sys/kern/kern_jail.c
Show First 20 Lines • Show All 188 Lines • ▼ Show 20 Lines | static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | ||||
{"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | {"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | ||||
{"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | {"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | ||||
{"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | {"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | ||||
{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | ||||
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | ||||
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | ||||
{"allow.reserved_ports", "allow.noreserved_ports", | {"allow.reserved_ports", "allow.noreserved_ports", | ||||
PR_ALLOW_RESERVED_PORTS}, | PR_ALLOW_RESERVED_PORTS}, | ||||
{"allow.vmm", "allow.novmm", PR_ALLOW_VMM}, | |||||
}; | }; | ||||
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | ||||
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | ||||
#define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
#define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | ||||
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | ||||
▲ Show 20 Lines • Show All 3,416 Lines • ▼ Show 20 Lines | |||||
SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed, | SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed, | ||||
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, | ||||
NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I", | NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I", | ||||
"Processes in jail can alter system file flags (deprecated)"); | "Processes in jail can alter system file flags (deprecated)"); | ||||
SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed, | SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed, | ||||
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, | CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, | ||||
NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", | NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", | ||||
"Processes in jail can mount/unmount jail-friendly file systems (deprecated)"); | "Processes in jail can mount/unmount jail-friendly file systems (deprecated)"); | ||||
SYSCTL_PROC(_security_jail, OID_AUTO, vmm, | |||||
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, | |||||
NULL, PR_ALLOW_VMM, sysctl_jail_default_allow, "I", | |||||
"Jail can use vmm"); | |||||
static int | static int | ||||
sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) | sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) | ||||
{ | { | ||||
struct prison *pr; | struct prison *pr; | ||||
int level, error; | int level, error; | ||||
pr = req->td->td_ucred->cr_prison; | pr = req->td->td_ucred->cr_prison; | ||||
▲ Show 20 Lines • Show All 132 Lines • ▼ Show 20 Lines | |||||
SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may alter system file flags"); | "B", "Jail may alter system file flags"); | ||||
SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may set file quotas"); | "B", "Jail may set file quotas"); | ||||
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | ||||
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may bind sockets to reserved ports"); | "B", "Jail may bind sockets to reserved ports"); | ||||
SYSCTL_JAIL_PARAM(_allow, vmm, CTLTYPE_INT | CTLFLAG_RW, | |||||
"B", "Jail may use vmm"); | |||||
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount/unmount jail-friendly file systems in general"); | "B", "Jail may mount/unmount jail-friendly file systems in general"); | ||||
/* | /* | ||||
* The VFS system will register jail-aware filesystems here. They each get | * The VFS system will register jail-aware filesystems here. They each get | ||||
* a parameter allow.mount.xxxfs and a flag to check when a jailed user | * a parameter allow.mount.xxxfs and a flag to check when a jailed user | ||||
▲ Show 20 Lines • Show All 440 Lines • Show Last 20 Lines |
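Review bot: The `SYSCTL_PROC(_security_jail, OID_AUTO, vmm, ...)` block adds a new read-write knob to the legacy default-allow interface, whose visible siblings are named `*_allowed` and marked "(deprecated)". This assumes the one-sided `vmm` lines are the additions, since the rendering has lost the +/- markers. Because the handler is `sysctl_jail_default_allow`, this presumably changes the default for jails created later, which is a wide grant for hypervisor access; consider dropping the block and exposing only the per-jail `allow.vmm` parameter, given that `JAIL_DEFAULT_ALLOW` already leaves `PR_ALLOW_VMM` out. If the knob stays, name and describe it like its neighbours, e.g. `vmm_allowed` with `"Processes in jail can use vmm (deprecated)"`. The `SYSCTL_JAIL_PARAM` description `"Jail may use vmm"` should state what is granted, and the code that checks `PR_ALLOW_VMM` is not in this file section, so confirm it is enforced where the vmm device is opened and that a child jail cannot obtain it when its parent lacks it.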