kern/kern_jail.c
Show First 20 Lines • Show All 194 Lines • ▼ Show 20 Lines | static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | ||||
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | ||||
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | ||||
{"allow.reserved_ports", "allow.noreserved_ports", | {"allow.reserved_ports", "allow.noreserved_ports", | ||||
PR_ALLOW_RESERVED_PORTS}, | PR_ALLOW_RESERVED_PORTS}, | ||||
{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, | {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, | ||||
}; | }; | ||||
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | ||||
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS| PR_ALLOW_ICMP_ACCESS) | ||||
#define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
#define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | ||||
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | ||||
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | ||||
#if defined(INET) || defined(INET6) | #if defined(INET) || defined(INET6) | ||||
static unsigned jail_max_af_ips = 255; | static unsigned jail_max_af_ips = 255; | ||||
#endif | #endif | ||||
▲ Show 20 Lines • Show All 2,951 Lines • ▼ Show 20 Lines | #endif | ||||
*/ | */ | ||||
case PRIV_NETINET_IPFW: | case PRIV_NETINET_IPFW: | ||||
case PRIV_NETINET_DIVERT: | case PRIV_NETINET_DIVERT: | ||||
case PRIV_NETINET_PF: | case PRIV_NETINET_PF: | ||||
case PRIV_NETINET_DUMMYNET: | case PRIV_NETINET_DUMMYNET: | ||||
case PRIV_NETINET_CARP: | case PRIV_NETINET_CARP: | ||||
case PRIV_NETINET_MROUTE: | case PRIV_NETINET_MROUTE: | ||||
case PRIV_NETINET_RAW: | case PRIV_NETINET_RAW: | ||||
case PRIV_NETINET_ICMP_ACCESS: | |||||
case PRIV_NETINET_ADDRCTRL6: | case PRIV_NETINET_ADDRCTRL6: | ||||
case PRIV_NETINET_ND6: | case PRIV_NETINET_ND6: | ||||
case PRIV_NETINET_SCOPE6: | case PRIV_NETINET_SCOPE6: | ||||
case PRIV_NETINET_ALIFETIME6: | case PRIV_NETINET_ALIFETIME6: | ||||
case PRIV_NETINET_IPSEC: | case PRIV_NETINET_IPSEC: | ||||
case PRIV_NETINET_BINDANY: | case PRIV_NETINET_BINDANY: | ||||
#ifdef notyet | #ifdef notyet | ||||
▲ Show 20 Lines • Show All 199 Lines • ▼ Show 20 Lines | #endif | ||||
case PRIV_NETINET_SETHDROPTS: | case PRIV_NETINET_SETHDROPTS: | ||||
return (0); | return (0); | ||||
/* | /* | ||||
* Conditionally allow creating raw sockets in jail. | * Conditionally allow creating raw sockets in jail. | ||||
*/ | */ | ||||
case PRIV_NETINET_RAW: | case PRIV_NETINET_RAW: | ||||
if (cred->cr_prison->pr_allow & PR_ALLOW_RAW_SOCKETS) | if (cred->cr_prison->pr_allow & PR_ALLOW_RAW_SOCKETS) | ||||
return (0); | |||||
else | |||||
return (EPERM); | |||||
/* | |||||
* Conditionally allow ping. | |||||
*/ | |||||
case PRIV_NETINET_ICMP_ACCESS: | |||||
if (cred->cr_prison->pr_allow & PR_ALLOW_ICMP_ACCESS) | |||||
return (0); | return (0); | ||||
else | else | ||||
return (EPERM); | return (EPERM); | ||||
/* | /* | ||||
* Since jail implements its own visibility limits on netstat | * Since jail implements its own visibility limits on netstat | ||||
* sysctls, allow getcred. This allows identd to work in | * sysctls, allow getcred. This allows identd to work in | ||||
* jail. | * jail. | ||||
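Review bot: Putting `PR_ALLOW_ICMP_ACCESS` into `JAIL_DEFAULT_ALLOW` makes the new permission default-on, so jails appear to gain it without the operator opting in, whereas `PR_ALLOW_RAW_SOCKETS` stays out of the default; this assumes the right-hand column is the new side. If that is intended, say so in a comment at the define, e.g. `/* ICMP access is granted by default; disable per jail to restrict. */`, otherwise drop it from the default mask. The visible rows of `pr_flag_allow` show no entry for the new bit, and the table starts outside the view, so confirm a name pair exists so an administrator can turn the permission off. `PRIV_NETINET_ICMP_ACCESS` is also added to the case list next to `PRIV_NETINET_RAW`, whose enclosing switch starts outside the hunk; if that list returns 0 unconditionally, the `pr_allow` test added further down is never reached for those jails. On style, the define lacks a space before the second `|` and runs past 80 columns, and `Conditionally allow ping.` should name the flag that gates it, e.g. `Allow ICMP access only if PR_ALLOW_ICMP_ACCESS is set.`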