sys/kern/kern_jail.c
Show First 20 Lines • Show All 193 Lines • ▼ Show 20 Lines | static char *pr_allow_names[] = { | ||||
"allow.mount.devfs", | "allow.mount.devfs", | ||||
"allow.mount.nullfs", | "allow.mount.nullfs", | ||||
"allow.mount.zfs", | "allow.mount.zfs", | ||||
"allow.mount.procfs", | "allow.mount.procfs", | ||||
"allow.mount.tmpfs", | "allow.mount.tmpfs", | ||||
"allow.mount.fdescfs", | "allow.mount.fdescfs", | ||||
"allow.mount.linprocfs", | "allow.mount.linprocfs", | ||||
"allow.mount.linsysfs", | "allow.mount.linsysfs", | ||||
"allow.reserved_ports", | |||||
}; | }; | ||||
const size_t pr_allow_names_size = sizeof(pr_allow_names); | const size_t pr_allow_names_size = sizeof(pr_allow_names); | ||||
static char *pr_allow_nonames[] = { | static char *pr_allow_nonames[] = { | ||||
"allow.noset_hostname", | "allow.noset_hostname", | ||||
"allow.nosysvipc", | "allow.nosysvipc", | ||||
"allow.noraw_sockets", | "allow.noraw_sockets", | ||||
"allow.nochflags", | "allow.nochflags", | ||||
"allow.nomount", | "allow.nomount", | ||||
"allow.noquotas", | "allow.noquotas", | ||||
"allow.nosocket_af", | "allow.nosocket_af", | ||||
"allow.mount.nodevfs", | "allow.mount.nodevfs", | ||||
"allow.mount.nonullfs", | "allow.mount.nonullfs", | ||||
"allow.mount.nozfs", | "allow.mount.nozfs", | ||||
"allow.mount.noprocfs", | "allow.mount.noprocfs", | ||||
"allow.mount.notmpfs", | "allow.mount.notmpfs", | ||||
"allow.mount.nofdescfs", | "allow.mount.nofdescfs", | ||||
"allow.mount.nolinprocfs", | "allow.mount.nolinprocfs", | ||||
"allow.mount.nolinsysfs", | "allow.mount.nolinsysfs", | ||||
"allow.noreserved_ports", | |||||
}; | }; | ||||
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); | const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); | ||||
#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | ||||
#define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
#define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | ||||
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | ||||
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | ||||
#if defined(INET) || defined(INET6) | #if defined(INET) || defined(INET6) | ||||
static unsigned jail_max_af_ips = 255; | static unsigned jail_max_af_ips = 255; | ||||
#endif | #endif | ||||
▲ Show 20 Lines • Show All 3,066 Lines • ▼ Show 20 Lines | #endif | ||||
case PRIV_VFS_MOUNT_OWNER: | case PRIV_VFS_MOUNT_OWNER: | ||||
if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | ||||
cred->cr_prison->pr_enforce_statfs < 2) | cred->cr_prison->pr_enforce_statfs < 2) | ||||
return (0); | return (0); | ||||
else | else | ||||
return (EPERM); | return (EPERM); | ||||
/* | /* | ||||
* Allow jailed root to bind reserved ports and reuse in-use | * Conditionally allow jailed root to bind reserved ports. | ||||
* ports. | |||||
*/ | */ | ||||
case PRIV_NETINET_RESERVEDPORT: | case PRIV_NETINET_RESERVEDPORT: | ||||
if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) | |||||
return (0); | |||||
else | |||||
smh: Personally I would remove the else, but this follows the existing file style. | |||||
allanjude: keeping this as-is, as it is the style in the rest of this switch block | |||||
return (EPERM); | |||||
/* | |||||
* Allow jailed root to reuse in-use ports. | |||||
*/ | |||||
case PRIV_NETINET_REUSEPORT: | case PRIV_NETINET_REUSEPORT: | ||||
return (0); | return (0); | ||||
/* | /* | ||||
* Allow jailed root to set certain IPv4/6 (option) headers. | * Allow jailed root to set certain IPv4/6 (option) headers. | ||||
*/ | */ | ||||
case PRIV_NETINET_SETHDROPTS: | case PRIV_NETINET_SETHDROPTS: | ||||
return (0); | return (0); | ||||
▲ Show 20 Lines • Show All 464 Lines • ▼ Show 20 Lines | |||||
SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may create raw sockets"); | "B", "Jail may create raw sockets"); | ||||
SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may alter system file flags"); | "B", "Jail may alter system file flags"); | ||||
SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may set file quotas"); | "B", "Jail may set file quotas"); | ||||
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | ||||
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | |||||
"B", "Jail may bind sockets to reserved ports"); | |||||
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount/unmount jail-friendly file systems in general"); | "B", "Jail may mount/unmount jail-friendly file systems in general"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount the devfs file system"); | "B", "Jail may mount the devfs file system"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount the fdescfs file system"); | "B", "Jail may mount the fdescfs file system"); | ||||
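Review bot: `JAIL_DEFAULT_ALLOW` now includes `PR_ALLOW_RESERVED_PORTS` without a comment explaining the choice, so the new `PRIV_NETINET_RESERVEDPORT` check is opt-out: as far as this page shows, a jail keeps binding reserved ports unless the flag is cleared with `allow.noreserved_ports`. That preserves the old behaviour, but it should be stated next to the define, e.g. `/* Reserved ports stay allowed by default for compatibility; set allow.noreserved_ports to confine a jail. */`. The new strings are appended last in `pr_allow_names[]` and `pr_allow_nonames[]`; if those tables are indexed by flag bit position (the lookup code and the `PR_ALLOW_RESERVED_PORTS` definition are outside the visible lines), the bit value has to match that slot, which is worth confirming against the header.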
Personally I would remove the else, but this follows the existing file style.