head/sys/kern/kern_jail.c
static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | ||||
{"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME}, | {"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME}, | ||||
{"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | {"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | ||||
{"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | {"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | ||||
{"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | {"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | ||||
{"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | ||||
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | ||||
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | ||||
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | |||||
{"allow.reserved_ports", "allow.noreserved_ports", | {"allow.reserved_ports", "allow.noreserved_ports", | ||||
PR_ALLOW_RESERVED_PORTS}, | PR_ALLOW_RESERVED_PORTS}, | ||||
}; | }; | ||||
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | ||||
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | ||||
#define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
#define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
▲ Show 20 Lines • Show All 3,087 Lines • ▼ Show 20 Lines | #endif | ||||
case PRIV_VFS_MOUNT_OWNER: | case PRIV_VFS_MOUNT_OWNER: | ||||
if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | ||||
cred->cr_prison->pr_enforce_statfs < 2) | cred->cr_prison->pr_enforce_statfs < 2) | ||||
return (0); | return (0); | ||||
else | else | ||||
return (EPERM); | return (EPERM); | ||||
/* | /* | ||||
* Conditionnaly allow locking (unlocking) physical pages | |||||
* in memory. | |||||
*/ | |||||
case PRIV_VM_MLOCK: | |||||
case PRIV_VM_MUNLOCK: | |||||
if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK) | |||||
return (0); | |||||
else | |||||
return (EPERM); | |||||
/* | |||||
* Conditionally allow jailed root to bind reserved ports. | * Conditionally allow jailed root to bind reserved ports. | ||||
*/ | */ | ||||
case PRIV_NETINET_RESERVEDPORT: | case PRIV_NETINET_RESERVEDPORT: | ||||
if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) | if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) | ||||
return (0); | return (0); | ||||
else | else | ||||
return (EPERM); | return (EPERM); | ||||
SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may create raw sockets"); | "B", "Jail may create raw sockets"); | ||||
SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may alter system file flags"); | "B", "Jail may alter system file flags"); | ||||
SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may set file quotas"); | "B", "Jail may set file quotas"); | ||||
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | ||||
SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, | |||||
"B", "Jail may lock (unlock) physical pages in memory"); | |||||
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may bind sockets to reserved ports"); | "B", "Jail may bind sockets to reserved ports"); | ||||
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount/unmount jail-friendly file systems in general"); | "B", "Jail may mount/unmount jail-friendly file systems in general"); | ||||
/* | /* | ||||
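Review bot: The comment above the `PRIV_VM_MLOCK` / `PRIV_VM_MUNLOCK` case misspells "Conditionally" and does not say why the privilege is gated. Assuming the one-sided `allow.mlock` lines are the added side (the rendering does not mark which side they belong to), the comment and the sysctl description should note that a jail granted `allow.mlock` can wire physical memory, and that the flag is left out of `JAIL_DEFAULT_ALLOW`. Whether the per-process lock limits still bound a jailed caller is decided outside this file and is worth confirming before merge. Suggested wording: `* Conditionally allow locking (unlocking) physical pages in memory; off by default because wired pages are a host-wide resource.` The enclosing switch starts and ends outside the lines shown.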