diff options
| author | Jamie Gritton <jamie@FreeBSD.org> | 2009-07-25 14:48:57 +0000 |
|---|---|---|
| committer | Jamie Gritton <jamie@FreeBSD.org> | 2009-07-25 14:48:57 +0000 |
| commit | 7cbf72137fadbb75662d02cabe4c7a0b1d51ab6d (patch) | |
| tree | e2f5557445f7151dc18cefe88f9b884b83f55993 /sys/sys/jail.h | |
| parent | ea665f1079ef7d4116306aa20461f332baac98d9 (diff) | |
| download | src-7cbf72137fadbb75662d02cabe4c7a0b1d51ab6d.tar.gz src-7cbf72137fadbb75662d02cabe4c7a0b1d51ab6d.zip | |
Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.
Approved by: re (kib), bz (mentor)
Discussed with: rwatson
Notes
Notes:
svn path=/head/; revision=195870
Diffstat (limited to 'sys/sys/jail.h')
| -rw-r--r-- | sys/sys/jail.h | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 117e13401a27..d7457bfd4272 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -100,6 +100,10 @@ struct xprison { #define JAIL_SET_MASK 0x0f #define JAIL_GET_MASK 0x08 +#define JAIL_SYS_DISABLE 0 +#define JAIL_SYS_NEW 1 +#define JAIL_SYS_INHERIT 2 + #ifndef _KERNEL struct iovec; @@ -182,16 +186,18 @@ struct prison { /* Flag bits set via options */ #define PR_PERSIST 0x00000001 /* Can exist without processes */ #define PR_HOST 0x00000002 /* Virtualize hostname et al */ -#define PR_IP4_USER 0x00000004 /* Virtualize IPv4 addresses */ -#define PR_IP6_USER 0x00000008 /* Virtualize IPv6 addresses */ +#define PR_IP4_USER 0x00000004 /* Restrict IPv4 addresses */ +#define PR_IP6_USER 0x00000008 /* Restrict IPv6 addresses */ #define PR_VNET 0x00000010 /* Virtual network stack */ +#define PR_IP4_DISABLE 0x00000020 /* Disable IPv4 */ +#define PR_IP6_DISABLE 0x00000040 /* Disable IPv6 */ /* Internal flag bits */ #define PR_REMOVE 0x01000000 /* In process of being removed */ -#define PR_IP4 0x02000000 /* IPv4 virtualized by this jail or */ - /* an ancestor */ -#define PR_IP6 0x04000000 /* IPv6 virtualized by this jail or */ - /* an ancestor */ +#define PR_IP4 0x02000000 /* IPv4 restricted or disabled */ + /* by this jail or an ancestor */ +#define PR_IP6 0x04000000 /* IPv6 restricted or disabled */ + /* by this jail or an ancestor */ /* Flags for pr_allow */ #define PR_ALLOW_SET_HOSTNAME 0x0001 @@ -315,7 +321,11 @@ SYSCTL_DECL(_security_jail_param); CTLTYPE_STRUCT | CTLFLAG_MPSAFE | (access), NULL, len, \ sysctl_jail_param, fmt, descr) #define SYSCTL_JAIL_PARAM_NODE(module, descr) \ - SYSCTL_NODE(_security_jail_param, OID_AUTO, module, CTLFLAG_RW, 0, descr) + SYSCTL_NODE(_security_jail_param, OID_AUTO, module, 0, 0, descr) +#define SYSCTL_JAIL_PARAM_SYS_NODE(module, access, descr) \ + SYSCTL_JAIL_PARAM_NODE(module, descr); \ + SYSCTL_JAIL_PARAM(_##module, , CTLTYPE_INT | (access), "E,jailsys", \ + descr) /* * Kernel support functions for jail(). |