/*-
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*
* $FreeBSD$
*
*/
#ifndef _SYS_JAIL_H_
#define _SYS_JAIL_H_
#ifdef _KERNEL
/*
 * Original (version 0) jail(2) argument layout.  Kernel-only; presumably
 * retained so the kernel can still decode callers built against the old
 * ABI — confirm in kern_jail().  Note the single IPv4 field: later
 * revisions (struct jail below) carry address arrays instead.
 */
struct jail_v0 {
	u_int32_t version;		/* layout revision supplied by the caller */
	char *path;			/* userspace pointer to the chroot path */
	char *hostname;			/* userspace pointer to the hostname */
	u_int32_t ip_number;		/* single 32-bit IPv4 value; byte order not
					   visible here — check the consumer */
};
#endif
/*
 * Argument block for jail(2) / kern_jail() (prototype below).  `version`
 * identifies the layout; JAIL_API_VERSION (defined below) is the revision
 * this header describes.  The ip4/ip6 arrays are sized by ip4s/ip6s, the
 * same pairing used by pr_ip4s/pr_ip4 in struct prison.
 *
 * NOTE(review): every pointer and count in here originates in userspace.
 * The kernel side must bound ip4s/ip6s before sizing copies or
 * allocations; that check is not visible in this header — confirm in
 * kern_jail().
 */
struct jail {
	uint32_t version;		/* layout revision, see JAIL_API_VERSION */
	char *path;			/* presumably becomes pr_path — confirm */
	char *hostname;			/* presumably becomes pr_host — confirm */
	char *jailname;			/* presumably becomes pr_name — confirm */
	uint32_t ip4s;			/* number of entries in ip4 */
	uint32_t ip6s;			/* number of entries in ip6 */
	struct in_addr *ip4;		/* IPv4 addresses, ip4s entries */
	struct in6_addr *ip6;		/* IPv6 addresses, ip6s entries */
};
/* Revision of struct jail described by this header (compare with jail.version). */
#define JAIL_API_VERSION 2
/*
* For all xprison structs, always keep the pr_version an int and
* the first variable so userspace can easily distinguish them.
*/
#ifndef _KERNEL
/*
 * Version 1 of the exported prison record.  Userspace-only; presumably kept
 * so tools can decode records from kernels that still emit this layout —
 * confirm against the sysctl producer.  pr_version stays an int and the
 * first member, as required by the note above.
 */
struct xprison_v1 {
	int pr_version;			/* record layout revision; always first */
	int pr_id;			/* prison id */
	char pr_path[MAXPATHLEN];	/* chroot path */
	char pr_host[MAXHOSTNAMELEN];	/* jail hostname */
	u_int32_t pr_ip;		/* single 32-bit IPv4 value */
};
#endif
/*
 * Current exported prison record (XPRISON_VERSION below).  The fixed part
 * is followed in memory by pr_ip4s IPv4 addresses and then pr_ip6s IPv6
 * addresses, as described in the disabled block at the end.
 *
 * NOTE(review): a reader must check that pr_ip4s/pr_ip6s fit within the
 * record it actually received before walking the trailing arrays; nothing
 * in this header enforces that.
 */
struct xprison {
	int pr_version;			/* record layout revision; always first */
	int pr_id;			/* prison id */
	int pr_state;			/* one of PRISON_STATE_* (table below) */
	cpusetid_t pr_cpusetid;		/* id of the prison's cpuset */
	char pr_path[MAXPATHLEN];	/* chroot path */
	char pr_host[MAXHOSTNAMELEN];	/* jail hostname */
	char pr_name[MAXHOSTNAMELEN];	/* admin jail name; sized like pr_host */
	uint32_t pr_ip4s;		/* number of IPv4 addresses that follow */
	uint32_t pr_ip6s;		/* number of IPv6 addresses that follow */
#if 0
	/*
	 * sizeof(xprison) will be malloced + size needed for all
	 * IPv4 and IPv6 addresses.  Offsets are based on the numbers of
	 * addresses.  (Left disabled: C allows only one flexible array
	 * member, so the two arrays are located by arithmetic instead.)
	 */
	struct in_addr pr_ip4[];
	struct in6_addr pr_ip6[];
#endif
};
/* Revision of struct xprison described by this header (compare with pr_version). */
#define XPRISON_VERSION 3
/*
 * Table mapping pr_state values to printable names.  The PRISON_STATE_*
 * macros are defined inline with their table rows so the constants and
 * the names cannot drift apart.  Being `static const` in a header, every
 * translation unit that includes this file gets its own copy of the table.
 */
static const struct prison_state {
	int pr_state;			/* numeric state, as stored in pr_state */
	const char * state_name;	/* human-readable name */
} prison_states[] = {
#define PRISON_STATE_INVALID 0
	{ PRISON_STATE_INVALID, "INVALID" },
#define PRISON_STATE_ALIVE 1
	{ PRISON_STATE_ALIVE, "ALIVE" },
#define PRISON_STATE_DYING 2
	{ PRISON_STATE_DYING, "DYING" },
};
#ifndef _KERNEL
/* Userspace entry points; semantics are documented in jail(2) and jail_attach(2). */
int jail(struct jail *);		/* takes the struct jail layout above */
int jail_attach(int);			/* takes a prison id */
#else /* _KERNEL */
#include <sys/queue.h>
#include <sys/_lock.h>
#include <sys/_mutex.h>
#include <sys/_task.h>
/* Largest prison id; presumably enforced when ids are assigned — confirm in kern_jail(). */
#define JAIL_MAX 999999
/* malloc(9) type tag for prison allocations, declared only once the malloc machinery is visible. */
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_PRISON);
#endif
#endif /* _KERNEL */
#if defined(_KERNEL) || defined(_WANT_PRISON)
#include <sys/osd.h>
struct cpuset;				/* opaque here; only referenced via pr_cpuset below */
/*
* This structure describes a prison. It is pointed to by the struct ucred
* of every inmate. pr_ref keeps track of them and is used to delete the
* structure when the last inmate is dead.
*
* Lock key:
* (a) allprison_lock
* (p) locked by pr_mtx
* (c) set only during creation before the structure is shared, no mutex
* required to read
* (d) set only during destruction of jail, no mutex needed
*/
struct prison {
	LIST_ENTRY(prison) pr_list; /* (a) all prisons */
	int pr_id; /* (c) prison id */
	int pr_ref; /* (p) refcount */
	int pr_state; /* (p) prison state, one of PRISON_STATE_* */
	int pr_nprocs; /* (p) process count */
	char pr_path[MAXPATHLEN]; /* (c) chroot path */
	struct cpuset *pr_cpuset; /* (p) cpuset */
	struct vnode *pr_root; /* (c) vnode to rdir */
	char pr_host[MAXHOSTNAMELEN]; /* (p) jail hostname */
	char pr_name[MAXHOSTNAMELEN]; /* (c) admin jail name */
	void *pr_linux; /* (p) linux abi; opaque here */
	int pr_securelevel; /* (p) securelevel */
	struct task pr_task; /* (d) destroy task */
	struct mtx pr_mtx; /* protects the (p) fields, see lock key above */
	struct osd pr_osd; /* (p) additional data */
	int pr_ip4s; /* (c) number of v4 IPs */
	struct in_addr *pr_ip4; /* (c) v4 IPs of jail, pr_ip4s entries */
	int pr_ip6s; /* (c) number of v6 IPs */
	struct in6_addr *pr_ip6; /* (c) v6 IPs of jail, pr_ip6s entries */
};
#endif /* _KERNEL || _WANT_PRISON */
#ifdef _KERNEL
/*
* Sysctl-set variables that determine global jail policy
*
* XXX MIB entries will need to be protected by a mutex.
*/
extern int jail_set_hostname_allowed;
extern int jail_socket_unixiproute_only;
extern int jail_sysvipc_allowed;
extern int jail_getfsstat_jailrootonly;
extern int jail_allow_raw_sockets;
extern int jail_chflags_allowed;
/* Global list of prisons; "(a)" in the struct prison lock key refers to allprison_lock. */
LIST_HEAD(prisonlist, prison);
extern struct prisonlist allprison;
extern struct sx allprison_lock;
/*
* Kernel support functions for jail().
*/
/* Forward declarations: these types are only used through pointers below. */
struct ucred;
struct mount;
struct sockaddr;
struct statfs;
struct thread;
/* Kernel-side implementation of jail(2); consumes the struct jail layout above. */
int kern_jail(struct thread *, struct jail *);
int jailed(struct ucred *cred);
void getcredhostname(struct ucred *cred, char *, size_t);
int prison_check(struct ucred *cred1, struct ucred *cred2);
int prison_canseemount(struct ucred *cred, struct mount *mp);
void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
struct statfs *sp);
struct prison *prison_find(int prid);
/*
 * Reference management.  The _locked variants presumably expect pr_mtx to
 * be held by the caller, the plain ones take it themselves — confirm in
 * kern_jail.c before relying on either.
 */
void prison_free(struct prison *pr);
void prison_free_locked(struct prison *pr);
void prison_hold(struct prison *pr);
void prison_hold_locked(struct prison *pr);
void prison_proc_hold(struct prison *);
void prison_proc_free(struct prison *);
/* Address checks against the prison's pr_ip4 set; `ia` is both input and, where applicable, output — confirm per function. */
int prison_get_ip4(struct ucred *cred, struct in_addr *ia);
int prison_local_ip4(struct ucred *cred, struct in_addr *ia);
int prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
int prison_check_ip4(struct ucred *cred, struct in_addr *ia);
/* IPv6 counterparts; only compiled when the kernel is built with INET6. */
#ifdef INET6
int prison_get_ip6(struct ucred *, struct in6_addr *);
int prison_local_ip6(struct ucred *, struct in6_addr *, int);
int prison_remote_ip6(struct ucred *, struct in6_addr *);
int prison_check_ip6(struct ucred *, struct in6_addr *);
#endif
int prison_check_af(struct ucred *cred, int af);
int prison_if(struct ucred *cred, struct sockaddr *sa);
/* Per-privilege policy hook; `priv` is a priv(9) identifier. */
int prison_priv_check(struct ucred *cred, int priv);
#endif /* _KERNEL */
#endif /* !_SYS_JAIL_H_ */