kern_jail.c (194118) | kern_jail.c (194251) |
1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2008 Bjoern A. Zeeb. 4 * Copyright (c) 2009 James Gritton. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions --- 13 unchanged lines hidden (view full) --- 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29#include <sys/cdefs.h> |
30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 194118 2009-06-13 15:39:12Z jamie $"); | 30__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 194251 2009-06-15 18:59:29Z jamie $"); |
31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 82 unchanged lines hidden (view full) --- 121 [0] = "persist", 122 "host", 123#ifdef INET 124 "ip4", 125#endif 126#ifdef INET6 127 [3] = "ip6", 128#endif | 31 32#include "opt_compat.h" 33#include "opt_ddb.h" 34#include "opt_inet.h" 35#include "opt_inet6.h" 36 37#include <sys/param.h> 38#include <sys/types.h> --- 82 unchanged lines hidden (view full) --- 121 [0] = "persist", 122 "host", 123#ifdef INET 124 "ip4", 125#endif 126#ifdef INET6 127 [3] = "ip6", 128#endif |
129#ifdef VIMAGE 130 [4] = "vnet", 131#endif |
|
129}; 130 131static char *pr_flag_nonames[] = { 132 [0] = "nopersist", 133 "nohost", 134#ifdef INET 135 "noip4", 136#endif 137#ifdef INET6 138 [3] = "noip6", 139#endif | 132}; 133 134static char *pr_flag_nonames[] = { 135 [0] = "nopersist", 136 "nohost", 137#ifdef INET 138 "noip4", 139#endif 140#ifdef INET6 141 [3] = "noip6", 142#endif |
143#ifdef VIMAGE 144 [4] = "novnet", 145#endif |
|
140}; 141 142static char *pr_allow_names[] = { 143 "allow.set_hostname", 144 "allow.sysvipc", 145 "allow.raw_sockets", 146 "allow.chflags", 147 "allow.mount", --- 408 unchanged lines hidden (view full) --- 556 } 557 ch_flags |= pr_flags; 558 if ((flags & (JAIL_CREATE | JAIL_UPDATE | JAIL_ATTACH)) == JAIL_CREATE 559 && !(pr_flags & PR_PERSIST)) { 560 error = EINVAL; 561 vfs_opterror(opts, "new jail must persist or attach"); 562 goto done_errmsg; 563 } | 146}; 147 148static char *pr_allow_names[] = { 149 "allow.set_hostname", 150 "allow.sysvipc", 151 "allow.raw_sockets", 152 "allow.chflags", 153 "allow.mount", --- 408 unchanged lines hidden (view full) --- 562 } 563 ch_flags |= pr_flags; 564 if ((flags & (JAIL_CREATE | JAIL_UPDATE | JAIL_ATTACH)) == JAIL_CREATE 565 && !(pr_flags & PR_PERSIST)) { 566 error = EINVAL; 567 vfs_opterror(opts, "new jail must persist or attach"); 568 goto done_errmsg; 569 } |
570#ifdef VIMAGE 571 if ((flags & JAIL_UPDATE) && (ch_flags & PR_VNET)) { 572 error = EINVAL; 573 vfs_opterror(opts, "vnet cannot be changed after creation"); 574 goto done_errmsg; 575 } 576#endif |
|
564 565 pr_allow = ch_allow = 0; 566 for (fi = 0; fi < sizeof(pr_allow_names) / sizeof(pr_allow_names[0]); 567 fi++) { 568 vfs_flagopt(opts, pr_allow_names[fi], &pr_allow, 1 << fi); 569 vfs_flagopt(opts, pr_allow_nonames[fi], &ch_allow, 1 << fi); 570 } 571 ch_allow |= pr_allow; --- 536 unchanged lines hidden (view full) --- 1108#endif 1109 pr->pr_securelevel = ppr->pr_securelevel; 1110 pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; 1111 pr->pr_enforce_statfs = ppr->pr_enforce_statfs; 1112 1113 LIST_INIT(&pr->pr_children); 1114 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK); 1115 | 577 578 pr_allow = ch_allow = 0; 579 for (fi = 0; fi < sizeof(pr_allow_names) / sizeof(pr_allow_names[0]); 580 fi++) { 581 vfs_flagopt(opts, pr_allow_names[fi], &pr_allow, 1 << fi); 582 vfs_flagopt(opts, pr_allow_nonames[fi], &ch_allow, 1 << fi); 583 } 584 ch_allow |= pr_allow; --- 536 unchanged lines hidden (view full) --- 1121#endif 1122 pr->pr_securelevel = ppr->pr_securelevel; 1123 pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; 1124 pr->pr_enforce_statfs = ppr->pr_enforce_statfs; 1125 1126 LIST_INIT(&pr->pr_children); 1127 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK); 1128 |
1129#ifdef VIMAGE 1130 /* Allocate a new vnet if specified. */ 1131 pr->pr_vnet = (pr_flags & PR_VNET) 1132 ? vnet_alloc() : ppr->pr_vnet; 1133#endif |
|
1116 /* 1117 * Allocate a dedicated cpuset for each jail. 1118 * Unlike other initial settings, this may return an erorr. 1119 */ 1120 error = cpuset_create_root(ppr, &pr->pr_cpuset); 1121 if (error) { 1122 prison_deref(pr, PD_LIST_XLOCKED); 1123 goto done_releroot; --- 1281 unchanged lines hidden (view full) --- 2405 2406 TAILQ_REMOVE(&allprison, pr, pr_list); 2407 LIST_REMOVE(pr, pr_sibling); 2408 ppr = pr->pr_parent; 2409 for (tpr = ppr; tpr != NULL; tpr = tpr->pr_parent) 2410 tpr->pr_prisoncount--; 2411 sx_downgrade(&allprison_lock); 2412 | 1134 /* 1135 * Allocate a dedicated cpuset for each jail. 1136 * Unlike other initial settings, this may return an erorr. 1137 */ 1138 error = cpuset_create_root(ppr, &pr->pr_cpuset); 1139 if (error) { 1140 prison_deref(pr, PD_LIST_XLOCKED); 1141 goto done_releroot; --- 1281 unchanged lines hidden (view full) --- 2423 2424 TAILQ_REMOVE(&allprison, pr, pr_list); 2425 LIST_REMOVE(pr, pr_sibling); 2426 ppr = pr->pr_parent; 2427 for (tpr = ppr; tpr != NULL; tpr = tpr->pr_parent) 2428 tpr->pr_prisoncount--; 2429 sx_downgrade(&allprison_lock); 2430 |
2431#ifdef VIMAGE 2432 if (pr->pr_flags & PR_VNET) 2433 vnet_destroy(pr->pr_vnet); 2434#endif |
|
2413 if (pr->pr_root != NULL) { 2414 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 2415 vrele(pr->pr_root); 2416 VFS_UNLOCK_GIANT(vfslocked); 2417 } 2418 mtx_destroy(&pr->pr_mtx); 2419#ifdef INET 2420 free(pr->pr_ip4, M_PRISON); --- 1423 unchanged lines hidden (view full) --- 3844SYSCTL_JAIL_PARAM_STRING(, name, CTLFLAG_RW, MAXHOSTNAMELEN, "Jail name"); 3845SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path"); 3846SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT | CTLFLAG_RW, 3847 "I", "Jail secure level"); 3848SYSCTL_JAIL_PARAM(, enforce_statfs, CTLTYPE_INT | CTLFLAG_RW, 3849 "I", "Jail cannot see all mounted file systems"); 3850SYSCTL_JAIL_PARAM(, persist, CTLTYPE_INT | CTLFLAG_RW, 3851 "B", "Jail persistence"); | 2435 if (pr->pr_root != NULL) { 2436 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 2437 vrele(pr->pr_root); 2438 VFS_UNLOCK_GIANT(vfslocked); 2439 } 2440 mtx_destroy(&pr->pr_mtx); 2441#ifdef INET 2442 free(pr->pr_ip4, M_PRISON); --- 1423 unchanged lines hidden (view full) --- 3866SYSCTL_JAIL_PARAM_STRING(, name, CTLFLAG_RW, MAXHOSTNAMELEN, "Jail name"); 3867SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path"); 3868SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT | CTLFLAG_RW, 3869 "I", "Jail secure level"); 3870SYSCTL_JAIL_PARAM(, enforce_statfs, CTLTYPE_INT | CTLFLAG_RW, 3871 "I", "Jail cannot see all mounted file systems"); 3872SYSCTL_JAIL_PARAM(, persist, CTLTYPE_INT | CTLFLAG_RW, 3873 "B", "Jail persistence"); |
3874#ifdef VIMAGE 3875SYSCTL_JAIL_PARAM(, vnet, CTLTYPE_INT | CTLFLAG_RDTUN, 3876 "B", "Virtual network stack"); 3877#endif |
|
3852SYSCTL_JAIL_PARAM(, dying, CTLTYPE_INT | CTLFLAG_RD, 3853 "B", "Jail is in the process of shutting down"); 3854 3855SYSCTL_JAIL_PARAM_NODE(host, "Jail host info"); 3856SYSCTL_JAIL_PARAM(, nohost, CTLTYPE_INT | CTLFLAG_RW, 3857 "BN", "Jail w/ no host info"); 3858SYSCTL_JAIL_PARAM_STRING(_host, hostname, CTLFLAG_RW, MAXHOSTNAMELEN, 3859 "Jail hostname"); --- 58 unchanged lines hidden (view full) --- 3918 db_printf(" jid = %d\n", pr->pr_id); 3919 db_printf(" name = %s\n", pr->pr_name); 3920 db_printf(" parent = %p\n", pr->pr_parent); 3921 db_printf(" ref = %d\n", pr->pr_ref); 3922 db_printf(" uref = %d\n", pr->pr_uref); 3923 db_printf(" path = %s\n", pr->pr_path); 3924 db_printf(" cpuset = %d\n", pr->pr_cpuset 3925 ? pr->pr_cpuset->cs_id : -1); | 3878SYSCTL_JAIL_PARAM(, dying, CTLTYPE_INT | CTLFLAG_RD, 3879 "B", "Jail is in the process of shutting down"); 3880 3881SYSCTL_JAIL_PARAM_NODE(host, "Jail host info"); 3882SYSCTL_JAIL_PARAM(, nohost, CTLTYPE_INT | CTLFLAG_RW, 3883 "BN", "Jail w/ no host info"); 3884SYSCTL_JAIL_PARAM_STRING(_host, hostname, CTLFLAG_RW, MAXHOSTNAMELEN, 3885 "Jail hostname"); --- 58 unchanged lines hidden (view full) --- 3944 db_printf(" jid = %d\n", pr->pr_id); 3945 db_printf(" name = %s\n", pr->pr_name); 3946 db_printf(" parent = %p\n", pr->pr_parent); 3947 db_printf(" ref = %d\n", pr->pr_ref); 3948 db_printf(" uref = %d\n", pr->pr_uref); 3949 db_printf(" path = %s\n", pr->pr_path); 3950 db_printf(" cpuset = %d\n", pr->pr_cpuset 3951 ? pr->pr_cpuset->cs_id : -1); |
3952#ifdef VIMAGE 3953 db_printf(" vnet = %p\n", pr->pr_vnet); 3954#endif |
|
3926 db_printf(" root = %p\n", pr->pr_root); 3927 db_printf(" securelevel = %d\n", pr->pr_securelevel); 3928 db_printf(" child = %p\n", LIST_FIRST(&pr->pr_children)); 3929 db_printf(" sibling = %p\n", LIST_NEXT(pr, pr_sibling)); 3930 db_printf(" flags = %x", pr->pr_flags); 3931 for (fi = 0; fi < sizeof(pr_flag_names) / sizeof(pr_flag_names[0]); 3932 fi++) 3933 if (pr_flag_names[fi] != NULL && (pr->pr_flags & (1 << fi))) --- 68 unchanged lines hidden --- | 3955 db_printf(" root = %p\n", pr->pr_root); 3956 db_printf(" securelevel = %d\n", pr->pr_securelevel); 3957 db_printf(" child = %p\n", LIST_FIRST(&pr->pr_children)); 3958 db_printf(" sibling = %p\n", LIST_NEXT(pr, pr_sibling)); 3959 db_printf(" flags = %x", pr->pr_flags); 3960 for (fi = 0; fi < sizeof(pr_flag_names) / sizeof(pr_flag_names[0]); 3961 fi++) 3962 if (pr_flag_names[fi] != NULL && (pr->pr_flags & (1 << fi))) --- 68 unchanged lines hidden --- |
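Review bot: The vnet created in the prison-setup hunk (`pr->pr_vnet = (pr_flags & PR_VNET) ? vnet_alloc() : ppr->pr_vnet;`) is only torn down by prison_deref when `pr->pr_flags & PR_VNET` is set, yet the lines directly below the allocation call `prison_deref(pr, PD_LIST_XLOCKED)` when cpuset_create_root() fails, and nothing visible in the hunk has copied PR_VNET into `pr->pr_flags` by then. If the flags are merged into the prison only later, that failure path leaks the freshly allocated vnet; either record the flag at the point of allocation (if nothing later overwrites it) or destroy the vnet explicitly on the `done_releroot` path. It is also not visible here whether vnet_alloc() can return NULL; if it can, the assignment needs a check before the pointer is stored in the prison. Both the creating function and prison_deref continue outside the shown hunks, so the flag-assignment order should be confirmed against the full file.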