aboutsummaryrefslogblamecommitdiff
path: root/sys/kern/kern_jail.c
blob: 65201eb12951a8a3d7a62a16b75b73381663824b (plain) (tree)
1
2
3
4
5
6
7
8
   

                                                

                                        
                                    
                       
  



















                                                                             
   
 


                      


                      
 






                         
                    
                     
                     
                          
                      
                     
                       

                      
                      
                     
                         
                   
                       
                      
                      
                      
                       
                            
                       
                     
                      
 
                   

                     
                       
 

                    
                
 

                                       
                                                                      
                                          
 
                                                       
                                                                                
 














                                                                           







                                                        
                            
                                   
                                           
                                                                     
             
                                                          
     
                                                  
      
                                              


                                                             


                                
                              






                                 
                                                                              
                          

                                                                 
                                          
                     
 
                                                 
                                                                
                                                        
                                                       

                                                                     

                                                                 

                                                   
                                                   

                                                   
 
                            




                                                                      
 
  


                                                                              
   

                                             
           
                                                            

            
                                                            
      
  
                                                      
 

                                                 
             
                             
      
           
                                          

            
                                          
      
  
                                                            
 




                                                                  
                                                       






                                                                              
                                                         

                                                          
                                                                           

                                                                            
                                                         
  
                                                   
                                                        
 

                                                                    

                                                                  
                                         
                                         
                                                        
                                                                     
                                                               
                                   
                                      

      






                                                                              

                             



                                                                               

























                                                                                     

 





                          
                                                  
 

                         
                      
 


                                                              
 


                          
                                  
 

                                                


                                                                       


                                         
                                                                           

                      
 
               
                  

                                                                        
                   


                                      
                                                         


                                                                   





                                                            
                                   


   
                                            
 
                                                          






                               

                                           
                              
           
                      





                               
                                  











                                                               
                                        
                                                                  
                                                        



                                                                           


















                                                                          
     

                                

            


                                                    
     

                                
      


                                                  
           
                                                            


            
                                                  
     



























                                                                  
                                 


                                                                      


                                             
                 
                                 










                                                                              


                                             
                 
         











                                                                           
         

                         

                                                                     


                                                                   

 







                            
                                                          

















                                                               
 
                            
           
                            



                             

                                
                                                              
                           
                                                                       
                                

                                  
                                   
                            
                 
      
                          
                                           
                                                              
                                          
                                                                 
                                  
                                             
                                   
                   

           
                           

            
                           
      
                                                        
                               
                        






                                                         
                                       
                                                            
                               

                                   

          



                                                                           
          


                                                                           
           


                                             





                   
                      
 






                                                                            













                                                                          








                                                                           
                                                                               





                                              
                               

                               
 







                                                                          
                                




                                                                   
         
                             



                                                                          





                                       
                                            


                                               
                                                 

                                  
                                             






                                       
                                                    
         





                                                                              






                                                                            













                                                                           
 
                                
                                

                                                          


                                                                   


                             





















                                                                        

                                    









                                                        



































                                                                            
                       
                                                  
















                                                                                


                                                         
                         




                                             
                


                                        

                                                     
                                               

                                                                              
                         
                                                                              




                                                                            


                                                                                

                                     

                                                                      



















                                                                               

                         
         
      
 
            

                                                         
                         




                                             
                


                                        

                                                     
                                               

                                                                              
                         
                                                                              

                                                            

                                                                      











                                                                               

                         
         
      
 








                                                                               











                                                                          
                                                            
                                       



                                             

























                                                                          
















                                                                     
                                                                    



                                       

                                            


                                                                             
                                 
                                      
                        
                                                  




                                           

                                       
                                 
         
 
          
                                                           
                                                              
           
                  
                   
                     





                                                                          
                                  
                                  
                       


                                                           
                                        
                 






                                                                        
                                                            
                                                   
                                                             







                                                                   
                                 
                                            

                                                         



                                                                              


                                                                            
                                                
                         
                                                        




                                                                                


                                                                             
                                                         
                                                            


                                                                              
                                                        










                                                                             
                                                                             

                                 
                        



                                                                             
                                                









                                                                            
                      
                           



                                            




                                                                           
                                         

                                                                              


                                                                           
                                                        

                                 
                                               




                                                                           
                                                        
                                 







                                                                          
                                                         
                                              
                         
                                 
                 

                                        
                                                                             
            

                                                        
                                                
                                                                               
                                                               


                                                                             



                                                                        
                                                                 
                                                                             
                                                              
                                                 


                                                                            
                                                                       

                                                               
                                                                         


                                                                                
                                                                
                                         




                                                                     





                                                                          
                                                                      



                                                                            
                                                             



                                                                          
                                                        






                                                                           
                                                






                                                               
                                
         
 
                                                                              

                             



                                                                            
                                                
                         
                                       
                                           

                                                 

                                                                   
                                        
                 
                                 











                                                                           



                                                                     


                                                        
                 





                                                                               



                                                                
                                                                   

                                    

                                                                    
                                             
 
                                                                                

                                    

                                   
                                             

                                   

                                                                        




                                          
           
                                                      
                                                                     










                                                                               

            
                                                      
                                                                     










                                                                               

                 
      


                                                                       

                                                                  
                                                                    
                                                         
 

                                                                         

                                                                    
                    

                                                           
 




                                                       
                  

                                                                           
                   
                                                                

                                        
 
                                      
                                     
                  
                                                                             
                                                                    
                                                
                   
                



                                                                        
                                
                                    





                                                                              
                                        

                 




                                                                         
                                        






                                                                         
                                        

                 
         
 
                                                              


                                                   
                                        

                 


                                                   
                                        

                 


                                                       
                                        

                 


                                            
                   
                                                 
                                       
                                        

                  
                                                                     



                                                                        
                                                
                              


                                                            
           
                       
                                             










                                                                            
                                                










                                                                           
                                                      
                                 

                                                         
                                                        
                                 

                         





                                                                      
             
                                                                          

                                                     

                                
      

                                                               
             
                                                                         
      
                                                                
                                            








                                                             

                                                                             


                                                                    
                                                        



                                 
      
            
                       
                                             









                                                                     
                                                










                                                                                
                                                      
                                 

                                                         
                                                        
                                 

                         
                                                         
             
                                                                          

                                                     

                                
      

                                                               
             
                                                                         
      
                                                                
                                            








                                                             

                                                                             


                                                                    
                                                        

                                 
                 
         
      
                               
                             



                                                                             

                                                                             

                                                                              
                                       

                                                                             
                                        
                 
                  

                                                                          
                   



                                                                            
                                             
                                        




                                                                          
                                                


                         

                                                    
                              
                                
         
 





                                                                              
                              
                                                         

                                
                              
                             





                                                                               
                                        


                 

                                               
                     





                                           
                                                                    





                                                      




                                                             


            
                     





                                           
                                                                    





                                                      




                                                             
         
      
                        
                                            




                                                                    







                                                                               






                                                                  



                                                                  
                                                    
         
                             
                                    
                                                                          

                                                                           
                                                  






                                                                              
                           
                                                              
                                                                
                                   
                            
         







                                                                              





                                                                                




                                                                              
                                                                                
                                   

                                                           
                                 
                                                                                






                                                                    


                                                                      
                                                   


                                                                        
                                                 


                                                                      




                                                             
                                                             

                                                       





                                                                               
                                   

                                                                              

                                                       
                        
                                                      
                                             


                                                             
                                   
                                
                              
 
            
                                    


                                        









                                                                      





                                                      
















                                                                      





                                                      










                                                            

                                            
                                                                 
                   

                                                                  
                                                                        
                                        



                                                       

                                                                        
                                
         
 



                                                             
                                            
                            



                                                                            
                                                            
                                        


                 
            
                                       
                                                
                                                    
                                                    
                 
                                        




                                     





                                                                       

                                              
                                             

                                                       


                                                                           
                 
         
 







                                                              
                         
                            

                    
                                                                

                                                                
                                                                            







                                                                         








                            

                                     


                           
 
  



























                                                                             

                                                                         


































                                                                               






                            
                                                          





                                                          
                                









                                                         


   
                                                               
 

                                  
                                 


                                
                                                                     
                   
 

                                   
 

                                             
                  
                               
                                                    
                                       
                  
 



                                                                   
                                  


                                                                
                                                                          
                                                      

                                                                              



                                                        

                                             
                                          
                 

                                                            
                          
                                   
                          



                                                            
                                                          
                                         
                                                     

                                                            


                                                                              
                                                  




                                                                     
                                  

                                   
                          




                                                               
                                  
                 
                                                  
                                 
                                             
                                                                            


                                                                          
                                          




                                                                  
                          
                                   
                          


                                                
                  


                                               
                        
                            


                                                                       
                          


                                                               
                          
                                                                 
                                          
                          
                                                                    

                                          
                          
                                                                 
                                          
                          



                                                             
                          




                                                             
                          



                                                                    
                          


                                                                    
                          


                                                                  
                          
                                                                    
                                          
                          
                                                                        
                                          
                          
                                                                    
                                          
                          
                       
                                                  







                                                                               
                          

                                                                          
                                          
                          


                                                                      
                          




                                                                  
                                                  
                                  
                       
                                                                    
                                                  
                                  
         





                                                                    
                                       
                                                                   
                                                  
                                  
         
                                

                                                          


                                                                  
                                                  
                                  
                       
                                                                    
                                                  
                                  
         
                                

                                                         
                          


                                                           
                          

                                                                
                                          
                          

                                                                 
                          


                                        
                              
                                                       
                  



                                  





                                                                               
                                  
                 
         




















                                                                          
         
 





                                                              
                                       
                                                                











                                                                          
         


                           
 





                            
                                                                
 

                                            
 
                                                 
                  
                               
 
                                  
                                                                  
                         
                                            
                                

         
                                                                             
                        




                                                             
                                                  
                                          
                                                 


























                                                                           


                                                         
 





                                                                            
                                                              
                                        
                                              
                                     
                                            
         
 

                                                                         

                                                                             
           
                                               
                                                                              
                                                    
                                          
                       

         
                                
                                    
                                                  



                                                                               
                                   


                                                          
                                                 


                                  
                                                                  
                                  


  


                            

   
                                                                
 
                          
                  
 
                                                 

                               
 







                                                                                
                                                                  
                         
                                            

                                
 

                                                                             



                                            








                                                    
                  








                                                                    

                                       
                                






                                                                         
                                    
 


                                                            
                        

                                                            
                                  
 
                                                      


                                                       
                                                                        

                              
                                
                                                        
                                  
 
                          
                     
                                         
                                
                                  
                    

                                                      





                                            
      
                                                               
                        










                                                                         
                   
 
          
                                

                                                                          
                                  
                                                                           
                                                                 


                       


                                                        
               



                          
                                              
                                                

                                              
                                               
                                            



                                                                        
                                                
                              
                 

                                     



                      
  











                                                                                
                                               








                                                                        

               
                                                       

                                   

                     

                                              
                                                                   

                      

                                                         
                                              


                                               
                                            


                                                
                                                                        

                                          
                                              







                                                    



                                                                           




                                              






                                                  
                                                         


  









                                                                      

                                            




                              

                                                                  
 




                                                                        





                                                                    
   
    
                                     
 
                    
 
                                          



                                                       
                                
                      
                  
                                                                  

                                                
                                                                  
         

 



                              









                                                                       



                               
  









                                                                      

                                                                   
 
                          
                                                                                


                                       










                                                                     





                                                                       
                                                                               
                                                          





                                                                             
                                              
                                                                  
         


  

                                                             


                                           
                                    
 
                                  
                              





                                                                              
                                                        

                                                                
 
 
  





                                                                     



                                          

                                     
                              
 
                                

                                      



                                                                       
                  
                                        
                                                                

                                                                                
                                                                  
                                     


                                                                    

                                     
                                       
                                                               

                                                                               
                                                                
                 

                                                                  







                                                                             
                                                                           





                                                                  


                                                                        
                                                                
                                                

                 

                              
 




                                                               
                                                  

                                                      
                                         
 

                                                      

                                                                            
                                             










                                                                        
                                            
 




                                                                          
             

                                                            
      


                                            
           
                                            
      
            
                                            
      


                                                   
            
                                 
                                                 
      
                                    
         

 
  































                                                                            







                                                                           
                          



                                                              
                             
             
                                                                   
                                   
                           
      
 




                     






                                                                          



                      






                                                                          





                      
                                                         





                                             


                                                                            


                                                                              

   
                                                        
 
           
                                      

            
                                        
      
                  
 


                                                              




                                   

                              


                     
                                                     
                                                               
                      


                      
                                                       
                                                                 
                      

                
                                                                      
                                             
         
                       
 




                                                           
                                                      

 









                                                                             
 


                                                                     



                   
                                                                            
                                                               




                                 
                                                             
                               
                                                              
                               

                                                      











                                                                             
                                                             




                               

















                                                                        
                                                                             
   
    
                                                           
 
                          
 



                                                                    

                                                         
                                            
                                
 
 




                                                             
                                                           







                                                           
                                                         











                                                        








                                                       


















                                                             
  




                                                                     

   
                                                        
 


                          
 
                             

                                       

                                       
                                       




























                                                                              
                             

                                       
                                                































                                                                            
         

 






                                                                             

                          
 




                                                                         
                             




                                                                            


                           

























                                                                             
                                 



                                  
                                












                                 
                               



                                             

                                      


                  







































                                                           


















                                                              
                       




                                                            
     








                                                                            
      










































                                                                             




                              






                                                                     




                                                                         
                               










                                                                            

                                                                       
                   

                               










                                                                          



                                                                         
                                  


                              
                           
                                 






                                                                             






                                                                      
                                                                 










                                                                      
                                  



                                                                               
                    


                                      

                  







                                                                               










                                                                         
                                                                          

                                       







                                                                        
                                    


                           
                                                                            




                                     


                                                                    
                                                                     











                                                                             





                                                       
                  
                                                                          






                                                                     









                                                                            

















































                                                                             


                        
                                                                             

             


                                     
                           
                                




                                   
                                    

                     
                           
 
                                                   
                                          
                  
                                  

                                                     
       

                                       
           



                                                         



                                                                              

                                                                   
                 

            



                                                         



                                                                               

                                                                    
                 
      
                                           
                                                 


                                       
                                                 
                                       
                                                  
                                                              
                                                                                
                                                                            
                                                                                
           
                                           

            
                                           
      
                                         


                                                         
           




                                                                  


                 




                                                                   

                 
         
                                    






                          
                       

 


                                                          










                                                         
 


                                                       
 

















                                                             
                                              
 
                                   
                                                                  
                        
                                                                                      


      


                                                                            



                                              
                     

                                                                      






                                                          


                                                    
                                  
                               









                                                                    



                                                           
                                              
                                                                
                                                              
                                                              
                                              
                                                                  
                                                                                         
                                                      
                                              
                                                           
                                                                      
                                                        
                                              
                                                               
                                                       
                                                      
                                              
                                                           
                                                                  
                                                    
                                              
                                                         
                                                                                   









                                                                              
                                  
                               
                             



                                                     

                                                                             
                                   

                                                                          
                                                    

                                                                       
                                   
                                                             
 




                                                                          
                                                                            























                                                                
                                                                        








                                                                              



                                                                              





                                                                              
                                                                
                                                  
                                                                  
                                                  

                                                             

                                                            

                                                      

                                                      
                                          
      


                                                    





                                                           
                                                               

                                                                     





                                                                       




                                                                                

                                              

                                                                        


                                                                      

            

                                              

                                                                         


                                                                      










                                                                 

                                                           

                                                                         

                                                            

                                                                   

                                                                

                                                                            

                                                          
 


                                                                               

  


                                                                           
   


                                                                                
 
                              

                                                  


                               
                         
 






                                                                              
                                           
                         


          

                                                                          


                                  

                                                          

                                                        
                                              




                                    
                                                                     
                                                                       
                                          



                                                 
                                                     


                              

                                                                        

                                                                         
                                       

                                    


                                                    

                                  







                                                                            

                                    



                                                                      


                                                                       
                                                                    


                                                                      
                                                    


                                                                        



                                                                            
                                           
                                                                                




                                                                                
                                      
         
                          




                                     























                                                                           
 
 
            

                                                          

                                                                   
 
                                 
 

                               
                                  

                        

                                                       

                         

                                    
 




                                          
                               





























                                                                      

                               









                                             

                               


                                             



                                                  
                               








                                                   


                                           
 
                               

                                                
                                                             


                                  
                                      


                                    




                                      
                               

                                               





                                                           






                                                                      
           

                           
      

                                    

                               


                                  


                                                                      
                       
         










                                                                      
           






                                                     
                                                 

                             
      





                                         


                                      
 
                               

                                                

                                        




                                               
          


                                 
 

                                  

                                   
      
                   


                                     


                                      
 


                                                          
                                                            




                                                          


                                                          

                                                                 
                                                                 

                                                                

                                                                           
                                                           









                                                                               

                                 
                                                           
                                

                                                          


                                                   
                        
                                                                    


                                                                
                                                             
           


                                                          
                                                                        
                                                         

            


                                                          
                                                                        








                                                          










                                                                         

                       
         
 



                                                                        
                                                      
                                                                
                                      








                                                                        
                           
 
 
                
/*-
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 *
 * Copyright (c) 1999 Poul-Henning Kamp.
 * Copyright (c) 2008 Bjoern A. Zeeb.
 * Copyright (c) 2009 James Gritton.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_ddb.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/sysproto.h>
#include <sys/malloc.h>
#include <sys/osd.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/taskqueue.h>
#include <sys/fcntl.h>
#include <sys/jail.h>
#include <sys/linker.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/racct.h>
#include <sys/rctl.h>
#include <sys/refcount.h>
#include <sys/sx.h>
#include <sys/sysent.h>
#include <sys/namei.h>
#include <sys/mount.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>
#include <sys/uuid.h>
#include <sys/vnode.h>

#include <net/if.h>
#include <net/vnet.h>

#include <netinet/in.h>

#ifdef DDB
#include <ddb/ddb.h>
#endif /* DDB */

#include <security/mac/mac_framework.h>

/* Initial pr_hostuuid of prison0: the all-zero ("nil") UUID. */
#define	DEFAULT_HOSTUUID	"00000000-0000-0000-0000-000000000000"
/*
 * Name associated with prison0's hostuuid.  NOTE(review): not referenced in
 * this part of the file; see its use further down for the exact semantics.
 */
#define	PRISON0_HOSTUUID_MODULE	"hostuuid"

/* Allocation tags: prison structures (exported) and the file-local racct bookkeeping. */
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
static MALLOC_DEFINE(M_PRISON_RACCT, "prison_racct", "Prison racct structures");

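/*
 * Keep struct prison prison0 and some code in kern_jail_set() readable.
 *
 * _PR_IP_SADDRSEL expands to the source-address-selection PR_* bits for the
 * address families compiled into this kernel (0 if neither INET nor INET6).
 * The two-bit form is parenthesized so the macro stays a single operand when
 * it is combined with operators that bind tighter than '|' (e.g. '&' or '~');
 * the single-identifier and literal forms need no parentheses.
 */
#ifdef INET
#ifdef INET6
#define	_PR_IP_SADDRSEL	(PR_IP4_SADDRSEL|PR_IP6_SADDRSEL)
#else
#define	_PR_IP_SADDRSEL	PR_IP4_SADDRSEL
#endif
#else /* !INET */
#ifdef INET6
#define	_PR_IP_SADDRSEL	PR_IP6_SADDRSEL
#else
#define	_PR_IP_SADDRSEL	0
#endif
#endif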

/*
 * prison0 describes what is "real" about the system: the unjailed host
 * environment.  It is statically initialized here rather than allocated at
 * run time, and its mutex is set up by the MTX_SYSINIT below.
 */
struct prison prison0 = {
	.pr_id		= 0,			/* jail id 0 is the host */
	.pr_name	= "0",
	.pr_ref		= 1,			/* initial reference; presumably held forever so prison0 is never freed -- confirm in prison_deref() */
	.pr_uref	= 1,
	.pr_path	= "/",			/* the real root */
	.pr_securelevel	= -1,			/* -1 is the lowest securelevel */
	.pr_devfs_rsnum = 0,
	.pr_childmax	= JAIL_MAX,		/* child-jail limit set to the maximum */
	.pr_hostuuid	= DEFAULT_HOSTUUID,	/* nil UUID until a real one is set */
	.pr_children	= LIST_HEAD_INITIALIZER(prison0.pr_children),
#ifdef VIMAGE
	/* Host owns its hostname, its own vnet, and IP source-address selection. */
	.pr_flags	= PR_HOST|PR_VNET|_PR_IP_SADDRSEL,
#else
	.pr_flags	= PR_HOST|_PR_IP_SADDRSEL,
#endif
	/*
	 * The host gets every statically-defined allow.* permission (the name
	 * suggests dynamically registered pr_flag_allow entries are not
	 * included -- confirm against where PR_ALLOW_ALL_STATIC is defined).
	 */
	.pr_allow	= PR_ALLOW_ALL_STATIC,
};
/* Initialize prison0's pr_mtx during boot (SYSINIT); "jail mutex" is the lock's name. */
MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);

/*
 * One boolean jail parameter: the spelling that sets a PR_* bit, the "no"
 * spelling that corresponds to it, and the bit itself.  Used for the
 * pr_flag_bool and pr_flag_allow tables below.
 */
struct bool_flags {
	const char	*name;		/* parameter name, e.g. "persist" */
	const char	*noname;	/* negated parameter name, e.g. "nopersist" */
	volatile u_int	 flag;		/* PR_* bit(s); volatile because pr_flag_allow entries may be read without a lock (see that table's comment) */
};
/*
 * One "jailsys"-style parameter (host, vnet, ip4, ip6): the parameter name
 * plus the PR_* bits associated with its "disable" and "new" settings.  The
 * exact meaning of the two bit fields is presumably decided in
 * kern_jail_set() -- confirm there; see pr_flag_jailsys for the values.
 */
struct jailsys_flags {
	const char	*name;		/* parameter name, e.g. "host" */
	unsigned	 disable;	/* PR_* bits tied to the parameter's "disable" value (0 where none) */
	unsigned	 new;		/* PR_* bits tied to the parameter's "new" value */
};

/*
 * allprison, allprison_racct and lastprid are protected by allprison_lock.
 * allprison_lock is an sx lock, so it can be held shared or exclusive; callers
 * of prison_deref() report which they already hold via PD_LIST_SLOCKED /
 * PD_LIST_XLOCKED.
 */
struct	sx allprison_lock;			/* initialized at boot by the SX_SYSINIT below */
SX_SYSINIT(allprison_lock, &allprison_lock, "allprison");
struct	prisonlist allprison = TAILQ_HEAD_INITIALIZER(allprison);	/* list of prisons */
LIST_HEAD(, prison_racct) allprison_racct;	/* list of prison_racct records */
int	lastprid = 0;				/* presumably the most recently assigned prison id; see get_next_prid() */

/*
 * Forward declarations for file-local helpers defined later in this
 * translation unit.  The racct helpers exist only in RACCT kernels.
 */
static int get_next_prid(struct prison **insprp);
static int do_jail_attach(struct thread *td, struct prison *pr);
static void prison_complete(void *context, int pending);
static void prison_deref(struct prison *pr, int flags);	/* flags: PD_* bits below */
static void prison_set_allow_locked(struct prison *pr, unsigned flag,
    int enable);
static char *prison_path(struct prison *pr1, struct prison *pr2);
static void prison_remove_one(struct prison *pr);
#ifdef RACCT
static void prison_racct_attach(struct prison *pr);
static void prison_racct_modify(struct prison *pr);
static void prison_racct_detach(struct prison *pr);
#endif

/*
 * Flags for prison_deref (OR-able bits passed in its "flags" argument).
 * PD_DEREF/PD_DEUREF say which reference counts to drop; PD_LOCKED and the
 * PD_LIST_* bits tell the callee which locks the caller already holds, so
 * they must match the caller's actual lock state.
 */
#define	PD_DEREF	0x01	/* Decrement pr_ref */
#define	PD_DEUREF	0x02	/* Decrement pr_uref */
#define	PD_LOCKED	0x04	/* pr_mtx is held */
#define	PD_LIST_SLOCKED	0x08	/* allprison_lock is held shared */
#define	PD_LIST_XLOCKED	0x10	/* allprison_lock is held exclusive */

/*
 * Parameter names corresponding to PR_* flag values.  Size values are for kvm
 * as we cannot figure out the size of a sparse array, or an array without a
 * terminating entry.
 *
 * Each entry pairs the "set" spelling and the "no" spelling of a boolean jail
 * parameter with the PR_* bit it controls.  The ip4/ip6 entries are present
 * only when the corresponding protocol is compiled in, so the array length is
 * a build-time property -- hence the exported size below.
 */
static struct bool_flags pr_flag_bool[] = {
	{"persist", "nopersist", PR_PERSIST},
#ifdef INET
	{"ip4.saddrsel", "ip4.nosaddrsel", PR_IP4_SADDRSEL},
#endif
#ifdef INET6
	{"ip6.saddrsel", "ip6.nosaddrsel", PR_IP6_SADDRSEL},
#endif
};
/* Size in bytes (not entry count) of pr_flag_bool, exported for kvm. */
const size_t pr_flag_bool_size = sizeof(pr_flag_bool);

/*
 * "jailsys"-style parameters and the PR_* bits tied to their "disable" and
 * "new" settings.  host and vnet have no disable bits; ip4 and ip6 use the
 * same PR_IPx_USER bit for both.  Entries are conditional on the kernel's
 * VIMAGE/INET/INET6 configuration, so the size is exported for kvm as with
 * pr_flag_bool.
 */
static struct jailsys_flags pr_flag_jailsys[] = {
	{"host", 0, PR_HOST},
#ifdef VIMAGE
	{"vnet", 0, PR_VNET},
#endif
#ifdef INET
	{"ip4", PR_IP4_USER, PR_IP4_USER},
#endif
#ifdef INET6
	{"ip6", PR_IP6_USER, PR_IP6_USER},
#endif
};
/* Size in bytes (not entry count) of pr_flag_jailsys, exported for kvm. */
const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys);

/*
 * Make this array full-size so dynamic parameters can be added.
 * It is protected by prison0.mtx, but lockless reading is allowed
 * with an atomic check of the flag values.
 */
static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
	{"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME},
	{"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC},
	{"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS},
	{"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS},
	{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT},
	{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
	{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
	{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
	{"allow.reserved_ports", "allow.noreserved_ports",
	 PR_ALLOW_RESERVED_PORTS},
	{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF},
	{"allow.unprivileged_proc_debug"