Page MenuHomeFreeBSD
Differential D14681 Diff 42156 head/sys/kern/kern_jail.c

Changeset View

Standalone View

View Options

head/sys/kern/kern_jail.c

Show First 20 LinesShow All 105 Lines▼ Show 20 Linesstruct prison prison0 = {
.pr_childmax = JAIL_MAX, .pr_childmax = JAIL_MAX,
.pr_hostuuid = DEFAULT_HOSTUUID, .pr_hostuuid = DEFAULT_HOSTUUID,
.pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children), .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children),
#ifdef VIMAGE #ifdef VIMAGE
.pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL, .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL,
#else #else
.pr_flags = PR_HOST|_PR_IP_SADDRSEL, .pr_flags = PR_HOST|_PR_IP_SADDRSEL,
#endif #endif
.pr_allow = PR_ALLOW_ALL, .pr_allow = PR_ALLOW_ALL_STATIC,
}; };
MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF); MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);
struct bool_flags { struct bool_flags {
const char *name; const char *name;
const char *noname; const char *noname;
unsigned flag; unsigned flag;
}; };
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Lines#ifdef INET
{"ip4", PR_IP4_USER, PR_IP4_USER}, {"ip4", PR_IP4_USER, PR_IP4_USER},
#endif #endif
#ifdef INET6 #ifdef INET6
{"ip6", PR_IP6_USER, PR_IP6_USER}, {"ip6", PR_IP6_USER, PR_IP6_USER},
#endif #endif
}; };
const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys); const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys);
static struct bool_flags pr_flag_allow[] = { /* Make this array full-size so dynamic parameters can be added. */
static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME}, {"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME},
{"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, {"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC},
{"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, {"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS},
{"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, {"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS},
{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT},
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
{"allow.mount.devfs", "allow.mount.nodevfs", PR_ALLOW_MOUNT_DEVFS},
{"allow.mount.nullfs", "allow.mount.nonullfs", PR_ALLOW_MOUNT_NULLFS},
{"allow.mount.zfs", "allow.mount.nozfs", PR_ALLOW_MOUNT_ZFS},
{"allow.mount.procfs", "allow.mount.noprocfs", PR_ALLOW_MOUNT_PROCFS},
{"allow.mount.tmpfs", "allow.mount.notmpfs", PR_ALLOW_MOUNT_TMPFS},
{"allow.mount.fdescfs", "allow.mount.nofdescfs",
PR_ALLOW_MOUNT_FDESCFS},
{"allow.mount.linprocfs", "allow.mount.nolinprocfs",
PR_ALLOW_MOUNT_LINPROCFS},
{"allow.mount.linsysfs", "allow.mount.nolinsysfs",
PR_ALLOW_MOUNT_LINSYSFS},
{"allow.reserved_ports", "allow.noreserved_ports", {"allow.reserved_ports", "allow.noreserved_ports",
PR_ALLOW_RESERVED_PORTS}, PR_ALLOW_RESERVED_PORTS},
}; };
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
#define JAIL_DEFAULT_ENFORCE_STATFS 2 #define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0 #define JAIL_DEFAULT_DEVFS_RSNUM 0
▲ Show 20 LinesShow All 102 Lines▼ Show 20 Lines#endif
opt.uio_resid = -1; opt.uio_resid = -1;
opt.uio_segflg = UIO_SYSSPACE; opt.uio_segflg = UIO_SYSSPACE;
opt.uio_rw = UIO_READ; opt.uio_rw = UIO_READ;
opt.uio_td = td; opt.uio_td = td;
/* Set permissions for top-level jails from sysctls. */ /* Set permissions for top-level jails from sysctls. */
if (!jailed(td->td_ucred)) { if (!jailed(td->td_ucred)) {
for (bf = pr_flag_allow; for (bf = pr_flag_allow;
bf < pr_flag_allow + nitems(pr_flag_allow); bf < pr_flag_allow + nitems(pr_flag_allow) &&
bf->flag != 0;
bf++) { bf++) {
optiov[opt.uio_iovcnt].iov_base = __DECONST(char *, optiov[opt.uio_iovcnt].iov_base = __DECONST(char *,
(jail_default_allow & bf->flag) (jail_default_allow & bf->flag)
? bf->name : bf->noname); ? bf->name : bf->noname);
optiov[opt.uio_iovcnt].iov_len = optiov[opt.uio_iovcnt].iov_len =
strlen(optiov[opt.uio_iovcnt].iov_base) + 1; strlen(optiov[opt.uio_iovcnt].iov_base) + 1;
opt.uio_iovcnt += 2; opt.uio_iovcnt += 2;
} }
▲ Show 20 LinesShow All 319 Lines▼ Show 20 Lines if ((flags & JAIL_UPDATE) && (ch_flags & PR_IP6_USER)) {
error = EINVAL; error = EINVAL;
vfs_opterror(opts, "ip6 cannot be changed after creation"); vfs_opterror(opts, "ip6 cannot be changed after creation");
goto done_errmsg; goto done_errmsg;
} }
#endif #endif
pr_allow = ch_allow = 0; pr_allow = ch_allow = 0;
for (bf = pr_flag_allow; for (bf = pr_flag_allow;
bf < pr_flag_allow + nitems(pr_flag_allow); bf < pr_flag_allow + nitems(pr_flag_allow) && bf->flag != 0;
bf++) { bf++) {
vfs_flagopt(opts, bf->name, &pr_allow, bf->flag); vfs_flagopt(opts, bf->name, &pr_allow, bf->flag);
vfs_flagopt(opts, bf->noname, &ch_allow, bf->flag); vfs_flagopt(opts, bf->noname, &ch_allow, bf->flag);
} }
ch_allow |= pr_allow; ch_allow |= pr_allow;
error = vfs_getopt(opts, "name", (void **)&name, &len); error = vfs_getopt(opts, "name", (void **)&name, &len);
if (error == ENOENT) if (error == ENOENT)
▲ Show 20 LinesShow All 1,444 Lines▼ Show 20 Lines for (jsf = pr_flag_jailsys;
i = (f != 0 && f == jsf->disable) ? JAIL_SYS_DISABLE i = (f != 0 && f == jsf->disable) ? JAIL_SYS_DISABLE
: (f == jsf->new) ? JAIL_SYS_NEW : (f == jsf->new) ? JAIL_SYS_NEW
: JAIL_SYS_INHERIT; : JAIL_SYS_INHERIT;
error = vfs_setopt(opts, jsf->name, &i, sizeof(i)); error = vfs_setopt(opts, jsf->name, &i, sizeof(i));
if (error != 0 && error != ENOENT) if (error != 0 && error != ENOENT)
goto done_deref; goto done_deref;
} }
for (bf = pr_flag_allow; for (bf = pr_flag_allow;
bf < pr_flag_allow + nitems(pr_flag_allow); bf < pr_flag_allow + nitems(pr_flag_allow) && bf->flag != 0;
bf++) { bf++) {
i = (pr->pr_allow & bf->flag) ? 1 : 0; i = (pr->pr_allow & bf->flag) ? 1 : 0;
error = vfs_setopt(opts, bf->name, &i, sizeof(i)); error = vfs_setopt(opts, bf->name, &i, sizeof(i));
if (error != 0 && error != ENOENT) if (error != 0 && error != ENOENT)
goto done_deref; goto done_deref;
i = !i; i = !i;
error = vfs_setopt(opts, bf->noname, &i, sizeof(i)); error = vfs_setopt(opts, bf->noname, &i, sizeof(i));
if (error != 0 && error != ENOENT) if (error != 0 && error != ENOENT)
▲ Show 20 LinesShow All 1,483 Lines▼ Show 20 Lines
SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed, SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I", NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
"Processes in jail can alter system file flags (deprecated)"); "Processes in jail can alter system file flags (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed, SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
"Processes in jail can mount/unmount jail-friendly file systems (deprecated)"); "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the devfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the fdescfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the nullfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the procfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the linprocfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the linsysfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the tmpfs file system (deprecated)");
SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
"Processes in jail can mount the zfs file system (deprecated)");
static int static int
sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
{ {
struct prison *pr; struct prison *pr;
int level, error; int level, error;
pr = req->td->td_ucred->cr_prison; pr = req->td->td_ucred->cr_prison;
▲ Show 20 LinesShow All 136 Lines▼ Show 20 Lines
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may bind sockets to reserved ports"); "B", "Jail may bind sockets to reserved ports");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general"); "B", "Jail may mount/unmount jail-friendly file systems in general");
SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the devfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the fdescfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the nullfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the procfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the linprocfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the linsysfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the tmpfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the zfs file system");
/*
* The VFS system will register jail-aware filesystems here. They each get
* a parameter allow.mount.xxxfs and a flag to check when a jailed user
* attempts to mount.
*/
void
prison_add_vfs(struct vfsconf *vfsp)
{
char *allow_name, *allow_noname, *mount_allowed;
struct bool_flags *bf;
#ifndef NO_SYSCTL_DESCR
char *descr;
#endif
unsigned allow_flag;
if (asprintf(&allow_name, M_PRISON, "allow.mount.%s", vfsp->vfc_name) <
0 || asprintf(&allow_noname, M_PRISON, "allow.mount.no%s",
vfsp->vfc_name) < 0) {
free(allow_name, M_PRISON);
return;
}
/*
* See if this parameter has already beed added, i.e. if the filesystem
* was previously loaded/unloaded.
*/
mtx_lock(&prison0.pr_mtx);
for (bf = pr_flag_allow;
bf < pr_flag_allow + nitems(pr_flag_allow) && bf->flag != 0;
bf++) {
if (strcmp(bf->name, allow_name) == 0) {
vfsp->vfc_prison_flag = bf->flag;
goto no_add;
}
}
/*
* Find a free bit in prison0's pr_allow, failing if there are none
* (which shouldn't happen as long as we keep track of how many
* filesystems are jail-aware).
*/
for (allow_flag = 1;; allow_flag <<= 1) {
if (allow_flag == 0)
goto no_add;
if ((prison0.pr_allow & allow_flag) == 0)
break;
}
/*
* Note the parameter in the next open slot in pr_flag_allow.
* Set the flag last so code that checks pr_flag_allow can do so
* without locking.
*/
for (bf = pr_flag_allow; bf->flag != 0; bf++)
if (bf == pr_flag_allow + nitems(pr_flag_allow)) {
/* This should never happen, but is not fatal. */
goto no_add;
}
prison0.pr_allow |= allow_flag;
bf->name = allow_name;
bf->noname = allow_noname;
bf->flag = allow_flag;
vfsp->vfc_prison_flag = allow_flag;
mtx_unlock(&prison0.pr_mtx);
/*
* Create sysctls for the paramter, and the back-compat global
* permission.
*/
#ifndef NO_SYSCTL_DESCR
(void)asprintf(&descr, M_TEMP, "Jail may mount the %s file system",
vfsp->vfc_name);
#endif
(void)SYSCTL_ADD_PROC(NULL,
SYSCTL_CHILDREN(&sysctl___security_jail_param_allow_mount),
OID_AUTO, vfsp->vfc_name, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, 0, sysctl_jail_param, "B", descr);
#ifndef NO_SYSCTL_DESCR
free(descr, M_TEMP);
#endif
if (asprintf(&mount_allowed, M_TEMP, "mount_%s_allowed",
vfsp->vfc_name) >= 0) {
#ifndef NO_SYSCTL_DESCR
(void)asprintf(&descr, M_TEMP,
"Processes in jail can mount the %s file system (deprecated)",
vfsp->vfc_name);
#endif
(void)SYSCTL_ADD_PROC(NULL,
SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO,
mount_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
NULL, allow_flag, sysctl_jail_default_allow, "I", descr);
#ifndef NO_SYSCTL_DESCR
free(descr, M_TEMP);
#endif
free(mount_allowed, M_TEMP);
}
return;
no_add:
mtx_unlock(&prison0.pr_mtx);
free(allow_name, M_PRISON);
free(allow_noname, M_PRISON);
}
#ifdef RACCT #ifdef RACCT
void void
prison_racct_foreach(void (*callback)(struct racct *racct, prison_racct_foreach(void (*callback)(struct racct *racct,
void *arg2, void *arg3), void (*pre)(void), void (*post)(void), void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
void *arg2, void *arg3) void *arg2, void *arg3)
{ {
struct prison_racct *prr; struct prison_racct *prr;
▲ Show 20 LinesShow All 218 Lines▼ Show 20 Lines for (jsf = pr_flag_jailsys;
f = pr->pr_flags & (jsf->disable | jsf->new); f = pr->pr_flags & (jsf->disable | jsf->new);
db_printf(" %-16s= %s\n", jsf->name, db_printf(" %-16s= %s\n", jsf->name,
(f != 0 && f == jsf->disable) ? "disable" (f != 0 && f == jsf->disable) ? "disable"
: (f == jsf->new) ? "new" : (f == jsf->new) ? "new"
: "inherit"); : "inherit");
} }
db_printf(" allow = 0x%x", pr->pr_allow); db_printf(" allow = 0x%x", pr->pr_allow);
for (bf = pr_flag_allow; for (bf = pr_flag_allow;
bf < pr_flag_allow + nitems(pr_flag_allow); bf < pr_flag_allow + nitems(pr_flag_allow) && bf->flag != 0;
bf++) bf++)
if (pr->pr_allow & bf->flag) if (pr->pr_allow & bf->flag)
db_printf(" %s", bf->name); db_printf(" %s", bf->name);
db_printf("\n"); db_printf("\n");
db_printf(" enforce_statfs = %d\n", pr->pr_enforce_statfs); db_printf(" enforce_statfs = %d\n", pr->pr_enforce_statfs);
db_printf(" host.hostname = %s\n", pr->pr_hostname); db_printf(" host.hostname = %s\n", pr->pr_hostname);
db_printf(" host.domainname = %s\n", pr->pr_domainname); db_printf(" host.domainname = %s\n", pr->pr_domainname);
db_printf(" host.hostuuid = %s\n", pr->pr_hostuuid); db_printf(" host.hostuuid = %s\n", pr->pr_hostuuid);
▲ Show 20 LinesShow All 57 LinesShow Last 20 Lines