Changeset View
Changeset View
Standalone View
Standalone View
lib/libjail/jail.c
Show All 33 Lines | |||||
#include <sys/jail.h> | #include <sys/jail.h> | ||||
#include <sys/linker.h> | #include <sys/linker.h> | ||||
#include <sys/socket.h> | #include <sys/socket.h> | ||||
#include <sys/sysctl.h> | #include <sys/sysctl.h> | ||||
#include <arpa/inet.h> | #include <arpa/inet.h> | ||||
#include <netinet/in.h> | #include <netinet/in.h> | ||||
#ifdef WITH_CASPER | |||||
oshogbo: You don't need that. | |||||
# include <sys/capsicum.h> | |||||
# include <libcasper.h> | |||||
# include <casper/cap_sysctl.h> | |||||
# include <casper/cap_jail.h> | |||||
#endif | |||||
#include <errno.h> | #include <errno.h> | ||||
#include <inttypes.h> | #include <inttypes.h> | ||||
#include <stdio.h> | #include <stdio.h> | ||||
#include <stdarg.h> | #include <stdarg.h> | ||||
#include <stdlib.h> | #include <stdlib.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include "jail.h" | #include "jail.h" | ||||
Show All 13 Lines | |||||
static int kldload_param(const char *name); | static int kldload_param(const char *name); | ||||
static char *noname(const char *name); | static char *noname(const char *name); | ||||
static char *nononame(const char *name); | static char *nononame(const char *name); | ||||
char jail_errmsg[JAIL_ERRMSGLEN]; | char jail_errmsg[JAIL_ERRMSGLEN]; | ||||
static const char *bool_values[] = { "false", "true" }; | static const char *bool_values[] = { "false", "true" }; | ||||
static const char *jailsys_values[] = { "disable", "new", "inherit" }; | static const char *jailsys_values[] = { "disable", "new", "inherit" }; | ||||
#ifdef WITH_CASPER | |||||
Not Done Inline ActionsIf there is no casper the standard function will be used so you don't need to do distinguish between casper version and version without casper. oshogbo: If there is no casper the standard function will be used so you don't need to do distinguish… | |||||
static cap_channel_t *cap_h_sysctl = NULL; | |||||
static cap_channel_t *cap_h_jail_get = NULL; | |||||
static int | |||||
jail_cap_init_sysclt(const cap_channel_t *capcas) | |||||
{ | |||||
nvlist_t *limits; | |||||
cap_h_sysctl = cap_service_open(capcas, "system.sysctl"); | |||||
if (cap_h_sysctl == NULL) | |||||
return (-1); | |||||
limits = nvlist_create(0); | |||||
nvlist_add_number(limits, __DECONST(char *, SJPARAM), | |||||
CAP_SYSCTL_READ|CAP_SYSCTL_RECURSIVE); | |||||
return (cap_limit_set(cap_h_sysctl, limits)); | |||||
} | |||||
static int | |||||
jail_cap_init_jail(const cap_channel_t *capcas) | |||||
{ | |||||
cap_h_jail_get = cap_service_open(capcas, "system.jail"); | |||||
if (cap_h_jail_get == NULL) | |||||
return (-1); | |||||
return (0); | |||||
} | |||||
int | |||||
jail_cap_init() | |||||
{ | |||||
cap_channel_t *capcas; | |||||
int r; | |||||
capcas = cap_init(); | |||||
if (capcas == NULL) | |||||
return (-1); | |||||
r = jail_cap_init_sysclt(capcas); | |||||
if (r == 0) | |||||
r = jail_cap_init_jail(capcas); | |||||
cap_close(capcas); | |||||
return (r); | |||||
} | |||||
static int | |||||
hot_sysctl(const int *name, u_int namelen, void *oldp, size_t *oldplenp, | |||||
const void *newp, size_t newlen) | |||||
{ | |||||
int r; | |||||
r = sysctl(name, namelen, oldp, oldplenp, newp, newlen); | |||||
if (r < 0 && errno == EPERM && cap_h_sysctl != NULL) | |||||
r = cap_sysctl(cap_h_sysctl, name, namelen, oldp, oldplenp, | |||||
newp, newlen); | |||||
return (r); | |||||
} | |||||
static int | |||||
hot_jail_get(struct iovec *iov, u_int niov, int flags) | |||||
{ | |||||
int r; | |||||
r = jail_get(iov, niov, flags); | |||||
if (r < 0 && errno == ECAPMODE && cap_h_jail_get != NULL) | |||||
r = cap_jail_get(cap_h_jail_get, iov, niov, flags); | |||||
return (r); | |||||
} | |||||
Done Inline Actionstyle. oshogbo: tyle. | |||||
#define sysctl(name, namelen, oldp, oldlenp, newp, newlen) \ | |||||
hot_sysctl(name, namelen, oldp, oldlenp, newp, newlen) | |||||
#define jail_get(iovec, iov, niov) \ | |||||
hot_jail_get(iovec, iov, niov) | |||||
#else /* WITH_CASPER */ | |||||
int | |||||
jail_cap_init() { | |||||
return (0); | |||||
} | |||||
#endif /* !WITH_CASPER */ | |||||
/* | /* | ||||
* Import a null-terminated parameter list and set a jail with the flags | * Import a null-terminated parameter list and set a jail with the flags | ||||
* and parameters. | * and parameters. | ||||
*/ | */ | ||||
int | int | ||||
jail_setv(int flags, ...) | jail_setv(int flags, ...) | ||||
▲ Show 20 Lines • Show All 1,036 Lines • Show Last 20 Lines |
You don't need that.