Page MenuHomeFreeBSD
Differential D27128 Diff 79728 head/sys/kern/kern_jail.c

Changeset View

Standalone View

View Options

head/sys/kern/kern_jail.c

Show First 20 LinesShow All 193 Lines▼ Show 20 Linesstatic struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
{"allow.reserved_ports", "allow.noreserved_ports", {"allow.reserved_ports", "allow.noreserved_ports",
PR_ALLOW_RESERVED_PORTS}, PR_ALLOW_RESERVED_PORTS},
{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF},
{"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug", {"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug",
PR_ALLOW_UNPRIV_DEBUG}, PR_ALLOW_UNPRIV_DEBUG},
{"allow.suser", "allow.nosuser", PR_ALLOW_SUSER},
}; };
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \ #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \
PR_ALLOW_RESERVED_PORTS | \ PR_ALLOW_RESERVED_PORTS | \
PR_ALLOW_UNPRIV_DEBUG) PR_ALLOW_UNPRIV_DEBUG | \
PR_ALLOW_SUSER)
#define JAIL_DEFAULT_ENFORCE_STATFS 2 #define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0 #define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
#if defined(INET) || defined(INET6) #if defined(INET) || defined(INET6)
static unsigned jail_max_af_ips = 255; static unsigned jail_max_af_ips = 255;
#endif #endif
▲ Show 20 LinesShow All 3,594 Lines▼ Show 20 Lines
SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may lock (unlock) physical pages in memory"); "B", "Jail may lock (unlock) physical pages in memory");
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may bind sockets to reserved ports"); "B", "Jail may bind sockets to reserved ports");
SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may read the kernel message buffer"); "B", "Jail may read the kernel message buffer");
SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW,
"B", "Unprivileged processes may use process debugging facilities"); "B", "Unprivileged processes may use process debugging facilities");
SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
"B", "Processes in jail with uid 0 have privilege");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount/unmount jail-friendly file systems in general"); "B", "Jail may mount/unmount jail-friendly file systems in general");
/* /*
* Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return * Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return
* its associated bit in the pr_allow bitmask, or zero if the parameter was * its associated bit in the pr_allow bitmask, or zero if the parameter was
▲ Show 20 LinesShow All 434 LinesShow Last 20 Lines