head/sys/kern/kern_jail.c
Show First 20 Lines • Show All 193 Lines • ▼ Show 20 Lines | static struct bool_flags pr_flag_allow[NBBY * NBPW] = { | ||||
{"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS}, | ||||
{"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF}, | ||||
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, | ||||
{"allow.reserved_ports", "allow.noreserved_ports", | {"allow.reserved_ports", "allow.noreserved_ports", | ||||
PR_ALLOW_RESERVED_PORTS}, | PR_ALLOW_RESERVED_PORTS}, | ||||
{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, | {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, | ||||
{"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug", | {"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug", | ||||
PR_ALLOW_UNPRIV_DEBUG}, | PR_ALLOW_UNPRIV_DEBUG}, | ||||
{"allow.suser", "allow.nosuser", PR_ALLOW_SUSER}, | |||||
}; | }; | ||||
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | const size_t pr_flag_allow_size = sizeof(pr_flag_allow); | ||||
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \ | #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \ | ||||
PR_ALLOW_RESERVED_PORTS | \ | PR_ALLOW_RESERVED_PORTS | \ | ||||
PR_ALLOW_UNPRIV_DEBUG) | PR_ALLOW_UNPRIV_DEBUG | \ | ||||
PR_ALLOW_SUSER) | |||||
#define JAIL_DEFAULT_ENFORCE_STATFS 2 | #define JAIL_DEFAULT_ENFORCE_STATFS 2 | ||||
#define JAIL_DEFAULT_DEVFS_RSNUM 0 | #define JAIL_DEFAULT_DEVFS_RSNUM 0 | ||||
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; | ||||
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; | ||||
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; | ||||
#if defined(INET) || defined(INET6) | #if defined(INET) || defined(INET6) | ||||
static unsigned jail_max_af_ips = 255; | static unsigned jail_max_af_ips = 255; | ||||
#endif | #endif | ||||
SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may lock (unlock) physical pages in memory"); | "B", "Jail may lock (unlock) physical pages in memory"); | ||||
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may bind sockets to reserved ports"); | "B", "Jail may bind sockets to reserved ports"); | ||||
SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may read the kernel message buffer"); | "B", "Jail may read the kernel message buffer"); | ||||
SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Unprivileged processes may use process debugging facilities"); | "B", "Unprivileged processes may use process debugging facilities"); | ||||
SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW, | |||||
"B", "Processes in jail with uid 0 have privilege"); | |||||
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); | ||||
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, | ||||
"B", "Jail may mount/unmount jail-friendly file systems in general"); | "B", "Jail may mount/unmount jail-friendly file systems in general"); | ||||
/* | /* | ||||
* Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return | * Add a dynamic parameter allow.<name>, or allow.<prefix>.<name>. Return | ||||
* its associated bit in the pr_allow bitmask, or zero if the parameter was | * its associated bit in the pr_allow bitmask, or zero if the parameter was | ||||
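Review bot: `PR_ALLOW_SUSER` is added to `JAIL_DEFAULT_ALLOW` with no comment, so a reader cannot see that the new control is opt-out: a jail keeps a privileged uid 0 unless it is configured with `allow.nosuser`. The page has lost its +/- markers, so I am reading the added side from the macro continuation on the `PR_ALLOW_UNPRIV_DEBUG | \` line. I would put `/* PR_ALLOW_SUSER is set by default; allow.nosuser removes uid 0 privilege inside the jail. */` above the macro, and extend the sysctl description "Processes in jail with uid 0 have privilege" to say what clearing the bit does. Whether a jail can turn the bit back on for itself or a child once a parent has cleared it is decided in code outside the visible lines and should be confirmed there.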