Changeset View
Changeset View
Standalone View
Standalone View
head/sys/kern/kern_jail.c
| Show First 20 Lines • Show All 184 Lines • ▼ Show 20 Lines | |||||
| static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | ||||
| {"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME}, | {"allow.set_hostname", "allow.noset_hostname", PR_ALLOW_SET_HOSTNAME}, | ||||
| {"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | {"allow.sysvipc", "allow.nosysvipc", PR_ALLOW_SYSVIPC}, | ||||
| {"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | {"allow.raw_sockets", "allow.noraw_sockets", PR_ALLOW_RAW_SOCKETS}, | ||||
| {"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | {"allow.chflags", "allow.nochflags", PR_ALLOW_CHFLAGS}, | ||||
| {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | {"allow.mount", "allow.nomount", PR_ALLOW_MOUNT}, | ||||
| {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | ||||
| {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | ||||
| {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | |||||
| {"allow.reserved_ports", "allow.noreserved_ports", | {"allow.reserved_ports", "allow.noreserved_ports", | ||||
| PR_ALLOW_RESERVED_PORTS}, | PR_ALLOW_RESERVED_PORTS}, | ||||
| }; | }; | ||||
| const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | ||||
| #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | ||||
| #define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
| #define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
| ▲ Show 20 Lines • Show All 3,087 Lines • ▼ Show 20 Lines | #endif | ||||
| case PRIV_VFS_MOUNT_OWNER: | case PRIV_VFS_MOUNT_OWNER: | ||||
| if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT && | ||||
| cred->cr_prison->pr_enforce_statfs < 2) | cred->cr_prison->pr_enforce_statfs < 2) | ||||
| return (0); | return (0); | ||||
| else | else | ||||
| return (EPERM); | return (EPERM); | ||||
| /* | /* | ||||
| * Conditionnaly allow locking (unlocking) physical pages | |||||
| * in memory. | |||||
| */ | |||||
| case PRIV_VM_MLOCK: | |||||
| case PRIV_VM_MUNLOCK: | |||||
| if (cred->cr_prison->pr_allow & PR_ALLOW_MLOCK) | |||||
| return (0); | |||||
| else | |||||
| return (EPERM); | |||||
| /* | |||||
| * Conditionally allow jailed root to bind reserved ports. | * Conditionally allow jailed root to bind reserved ports. | ||||
| */ | */ | ||||
| case PRIV_NETINET_RESERVEDPORT: | case PRIV_NETINET_RESERVEDPORT: | ||||
| if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) | if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) | ||||
| return (0); | return (0); | ||||
| else | else | ||||
| return (EPERM); | return (EPERM); | ||||
| ▲ Show 20 Lines • Show All 443 Lines • ▼ Show 20 Lines | |||||
| SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may create raw sockets"); | "B", "Jail may create raw sockets"); | ||||
| SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may alter system file flags"); | "B", "Jail may alter system file flags"); | ||||
| SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may set file quotas"); | "B", "Jail may set file quotas"); | ||||
| SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); | ||||
| SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, | |||||
| "B", "Jail may lock (unlock) physical pages in memory"); | |||||
| SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may bind sockets to reserved ports"); | "B", "Jail may bind sockets to reserved ports"); | ||||
| SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | ||||
| SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | ||||
| "B", "Jail may mount/unmount jail-friendly file systems in general"); | "B", "Jail may mount/unmount jail-friendly file systems in general"); | ||||
| /* | /* | ||||
| ▲ Show 20 Lines • Show All 432 Lines • Show Last 20 Lines | |||||