", |
|
221}; 222const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); 223 224#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME 225#define JAIL_DEFAULT_ENFORCE_STATFS 2 226#define JAIL_DEFAULT_DEVFS_RSNUM 0 227static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; 228static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; --- 3972 unchanged lines hidden (view full) --- 4201SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed, 4202 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4203 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", 4204 "Processes in jail can mount the devfs file system"); 4205SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, 4206 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4207 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", 4208 "Processes in jail can mount the nullfs file system"); | 223}; 224const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); 225 226#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME 227#define JAIL_DEFAULT_ENFORCE_STATFS 2 228#define JAIL_DEFAULT_DEVFS_RSNUM 0 229static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; 230static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; --- 3972 unchanged lines hidden (view full) --- 4203SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed, 4204 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4205 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I", 4206 "Processes in jail can mount the devfs file system"); 4207SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed, 4208 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4209 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I", 4210 "Processes in jail can mount the nullfs file system"); |
4211SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed, 4212 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4213 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", 4214 "Processes in jail can mount the procfs file system"); |
|
4209SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, 4210 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4211 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", 4212 "Processes in jail can mount the zfs file system"); 4213 4214static int 4215sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) 4216{ --- 134 unchanged lines hidden (view full) --- 4351 4352SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); 4353SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, 4354 "B", "Jail may mount/unmount jail-friendly file systems in general"); 4355SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, 4356 "B", "Jail may mount the devfs file system"); 4357SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, 4358 "B", "Jail may mount the nullfs file system"); | 4215SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, 4216 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, 4217 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", 4218 "Processes in jail can mount the zfs file system"); 4219 4220static int 4221sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) 4222{ --- 134 unchanged lines hidden (view full) --- 4357 4358SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); 4359SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, 4360 "B", "Jail may mount/unmount jail-friendly file systems in general"); 4361SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, 4362 "B", "Jail may mount the devfs file system"); 4363SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, 4364 "B", "Jail may mount the nullfs file system"); |
4365SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, 4366 "B", "Jail may mount the procfs file system"); |
|
4359SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, 4360 "B", "Jail may mount the zfs file system"); 4361 4362void 4363prison_racct_foreach(void (*callback)(struct racct *racct, 4364 void *arg2, void *arg3), void *arg2, void *arg3) 4365{ 4366 struct prison_racct *prr; --- 211 unchanged lines hidden --- | 4367SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, 4368 "B", "Jail may mount the zfs file system"); 4369 4370void 4371prison_racct_foreach(void (*callback)(struct racct *racct, 4372 void *arg2, void *arg3), void *arg2, void *arg3) 4373{ 4374 struct prison_racct *prr; --- 211 unchanged lines hidden --- |