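--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -1,29 +1,30 @@
 /*-
  * ----------------------------------------------------------------------------
  * "THE BEER-WARE LICENSE" (Revision 42):
  * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
  * can do whatever you want with this stuff. If we meet some day, and you think
  * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
  * ----------------------------------------------------------------------------
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 163606 2006-10-22 11:52:19Z rwatson $");
+__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 164032 2006-11-06 13:37:19Z rwatson $");
 
 #include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/kernel.h>
 #include <sys/systm.h>
 #include <sys/errno.h>
 #include <sys/sysproto.h>
 #include <sys/malloc.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/taskqueue.h>
 #include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/namei.h>
 #include <sys/mount.h>
 #include <sys/queue.h>
@@ -200,17 +201,17 @@
 	/*
 	 * XXX: Note that there is a slight race here if two threads
 	 * in the same privileged process attempt to attach to two
 	 * different jails at the same time. It is important for
 	 * user processes not to do this, or they might end up with
 	 * a process root from one prison, but attached to the jail
 	 * of another.
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_JAIL_ATTACH);
 	if (error)
 		return (error);
 
 	p = td->td_proc;
 	mtx_lock(&allprison_mtx);
 	pr = prison_find(uap->jid);
 	if (pr == NULL) {
 		mtx_unlock(&allprison_mtx);
@@ -518,16 +519,182 @@
 	if (*jpath == '\0') {
 		/* Should never happen. */
 		*sp->f_mntonname = '/';
 	} else {
 		strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname));
 	}
 }
 
+/*
+ * Check with permission for a specific privilege is granted within jail. We
+ * have a specific list of accepted privileges; the rest are denied.
+ */
+int
+prison_priv_check(struct ucred *cred, int priv)
+{
+
+	if (!jailed(cred))
+		return (0);
+
+	switch (priv) {
+
+	/*
+	 * Allow ktrace privileges for root in jail.
+	 */
+	case PRIV_KTRACE:
+
+	/*
+	 * Allow jailed processes to configure audit identity and
+	 * submit audit records (login, etc). In the future we may
+	 * want to further refine the relationship between audit and
+	 * jail.
+	 */
+	case PRIV_AUDIT_GETAUDIT:
+	case PRIV_AUDIT_SETAUDIT:
+	case PRIV_AUDIT_SUBMIT:
+
+	/*
+	 * Allow jailed processes to manipulate process UNIX
+	 * credentials in any way they see fit.
+	 */
+	case PRIV_CRED_SETUID:
+	case PRIV_CRED_SETEUID:
+	case PRIV_CRED_SETGID:
+	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETGROUPS:
+	case PRIV_CRED_SETREUID:
+	case PRIV_CRED_SETREGID:
+	case PRIV_CRED_SETRESUID:
+	case PRIV_CRED_SETRESGID:
+
+	/*
+	 * Jail implements visibility constraints already, so allow
+	 * jailed root to override uid/gid-based constraints.
+	 */
+	case PRIV_SEEOTHERGIDS:
+	case PRIV_SEEOTHERUIDS:
+
+	/*
+	 * Jail implements inter-process debugging limits already, so
+	 * allow jailed root various debugging privileges.
+	 */
+	case PRIV_DEBUG_DIFFCRED:
+	case PRIV_DEBUG_SUGID:
+	case PRIV_DEBUG_UNPRIV:
+
+	/*
+	 * Allow jail to set various resource limits and login
+	 * properties, and for now, exceed process resource limits.
+	 */
+	case PRIV_PROC_LIMIT:
+	case PRIV_PROC_SETLOGIN:
+	case PRIV_PROC_SETRLIMIT:
+
+	/*
+	 * System V and POSIX IPC privileges are granted in jail.
+	 */
+	case PRIV_IPC_READ:
+	case PRIV_IPC_WRITE:
+	case PRIV_IPC_EXEC:
+	case PRIV_IPC_ADMIN:
+	case PRIV_IPC_MSGSIZE:
+	case PRIV_MQ_ADMIN:
+
+	/*
+	 * Jail implements its own inter-process limits, so allow
+	 * root processes in jail to change scheduling on other
+	 * processes in the same jail. Likewise for signalling.
+	 */
+	case PRIV_SCHED_DIFFCRED:
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SIGNAL_SUGID:
+
+	/*
+	 * Allow jailed processes to write to sysctls marked as jail
+	 * writable.
+	 */
+	case PRIV_SYSCTL_WRITEJAIL:
+
+	/*
+	 * Allow root in jail to manage a variety of quota
+	 * properties. Some are a bit surprising and should be
+	 * reconsidered.
+	 */
+	case PRIV_UFS_GETQUOTA:
+	case PRIV_UFS_QUOTAOFF:		/* XXXRW: Slightly surprising. */
+	case PRIV_UFS_QUOTAON:		/* XXXRW: Slightly surprising. */
+	case PRIV_UFS_SETQUOTA:
+	case PRIV_UFS_SETUSE:		/* XXXRW: Slightly surprising. */
+
+	/*
+	 * Since Jail relies on chroot() to implement file system
+	 * protections, grant many VFS privileges to root in jail.
+	 * Be careful to exclude mount-related and NFS-related
+	 * privileges.
+	 */
+	case PRIV_VFS_READ:
+	case PRIV_VFS_WRITE:
+	case PRIV_VFS_ADMIN:
+	case PRIV_VFS_EXEC:
+	case PRIV_VFS_LOOKUP:
+	case PRIV_VFS_BLOCKRESERVE:	/* XXXRW: Slightly surprising. */
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_CHOWN:
+	case PRIV_VFS_CHROOT:
+	case PRIV_VFS_CLEARSUGID:
+	case PRIV_VFS_FCHROOT:
+	case PRIV_VFS_LINK:
+	case PRIV_VFS_SETGID:
+	case PRIV_VFS_STICKYFILE:
+		return (0);
+
+	/*
+	 * Depending on the global setting, allow privilege of
+	 * setting system flags.
+	 */
+	case PRIV_VFS_SYSFLAGS:
+		if (jail_chflags_allowed)
+			return (0);
+		else
+			return (EPERM);
+
+	/*
+	 * Allow jailed root to bind reserved ports.
+	 */
+	case PRIV_NETINET_RESERVEDPORT:
+		return (0);
+
+	/*
+	 * Conditionally allow creating raw sockets in jail.
+	 */
+	case PRIV_NETINET_RAW:
+		if (jail_allow_raw_sockets)
+			return (0);
+		else
+			return (EPERM);
+
+	/*
+	 * Since jail implements its own visibility limits on netstat
+	 * sysctls, allow getcred. This allows identd to work in
+	 * jail.
+	 */
+	case PRIV_NETINET_GETCRED:
+		return (0);
+
+	default:
+		/*
+		 * In all remaining cases, deny the privilege request. This
+		 * includes almost all network privileges, many system
+		 * configuration privileges.
+		 */
+		return (EPERM);
+	}
+}
+
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
 	struct xprison *xp, *sxp;
 	struct prison *pr;
 	int count, error;
 
 	if (jailed(req->td->td_ucred))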
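Review bot: The header comment on prison_priv_check (new lines 527-530) reads `Check with permission for a specific privilege is granted within jail`, which does not parse, and it never states the return convention the switch implements; I would replace that first sentence with `Check whether a specific privilege is granted within jail; returns 0 if so and EPERM otherwise.` Several allow-list entries carry only `XXXRW: Slightly surprising.` (PRIV_UFS_QUOTAOFF, PRIV_UFS_QUOTAON, PRIV_UFS_SETUSE, PRIV_VFS_BLOCKRESERVE) without saying what the grant lets jailed root do or why it is tolerated for now, so a short note per marker would keep this allow-list auditable when it is next revisited. The default branch denies, which is the right shape for an explicit allow-list, and the jail_attach hunk at line 209 now asks for PRIV_JAIL_ATTACH, which is absent from the list, so jailed callers should be refused there provided priv_check consults prison_priv_check for jailed credentials — priv_check's body is outside this diff, so that is worth confirming.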