Changeset View
Standalone View
sys/sys/jail.h
Show First 20 Lines • Show All 171 Lines • ▼ Show 20 Lines | struct prison { | ||||||||
LIST_ENTRY(prison) pr_sibling; /* (a) next in parent's list */ | LIST_ENTRY(prison) pr_sibling; /* (a) next in parent's list */ | ||||||||
struct prison *pr_parent; /* (c) containing jail */ | struct prison *pr_parent; /* (c) containing jail */ | ||||||||
struct mtx pr_mtx; | struct mtx pr_mtx; | ||||||||
struct task pr_task; /* (c) destroy task */ | struct task pr_task; /* (c) destroy task */ | ||||||||
struct osd pr_osd; /* (p) additional data */ | struct osd pr_osd; /* (p) additional data */ | ||||||||
struct cpuset *pr_cpuset; /* (p) cpuset */ | struct cpuset *pr_cpuset; /* (p) cpuset */ | ||||||||
struct vnet *pr_vnet; /* (c) network stack */ | struct vnet *pr_vnet; /* (c) network stack */ | ||||||||
struct vnode *pr_root; /* (c) vnode to rdir */ | struct vnode *pr_root; /* (c) vnode to rdir */ | ||||||||
int pr_ip4s; /* (p) number of v4 IPs */ | uint32_t pr_ip4s; /* (p) number of v4 IPs */ | ||||||||
int pr_ip6s; /* (p) number of v6 IPs */ | uint32_t pr_ip6s; /* (p) number of v6 IPs */ | ||||||||
jamie: The removed ip_ip4s and pr_ip6s should probably be replaced by some spares to preserve struct… | |||||||||
Done Inline ActionsWhat ports kernel modules are known to use struct prison and dereference its fields directly, instead of jail.h KPI? glebius: What ports kernel modules are known to use struct prison and dereference its fields directly… | |||||||||
Not Done Inline ActionsI don't really know that any actually exist; it's more of a habit I've always been in, that I think was in place when I started. But then, I'm not familiar with the ports codebase. I know that within the kernel itself, there's a lot of bare use of pr_allow and pr_hostname, and wouldn't be surprised if that was reflected elsewhere. jamie: I don't really know that any actually exist; it's more of a habit I've always been in, that I… | |||||||||
Done Inline ActionsI'd rather not add placeholders (I'd even vote for deleting pr_pspare[3], if asked) and discourage non KPI use of the structure. In the last years we are aiming towards this policy (already done to struct socket, struct inpcb, *pcb, struct ifnet). The fact that we have it hidden under defined(_WANT_PRISON) tells me that same policy is also desired for prison. Cc @pjd who added _WANT_PRSION. glebius: I'd rather not add placeholders (I'd even vote for deleting pr_pspare[3], if asked) and… | |||||||||
Not Done Inline ActionsI wasn't thinking userland - I'm pretty sure nothing there uses struct prison. I thought this was for kernel modules that refer to struct prison, and making sure they don't link into a kernel with an altered structure. jamie: I wasn't thinking userland - I'm pretty sure nothing there uses struct prison. I thought this… | |||||||||
Done Inline ActionsWe guarantee binary compatibility for kernel modules only in the stable branches. In the main branch we change structures all the time. This change is not planned for merging. glebius: We guarantee binary compatibility for kernel modules only in the stable branches. In the main… | |||||||||
struct in_addr *pr_ip4; /* (p) v4 IPs of jail */ | struct in_addr *pr_ip4; /* (p) v4 IPs of jail */ | ||||||||
struct in6_addr *pr_ip6; /* (p) v6 IPs of jail */ | struct in6_addr *pr_ip6; /* (p) v6 IPs of jail */ | ||||||||
struct prison_racct *pr_prison_racct; /* (c) racct jail proxy */ | struct prison_racct *pr_prison_racct; /* (c) racct jail proxy */ | ||||||||
void *pr_sparep[3]; | void *pr_sparep[3]; | ||||||||
int pr_childcount; /* (a) number of child jails */ | int pr_childcount; /* (a) number of child jails */ | ||||||||
int pr_childmax; /* (p) maximum child jails */ | int pr_childmax; /* (p) maximum child jails */ | ||||||||
unsigned pr_allow; /* (p) PR_ALLOW_* flags */ | unsigned pr_allow; /* (p) PR_ALLOW_* flags */ | ||||||||
int pr_securelevel; /* (p) securelevel */ | int pr_securelevel; /* (p) securelevel */ | ||||||||
▲ Show 20 Lines • Show All 239 Lines • ▼ Show 20 Lines | |||||||||
void prison_proc_hold(struct prison *); | void prison_proc_hold(struct prison *); | ||||||||
void prison_proc_free(struct prison *); | void prison_proc_free(struct prison *); | ||||||||
void prison_set_allow(struct ucred *cred, unsigned flag, int enable); | void prison_set_allow(struct ucred *cred, unsigned flag, int enable); | ||||||||
int prison_ischild(struct prison *, struct prison *); | int prison_ischild(struct prison *, struct prison *); | ||||||||
bool prison_isalive(struct prison *); | bool prison_isalive(struct prison *); | ||||||||
bool prison_isvalid(struct prison *); | bool prison_isvalid(struct prison *); | ||||||||
int prison_equal_ip4(struct prison *, struct prison *); | int prison_equal_ip4(struct prison *, struct prison *); | ||||||||
int prison_get_ip4(struct ucred *cred, struct in_addr *ia); | int prison_get_ip4(struct ucred *cred, struct in_addr *ia); | ||||||||
int prison_local_ip4(struct ucred *cred, struct in_addr *ia); | int prison_local_ip4(struct ucred *cred, struct in_addr *ia); | ||||||||
Not Done Inline Actions
markj: | |||||||||
int prison_remote_ip4(struct ucred *cred, struct in_addr *ia); | int prison_remote_ip4(struct ucred *cred, struct in_addr *ia); | ||||||||
int prison_check_ip4(const struct ucred *, const struct in_addr *); | int prison_check_ip4(const struct ucred *, const struct in_addr *); | ||||||||
int prison_check_ip4_locked(const struct prison *, const struct in_addr *); | int prison_check_ip4_locked(const struct prison *, const struct in_addr *); | ||||||||
int prison_saddrsel_ip4(struct ucred *, struct in_addr *); | int prison_saddrsel_ip4(struct ucred *, struct in_addr *); | ||||||||
int prison_restrict_ip4(struct prison *, struct in_addr *); | |||||||||
int prison_qcmp_v4(const void *, const void *); | int prison_qcmp_v4(const void *, const void *); | ||||||||
#ifdef INET6 | #ifdef INET6 | ||||||||
int prison_equal_ip6(struct prison *, struct prison *); | int prison_equal_ip6(struct prison *, struct prison *); | ||||||||
int prison_get_ip6(struct ucred *, struct in6_addr *); | int prison_get_ip6(struct ucred *, struct in6_addr *); | ||||||||
int prison_local_ip6(struct ucred *, struct in6_addr *, int); | int prison_local_ip6(struct ucred *, struct in6_addr *, int); | ||||||||
int prison_remote_ip6(struct ucred *, struct in6_addr *); | int prison_remote_ip6(struct ucred *, struct in6_addr *); | ||||||||
int prison_check_ip6(const struct ucred *, const struct in6_addr *); | int prison_check_ip6(const struct ucred *, const struct in6_addr *); | ||||||||
int prison_check_ip6_locked(const struct prison *, const struct in6_addr *); | int prison_check_ip6_locked(const struct prison *, const struct in6_addr *); | ||||||||
int prison_saddrsel_ip6(struct ucred *, struct in6_addr *); | int prison_saddrsel_ip6(struct ucred *, struct in6_addr *); | ||||||||
int prison_restrict_ip6(struct prison *, struct in6_addr *); | |||||||||
int prison_qcmp_v6(const void *, const void *); | int prison_qcmp_v6(const void *, const void *); | ||||||||
#endif | #endif | ||||||||
int prison_check_af(struct ucred *cred, int af); | int prison_check_af(struct ucred *cred, int af); | ||||||||
int prison_if(struct ucred *cred, const struct sockaddr *sa); | int prison_if(struct ucred *cred, const struct sockaddr *sa); | ||||||||
char *prison_name(struct prison *, struct prison *); | char *prison_name(struct prison *, struct prison *); | ||||||||
int prison_priv_check(struct ucred *cred, int priv); | int prison_priv_check(struct ucred *cred, int priv); | ||||||||
int sysctl_jail_param(SYSCTL_HANDLER_ARGS); | int sysctl_jail_param(SYSCTL_HANDLER_ARGS); | ||||||||
unsigned prison_add_allow(const char *prefix, const char *name, | unsigned prison_add_allow(const char *prefix, const char *name, | ||||||||
Show All 11 Lines |
The removed ip_ip4s and pr_ip6s should probably be replaced by some spares to preserve struct offsets. Or maybe a version bump (and then could IMHO remove the other spares).