FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_jail.c
1 /*-
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31
32 #include "opt_compat.h"
33 #include "opt_ddb.h"
34 #include "opt_inet.h"
35 #include "opt_inet6.h"
36
37 #include <sys/param.h>
38 #include <sys/types.h>
39 #include <sys/kernel.h>
40 #include <sys/systm.h>
41 #include <sys/errno.h>
42 #include <sys/sysproto.h>
43 #include <sys/malloc.h>
44 #include <sys/osd.h>
45 #include <sys/priv.h>
46 #include <sys/proc.h>
47 #include <sys/taskqueue.h>
48 #include <sys/fcntl.h>
49 #include <sys/jail.h>
50 #include <sys/lock.h>
51 #include <sys/mutex.h>
52 #include <sys/racct.h>
53 #include <sys/rctl.h>
54 #include <sys/refcount.h>
55 #include <sys/sx.h>
56 #include <sys/sysent.h>
57 #include <sys/namei.h>
58 #include <sys/mount.h>
59 #include <sys/queue.h>
60 #include <sys/socket.h>
61 #include <sys/syscallsubr.h>
62 #include <sys/sysctl.h>
63 #include <sys/vnode.h>
64
65 #include <net/if.h>
66 #include <net/vnet.h>
67
68 #include <netinet/in.h>
69
70 #ifdef DDB
71 #include <ddb/ddb.h>
72 #endif /* DDB */
73
74 #include <security/mac/mac_framework.h>
75
76 #define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000"
77
78 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
79 static MALLOC_DEFINE(M_PRISON_RACCT, "prison_racct", "Prison racct structures");
80
81 /* Keep struct prison prison0 and some code in kern_jail_set() readable. */
82 #ifdef INET
83 #ifdef INET6
84 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL|PR_IP6_SADDRSEL
85 #else
86 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL
87 #endif
88 #else /* !INET */
89 #ifdef INET6
90 #define _PR_IP_SADDRSEL PR_IP6_SADDRSEL
91 #else
92 #define _PR_IP_SADDRSEL 0
93 #endif
94 #endif
95
96 /* prison0 describes what is "real" about the system. */
97 struct prison prison0 = {
98 .pr_id = 0,
99 .pr_name = "",
100 .pr_ref = 1,
101 .pr_uref = 1,
102 .pr_path = "/",
103 .pr_securelevel = -1,
104 .pr_devfs_rsnum = 0,
105 .pr_childmax = JAIL_MAX,
106 .pr_hostuuid = DEFAULT_HOSTUUID,
107 .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children),
108 #ifdef VIMAGE
109 .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL,
110 #else
111 .pr_flags = PR_HOST|_PR_IP_SADDRSEL,
112 #endif
113 .pr_allow = PR_ALLOW_ALL,
114 };
115 MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);
116
117 /* allprison, allprison_racct and lastprid are protected by allprison_lock. */
118 struct sx allprison_lock;
119 SX_SYSINIT(allprison_lock, &allprison_lock, "allprison");
120 struct prisonlist allprison = TAILQ_HEAD_INITIALIZER(allprison);
121 LIST_HEAD(, prison_racct) allprison_racct;
122 int lastprid = 0;
123
124 static int do_jail_attach(struct thread *td, struct prison *pr);
125 static void prison_complete(void *context, int pending);
126 static void prison_deref(struct prison *pr, int flags);
127 static char *prison_path(struct prison *pr1, struct prison *pr2);
128 static void prison_remove_one(struct prison *pr);
129 #ifdef RACCT
130 static void prison_racct_attach(struct prison *pr);
131 static void prison_racct_modify(struct prison *pr);
132 static void prison_racct_detach(struct prison *pr);
133 #endif
134
135 /* Flags for prison_deref */
136 #define PD_DEREF 0x01
137 #define PD_DEUREF 0x02
138 #define PD_LOCKED 0x04
139 #define PD_LIST_SLOCKED 0x08
140 #define PD_LIST_XLOCKED 0x10
141
142 /*
143 * Parameter names corresponding to PR_* flag values. Size values are for kvm
144 * as we cannot figure out the size of a sparse array, or an array without a
145 * terminating entry.
146 */
147 static char *pr_flag_names[] = {
148 [0] = "persist",
149 #ifdef INET
150 [7] = "ip4.saddrsel",
151 #endif
152 #ifdef INET6
153 [8] = "ip6.saddrsel",
154 #endif
155 };
156 const size_t pr_flag_names_size = sizeof(pr_flag_names);
157
158 static char *pr_flag_nonames[] = {
159 [0] = "nopersist",
160 #ifdef INET
161 [7] = "ip4.nosaddrsel",
162 #endif
163 #ifdef INET6
164 [8] = "ip6.nosaddrsel",
165 #endif
166 };
167 const size_t pr_flag_nonames_size = sizeof(pr_flag_nonames);
168
169 struct jailsys_flags {
170 const char *name;
171 unsigned disable;
172 unsigned new;
173 } pr_flag_jailsys[] = {
174 { "host", 0, PR_HOST },
175 #ifdef VIMAGE
176 { "vnet", 0, PR_VNET },
177 #endif
178 #ifdef INET
179 { "ip4", PR_IP4_USER, PR_IP4_USER },
180 #endif
181 #ifdef INET6
182 { "ip6", PR_IP6_USER, PR_IP6_USER },
183 #endif
184 };
185 const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys);
186
187 static char *pr_allow_names[] = {
188 "allow.set_hostname",
189 "allow.sysvipc",
190 "allow.raw_sockets",
191 "allow.chflags",
192 "allow.mount",
193 "allow.quotas",
194 "allow.socket_af",
195 "allow.mount.devfs",
196 "allow.mount.nullfs",
197 "allow.mount.zfs",
198 "allow.mount.procfs",
199 "allow.mount.tmpfs",
200 "allow.mount.fdescfs",
201 "allow.mount.linprocfs",
202 "allow.mount.linsysfs",
203 "allow.read_msgbuf",
204 };
205 const size_t pr_allow_names_size = sizeof(pr_allow_names);
206
207 static char *pr_allow_nonames[] = {
208 "allow.noset_hostname",
209 "allow.nosysvipc",
210 "allow.noraw_sockets",
211 "allow.nochflags",
212 "allow.nomount",
213 "allow.noquotas",
214 "allow.nosocket_af",
215 "allow.mount.nodevfs",
216 "allow.mount.nonullfs",
217 "allow.mount.nozfs",
218 "allow.mount.noprocfs",
219 "allow.mount.notmpfs",
220 "allow.mount.nofdescfs",
221 "allow.mount.nolinprocfs",
222 "allow.mount.nolinsysfs",
223 "allow.noread_msgbuf",
224 };
225 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
226
227 #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
228 #define JAIL_DEFAULT_ENFORCE_STATFS 2
229 #define JAIL_DEFAULT_DEVFS_RSNUM 0
230 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
231 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
232 static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
233 #if defined(INET) || defined(INET6)
234 static unsigned jail_max_af_ips = 255;
235 #endif
236
237 /*
238 * Initialize the parts of prison0 that can't be static-initialized with
239 * constants. This is called from proc0_init() after creating thread0 cpuset.
240 */
241 void
242 prison0_init(void)
243 {
244
245 prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset);
246 prison0.pr_osreldate = osreldate;
247 strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease));
248 }
249
250 /*
251 * struct jail_args {
252 * struct jail *jail;
253 * };
254 */
255 int
256 sys_jail(struct thread *td, struct jail_args *uap)
257 {
258 uint32_t version;
259 int error;
260 struct jail j;
261
262 error = copyin(uap->jail, &version, sizeof(uint32_t));
263 if (error)
264 return (error);
265
266 switch (version) {
267 case 0:
268 {
269 struct jail_v0 j0;
270
271 /* FreeBSD single IPv4 jails. */
272 bzero(&j, sizeof(struct jail));
273 error = copyin(uap->jail, &j0, sizeof(struct jail_v0));
274 if (error)
275 return (error);
276 j.version = j0.version;
277 j.path = j0.path;
278 j.hostname = j0.hostname;
279 j.ip4s = htonl(j0.ip_number); /* jail_v0 is host order */
280 break;
281 }
282
283 case 1:
284 /*
285 * Version 1 was used by multi-IPv4 jail implementations
286 * that never made it into the official kernel.
287 */
288 return (EINVAL);
289
290 case 2: /* JAIL_API_VERSION */
291 /* FreeBSD multi-IPv4/IPv6,noIP jails. */
292 error = copyin(uap->jail, &j, sizeof(struct jail));
293 if (error)
294 return (error);
295 break;
296
297 default:
298 /* Sci-Fi jails are not supported, sorry. */
299 return (EINVAL);
300 }
301 return (kern_jail(td, &j));
302 }
303
304 int
305 kern_jail(struct thread *td, struct jail *j)
306 {
307 struct iovec optiov[2 * (4 + nitems(pr_allow_names)
308 #ifdef INET
309 + 1
310 #endif
311 #ifdef INET6
312 + 1
313 #endif
314 )];
315 struct uio opt;
316 char *u_path, *u_hostname, *u_name;
317 #ifdef INET
318 uint32_t ip4s;
319 struct in_addr *u_ip4;
320 #endif
321 #ifdef INET6
322 struct in6_addr *u_ip6;
323 #endif
324 size_t tmplen;
325 int error, enforce_statfs, fi;
326
327 bzero(&optiov, sizeof(optiov));
328 opt.uio_iov = optiov;
329 opt.uio_iovcnt = 0;
330 opt.uio_offset = -1;
331 opt.uio_resid = -1;
332 opt.uio_segflg = UIO_SYSSPACE;
333 opt.uio_rw = UIO_READ;
334 opt.uio_td = td;
335
336 /* Set permissions for top-level jails from sysctls. */
337 if (!jailed(td->td_ucred)) {
338 for (fi = 0; fi < nitems(pr_allow_names); fi++) {
339 optiov[opt.uio_iovcnt].iov_base =
340 (jail_default_allow & (1 << fi))
341 ? pr_allow_names[fi] : pr_allow_nonames[fi];
342 optiov[opt.uio_iovcnt].iov_len =
343 strlen(optiov[opt.uio_iovcnt].iov_base) + 1;
344 opt.uio_iovcnt += 2;
345 }
346 optiov[opt.uio_iovcnt].iov_base = "enforce_statfs";
347 optiov[opt.uio_iovcnt].iov_len = sizeof("enforce_statfs");
348 opt.uio_iovcnt++;
349 enforce_statfs = jail_default_enforce_statfs;
350 optiov[opt.uio_iovcnt].iov_base = &enforce_statfs;
351 optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs);
352 opt.uio_iovcnt++;
353 }
354
355 tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN;
356 #ifdef INET
357 ip4s = (j->version == 0) ? 1 : j->ip4s;
358 if (ip4s > jail_max_af_ips)
359 return (EINVAL);
360 tmplen += ip4s * sizeof(struct in_addr);
361 #else
362 if (j->ip4s > 0)
363 return (EINVAL);
364 #endif
365 #ifdef INET6
366 if (j->ip6s > jail_max_af_ips)
367 return (EINVAL);
368 tmplen += j->ip6s * sizeof(struct in6_addr);
369 #else
370 if (j->ip6s > 0)
371 return (EINVAL);
372 #endif
373 u_path = malloc(tmplen, M_TEMP, M_WAITOK);
374 u_hostname = u_path + MAXPATHLEN;
375 u_name = u_hostname + MAXHOSTNAMELEN;
376 #ifdef INET
377 u_ip4 = (struct in_addr *)(u_name + MAXHOSTNAMELEN);
378 #endif
379 #ifdef INET6
380 #ifdef INET
381 u_ip6 = (struct in6_addr *)(u_ip4 + ip4s);
382 #else
383 u_ip6 = (struct in6_addr *)(u_name + MAXHOSTNAMELEN);
384 #endif
385 #endif
386 optiov[opt.uio_iovcnt].iov_base = "path";
387 optiov[opt.uio_iovcnt].iov_len = sizeof("path");
388 opt.uio_iovcnt++;
389 optiov[opt.uio_iovcnt].iov_base = u_path;
390 error = copyinstr(j->path, u_path, MAXPATHLEN,
391 &optiov[opt.uio_iovcnt].iov_len);
392 if (error) {
393 free(u_path, M_TEMP);
394 return (error);
395 }
396 opt.uio_iovcnt++;
397 optiov[opt.uio_iovcnt].iov_base = "host.hostname";
398 optiov[opt.uio_iovcnt].iov_len = sizeof("host.hostname");
399 opt.uio_iovcnt++;
400 optiov[opt.uio_iovcnt].iov_base = u_hostname;
401 error = copyinstr(j->hostname, u_hostname, MAXHOSTNAMELEN,
402 &optiov[opt.uio_iovcnt].iov_len);
403 if (error) {
404 free(u_path, M_TEMP);
405 return (error);
406 }
407 opt.uio_iovcnt++;
408 if (j->jailname != NULL) {
409 optiov[opt.uio_iovcnt].iov_base = "name";
410 optiov[opt.uio_iovcnt].iov_len = sizeof("name");
411 opt.uio_iovcnt++;
412 optiov[opt.uio_iovcnt].iov_base = u_name;
413 error = copyinstr(j->jailname, u_name, MAXHOSTNAMELEN,
414 &optiov[opt.uio_iovcnt].iov_len);
415 if (error) {
416 free(u_path, M_TEMP);
417 return (error);
418 }
419 opt.uio_iovcnt++;
420 }
421 #ifdef INET
422 optiov[opt.uio_iovcnt].iov_base = "ip4.addr";
423 optiov[opt.uio_iovcnt].iov_len = sizeof("ip4.addr");
424 opt.uio_iovcnt++;
425 optiov[opt.uio_iovcnt].iov_base = u_ip4;
426 optiov[opt.uio_iovcnt].iov_len = ip4s * sizeof(struct in_addr);
427 if (j->version == 0)
428 u_ip4->s_addr = j->ip4s;
429 else {
430 error = copyin(j->ip4, u_ip4, optiov[opt.uio_iovcnt].iov_len);
431 if (error) {
432 free(u_path, M_TEMP);
433 return (error);
434 }
435 }
436 opt.uio_iovcnt++;
437 #endif
438 #ifdef INET6
439 optiov[opt.uio_iovcnt].iov_base = "ip6.addr";
440 optiov[opt.uio_iovcnt].iov_len = sizeof("ip6.addr");
441 opt.uio_iovcnt++;
442 optiov[opt.uio_iovcnt].iov_base = u_ip6;
443 optiov[opt.uio_iovcnt].iov_len = j->ip6s * sizeof(struct in6_addr);
444 error = copyin(j->ip6, u_ip6, optiov[opt.uio_iovcnt].iov_len);
445 if (error) {
446 free(u_path, M_TEMP);
447 return (error);
448 }
449 opt.uio_iovcnt++;
450 #endif
451 KASSERT(opt.uio_iovcnt <= nitems(optiov),
452 ("kern_jail: too many iovecs (%d)", opt.uio_iovcnt));
453 error = kern_jail_set(td, &opt, JAIL_CREATE | JAIL_ATTACH);
454 free(u_path, M_TEMP);
455 return (error);
456 }
457
458
459 /*
460 * struct jail_set_args {
461 * struct iovec *iovp;
462 * unsigned int iovcnt;
463 * int flags;
464 * };
465 */
466 int
467 sys_jail_set(struct thread *td, struct jail_set_args *uap)
468 {
469 struct uio *auio;
470 int error;
471
472 /* Check that we have an even number of iovecs. */
473 if (uap->iovcnt & 1)
474 return (EINVAL);
475
476 error = copyinuio(uap->iovp, uap->iovcnt, &auio);
477 if (error)
478 return (error);
479 error = kern_jail_set(td, auio, uap->flags);
480 free(auio, M_IOV);
481 return (error);
482 }
483
484 int
485 kern_jail_set(struct thread *td, struct uio *optuio, int flags)
486 {
487 struct nameidata nd;
488 #ifdef INET
489 struct in_addr *ip4;
490 #endif
491 #ifdef INET6
492 struct in6_addr *ip6;
493 #endif
494 struct vfsopt *opt;
495 struct vfsoptlist *opts;
496 struct prison *pr, *deadpr, *mypr, *ppr, *tpr;
497 struct vnode *root;
498 char *domain, *errmsg, *host, *name, *namelc, *p, *path, *uuid;
499 char *g_path, *osrelstr;
500 #if defined(INET) || defined(INET6)
501 struct prison *tppr;
502 void *op;
503 #endif
504 unsigned long hid;
505 size_t namelen, onamelen, pnamelen;
506 int born, created, cuflags, descend, enforce;
507 int error, errmsg_len, errmsg_pos;
508 int gotchildmax, gotenforce, gothid, gotrsnum, gotslevel;
509 int fi, jid, jsys, len, level;
510 int childmax, osreldt, rsnum, slevel;
511 int fullpath_disabled;
512 #if defined(INET) || defined(INET6)
513 int ii, ij;
514 #endif
515 #ifdef INET
516 int ip4s, redo_ip4;
517 #endif
518 #ifdef INET6
519 int ip6s, redo_ip6;
520 #endif
521 uint64_t pr_allow, ch_allow, pr_flags, ch_flags;
522 unsigned tallow;
523 char numbuf[12];
524
525 error = priv_check(td, PRIV_JAIL_SET);
526 if (!error && (flags & JAIL_ATTACH))
527 error = priv_check(td, PRIV_JAIL_ATTACH);
528 if (error)
529 return (error);
530 mypr = td->td_ucred->cr_prison;
531 if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0)
532 return (EPERM);
533 if (flags & ~JAIL_SET_MASK)
534 return (EINVAL);
535
536 /*
537 * Check all the parameters before committing to anything. Not all
538 * errors can be caught early, but we may as well try. Also, this
539 * takes care of some expensive stuff (path lookup) before getting
540 * the allprison lock.
541 *
542 * XXX Jails are not filesystems, and jail parameters are not mount
543 * options. But it makes more sense to re-use the vfsopt code
544 * than duplicate it under a different name.
545 */
546 error = vfs_buildopts(optuio, &opts);
547 if (error)
548 return (error);
549 #ifdef INET
550 ip4 = NULL;
551 #endif
552 #ifdef INET6
553 ip6 = NULL;
554 #endif
555 g_path = NULL;
556
557 cuflags = flags & (JAIL_CREATE | JAIL_UPDATE);
558 if (!cuflags) {
559 error = EINVAL;
560 vfs_opterror(opts, "no valid operation (create or update)");
561 goto done_errmsg;
562 }
563
564 error = vfs_copyopt(opts, "jid", &jid, sizeof(jid));
565 if (error == ENOENT)
566 jid = 0;
567 else if (error != 0)
568 goto done_free;
569
570 error = vfs_copyopt(opts, "securelevel", &slevel, sizeof(slevel));
571 if (error == ENOENT)
572 gotslevel = 0;
573 else if (error != 0)
574 goto done_free;
575 else
576 gotslevel = 1;
577
578 error =
579 vfs_copyopt(opts, "children.max", &childmax, sizeof(childmax));
580 if (error == ENOENT)
581 gotchildmax = 0;
582 else if (error != 0)
583 goto done_free;
584 else
585 gotchildmax = 1;
586
587 error = vfs_copyopt(opts, "enforce_statfs", &enforce, sizeof(enforce));
588 if (error == ENOENT)
589 gotenforce = 0;
590 else if (error != 0)
591 goto done_free;
592 else if (enforce < 0 || enforce > 2) {
593 error = EINVAL;
594 goto done_free;
595 } else
596 gotenforce = 1;
597
598 error = vfs_copyopt(opts, "devfs_ruleset", &rsnum, sizeof(rsnum));
599 if (error == ENOENT)
600 gotrsnum = 0;
601 else if (error != 0)
602 goto done_free;
603 else
604 gotrsnum = 1;
605
606 pr_flags = ch_flags = 0;
607 for (fi = 0; fi < nitems(pr_flag_names); fi++) {
608 if (pr_flag_names[fi] == NULL)
609 continue;
610 vfs_flagopt(opts, pr_flag_names[fi], &pr_flags, 1 << fi);
611 vfs_flagopt(opts, pr_flag_nonames[fi], &ch_flags, 1 << fi);
612 }
613 ch_flags |= pr_flags;
614 for (fi = 0; fi < nitems(pr_flag_jailsys); fi++) {
615 error = vfs_copyopt(opts, pr_flag_jailsys[fi].name, &jsys,
616 sizeof(jsys));
617 if (error == ENOENT)
618 continue;
619 if (error != 0)
620 goto done_free;
621 switch (jsys) {
622 case JAIL_SYS_DISABLE:
623 if (!pr_flag_jailsys[fi].disable) {
624 error = EINVAL;
625 goto done_free;
626 }
627 pr_flags |= pr_flag_jailsys[fi].disable;
628 break;
629 case JAIL_SYS_NEW:
630 pr_flags |= pr_flag_jailsys[fi].new;
631 break;
632 case JAIL_SYS_INHERIT:
633 break;
634 default:
635 error = EINVAL;
636 goto done_free;
637 }
638 ch_flags |=
639 pr_flag_jailsys[fi].new | pr_flag_jailsys[fi].disable;
640 }
641 if ((flags & (JAIL_CREATE | JAIL_UPDATE | JAIL_ATTACH)) == JAIL_CREATE
642 && !(pr_flags & PR_PERSIST)) {
643 error = EINVAL;
644 vfs_opterror(opts, "new jail must persist or attach");
645 goto done_errmsg;
646 }
647 #ifdef VIMAGE
648 if ((flags & JAIL_UPDATE) && (ch_flags & PR_VNET)) {
649 error = EINVAL;
650 vfs_opterror(opts, "vnet cannot be changed after creation");
651 goto done_errmsg;
652 }
653 #endif
654 #ifdef INET
655 if ((flags & JAIL_UPDATE) && (ch_flags & PR_IP4_USER)) {
656 error = EINVAL;
657 vfs_opterror(opts, "ip4 cannot be changed after creation");
658 goto done_errmsg;
659 }
660 #endif
661 #ifdef INET6
662 if ((flags & JAIL_UPDATE) && (ch_flags & PR_IP6_USER)) {
663 error = EINVAL;
664 vfs_opterror(opts, "ip6 cannot be changed after creation");
665 goto done_errmsg;
666 }
667 #endif
668
669 pr_allow = ch_allow = 0;
670 for (fi = 0; fi < nitems(pr_allow_names); fi++) {
671 vfs_flagopt(opts, pr_allow_names[fi], &pr_allow, 1 << fi);
672 vfs_flagopt(opts, pr_allow_nonames[fi], &ch_allow, 1 << fi);
673 }
674 ch_allow |= pr_allow;
675
676 error = vfs_getopt(opts, "name", (void **)&name, &len);
677 if (error == ENOENT)
678 name = NULL;
679 else if (error != 0)
680 goto done_free;
681 else {
682 if (len == 0 || name[len - 1] != '\0') {
683 error = EINVAL;
684 goto done_free;
685 }
686 if (len > MAXHOSTNAMELEN) {
687 error = ENAMETOOLONG;
688 goto done_free;
689 }
690 }
691
692 error = vfs_getopt(opts, "host.hostname", (void **)&host, &len);
693 if (error == ENOENT)
694 host = NULL;
695 else if (error != 0)
696 goto done_free;
697 else {
698 ch_flags |= PR_HOST;
699 pr_flags |= PR_HOST;
700 if (len == 0 || host[len - 1] != '\0') {
701 error = EINVAL;
702 goto done_free;
703 }
704 if (len > MAXHOSTNAMELEN) {
705 error = ENAMETOOLONG;
706 goto done_free;
707 }
708 }
709
710 error = vfs_getopt(opts, "host.domainname", (void **)&domain, &len);
711 if (error == ENOENT)
712 domain = NULL;
713 else if (error != 0)
714 goto done_free;
715 else {
716 ch_flags |= PR_HOST;
717 pr_flags |= PR_HOST;
718 if (len == 0 || domain[len - 1] != '\0') {
719 error = EINVAL;
720 goto done_free;
721 }
722 if (len > MAXHOSTNAMELEN) {
723 error = ENAMETOOLONG;
724 goto done_free;
725 }
726 }
727
728 error = vfs_getopt(opts, "host.hostuuid", (void **)&uuid, &len);
729 if (error == ENOENT)
730 uuid = NULL;
731 else if (error != 0)
732 goto done_free;
733 else {
734 ch_flags |= PR_HOST;
735 pr_flags |= PR_HOST;
736 if (len == 0 || uuid[len - 1] != '\0') {
737 error = EINVAL;
738 goto done_free;
739 }
740 if (len > HOSTUUIDLEN) {
741 error = ENAMETOOLONG;
742 goto done_free;
743 }
744 }
745
746 #ifdef COMPAT_FREEBSD32
747 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
748 uint32_t hid32;
749
750 error = vfs_copyopt(opts, "host.hostid", &hid32, sizeof(hid32));
751 hid = hid32;
752 } else
753 #endif
754 error = vfs_copyopt(opts, "host.hostid", &hid, sizeof(hid));
755 if (error == ENOENT)
756 gothid = 0;
757 else if (error != 0)
758 goto done_free;
759 else {
760 gothid = 1;
761 ch_flags |= PR_HOST;
762 pr_flags |= PR_HOST;
763 }
764
765 #ifdef INET
766 error = vfs_getopt(opts, "ip4.addr", &op, &ip4s);
767 if (error == ENOENT)
768 ip4s = 0;
769 else if (error != 0)
770 goto done_free;
771 else if (ip4s & (sizeof(*ip4) - 1)) {
772 error = EINVAL;
773 goto done_free;
774 } else {
775 ch_flags |= PR_IP4_USER;
776 pr_flags |= PR_IP4_USER;
777 if (ip4s > 0) {
778 ip4s /= sizeof(*ip4);
779 if (ip4s > jail_max_af_ips) {
780 error = EINVAL;
781 vfs_opterror(opts, "too many IPv4 addresses");
782 goto done_errmsg;
783 }
784 ip4 = malloc(ip4s * sizeof(*ip4), M_PRISON, M_WAITOK);
785 bcopy(op, ip4, ip4s * sizeof(*ip4));
786 /*
787 * IP addresses are all sorted but ip[0] to preserve
788 * the primary IP address as given from userland.
789 * This special IP is used for unbound outgoing
790 * connections as well for "loopback" traffic in case
791 * source address selection cannot find any more fitting
792 * address to connect from.
793 */
794 if (ip4s > 1)
795 qsort(ip4 + 1, ip4s - 1, sizeof(*ip4),
796 prison_qcmp_v4);
797 /*
798 * Check for duplicate addresses and do some simple
799 * zero and broadcast checks. If users give other bogus
800 * addresses it is their problem.
801 *
802 * We do not have to care about byte order for these
803 * checks so we will do them in NBO.
804 */
805 for (ii = 0; ii < ip4s; ii++) {
806 if (ip4[ii].s_addr == INADDR_ANY ||
807 ip4[ii].s_addr == INADDR_BROADCAST) {
808 error = EINVAL;
809 goto done_free;
810 }
811 if ((ii+1) < ip4s &&
812 (ip4[0].s_addr == ip4[ii+1].s_addr ||
813 ip4[ii].s_addr == ip4[ii+1].s_addr)) {
814 error = EINVAL;
815 goto done_free;
816 }
817 }
818 }
819 }
820 #endif
821
822 #ifdef INET6
823 error = vfs_getopt(opts, "ip6.addr", &op, &ip6s);
824 if (error == ENOENT)
825 ip6s = 0;
826 else if (error != 0)
827 goto done_free;
828 else if (ip6s & (sizeof(*ip6) - 1)) {
829 error = EINVAL;
830 goto done_free;
831 } else {
832 ch_flags |= PR_IP6_USER;
833 pr_flags |= PR_IP6_USER;
834 if (ip6s > 0) {
835 ip6s /= sizeof(*ip6);
836 if (ip6s > jail_max_af_ips) {
837 error = EINVAL;
838 vfs_opterror(opts, "too many IPv6 addresses");
839 goto done_errmsg;
840 }
841 ip6 = malloc(ip6s * sizeof(*ip6), M_PRISON, M_WAITOK);
842 bcopy(op, ip6, ip6s * sizeof(*ip6));
843 if (ip6s > 1)
844 qsort(ip6 + 1, ip6s - 1, sizeof(*ip6),
845 prison_qcmp_v6);
846 for (ii = 0; ii < ip6s; ii++) {
847 if (IN6_IS_ADDR_UNSPECIFIED(&ip6[ii])) {
848 error = EINVAL;
849 goto done_free;
850 }
851 if ((ii+1) < ip6s &&
852 (IN6_ARE_ADDR_EQUAL(&ip6[0], &ip6[ii+1]) ||
853 IN6_ARE_ADDR_EQUAL(&ip6[ii], &ip6[ii+1])))
854 {
855 error = EINVAL;
856 goto done_free;
857 }
858 }
859 }
860 }
861 #endif
862
863 #if defined(VIMAGE) && (defined(INET) || defined(INET6))
864 if ((ch_flags & PR_VNET) && (ch_flags & (PR_IP4_USER | PR_IP6_USER))) {
865 error = EINVAL;
866 vfs_opterror(opts,
867 "vnet jails cannot have IP address restrictions");
868 goto done_errmsg;
869 }
870 #endif
871
872 error = vfs_getopt(opts, "osrelease", (void **)&osrelstr, &len);
873 if (error == ENOENT)
874 osrelstr = NULL;
875 else if (error != 0)
876 goto done_free;
877 else {
878 if (flags & JAIL_UPDATE) {
879 error = EINVAL;
880 vfs_opterror(opts,
881 "osrelease cannot be changed after creation");
882 goto done_errmsg;
883 }
884 if (len == 0 || osrelstr[len - 1] != '\0') {
885 error = EINVAL;
886 goto done_free;
887 }
888 if (len >= OSRELEASELEN) {
889 error = ENAMETOOLONG;
890 vfs_opterror(opts,
891 "osrelease string must be 1-%d bytes long",
892 OSRELEASELEN - 1);
893 goto done_errmsg;
894 }
895 }
896
897 error = vfs_copyopt(opts, "osreldate", &osreldt, sizeof(osreldt));
898 if (error == ENOENT)
899 osreldt = 0;
900 else if (error != 0)
901 goto done_free;
902 else {
903 if (flags & JAIL_UPDATE) {
904 error = EINVAL;
905 vfs_opterror(opts,
906 "osreldate cannot be changed after creation");
907 goto done_errmsg;
908 }
909 if (osreldt == 0) {
910 error = EINVAL;
911 vfs_opterror(opts, "osreldate cannot be 0");
912 goto done_errmsg;
913 }
914 }
915
916 fullpath_disabled = 0;
917 root = NULL;
918 error = vfs_getopt(opts, "path", (void **)&path, &len);
919 if (error == ENOENT)
920 path = NULL;
921 else if (error != 0)
922 goto done_free;
923 else {
924 if (flags & JAIL_UPDATE) {
925 error = EINVAL;
926 vfs_opterror(opts,
927 "path cannot be changed after creation");
928 goto done_errmsg;
929 }
930 if (len == 0 || path[len - 1] != '\0') {
931 error = EINVAL;
932 goto done_free;
933 }
934 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE,
935 path, td);
936 error = namei(&nd);
937 if (error)
938 goto done_free;
939 root = nd.ni_vp;
940 NDFREE(&nd, NDF_ONLY_PNBUF);
941 g_path = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
942 strlcpy(g_path, path, MAXPATHLEN);
943 error = vn_path_to_global_path(td, root, g_path, MAXPATHLEN);
944 if (error == 0)
945 path = g_path;
946 else if (error == ENODEV) {
947 /* proceed if sysctl debug.disablefullpath == 1 */
948 fullpath_disabled = 1;
949 if (len < 2 || (len == 2 && path[0] == '/'))
950 path = NULL;
951 } else {
952 /* exit on other errors */
953 goto done_free;
954 }
955 if (root->v_type != VDIR) {
956 error = ENOTDIR;
957 vput(root);
958 goto done_free;
959 }
960 VOP_UNLOCK(root, 0);
961 if (fullpath_disabled) {
962 /* Leave room for a real-root full pathname. */
963 if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
964 ? strlen(mypr->pr_path) : 0) > MAXPATHLEN) {
965 error = ENAMETOOLONG;
966 vrele(root);
967 goto done_free;
968 }
969 }
970 }
971
972 /*
973 * Find the specified jail, or at least its parent.
974 * This abuses the file error codes ENOENT and EEXIST.
975 */
976 pr = NULL;
977 ppr = mypr;
978 if (cuflags == JAIL_CREATE && jid == 0 && name != NULL) {
979 namelc = strrchr(name, '.');
980 jid = strtoul(namelc != NULL ? namelc + 1 : name, &p, 10);
981 if (*p != '\0')
982 jid = 0;
983 }
984 sx_xlock(&allprison_lock);
985 if (jid != 0) {
986 /*
987 * See if a requested jid already exists. There is an
988 * information leak here if the jid exists but is not within
989 * the caller's jail hierarchy. Jail creators will get EEXIST
990 * even though they cannot see the jail, and CREATE | UPDATE
991 * will return ENOENT which is not normally a valid error.
992 */
993 if (jid < 0) {
994 error = EINVAL;
995 vfs_opterror(opts, "negative jid");
996 goto done_unlock_list;
997 }
998 pr = prison_find(jid);
999 if (pr != NULL) {
1000 ppr = pr->pr_parent;
1001 /* Create: jid must not exist. */
1002 if (cuflags == JAIL_CREATE) {
1003 mtx_unlock(&pr->pr_mtx);
1004 error = EEXIST;
1005 vfs_opterror(opts, "jail %d already exists",
1006 jid);
1007 goto done_unlock_list;
1008 }
1009 if (!prison_ischild(mypr, pr)) {
1010 mtx_unlock(&pr->pr_mtx);
1011 pr = NULL;
1012 } else if (pr->pr_uref == 0) {
1013 if (!(flags & JAIL_DYING)) {
1014 mtx_unlock(&pr->pr_mtx);
1015 error = ENOENT;
1016 vfs_opterror(opts, "jail %d is dying",
1017 jid);
1018 goto done_unlock_list;
1019 } else if ((flags & JAIL_ATTACH) ||
1020 (pr_flags & PR_PERSIST)) {
1021 /*
1022 * A dying jail might be resurrected
1023 * (via attach or persist), but first
1024 * it must determine if another jail
1025 * has claimed its name. Accomplish
1026 * this by implicitly re-setting the
1027 * name.
1028 */
1029 if (name == NULL)
1030 name = prison_name(mypr, pr);
1031 }
1032 }
1033 }
1034 if (pr == NULL) {
1035 /* Update: jid must exist. */
1036 if (cuflags == JAIL_UPDATE) {
1037 error = ENOENT;
1038 vfs_opterror(opts, "jail %d not found", jid);
1039 goto done_unlock_list;
1040 }
1041 }
1042 }
1043 /*
1044 * If the caller provided a name, look for a jail by that name.
1045 * This has different semantics for creates and updates keyed by jid
1046 * (where the name must not already exist in a different jail),
1047 * and updates keyed by the name itself (where the name must exist
1048 * because that is the jail being updated).
1049 */
1050 namelc = NULL;
1051 if (name != NULL) {
1052 namelc = strrchr(name, '.');
1053 if (namelc == NULL)
1054 namelc = name;
1055 else {
1056 /*
1057 * This is a hierarchical name. Split it into the
1058 * parent and child names, and make sure the parent
1059 * exists or matches an already found jail.
1060 */
1061 if (pr != NULL) {
1062 if (strncmp(name, ppr->pr_name, namelc - name)
1063 || ppr->pr_name[namelc - name] != '\0') {
1064 mtx_unlock(&pr->pr_mtx);
1065 error = EINVAL;
1066 vfs_opterror(opts,
1067 "cannot change jail's parent");
1068 goto done_unlock_list;
1069 }
1070 } else {
1071 *namelc = '\0';
1072 ppr = prison_find_name(mypr, name);
1073 if (ppr == NULL) {
1074 error = ENOENT;
1075 vfs_opterror(opts,
1076 "jail \"%s\" not found", name);
1077 goto done_unlock_list;
1078 }
1079 mtx_unlock(&ppr->pr_mtx);
1080 *namelc = '.';
1081 }
1082 namelc++;
1083 }
1084 if (namelc[0] != '\0') {
1085 pnamelen =
1086 (ppr == &prison0) ? 0 : strlen(ppr->pr_name) + 1;
1087 name_again:
1088 deadpr = NULL;
1089 FOREACH_PRISON_CHILD(ppr, tpr) {
1090 if (tpr != pr && tpr->pr_ref > 0 &&
1091 !strcmp(tpr->pr_name + pnamelen, namelc)) {
1092 if (pr == NULL &&
1093 cuflags != JAIL_CREATE) {
1094 mtx_lock(&tpr->pr_mtx);
1095 if (tpr->pr_ref > 0) {
1096 /*
1097 * Use this jail
1098 * for updates.
1099 */
1100 if (tpr->pr_uref > 0) {
1101 pr = tpr;
1102 break;
1103 }
1104 deadpr = tpr;
1105 }
1106 mtx_unlock(&tpr->pr_mtx);
1107 } else if (tpr->pr_uref > 0) {
1108 /*
1109 * Create, or update(jid):
1110 * name must not exist in an
1111 * active sibling jail.
1112 */
1113 error = EEXIST;
1114 if (pr != NULL)
1115 mtx_unlock(&pr->pr_mtx);
1116 vfs_opterror(opts,
1117 "jail \"%s\" already exists",
1118 name);
1119 goto done_unlock_list;
1120 }
1121 }
1122 }
1123 /* If no active jail is found, use a dying one. */
1124 if (deadpr != NULL && pr == NULL) {
1125 if (flags & JAIL_DYING) {
1126 mtx_lock(&deadpr->pr_mtx);
1127 if (deadpr->pr_ref == 0) {
1128 mtx_unlock(&deadpr->pr_mtx);
1129 goto name_again;
1130 }
1131 pr = deadpr;
1132 } else if (cuflags == JAIL_UPDATE) {
1133 error = ENOENT;
1134 vfs_opterror(opts,
1135 "jail \"%s\" is dying", name);
1136 goto done_unlock_list;
1137 }
1138 }
1139 /* Update: name must exist if no jid. */
1140 else if (cuflags == JAIL_UPDATE && pr == NULL) {
1141 error = ENOENT;
1142 vfs_opterror(opts, "jail \"%s\" not found",
1143 name);
1144 goto done_unlock_list;
1145 }
1146 }
1147 }
1148 /* Update: must provide a jid or name. */
1149 else if (cuflags == JAIL_UPDATE && pr == NULL) {
1150 error = ENOENT;
1151 vfs_opterror(opts, "update specified no jail");
1152 goto done_unlock_list;
1153 }
1154
1155 /* If there's no prison to update, create a new one and link it in. */
1156 if (pr == NULL) {
1157 for (tpr = mypr; tpr != NULL; tpr = tpr->pr_parent)
1158 if (tpr->pr_childcount >= tpr->pr_childmax) {
1159 error = EPERM;
1160 vfs_opterror(opts, "prison limit exceeded");
1161 goto done_unlock_list;
1162 }
1163 created = 1;
1164 mtx_lock(&ppr->pr_mtx);
1165 if (ppr->pr_ref == 0) {
1166 mtx_unlock(&ppr->pr_mtx);
1167 error = ENOENT;
1168 vfs_opterror(opts, "jail \"%s\" not found",
1169 prison_name(mypr, ppr));
1170 goto done_unlock_list;
1171 }
1172 ppr->pr_ref++;
1173 ppr->pr_uref++;
1174 mtx_unlock(&ppr->pr_mtx);
1175 pr = malloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
1176 if (jid == 0) {
1177 /* Find the next free jid. */
1178 jid = lastprid + 1;
1179 findnext:
1180 if (jid == JAIL_MAX)
1181 jid = 1;
1182 TAILQ_FOREACH(tpr, &allprison, pr_list) {
1183 if (tpr->pr_id < jid)
1184 continue;
1185 if (tpr->pr_id > jid || tpr->pr_ref == 0) {
1186 TAILQ_INSERT_BEFORE(tpr, pr, pr_list);
1187 break;
1188 }
1189 if (jid == lastprid) {
1190 error = EAGAIN;
1191 vfs_opterror(opts,
1192 "no available jail IDs");
1193 free(pr, M_PRISON);
1194 prison_deref(ppr, PD_DEREF |
1195 PD_DEUREF | PD_LIST_XLOCKED);
1196 goto done_releroot;
1197 }
1198 jid++;
1199 goto findnext;
1200 }
1201 lastprid = jid;
1202 } else {
1203 /*
1204 * The jail already has a jid (that did not yet exist),
1205 * so just find where to insert it.
1206 */
1207 TAILQ_FOREACH(tpr, &allprison, pr_list)
1208 if (tpr->pr_id >= jid) {
1209 TAILQ_INSERT_BEFORE(tpr, pr, pr_list);
1210 break;
1211 }
1212 }
1213 if (tpr == NULL)
1214 TAILQ_INSERT_TAIL(&allprison, pr, pr_list);
1215 LIST_INSERT_HEAD(&ppr->pr_children, pr, pr_sibling);
1216 for (tpr = ppr; tpr != NULL; tpr = tpr->pr_parent)
1217 tpr->pr_childcount++;
1218
1219 pr->pr_parent = ppr;
1220 pr->pr_id = jid;
1221
1222 /* Set some default values, and inherit some from the parent. */
1223 if (namelc == NULL)
1224 namelc = "";
1225 if (path == NULL) {
1226 path = "/";
1227 root = mypr->pr_root;
1228 vref(root);
1229 }
1230 strlcpy(pr->pr_hostuuid, DEFAULT_HOSTUUID, HOSTUUIDLEN);
1231 pr->pr_flags |= PR_HOST;
1232 #if defined(INET) || defined(INET6)
1233 #ifdef VIMAGE
1234 if (!(pr_flags & PR_VNET))
1235 #endif
1236 {
1237 #ifdef INET
1238 if (!(ch_flags & PR_IP4_USER))
1239 pr->pr_flags |= PR_IP4 | PR_IP4_USER;
1240 else if (!(pr_flags & PR_IP4_USER)) {
1241 pr->pr_flags |= ppr->pr_flags & PR_IP4;
1242 if (ppr->pr_ip4 != NULL) {
1243 pr->pr_ip4s = ppr->pr_ip4s;
1244 pr->pr_ip4 = malloc(pr->pr_ip4s *
1245 sizeof(struct in_addr), M_PRISON,
1246 M_WAITOK);
1247 bcopy(ppr->pr_ip4, pr->pr_ip4,
1248 pr->pr_ip4s * sizeof(*pr->pr_ip4));
1249 }
1250 }
1251 #endif
1252 #ifdef INET6
1253 if (!(ch_flags & PR_IP6_USER))
1254 pr->pr_flags |= PR_IP6 | PR_IP6_USER;
1255 else if (!(pr_flags & PR_IP6_USER)) {
1256 pr->pr_flags |= ppr->pr_flags & PR_IP6;
1257 if (ppr->pr_ip6 != NULL) {
1258 pr->pr_ip6s = ppr->pr_ip6s;
1259 pr->pr_ip6 = malloc(pr->pr_ip6s *
1260 sizeof(struct in6_addr), M_PRISON,
1261 M_WAITOK);
1262 bcopy(ppr->pr_ip6, pr->pr_ip6,
1263 pr->pr_ip6s * sizeof(*pr->pr_ip6));
1264 }
1265 }
1266 #endif
1267 }
1268 #endif
1269 /* Source address selection is always on by default. */
1270 pr->pr_flags |= _PR_IP_SADDRSEL;
1271
1272 pr->pr_securelevel = ppr->pr_securelevel;
1273 pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
1274 pr->pr_enforce_statfs = jail_default_enforce_statfs;
1275 pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;
1276
1277 pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
1278 if (osrelstr == NULL)
1279 strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
1280 sizeof(pr->pr_osrelease));
1281 else
1282 strlcpy(pr->pr_osrelease, osrelstr,
1283 sizeof(pr->pr_osrelease));
1284
1285 LIST_INIT(&pr->pr_children);
1286 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
1287 TASK_INIT(&pr->pr_task, 0, prison_complete, pr);
1288
1289 #ifdef VIMAGE
1290 /* Allocate a new vnet if specified. */
1291 pr->pr_vnet = (pr_flags & PR_VNET)
1292 ? vnet_alloc() : ppr->pr_vnet;
1293 #endif
1294 /*
1295 * Allocate a dedicated cpuset for each jail.
1296 * Unlike other initial settings, this may return an erorr.
1297 */
1298 error = cpuset_create_root(ppr, &pr->pr_cpuset);
1299 if (error) {
1300 prison_deref(pr, PD_LIST_XLOCKED);
1301 goto done_releroot;
1302 }
1303
1304 mtx_lock(&pr->pr_mtx);
1305 /*
1306 * New prisons do not yet have a reference, because we do not
1307 * want others to see the incomplete prison once the
1308 * allprison_lock is downgraded.
1309 */
1310 } else {
1311 created = 0;
1312 /*
1313 * Grab a reference for existing prisons, to ensure they
1314 * continue to exist for the duration of the call.
1315 */
1316 pr->pr_ref++;
1317 #if defined(VIMAGE) && (defined(INET) || defined(INET6))
1318 if ((pr->pr_flags & PR_VNET) &&
1319 (ch_flags & (PR_IP4_USER | PR_IP6_USER))) {
1320 error = EINVAL;
1321 vfs_opterror(opts,
1322 "vnet jails cannot have IP address restrictions");
1323 goto done_deref_locked;
1324 }
1325 #endif
1326 #ifdef INET
1327 if (PR_IP4_USER & ch_flags & (pr_flags ^ pr->pr_flags)) {
1328 error = EINVAL;
1329 vfs_opterror(opts,
1330 "ip4 cannot be changed after creation");
1331 goto done_deref_locked;
1332 }
1333 #endif
1334 #ifdef INET6
1335 if (PR_IP6_USER & ch_flags & (pr_flags ^ pr->pr_flags)) {
1336 error = EINVAL;
1337 vfs_opterror(opts,
1338 "ip6 cannot be changed after creation");
1339 goto done_deref_locked;
1340 }
1341 #endif
1342 }
1343
1344 /* Do final error checking before setting anything. */
1345 if (gotslevel) {
1346 if (slevel < ppr->pr_securelevel) {
1347 error = EPERM;
1348 goto done_deref_locked;
1349 }
1350 }
1351 if (gotchildmax) {
1352 if (childmax >= ppr->pr_childmax) {
1353 error = EPERM;
1354 goto done_deref_locked;
1355 }
1356 }
1357 if (gotenforce) {
1358 if (enforce < ppr->pr_enforce_statfs) {
1359 error = EPERM;
1360 goto done_deref_locked;
1361 }
1362 }
1363 if (gotrsnum) {
1364 /*
1365 * devfs_rsnum is a uint16_t
1366 */
1367 if (rsnum < 0 || rsnum > 65535) {
1368 error = EINVAL;
1369 goto done_deref_locked;
1370 }
1371 /*
1372 * Nested jails always inherit parent's devfs ruleset
1373 */
1374 if (jailed(td->td_ucred)) {
1375 if (rsnum > 0 && rsnum != ppr->pr_devfs_rsnum) {
1376 error = EPERM;
1377 goto done_deref_locked;
1378 } else
1379 rsnum = ppr->pr_devfs_rsnum;
1380 }
1381 }
1382 #ifdef INET
1383 if (ip4s > 0) {
1384 if (ppr->pr_flags & PR_IP4) {
1385 /*
1386 * Make sure the new set of IP addresses is a
1387 * subset of the parent's list. Don't worry
1388 * about the parent being unlocked, as any
1389 * setting is done with allprison_lock held.
1390 */
1391 for (ij = 0; ij < ppr->pr_ip4s; ij++)
1392 if (ip4[0].s_addr == ppr->pr_ip4[ij].s_addr)
1393 break;
1394 if (ij == ppr->pr_ip4s) {
1395 error = EPERM;
1396 goto done_deref_locked;
1397 }
1398 if (ip4s > 1) {
1399 for (ii = ij = 1; ii < ip4s; ii++) {
1400 if (ip4[ii].s_addr ==
1401 ppr->pr_ip4[0].s_addr)
1402 continue;
1403 for (; ij < ppr->pr_ip4s; ij++)
1404 if (ip4[ii].s_addr ==
1405 ppr->pr_ip4[ij].s_addr)
1406 break;
1407 if (ij == ppr->pr_ip4s)
1408 break;
1409 }
1410 if (ij == ppr->pr_ip4s) {
1411 error = EPERM;
1412 goto done_deref_locked;
1413 }
1414 }
1415 }
1416 /*
1417 * Check for conflicting IP addresses. We permit them
1418 * if there is no more than one IP on each jail. If
1419 * there is a duplicate on a jail with more than one
1420 * IP stop checking and return error.
1421 */
1422 #ifdef VIMAGE
1423 for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
1424 if (tppr->pr_flags & PR_VNET)
1425 break;
1426 #else
1427 tppr = &prison0;
1428 #endif
1429 FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
1430 if (tpr == pr ||
1431 #ifdef VIMAGE
1432 (tpr != tppr && (tpr->pr_flags & PR_VNET)) ||
1433 #endif
1434 tpr->pr_uref == 0) {
1435 descend = 0;
1436 continue;
1437 }
1438 if (!(tpr->pr_flags & PR_IP4_USER))
1439 continue;
1440 descend = 0;
1441 if (tpr->pr_ip4 == NULL ||
1442 (ip4s == 1 && tpr->pr_ip4s == 1))
1443 continue;
1444 for (ii = 0; ii < ip4s; ii++) {
1445 if (prison_check_ip4_locked(tpr, &ip4[ii]) ==
1446 0) {
1447 error = EADDRINUSE;
1448 vfs_opterror(opts,
1449 "IPv4 addresses clash");
1450 goto done_deref_locked;
1451 }
1452 }
1453 }
1454 }
1455 #endif
1456 #ifdef INET6
1457 if (ip6s > 0) {
1458 if (ppr->pr_flags & PR_IP6) {
1459 /*
1460 * Make sure the new set of IP addresses is a
1461 * subset of the parent's list.
1462 */
1463 for (ij = 0; ij < ppr->pr_ip6s; ij++)
1464 if (IN6_ARE_ADDR_EQUAL(&ip6[0],
1465 &ppr->pr_ip6[ij]))
1466 break;
1467 if (ij == ppr->pr_ip6s) {
1468 error = EPERM;
1469 goto done_deref_locked;
1470 }
1471 if (ip6s > 1) {
1472 for (ii = ij = 1; ii < ip6s; ii++) {
1473 if (IN6_ARE_ADDR_EQUAL(&ip6[ii],
1474 &ppr->pr_ip6[0]))
1475 continue;
1476 for (; ij < ppr->pr_ip6s; ij++)
1477 if (IN6_ARE_ADDR_EQUAL(
1478 &ip6[ii], &ppr->pr_ip6[ij]))
1479 break;
1480 if (ij == ppr->pr_ip6s)
1481 break;
1482 }
1483 if (ij == ppr->pr_ip6s) {
1484 error = EPERM;
1485 goto done_deref_locked;
1486 }
1487 }
1488 }
1489 /* Check for conflicting IP addresses. */
1490 #ifdef VIMAGE
1491 for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
1492 if (tppr->pr_flags & PR_VNET)
1493 break;
1494 #else
1495 tppr = &prison0;
1496 #endif
1497 FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
1498 if (tpr == pr ||
1499 #ifdef VIMAGE
1500 (tpr != tppr && (tpr->pr_flags & PR_VNET)) ||
1501 #endif
1502 tpr->pr_uref == 0) {
1503 descend = 0;
1504 continue;
1505 }
1506 if (!(tpr->pr_flags & PR_IP6_USER))
1507 continue;
1508 descend = 0;
1509 if (tpr->pr_ip6 == NULL ||
1510 (ip6s == 1 && tpr->pr_ip6s == 1))
1511 continue;
1512 for (ii = 0; ii < ip6s; ii++) {
1513 if (prison_check_ip6_locked(tpr, &ip6[ii]) ==
1514 0) {
1515 error = EADDRINUSE;
1516 vfs_opterror(opts,
1517 "IPv6 addresses clash");
1518 goto done_deref_locked;
1519 }
1520 }
1521 }
1522 }
1523 #endif
1524 onamelen = namelen = 0;
1525 if (namelc != NULL) {
1526 /* Give a default name of the jid. Also allow the name to be
1527 * explicitly the jid - but not any other number, and only in
1528 * normal form (no leading zero/etc).
1529 */
1530 if (namelc[0] == '\0')
1531 snprintf(namelc = numbuf, sizeof(numbuf), "%d", jid);
1532 else if ((strtoul(namelc, &p, 10) != jid ||
1533 namelc[0] < '1' || namelc[0] > '9') && *p == '\0') {
1534 error = EINVAL;
1535 vfs_opterror(opts,
1536 "name cannot be numeric (unless it is the jid)");
1537 goto done_deref_locked;
1538 }
1539 /*
1540 * Make sure the name isn't too long for the prison or its
1541 * children.
1542 */
1543 pnamelen = (ppr == &prison0) ? 0 : strlen(ppr->pr_name) + 1;
1544 onamelen = strlen(pr->pr_name + pnamelen);
1545 namelen = strlen(namelc);
1546 if (pnamelen + namelen + 1 > sizeof(pr->pr_name)) {
1547 error = ENAMETOOLONG;
1548 goto done_deref_locked;
1549 }
1550 FOREACH_PRISON_DESCENDANT(pr, tpr, descend) {
1551 if (strlen(tpr->pr_name) + (namelen - onamelen) >=
1552 sizeof(pr->pr_name)) {
1553 error = ENAMETOOLONG;
1554 goto done_deref_locked;
1555 }
1556 }
1557 }
1558 if (pr_allow & ~ppr->pr_allow) {
1559 error = EPERM;
1560 goto done_deref_locked;
1561 }
1562
1563 /*
1564 * Let modules check their parameters. This requires unlocking and
1565 * then re-locking the prison, but this is still a valid state as long
1566 * as allprison_lock remains xlocked.
1567 */
1568 mtx_unlock(&pr->pr_mtx);
1569 error = osd_jail_call(pr, PR_METHOD_CHECK, opts);
1570 if (error != 0) {
1571 prison_deref(pr, created
1572 ? PD_LIST_XLOCKED
1573 : PD_DEREF | PD_LIST_XLOCKED);
1574 goto done_releroot;
1575 }
1576 mtx_lock(&pr->pr_mtx);
1577
1578 /* At this point, all valid parameters should have been noted. */
1579 TAILQ_FOREACH(opt, opts, link) {
1580 if (!opt->seen && strcmp(opt->name, "errmsg")) {
1581 error = EINVAL;
1582 vfs_opterror(opts, "unknown parameter: %s", opt->name);
1583 goto done_deref_locked;
1584 }
1585 }
1586
1587 /* Set the parameters of the prison. */
1588 #ifdef INET
1589 redo_ip4 = 0;
1590 if (pr_flags & PR_IP4_USER) {
1591 pr->pr_flags |= PR_IP4;
1592 free(pr->pr_ip4, M_PRISON);
1593 pr->pr_ip4s = ip4s;
1594 pr->pr_ip4 = ip4;
1595 ip4 = NULL;
1596 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1597 #ifdef VIMAGE
1598 if (tpr->pr_flags & PR_VNET) {
1599 descend = 0;
1600 continue;
1601 }
1602 #endif
1603 if (prison_restrict_ip4(tpr, NULL)) {
1604 redo_ip4 = 1;
1605 descend = 0;
1606 }
1607 }
1608 }
1609 #endif
1610 #ifdef INET6
1611 redo_ip6 = 0;
1612 if (pr_flags & PR_IP6_USER) {
1613 pr->pr_flags |= PR_IP6;
1614 free(pr->pr_ip6, M_PRISON);
1615 pr->pr_ip6s = ip6s;
1616 pr->pr_ip6 = ip6;
1617 ip6 = NULL;
1618 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1619 #ifdef VIMAGE
1620 if (tpr->pr_flags & PR_VNET) {
1621 descend = 0;
1622 continue;
1623 }
1624 #endif
1625 if (prison_restrict_ip6(tpr, NULL)) {
1626 redo_ip6 = 1;
1627 descend = 0;
1628 }
1629 }
1630 }
1631 #endif
1632 if (gotslevel) {
1633 pr->pr_securelevel = slevel;
1634 /* Set all child jails to be at least this level. */
1635 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend)
1636 if (tpr->pr_securelevel < slevel)
1637 tpr->pr_securelevel = slevel;
1638 }
1639 if (gotchildmax) {
1640 pr->pr_childmax = childmax;
1641 /* Set all child jails to under this limit. */
1642 FOREACH_PRISON_DESCENDANT_LOCKED_LEVEL(pr, tpr, descend, level)
1643 if (tpr->pr_childmax > childmax - level)
1644 tpr->pr_childmax = childmax > level
1645 ? childmax - level : 0;
1646 }
1647 if (gotenforce) {
1648 pr->pr_enforce_statfs = enforce;
1649 /* Pass this restriction on to the children. */
1650 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend)
1651 if (tpr->pr_enforce_statfs < enforce)
1652 tpr->pr_enforce_statfs = enforce;
1653 }
1654 if (gotrsnum) {
1655 pr->pr_devfs_rsnum = rsnum;
1656 /* Pass this restriction on to the children. */
1657 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend)
1658 tpr->pr_devfs_rsnum = rsnum;
1659 }
1660 if (namelc != NULL) {
1661 if (ppr == &prison0)
1662 strlcpy(pr->pr_name, namelc, sizeof(pr->pr_name));
1663 else
1664 snprintf(pr->pr_name, sizeof(pr->pr_name), "%s.%s",
1665 ppr->pr_name, namelc);
1666 /* Change this component of child names. */
1667 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1668 bcopy(tpr->pr_name + onamelen, tpr->pr_name + namelen,
1669 strlen(tpr->pr_name + onamelen) + 1);
1670 bcopy(pr->pr_name, tpr->pr_name, namelen);
1671 }
1672 }
1673 if (path != NULL) {
1674 /* Try to keep a real-rooted full pathname. */
1675 if (fullpath_disabled && path[0] == '/' &&
1676 strcmp(mypr->pr_path, "/"))
1677 snprintf(pr->pr_path, sizeof(pr->pr_path), "%s%s",
1678 mypr->pr_path, path);
1679 else
1680 strlcpy(pr->pr_path, path, sizeof(pr->pr_path));
1681 pr->pr_root = root;
1682 }
1683 if (PR_HOST & ch_flags & ~pr_flags) {
1684 if (pr->pr_flags & PR_HOST) {
1685 /*
1686 * Copy the parent's host info. As with pr_ip4 above,
1687 * the lack of a lock on the parent is not a problem;
1688 * it is always set with allprison_lock at least
1689 * shared, and is held exclusively here.
1690 */
1691 strlcpy(pr->pr_hostname, pr->pr_parent->pr_hostname,
1692 sizeof(pr->pr_hostname));
1693 strlcpy(pr->pr_domainname, pr->pr_parent->pr_domainname,
1694 sizeof(pr->pr_domainname));
1695 strlcpy(pr->pr_hostuuid, pr->pr_parent->pr_hostuuid,
1696 sizeof(pr->pr_hostuuid));
1697 pr->pr_hostid = pr->pr_parent->pr_hostid;
1698 }
1699 } else if (host != NULL || domain != NULL || uuid != NULL || gothid) {
1700 /* Set this prison, and any descendants without PR_HOST. */
1701 if (host != NULL)
1702 strlcpy(pr->pr_hostname, host, sizeof(pr->pr_hostname));
1703 if (domain != NULL)
1704 strlcpy(pr->pr_domainname, domain,
1705 sizeof(pr->pr_domainname));
1706 if (uuid != NULL)
1707 strlcpy(pr->pr_hostuuid, uuid, sizeof(pr->pr_hostuuid));
1708 if (gothid)
1709 pr->pr_hostid = hid;
1710 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1711 if (tpr->pr_flags & PR_HOST)
1712 descend = 0;
1713 else {
1714 if (host != NULL)
1715 strlcpy(tpr->pr_hostname,
1716 pr->pr_hostname,
1717 sizeof(tpr->pr_hostname));
1718 if (domain != NULL)
1719 strlcpy(tpr->pr_domainname,
1720 pr->pr_domainname,
1721 sizeof(tpr->pr_domainname));
1722 if (uuid != NULL)
1723 strlcpy(tpr->pr_hostuuid,
1724 pr->pr_hostuuid,
1725 sizeof(tpr->pr_hostuuid));
1726 if (gothid)
1727 tpr->pr_hostid = hid;
1728 }
1729 }
1730 }
1731 if ((tallow = ch_allow & ~pr_allow)) {
1732 /* Clear allow bits in all children. */
1733 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend)
1734 tpr->pr_allow &= ~tallow;
1735 }
1736 pr->pr_allow = (pr->pr_allow & ~ch_allow) | pr_allow;
1737 /*
1738 * Persistent prisons get an extra reference, and prisons losing their
1739 * persist flag lose that reference. Only do this for existing prisons
1740 * for now, so new ones will remain unseen until after the module
1741 * handlers have completed.
1742 */
1743 born = pr->pr_uref == 0;
1744 if (!created && (ch_flags & PR_PERSIST & (pr_flags ^ pr->pr_flags))) {
1745 if (pr_flags & PR_PERSIST) {
1746 pr->pr_ref++;
1747 pr->pr_uref++;
1748 } else {
1749 pr->pr_ref--;
1750 pr->pr_uref--;
1751 }
1752 }
1753 pr->pr_flags = (pr->pr_flags & ~ch_flags) | pr_flags;
1754 pr->pr_flags &= ~PR_REMOVE;
1755 mtx_unlock(&pr->pr_mtx);
1756
1757 #ifdef RACCT
1758 if (racct_enable && created)
1759 prison_racct_attach(pr);
1760 #endif
1761
1762 /* Locks may have prevented a complete restriction of child IP
1763 * addresses. If so, allocate some more memory and try again.
1764 */
1765 #ifdef INET
1766 while (redo_ip4) {
1767 ip4s = pr->pr_ip4s;
1768 ip4 = malloc(ip4s * sizeof(*ip4), M_PRISON, M_WAITOK);
1769 mtx_lock(&pr->pr_mtx);
1770 redo_ip4 = 0;
1771 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1772 #ifdef VIMAGE
1773 if (tpr->pr_flags & PR_VNET) {
1774 descend = 0;
1775 continue;
1776 }
1777 #endif
1778 if (prison_restrict_ip4(tpr, ip4)) {
1779 if (ip4 != NULL)
1780 ip4 = NULL;
1781 else
1782 redo_ip4 = 1;
1783 }
1784 }
1785 mtx_unlock(&pr->pr_mtx);
1786 }
1787 #endif
1788 #ifdef INET6
1789 while (redo_ip6) {
1790 ip6s = pr->pr_ip6s;
1791 ip6 = malloc(ip6s * sizeof(*ip6), M_PRISON, M_WAITOK);
1792 mtx_lock(&pr->pr_mtx);
1793 redo_ip6 = 0;
1794 FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) {
1795 #ifdef VIMAGE
1796 if (tpr->pr_flags & PR_VNET) {
1797 descend = 0;
1798 continue;
1799 }
1800 #endif
1801 if (prison_restrict_ip6(tpr, ip6)) {
1802 if (ip6 != NULL)
1803 ip6 = NULL;
1804 else
1805 redo_ip6 = 1;
1806 }
1807 }
1808 mtx_unlock(&pr->pr_mtx);
1809 }
1810 #endif
1811
1812 /* Let the modules do their work. */
1813 sx_downgrade(&allprison_lock);
1814 if (born) {
1815 error = osd_jail_call(pr, PR_METHOD_CREATE, opts);
1816 if (error) {
1817 (void)osd_jail_call(pr, PR_METHOD_REMOVE, NULL);
1818 prison_deref(pr, created
1819 ? PD_LIST_SLOCKED
1820 : PD_DEREF | PD_LIST_SLOCKED);
1821 goto done_errmsg;
1822 }
1823 }
1824 error = osd_jail_call(pr, PR_METHOD_SET, opts);
1825 if (error) {
1826 if (born)
1827 (void)osd_jail_call(pr, PR_METHOD_REMOVE, NULL);
1828 prison_deref(pr, created
1829 ? PD_LIST_SLOCKED
1830 : PD_DEREF | PD_LIST_SLOCKED);
1831 goto done_errmsg;
1832 }
1833
1834 /* Attach this process to the prison if requested. */
1835 if (flags & JAIL_ATTACH) {
1836 mtx_lock(&pr->pr_mtx);
1837 error = do_jail_attach(td, pr);
1838 if (error) {
1839 vfs_opterror(opts, "attach failed");
1840 if (!created)
1841 prison_deref(pr, PD_DEREF);
1842 goto done_errmsg;
1843 }
1844 }
1845
1846 #ifdef RACCT
1847 if (racct_enable && !created) {
1848 if (!(flags & JAIL_ATTACH))
1849 sx_sunlock(&allprison_lock);
1850 prison_racct_modify(pr);
1851 if (!(flags & JAIL_ATTACH))
1852 sx_slock(&allprison_lock);
1853 }
1854 #endif
1855
1856 td->td_retval[0] = pr->pr_id;
1857
1858 /*
1859 * Now that it is all there, drop the temporary reference from existing
1860 * prisons. Or add a reference to newly created persistent prisons
1861 * (which was not done earlier so that the prison would not be publicly
1862 * visible).
1863 */
1864 if (!created) {
1865 prison_deref(pr, (flags & JAIL_ATTACH)
1866 ? PD_DEREF
1867 : PD_DEREF | PD_LIST_SLOCKED);
1868 } else {
1869 if (pr_flags & PR_PERSIST) {
1870 mtx_lock(&pr->pr_mtx);
1871 pr->pr_ref++;
1872 pr->pr_uref++;
1873 mtx_unlock(&pr->pr_mtx);
1874 }
1875 if (!(flags & JAIL_ATTACH))
1876 sx_sunlock(&allprison_lock);
1877 }
1878
1879 goto done_free;
1880
1881 done_deref_locked:
1882 prison_deref(pr, created
1883 ? PD_LOCKED | PD_LIST_XLOCKED
1884 : PD_DEREF | PD_LOCKED | PD_LIST_XLOCKED);
1885 goto done_releroot;
1886 done_unlock_list:
1887 sx_xunlock(&allprison_lock);
1888 done_releroot:
1889 if (root != NULL)
1890 vrele(root);
1891 done_errmsg:
1892 if (error) {
1893 if (vfs_getopt(opts, "errmsg", (void **)&errmsg,
1894 &errmsg_len) == 0 && errmsg_len > 0) {
1895 errmsg_pos = 2 * vfs_getopt_pos(opts, "errmsg") + 1;
1896 if (optuio->uio_segflg == UIO_SYSSPACE)
1897 bcopy(errmsg,
1898 optuio->uio_iov[errmsg_pos].iov_base,
1899 errmsg_len);
1900 else
1901 copyout(errmsg,
1902 optuio->uio_iov[errmsg_pos].iov_base,
1903 errmsg_len);
1904 }
1905 }
1906 done_free:
1907 #ifdef INET
1908 free(ip4, M_PRISON);
1909 #endif
1910 #ifdef INET6
1911 free(ip6, M_PRISON);
1912 #endif
1913 if (g_path != NULL)
1914 free(g_path, M_TEMP);
1915 vfs_freeopts(opts);
1916 return (error);
1917 }
1918
1919
1920 /*
1921 * struct jail_get_args {
1922 * struct iovec *iovp;
1923 * unsigned int iovcnt;
1924 * int flags;
1925 * };
1926 */
1927 int
1928 sys_jail_get(struct thread *td, struct jail_get_args *uap)
1929 {
1930 struct uio *auio;
1931 int error;
1932
1933 /* Check that we have an even number of iovecs. */
1934 if (uap->iovcnt & 1)
1935 return (EINVAL);
1936
1937 error = copyinuio(uap->iovp, uap->iovcnt, &auio);
1938 if (error)
1939 return (error);
1940 error = kern_jail_get(td, auio, uap->flags);
1941 if (error == 0)
1942 error = copyout(auio->uio_iov, uap->iovp,
1943 uap->iovcnt * sizeof (struct iovec));
1944 free(auio, M_IOV);
1945 return (error);
1946 }
1947
1948 int
1949 kern_jail_get(struct thread *td, struct uio *optuio, int flags)
1950 {
1951 struct prison *pr, *mypr;
1952 struct vfsopt *opt;
1953 struct vfsoptlist *opts;
1954 char *errmsg, *name;
1955 int error, errmsg_len, errmsg_pos, fi, i, jid, len, locked, pos;
1956
1957 if (flags & ~JAIL_GET_MASK)
1958 return (EINVAL);
1959
1960 /* Get the parameter list. */
1961 error = vfs_buildopts(optuio, &opts);
1962 if (error)
1963 return (error);
1964 errmsg_pos = vfs_getopt_pos(opts, "errmsg");
1965 mypr = td->td_ucred->cr_prison;
1966
1967 /*
1968 * Find the prison specified by one of: lastjid, jid, name.
1969 */
1970 sx_slock(&allprison_lock);
1971 error = vfs_copyopt(opts, "lastjid", &jid, sizeof(jid));
1972 if (error == 0) {
1973 TAILQ_FOREACH(pr, &allprison, pr_list) {
1974 if (pr->pr_id > jid && prison_ischild(mypr, pr)) {
1975 mtx_lock(&pr->pr_mtx);
1976 if (pr->pr_ref > 0 &&
1977 (pr->pr_uref > 0 || (flags & JAIL_DYING)))
1978 break;
1979 mtx_unlock(&pr->pr_mtx);
1980 }
1981 }
1982 if (pr != NULL)
1983 goto found_prison;
1984 error = ENOENT;
1985 vfs_opterror(opts, "no jail after %d", jid);
1986 goto done_unlock_list;
1987 } else if (error != ENOENT)
1988 goto done_unlock_list;
1989
1990 error = vfs_copyopt(opts, "jid", &jid, sizeof(jid));
1991 if (error == 0) {
1992 if (jid != 0) {
1993 pr = prison_find_child(mypr, jid);
1994 if (pr != NULL) {
1995 if (pr->pr_uref == 0 && !(flags & JAIL_DYING)) {
1996 mtx_unlock(&pr->pr_mtx);
1997 error = ENOENT;
1998 vfs_opterror(opts, "jail %d is dying",
1999 jid);
2000 goto done_unlock_list;
2001 }
2002 goto found_prison;
2003 }
2004 error = ENOENT;
2005 vfs_opterror(opts, "jail %d not found", jid);
2006 goto done_unlock_list;
2007 }
2008 } else if (error != ENOENT)
2009 goto done_unlock_list;
2010
2011 error = vfs_getopt(opts, "name", (void **)&name, &len);
2012 if (error == 0) {
2013 if (len == 0 || name[len - 1] != '\0') {
2014 error = EINVAL;
2015 goto done_unlock_list;
2016 }
2017 pr = prison_find_name(mypr, name);
2018 if (pr != NULL) {
2019 if (pr->pr_uref == 0 && !(flags & JAIL_DYING)) {
2020 mtx_unlock(&pr->pr_mtx);
2021 error = ENOENT;
2022 vfs_opterror(opts, "jail \"%s\" is dying",
2023 name);
2024 goto done_unlock_list;
2025 }
2026 goto found_prison;
2027 }
2028 error = ENOENT;
2029 vfs_opterror(opts, "jail \"%s\" not found", name);
2030 goto done_unlock_list;
2031 } else if (error != ENOENT)
2032 goto done_unlock_list;
2033
2034 vfs_opterror(opts, "no jail specified");
2035 error = ENOENT;
2036 goto done_unlock_list;
2037
2038 found_prison:
2039 /* Get the parameters of the prison. */
2040 pr->pr_ref++;
2041 locked = PD_LOCKED;
2042 td->td_retval[0] = pr->pr_id;
2043 error = vfs_setopt(opts, "jid", &pr->pr_id, sizeof(pr->pr_id));
2044 if (error != 0 && error != ENOENT)
2045 goto done_deref;
2046 i = (pr->pr_parent == mypr) ? 0 : pr->pr_parent->pr_id;
2047 error = vfs_setopt(opts, "parent", &i, sizeof(i));
2048 if (error != 0 && error != ENOENT)
2049 goto done_deref;
2050 error = vfs_setopts(opts, "name", prison_name(mypr, pr));
2051 if (error != 0 && error != ENOENT)
2052 goto done_deref;
2053 error = vfs_setopt(opts, "cpuset.id", &pr->pr_cpuset->cs_id,
2054 sizeof(pr->pr_cpuset->cs_id));
2055 if (error != 0 && error != ENOENT)
2056 goto done_deref;
2057 error = vfs_setopts(opts, "path", prison_path(mypr, pr));
2058 if (error != 0 && error != ENOENT)
2059 goto done_deref;
2060 #ifdef INET
2061 error = vfs_setopt_part(opts, "ip4.addr", pr->pr_ip4,
2062 pr->pr_ip4s * sizeof(*pr->pr_ip4));
2063 if (error != 0 && error != ENOENT)
2064 goto done_deref;
2065 #endif
2066 #ifdef INET6
2067 error = vfs_setopt_part(opts, "ip6.addr", pr->pr_ip6,
2068 pr->pr_ip6s * sizeof(*pr->pr_ip6));
2069 if (error != 0 && error != ENOENT)
2070 goto done_deref;
2071 #endif
2072 error = vfs_setopt(opts, "securelevel", &pr->pr_securelevel,
2073 sizeof(pr->pr_securelevel));
2074 if (error != 0 && error != ENOENT)
2075 goto done_deref;
2076 error = vfs_setopt(opts, "children.cur", &pr->pr_childcount,
2077 sizeof(pr->pr_childcount));
2078 if (error != 0 && error != ENOENT)
2079 goto done_deref;
2080 error = vfs_setopt(opts, "children.max", &pr->pr_childmax,
2081 sizeof(pr->pr_childmax));
2082 if (error != 0 && error != ENOENT)
2083 goto done_deref;
2084 error = vfs_setopts(opts, "host.hostname", pr->pr_hostname);
2085 if (error != 0 && error != ENOENT)
2086 goto done_deref;
2087 error = vfs_setopts(opts, "host.domainname", pr->pr_domainname);
2088 if (error != 0 && error != ENOENT)
2089 goto done_deref;
2090 error = vfs_setopts(opts, "host.hostuuid", pr->pr_hostuuid);
2091 if (error != 0 && error != ENOENT)
2092 goto done_deref;
2093 #ifdef COMPAT_FREEBSD32
2094 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
2095 uint32_t hid32 = pr->pr_hostid;
2096
2097 error = vfs_setopt(opts, "host.hostid", &hid32, sizeof(hid32));
2098 } else
2099 #endif
2100 error = vfs_setopt(opts, "host.hostid", &pr->pr_hostid,
2101 sizeof(pr->pr_hostid));
2102 if (error != 0 && error != ENOENT)
2103 goto done_deref;
2104 error = vfs_setopt(opts, "enforce_statfs", &pr->pr_enforce_statfs,
2105 sizeof(pr->pr_enforce_statfs));
2106 if (error != 0 && error != ENOENT)
2107 goto done_deref;
2108 error = vfs_setopt(opts, "devfs_ruleset", &pr->pr_devfs_rsnum,
2109 sizeof(pr->pr_devfs_rsnum));
2110 if (error != 0 && error != ENOENT)
2111 goto done_deref;
2112 for (fi = 0; fi < nitems(pr_flag_names); fi++) {
2113 if (pr_flag_names[fi] == NULL)
2114 continue;
2115 i = (pr->pr_flags & (1 << fi)) ? 1 : 0;
2116 error = vfs_setopt(opts, pr_flag_names[fi], &i, sizeof(i));
2117 if (error != 0 && error != ENOENT)
2118 goto done_deref;
2119 i = !i;
2120 error = vfs_setopt(opts, pr_flag_nonames[fi], &i, sizeof(i));
2121 if (error != 0 && error != ENOENT)
2122 goto done_deref;
2123 }
2124 for (fi = 0; fi < nitems(pr_flag_jailsys); fi++) {
2125 i = pr->pr_flags &
2126 (pr_flag_jailsys[fi].disable | pr_flag_jailsys[fi].new);
2127 i = pr_flag_jailsys[fi].disable &&
2128 (i == pr_flag_jailsys[fi].disable) ? JAIL_SYS_DISABLE
2129 : (i == pr_flag_jailsys[fi].new) ? JAIL_SYS_NEW
2130 : JAIL_SYS_INHERIT;
2131 error =
2132 vfs_setopt(opts, pr_flag_jailsys[fi].name, &i, sizeof(i));
2133 if (error != 0 && error != ENOENT)
2134 goto done_deref;
2135 }
2136 for (fi = 0; fi < nitems(pr_allow_names); fi++) {
2137 if (pr_allow_names[fi] == NULL)
2138 continue;
2139 i = (pr->pr_allow & (1 << fi)) ? 1 : 0;
2140 error = vfs_setopt(opts, pr_allow_names[fi], &i, sizeof(i));
2141 if (error != 0 && error != ENOENT)
2142 goto done_deref;
2143 i = !i;
2144 error = vfs_setopt(opts, pr_allow_nonames[fi], &i, sizeof(i));
2145 if (error != 0 && error != ENOENT)
2146 goto done_deref;
2147 }
2148 i = (pr->pr_uref == 0);
2149 error = vfs_setopt(opts, "dying", &i, sizeof(i));
2150 if (error != 0 && error != ENOENT)
2151 goto done_deref;
2152 i = !i;
2153 error = vfs_setopt(opts, "nodying", &i, sizeof(i));
2154 if (error != 0 && error != ENOENT)
2155 goto done_deref;
2156 error = vfs_setopt(opts, "osreldate", &pr->pr_osreldate,
2157 sizeof(pr->pr_osreldate));
2158 if (error != 0 && error != ENOENT)
2159 goto done_deref;
2160 error = vfs_setopts(opts, "osrelease", pr->pr_osrelease);
2161 if (error != 0 && error != ENOENT)
2162 goto done_deref;
2163
2164 /* Get the module parameters. */
2165 mtx_unlock(&pr->pr_mtx);
2166 locked = 0;
2167 error = osd_jail_call(pr, PR_METHOD_GET, opts);
2168 if (error)
2169 goto done_deref;
2170 prison_deref(pr, PD_DEREF | PD_LIST_SLOCKED);
2171
2172 /* By now, all parameters should have been noted. */
2173 TAILQ_FOREACH(opt, opts, link) {
2174 if (!opt->seen && strcmp(opt->name, "errmsg")) {
2175 error = EINVAL;
2176 vfs_opterror(opts, "unknown parameter: %s", opt->name);
2177 goto done_errmsg;
2178 }
2179 }
2180
2181 /* Write the fetched parameters back to userspace. */
2182 error = 0;
2183 TAILQ_FOREACH(opt, opts, link) {
2184 if (opt->pos >= 0 && opt->pos != errmsg_pos) {
2185 pos = 2 * opt->pos + 1;
2186 optuio->uio_iov[pos].iov_len = opt->len;
2187 if (opt->value != NULL) {
2188 if (optuio->uio_segflg == UIO_SYSSPACE) {
2189 bcopy(opt->value,
2190 optuio->uio_iov[pos].iov_base,
2191 opt->len);
2192 } else {
2193 error = copyout(opt->value,
2194 optuio->uio_iov[pos].iov_base,
2195 opt->len);
2196 if (error)
2197 break;
2198 }
2199 }
2200 }
2201 }
2202 goto done_errmsg;
2203
2204 done_deref:
2205 prison_deref(pr, locked | PD_DEREF | PD_LIST_SLOCKED);
2206 goto done_errmsg;
2207
2208 done_unlock_list:
2209 sx_sunlock(&allprison_lock);
2210 done_errmsg:
2211 if (error && errmsg_pos >= 0) {
2212 vfs_getopt(opts, "errmsg", (void **)&errmsg, &errmsg_len);
2213 errmsg_pos = 2 * errmsg_pos + 1;
2214 if (errmsg_len > 0) {
2215 if (optuio->uio_segflg == UIO_SYSSPACE)
2216 bcopy(errmsg,
2217 optuio->uio_iov[errmsg_pos].iov_base,
2218 errmsg_len);
2219 else
2220 copyout(errmsg,
2221 optuio->uio_iov[errmsg_pos].iov_base,
2222 errmsg_len);
2223 }
2224 }
2225 vfs_freeopts(opts);
2226 return (error);
2227 }
2228
2229
2230 /*
2231 * struct jail_remove_args {
2232 * int jid;
2233 * };
2234 */
2235 int
2236 sys_jail_remove(struct thread *td, struct jail_remove_args *uap)
2237 {
2238 struct prison *pr, *cpr, *lpr, *tpr;
2239 int descend, error;
2240
2241 error = priv_check(td, PRIV_JAIL_REMOVE);
2242 if (error)
2243 return (error);
2244
2245 sx_xlock(&allprison_lock);
2246 pr = prison_find_child(td->td_ucred->cr_prison, uap->jid);
2247 if (pr == NULL) {
2248 sx_xunlock(&allprison_lock);
2249 return (EINVAL);
2250 }
2251
2252 /* Remove all descendants of this prison, then remove this prison. */
2253 pr->pr_ref++;
2254 if (!LIST_EMPTY(&pr->pr_children)) {
2255 mtx_unlock(&pr->pr_mtx);
2256 lpr = NULL;
2257 FOREACH_PRISON_DESCENDANT(pr, cpr, descend) {
2258 mtx_lock(&cpr->pr_mtx);
2259 if (cpr->pr_ref > 0) {
2260 tpr = cpr;
2261 cpr->pr_ref++;
2262 } else {
2263 /* Already removed - do not do it again. */
2264 tpr = NULL;
2265 }
2266 mtx_unlock(&cpr->pr_mtx);
2267 if (lpr != NULL) {
2268 mtx_lock(&lpr->pr_mtx);
2269 prison_remove_one(lpr);
2270 sx_xlock(&allprison_lock);
2271 }
2272 lpr = tpr;
2273 }
2274 if (lpr != NULL) {
2275 mtx_lock(&lpr->pr_mtx);
2276 prison_remove_one(lpr);
2277 sx_xlock(&allprison_lock);
2278 }
2279 mtx_lock(&pr->pr_mtx);
2280 }
2281 prison_remove_one(pr);
2282 return (0);
2283 }
2284
2285 static void
2286 prison_remove_one(struct prison *pr)
2287 {
2288 struct proc *p;
2289 int deuref;
2290
2291 /*
2292 * Mark the prison as doomed, so it doesn't accidentally come back
2293 * to life. It may still be explicitly brought back by jail_set(2).
2294 */
2295 pr->pr_flags |= PR_REMOVE;
2296
2297 /* If the prison was persistent, it is not anymore. */
2298 deuref = 0;
2299 if (pr->pr_flags & PR_PERSIST) {
2300 pr->pr_ref--;
2301 deuref = PD_DEUREF;
2302 pr->pr_flags &= ~PR_PERSIST;
2303 }
2304
2305 /*
2306 * jail_remove added a reference. If that's the only one, remove
2307 * the prison now.
2308 */
2309 KASSERT(pr->pr_ref > 0,
2310 ("prison_remove_one removing a dead prison (jid=%d)", pr->pr_id));
2311 if (pr->pr_ref == 1) {
2312 prison_deref(pr,
2313 deuref | PD_DEREF | PD_LOCKED | PD_LIST_XLOCKED);
2314 return;
2315 }
2316
2317 mtx_unlock(&pr->pr_mtx);
2318 sx_xunlock(&allprison_lock);
2319 /*
2320 * Kill all processes unfortunate enough to be attached to this prison.
2321 */
2322 sx_slock(&allproc_lock);
2323 LIST_FOREACH(p, &allproc, p_list) {
2324 PROC_LOCK(p);
2325 if (p->p_state != PRS_NEW && p->p_ucred &&
2326 p->p_ucred->cr_prison == pr)
2327 kern_psignal(p, SIGKILL);
2328 PROC_UNLOCK(p);
2329 }
2330 sx_sunlock(&allproc_lock);
2331 /* Remove the temporary reference added by jail_remove. */
2332 prison_deref(pr, deuref | PD_DEREF);
2333 }
2334
2335
2336 /*
2337 * struct jail_attach_args {
2338 * int jid;
2339 * };
2340 */
2341 int
2342 sys_jail_attach(struct thread *td, struct jail_attach_args *uap)
2343 {
2344 struct prison *pr;
2345 int error;
2346
2347 error = priv_check(td, PRIV_JAIL_ATTACH);
2348 if (error)
2349 return (error);
2350
2351 /*
2352 * Start with exclusive hold on allprison_lock to ensure that a possible
2353 * PR_METHOD_REMOVE call isn't concurrent with jail_set or jail_remove.
2354 * But then immediately downgrade it since we don't need to stop
2355 * readers.
2356 */
2357 sx_xlock(&allprison_lock);
2358 sx_downgrade(&allprison_lock);
2359 pr = prison_find_child(td->td_ucred->cr_prison, uap->jid);
2360 if (pr == NULL) {
2361 sx_sunlock(&allprison_lock);
2362 return (EINVAL);
2363 }
2364
2365 /*
2366 * Do not allow a process to attach to a prison that is not
2367 * considered to be "alive".
2368 */
2369 if (pr->pr_uref == 0) {
2370 mtx_unlock(&pr->pr_mtx);
2371 sx_sunlock(&allprison_lock);
2372 return (EINVAL);
2373 }
2374
2375 return (do_jail_attach(td, pr));
2376 }
2377
2378 static int
2379 do_jail_attach(struct thread *td, struct prison *pr)
2380 {
2381 struct proc *p;
2382 struct ucred *newcred, *oldcred;
2383 int error;
2384
2385 /*
2386 * XXX: Note that there is a slight race here if two threads
2387 * in the same privileged process attempt to attach to two
2388 * different jails at the same time. It is important for
2389 * user processes not to do this, or they might end up with
2390 * a process root from one prison, but attached to the jail
2391 * of another.
2392 */
2393 pr->pr_ref++;
2394 pr->pr_uref++;
2395 mtx_unlock(&pr->pr_mtx);
2396
2397 /* Let modules do whatever they need to prepare for attaching. */
2398 error = osd_jail_call(pr, PR_METHOD_ATTACH, td);
2399 if (error) {
2400 prison_deref(pr, PD_DEREF | PD_DEUREF | PD_LIST_SLOCKED);
2401 return (error);
2402 }
2403 sx_sunlock(&allprison_lock);
2404
2405 /*
2406 * Reparent the newly attached process to this jail.
2407 */
2408 p = td->td_proc;
2409 error = cpuset_setproc_update_set(p, pr->pr_cpuset);
2410 if (error)
2411 goto e_revert_osd;
2412
2413 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY);
2414 if ((error = change_dir(pr->pr_root, td)) != 0)
2415 goto e_unlock;
2416 #ifdef MAC
2417 if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
2418 goto e_unlock;
2419 #endif
2420 VOP_UNLOCK(pr->pr_root, 0);
2421 if ((error = pwd_chroot_chdir(td, pr->pr_root)))
2422 goto e_revert_osd;
2423
2424 newcred = crget();
2425 PROC_LOCK(p);
2426 oldcred = crcopysafe(p, newcred);
2427 newcred->cr_prison = pr;
2428 proc_set_cred(p, newcred);
2429 setsugid(p);
2430 #ifdef RACCT
2431 racct_proc_ucred_changed(p, oldcred, newcred);
2432 crhold(newcred);
2433 #endif
2434 PROC_UNLOCK(p);
2435 #ifdef RCTL
2436 rctl_proc_ucred_changed(p, newcred);
2437 crfree(newcred);
2438 #endif
2439 prison_deref(oldcred->cr_prison, PD_DEREF | PD_DEUREF);
2440 crfree(oldcred);
2441
2442 /*
2443 * If the prison was killed while changing credentials, die along
2444 * with it.
2445 */
2446 if (pr->pr_flags & PR_REMOVE) {
2447 PROC_LOCK(p);
2448 kern_psignal(p, SIGKILL);
2449 PROC_UNLOCK(p);
2450 }
2451
2452 return (0);
2453
2454 e_unlock:
2455 VOP_UNLOCK(pr->pr_root, 0);
2456 e_revert_osd:
2457 /* Tell modules this thread is still in its old jail after all. */
2458 (void)osd_jail_call(td->td_ucred->cr_prison, PR_METHOD_ATTACH, td);
2459 prison_deref(pr, PD_DEREF | PD_DEUREF);
2460 return (error);
2461 }
2462
2463
2464 /*
2465 * Returns a locked prison instance, or NULL on failure.
2466 */
2467 struct prison *
2468 prison_find(int prid)
2469 {
2470 struct prison *pr;
2471
2472 sx_assert(&allprison_lock, SX_LOCKED);
2473 TAILQ_FOREACH(pr, &allprison, pr_list) {
2474 if (pr->pr_id == prid) {
2475 mtx_lock(&pr->pr_mtx);
2476 if (pr->pr_ref > 0)
2477 return (pr);
2478 mtx_unlock(&pr->pr_mtx);
2479 }
2480 }
2481 return (NULL);
2482 }
2483
2484 /*
2485 * Find a prison that is a descendant of mypr. Returns a locked prison or NULL.
2486 */
2487 struct prison *
2488 prison_find_child(struct prison *mypr, int prid)
2489 {
2490 struct prison *pr;
2491 int descend;
2492
2493 sx_assert(&allprison_lock, SX_LOCKED);
2494 FOREACH_PRISON_DESCENDANT(mypr, pr, descend) {
2495 if (pr->pr_id == prid) {
2496 mtx_lock(&pr->pr_mtx);
2497 if (pr->pr_ref > 0)
2498 return (pr);
2499 mtx_unlock(&pr->pr_mtx);
2500 }
2501 }
2502 return (NULL);
2503 }
2504
2505 /*
2506 * Look for the name relative to mypr. Returns a locked prison or NULL.
2507 */
2508 struct prison *
2509 prison_find_name(struct prison *mypr, const char *name)
2510 {
2511 struct prison *pr, *deadpr;
2512 size_t mylen;
2513 int descend;
2514
2515 sx_assert(&allprison_lock, SX_LOCKED);
2516 mylen = (mypr == &prison0) ? 0 : strlen(mypr->pr_name) + 1;
2517 again:
2518 deadpr = NULL;
2519 FOREACH_PRISON_DESCENDANT(mypr, pr, descend) {
2520 if (!strcmp(pr->pr_name + mylen, name)) {
2521 mtx_lock(&pr->pr_mtx);
2522 if (pr->pr_ref > 0) {
2523 if (pr->pr_uref > 0)
2524 return (pr);
2525 deadpr = pr;
2526 }
2527 mtx_unlock(&pr->pr_mtx);
2528 }
2529 }
2530 /* There was no valid prison - perhaps there was a dying one. */
2531 if (deadpr != NULL) {
2532 mtx_lock(&deadpr->pr_mtx);
2533 if (deadpr->pr_ref == 0) {
2534 mtx_unlock(&deadpr->pr_mtx);
2535 goto again;
2536 }
2537 }
2538 return (deadpr);
2539 }
2540
2541 /*
2542 * See if a prison has the specific flag set.
2543 */
2544 int
2545 prison_flag(struct ucred *cred, unsigned flag)
2546 {
2547
2548 /* This is an atomic read, so no locking is necessary. */
2549 return (cred->cr_prison->pr_flags & flag);
2550 }
2551
2552 int
2553 prison_allow(struct ucred *cred, unsigned flag)
2554 {
2555
2556 /* This is an atomic read, so no locking is necessary. */
2557 return (cred->cr_prison->pr_allow & flag);
2558 }
2559
2560 /*
2561 * Remove a prison reference. If that was the last reference, remove the
2562 * prison itself - but not in this context in case there are locks held.
2563 */
2564 void
2565 prison_free_locked(struct prison *pr)
2566 {
2567 int ref;
2568
2569 mtx_assert(&pr->pr_mtx, MA_OWNED);
2570 ref = --pr->pr_ref;
2571 mtx_unlock(&pr->pr_mtx);
2572 if (ref == 0)
2573 taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
2574 }
2575
2576 void
2577 prison_free(struct prison *pr)
2578 {
2579
2580 mtx_lock(&pr->pr_mtx);
2581 prison_free_locked(pr);
2582 }
2583
2584 /*
2585 * Complete a call to either prison_free or prison_proc_free.
2586 */
2587 static void
2588 prison_complete(void *context, int pending)
2589 {
2590 struct prison *pr = context;
2591
2592 sx_xlock(&allprison_lock);
2593 mtx_lock(&pr->pr_mtx);
2594 prison_deref(pr, pr->pr_uref
2595 ? PD_DEREF | PD_DEUREF | PD_LOCKED | PD_LIST_XLOCKED
2596 : PD_LOCKED | PD_LIST_XLOCKED);
2597 }
2598
2599 /*
2600 * Remove a prison reference (usually). This internal version assumes no
2601 * mutexes are held, except perhaps the prison itself. If there are no more
2602 * references, release and delist the prison. On completion, the prison lock
2603 * and the allprison lock are both unlocked.
2604 */
2605 static void
2606 prison_deref(struct prison *pr, int flags)
2607 {
2608 struct prison *ppr, *tpr;
2609 int ref, lasturef;
2610
2611 if (!(flags & PD_LOCKED))
2612 mtx_lock(&pr->pr_mtx);
2613 for (;;) {
2614 if (flags & PD_DEUREF) {
2615 KASSERT(pr->pr_uref > 0,
2616 ("prison_deref PD_DEUREF on a dead prison (jid=%d)",
2617 pr->pr_id));
2618 pr->pr_uref--;
2619 lasturef = pr->pr_uref == 0;
2620 if (lasturef)
2621 pr->pr_ref++;
2622 KASSERT(prison0.pr_uref != 0, ("prison0 pr_uref=0"));
2623 } else
2624 lasturef = 0;
2625 if (flags & PD_DEREF) {
2626 KASSERT(pr->pr_ref > 0,
2627 ("prison_deref PD_DEREF on a dead prison (jid=%d)",
2628 pr->pr_id));
2629 pr->pr_ref--;
2630 }
2631 ref = pr->pr_ref;
2632 mtx_unlock(&pr->pr_mtx);
2633
2634 /*
2635 * Tell the modules if the last user reference was removed
2636 * (even it sticks around in dying state).
2637 */
2638 if (lasturef) {
2639 if (!(flags & (PD_LIST_SLOCKED | PD_LIST_XLOCKED))) {
2640 sx_xlock(&allprison_lock);
2641 flags |= PD_LIST_XLOCKED;
2642 }
2643 (void)osd_jail_call(pr, PR_METHOD_REMOVE, NULL);
2644 mtx_lock(&pr->pr_mtx);
2645 ref = --pr->pr_ref;
2646 mtx_unlock(&pr->pr_mtx);
2647 }
2648
2649 /* If the prison still has references, nothing else to do. */
2650 if (ref > 0) {
2651 if (flags & PD_LIST_SLOCKED)
2652 sx_sunlock(&allprison_lock);
2653 else if (flags & PD_LIST_XLOCKED)
2654 sx_xunlock(&allprison_lock);
2655 return;
2656 }
2657
2658 if (flags & PD_LIST_SLOCKED) {
2659 if (!sx_try_upgrade(&allprison_lock)) {
2660 sx_sunlock(&allprison_lock);
2661 sx_xlock(&allprison_lock);
2662 }
2663 } else if (!(flags & PD_LIST_XLOCKED))
2664 sx_xlock(&allprison_lock);
2665
2666 TAILQ_REMOVE(&allprison, pr, pr_list);
2667 LIST_REMOVE(pr, pr_sibling);
2668 ppr = pr->pr_parent;
2669 for (tpr = ppr; tpr != NULL; tpr = tpr->pr_parent)
2670 tpr->pr_childcount--;
2671 sx_xunlock(&allprison_lock);
2672
2673 #ifdef VIMAGE
2674 if (pr->pr_vnet != ppr->pr_vnet)
2675 vnet_destroy(pr->pr_vnet);
2676 #endif
2677 if (pr->pr_root != NULL)
2678 vrele(pr->pr_root);
2679 mtx_destroy(&pr->pr_mtx);
2680 #ifdef INET
2681 free(pr->pr_ip4, M_PRISON);
2682 #endif
2683 #ifdef INET6
2684 free(pr->pr_ip6, M_PRISON);
2685 #endif
2686 if (pr->pr_cpuset != NULL)
2687 cpuset_rel(pr->pr_cpuset);
2688 osd_jail_exit(pr);
2689 #ifdef RACCT
2690 if (racct_enable)
2691 prison_racct_detach(pr);
2692 #endif
2693 free(pr, M_PRISON);
2694
2695 /* Removing a prison frees a reference on its parent. */
2696 pr = ppr;
2697 mtx_lock(&pr->pr_mtx);
2698 flags = PD_DEREF | PD_DEUREF;
2699 }
2700 }
2701
2702 void
2703 prison_hold_locked(struct prison *pr)
2704 {
2705
2706 mtx_assert(&pr->pr_mtx, MA_OWNED);
2707 KASSERT(pr->pr_ref > 0,
2708 ("Trying to hold dead prison (jid=%d).", pr->pr_id));
2709 pr->pr_ref++;
2710 }
2711
2712 void
2713 prison_hold(struct prison *pr)
2714 {
2715
2716 mtx_lock(&pr->pr_mtx);
2717 prison_hold_locked(pr);
2718 mtx_unlock(&pr->pr_mtx);
2719 }
2720
2721 void
2722 prison_proc_hold(struct prison *pr)
2723 {
2724
2725 mtx_lock(&pr->pr_mtx);
2726 KASSERT(pr->pr_uref > 0,
2727 ("Cannot add a process to a non-alive prison (jid=%d)", pr->pr_id));
2728 pr->pr_uref++;
2729 mtx_unlock(&pr->pr_mtx);
2730 }
2731
2732 void
2733 prison_proc_free(struct prison *pr)
2734 {
2735
2736 mtx_lock(&pr->pr_mtx);
2737 KASSERT(pr->pr_uref > 0,
2738 ("Trying to kill a process in a dead prison (jid=%d)", pr->pr_id));
2739 if (pr->pr_uref > 1)
2740 pr->pr_uref--;
2741 else {
2742 /*
2743 * Don't remove the last user reference in this context, which
2744 * is expected to be a process that is not only locked, but
2745 * also half dead.
2746 */
2747 pr->pr_ref++;
2748 mtx_unlock(&pr->pr_mtx);
2749 taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
2750 return;
2751 }
2752 mtx_unlock(&pr->pr_mtx);
2753 }
2754
2755 /*
2756 * Check if a jail supports the given address family.
2757 *
2758 * Returns 0 if not jailed or the address family is supported, EAFNOSUPPORT
2759 * if not.
2760 */
2761 int
2762 prison_check_af(struct ucred *cred, int af)
2763 {
2764 struct prison *pr;
2765 int error;
2766
2767 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
2768
2769 pr = cred->cr_prison;
2770 #ifdef VIMAGE
2771 /* Prisons with their own network stack are not limited. */
2772 if (prison_owns_vnet(cred))
2773 return (0);
2774 #endif
2775
2776 error = 0;
2777 switch (af)
2778 {
2779 #ifdef INET
2780 case AF_INET:
2781 if (pr->pr_flags & PR_IP4)
2782 {
2783 mtx_lock(&pr->pr_mtx);
2784 if ((pr->pr_flags & PR_IP4) && pr->pr_ip4 == NULL)
2785 error = EAFNOSUPPORT;
2786 mtx_unlock(&pr->pr_mtx);
2787 }
2788 break;
2789 #endif
2790 #ifdef INET6
2791 case AF_INET6:
2792 if (pr->pr_flags & PR_IP6)
2793 {
2794 mtx_lock(&pr->pr_mtx);
2795 if ((pr->pr_flags & PR_IP6) && pr->pr_ip6 == NULL)
2796 error = EAFNOSUPPORT;
2797 mtx_unlock(&pr->pr_mtx);
2798 }
2799 break;
2800 #endif
2801 case AF_LOCAL:
2802 case AF_ROUTE:
2803 break;
2804 default:
2805 if (!(pr->pr_allow & PR_ALLOW_SOCKET_AF))
2806 error = EAFNOSUPPORT;
2807 }
2808 return (error);
2809 }
2810
2811 /*
2812 * Check if given address belongs to the jail referenced by cred (wrapper to
2813 * prison_check_ip[46]).
2814 *
2815 * Returns 0 if jail doesn't restrict the address family or if address belongs
2816 * to jail, EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if
2817 * the jail doesn't allow the address family. IPv4 Address passed in in NBO.
2818 */
2819 int
2820 prison_if(struct ucred *cred, struct sockaddr *sa)
2821 {
2822 #ifdef INET
2823 struct sockaddr_in *sai;
2824 #endif
2825 #ifdef INET6
2826 struct sockaddr_in6 *sai6;
2827 #endif
2828 int error;
2829
2830 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
2831 KASSERT(sa != NULL, ("%s: sa is NULL", __func__));
2832
2833 #ifdef VIMAGE
2834 if (prison_owns_vnet(cred))
2835 return (0);
2836 #endif
2837
2838 error = 0;
2839 switch (sa->sa_family)
2840 {
2841 #ifdef INET
2842 case AF_INET:
2843 sai = (struct sockaddr_in *)sa;
2844 error = prison_check_ip4(cred, &sai->sin_addr);
2845 break;
2846 #endif
2847 #ifdef INET6
2848 case AF_INET6:
2849 sai6 = (struct sockaddr_in6 *)sa;
2850 error = prison_check_ip6(cred, &sai6->sin6_addr);
2851 break;
2852 #endif
2853 default:
2854 if (!(cred->cr_prison->pr_allow & PR_ALLOW_SOCKET_AF))
2855 error = EAFNOSUPPORT;
2856 }
2857 return (error);
2858 }
2859
2860 /*
2861 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
2862 */
2863 int
2864 prison_check(struct ucred *cred1, struct ucred *cred2)
2865 {
2866
2867 return ((cred1->cr_prison == cred2->cr_prison ||
2868 prison_ischild(cred1->cr_prison, cred2->cr_prison)) ? 0 : ESRCH);
2869 }
2870
2871 /*
2872 * Return 1 if p2 is a child of p1, otherwise 0.
2873 */
2874 int
2875 prison_ischild(struct prison *pr1, struct prison *pr2)
2876 {
2877
2878 for (pr2 = pr2->pr_parent; pr2 != NULL; pr2 = pr2->pr_parent)
2879 if (pr1 == pr2)
2880 return (1);
2881 return (0);
2882 }
2883
2884 /*
2885 * Return 1 if the passed credential is in a jail, otherwise 0.
2886 */
2887 int
2888 jailed(struct ucred *cred)
2889 {
2890
2891 return (cred->cr_prison != &prison0);
2892 }
2893
2894 /*
2895 * Return 1 if the passed credential is in a jail and that jail does not
2896 * have its own virtual network stack, otherwise 0.
2897 */
2898 int
2899 jailed_without_vnet(struct ucred *cred)
2900 {
2901
2902 if (!jailed(cred))
2903 return (0);
2904 #ifdef VIMAGE
2905 if (prison_owns_vnet(cred))
2906 return (0);
2907 #endif
2908
2909 return (1);
2910 }
2911
2912 /*
2913 * Return the correct hostname (domainname, et al) for the passed credential.
2914 */
2915 void
2916 getcredhostname(struct ucred *cred, char *buf, size_t size)
2917 {
2918 struct prison *pr;
2919
2920 /*
2921 * A NULL credential can be used to shortcut to the physical
2922 * system's hostname.
2923 */
2924 pr = (cred != NULL) ? cred->cr_prison : &prison0;
2925 mtx_lock(&pr->pr_mtx);
2926 strlcpy(buf, pr->pr_hostname, size);
2927 mtx_unlock(&pr->pr_mtx);
2928 }
2929
2930 void
2931 getcreddomainname(struct ucred *cred, char *buf, size_t size)
2932 {
2933
2934 mtx_lock(&cred->cr_prison->pr_mtx);
2935 strlcpy(buf, cred->cr_prison->pr_domainname, size);
2936 mtx_unlock(&cred->cr_prison->pr_mtx);
2937 }
2938
2939 void
2940 getcredhostuuid(struct ucred *cred, char *buf, size_t size)
2941 {
2942
2943 mtx_lock(&cred->cr_prison->pr_mtx);
2944 strlcpy(buf, cred->cr_prison->pr_hostuuid, size);
2945 mtx_unlock(&cred->cr_prison->pr_mtx);
2946 }
2947
2948 void
2949 getcredhostid(struct ucred *cred, unsigned long *hostid)
2950 {
2951
2952 mtx_lock(&cred->cr_prison->pr_mtx);
2953 *hostid = cred->cr_prison->pr_hostid;
2954 mtx_unlock(&cred->cr_prison->pr_mtx);
2955 }
2956
2957 void
2958 getjailname(struct ucred *cred, char *name, size_t len)
2959 {
2960
2961 mtx_lock(&cred->cr_prison->pr_mtx);
2962 strlcpy(name, cred->cr_prison->pr_name, len);
2963 mtx_unlock(&cred->cr_prison->pr_mtx);
2964 }
2965
2966 #ifdef VIMAGE
2967 /*
2968 * Determine whether the prison represented by cred owns
2969 * its vnet rather than having it inherited.
2970 *
2971 * Returns 1 in case the prison owns the vnet, 0 otherwise.
2972 */
2973 int
2974 prison_owns_vnet(struct ucred *cred)
2975 {
2976
2977 /*
2978 * vnets cannot be added/removed after jail creation,
2979 * so no need to lock here.
2980 */
2981 return (cred->cr_prison->pr_flags & PR_VNET ? 1 : 0);
2982 }
2983 #endif
2984
2985 /*
2986 * Determine whether the subject represented by cred can "see"
2987 * status of a mount point.
2988 * Returns: 0 for permitted, ENOENT otherwise.
2989 * XXX: This function should be called cr_canseemount() and should be
2990 * placed in kern_prot.c.
2991 */
2992 int
2993 prison_canseemount(struct ucred *cred, struct mount *mp)
2994 {
2995 struct prison *pr;
2996 struct statfs *sp;
2997 size_t len;
2998
2999 pr = cred->cr_prison;
3000 if (pr->pr_enforce_statfs == 0)
3001 return (0);
3002 if (pr->pr_root->v_mount == mp)
3003 return (0);
3004 if (pr->pr_enforce_statfs == 2)
3005 return (ENOENT);
3006 /*
3007 * If jail's chroot directory is set to "/" we should be able to see
3008 * all mount-points from inside a jail.
3009 * This is ugly check, but this is the only situation when jail's
3010 * directory ends with '/'.
3011 */
3012 if (strcmp(pr->pr_path, "/") == 0)
3013 return (0);
3014 len = strlen(pr->pr_path);
3015 sp = &mp->mnt_stat;
3016 if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0)
3017 return (ENOENT);
3018 /*
3019 * Be sure that we don't have situation where jail's root directory
3020 * is "/some/path" and mount point is "/some/pathpath".
3021 */
3022 if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/')
3023 return (ENOENT);
3024 return (0);
3025 }
3026
3027 void
3028 prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp)
3029 {
3030 char jpath[MAXPATHLEN];
3031 struct prison *pr;
3032 size_t len;
3033
3034 pr = cred->cr_prison;
3035 if (pr->pr_enforce_statfs == 0)
3036 return;
3037 if (prison_canseemount(cred, mp) != 0) {
3038 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
3039 strlcpy(sp->f_mntonname, "[restricted]",
3040 sizeof(sp->f_mntonname));
3041 return;
3042 }
3043 if (pr->pr_root->v_mount == mp) {
3044 /*
3045 * Clear current buffer data, so we are sure nothing from
3046 * the valid path left there.
3047 */
3048 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
3049 *sp->f_mntonname = '/';
3050 return;
3051 }
3052 /*
3053 * If jail's chroot directory is set to "/" we should be able to see
3054 * all mount-points from inside a jail.
3055 */
3056 if (strcmp(pr->pr_path, "/") == 0)
3057 return;
3058 len = strlen(pr->pr_path);
3059 strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath));
3060 /*
3061 * Clear current buffer data, so we are sure nothing from
3062 * the valid path left there.
3063 */
3064 bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
3065 if (*jpath == '\0') {
3066 /* Should never happen. */
3067 *sp->f_mntonname = '/';
3068 } else {
3069 strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname));
3070 }
3071 }
3072
3073 /*
3074 * Check with permission for a specific privilege is granted within jail. We
3075 * have a specific list of accepted privileges; the rest are denied.
3076 */
3077 int
3078 prison_priv_check(struct ucred *cred, int priv)
3079 {
3080
3081 if (!jailed(cred))
3082 return (0);
3083
3084 #ifdef VIMAGE
3085 /*
3086 * Privileges specific to prisons with a virtual network stack.
3087 * There might be a duplicate entry here in case the privilege
3088 * is only granted conditionally in the legacy jail case.
3089 */
3090 switch (priv) {
3091 #ifdef notyet
3092 /*
3093 * NFS-specific privileges.
3094 */
3095 case PRIV_NFS_DAEMON:
3096 case PRIV_NFS_LOCKD:
3097 #endif
3098 /*
3099 * Network stack privileges.
3100 */
3101 case PRIV_NET_BRIDGE:
3102 case PRIV_NET_GRE:
3103 case PRIV_NET_BPF:
3104 case PRIV_NET_RAW: /* Dup, cond. in legacy jail case. */
3105 case PRIV_NET_ROUTE:
3106 case PRIV_NET_TAP:
3107 case PRIV_NET_SETIFMTU:
3108 case PRIV_NET_SETIFFLAGS:
3109 case PRIV_NET_SETIFCAP:
3110 case PRIV_NET_SETIFDESCR:
3111 case PRIV_NET_SETIFNAME :
3112 case PRIV_NET_SETIFMETRIC:
3113 case PRIV_NET_SETIFPHYS:
3114 case PRIV_NET_SETIFMAC:
3115 case PRIV_NET_ADDMULTI:
3116 case PRIV_NET_DELMULTI:
3117 case PRIV_NET_HWIOCTL:
3118 case PRIV_NET_SETLLADDR:
3119 case PRIV_NET_ADDIFGROUP:
3120 case PRIV_NET_DELIFGROUP:
3121 case PRIV_NET_IFCREATE:
3122 case PRIV_NET_IFDESTROY:
3123 case PRIV_NET_ADDIFADDR:
3124 case PRIV_NET_DELIFADDR:
3125 case PRIV_NET_LAGG:
3126 case PRIV_NET_GIF:
3127 case PRIV_NET_SETIFVNET:
3128 case PRIV_NET_SETIFFIB:
3129
3130 /*
3131 * 802.11-related privileges.
3132 */
3133 case PRIV_NET80211_GETKEY:
3134 #ifdef notyet
3135 case PRIV_NET80211_MANAGE: /* XXX-BZ discuss with sam@ */
3136 #endif
3137
3138 #ifdef notyet
3139 /*
3140 * ATM privileges.
3141 */
3142 case PRIV_NETATM_CFG:
3143 case PRIV_NETATM_ADD:
3144 case PRIV_NETATM_DEL:
3145 case PRIV_NETATM_SET:
3146
3147 /*
3148 * Bluetooth privileges.
3149 */
3150 case PRIV_NETBLUETOOTH_RAW:
3151 #endif
3152
3153 /*
3154 * Netgraph and netgraph module privileges.
3155 */
3156 case PRIV_NETGRAPH_CONTROL:
3157 #ifdef notyet
3158 case PRIV_NETGRAPH_TTY:
3159 #endif
3160
3161 /*
3162 * IPv4 and IPv6 privileges.
3163 */
3164 case PRIV_NETINET_IPFW:
3165 case PRIV_NETINET_DIVERT:
3166 case PRIV_NETINET_PF:
3167 case PRIV_NETINET_DUMMYNET:
3168 case PRIV_NETINET_CARP:
3169 case PRIV_NETINET_MROUTE:
3170 case PRIV_NETINET_RAW:
3171 case PRIV_NETINET_ADDRCTRL6:
3172 case PRIV_NETINET_ND6:
3173 case PRIV_NETINET_SCOPE6:
3174 case PRIV_NETINET_ALIFETIME6:
3175 case PRIV_NETINET_IPSEC:
3176 case PRIV_NETINET_BINDANY:
3177
3178 #ifdef notyet
3179 /*
3180 * NCP privileges.
3181 */
3182 case PRIV_NETNCP:
3183
3184 /*
3185 * SMB privileges.
3186 */
3187 case PRIV_NETSMB:
3188 #endif
3189
3190 /*
3191 * No default: or deny here.
3192 * In case of no permit fall through to next switch().
3193 */
3194 if (cred->cr_prison->pr_flags & PR_VNET)
3195 return (0);
3196 }
3197 #endif /* VIMAGE */
3198
3199 switch (priv) {
3200
3201 /*
3202 * Allow ktrace privileges for root in jail.
3203 */
3204 case PRIV_KTRACE:
3205
3206 #if 0
3207 /*
3208 * Allow jailed processes to configure audit identity and
3209 * submit audit records (login, etc). In the future we may
3210 * want to further refine the relationship between audit and
3211 * jail.
3212 */
3213 case PRIV_AUDIT_GETAUDIT:
3214 case PRIV_AUDIT_SETAUDIT:
3215 case PRIV_AUDIT_SUBMIT:
3216 #endif
3217
3218 /*
3219 * Allow jailed processes to manipulate process UNIX
3220 * credentials in any way they see fit.
3221 */
3222 case PRIV_CRED_SETUID:
3223 case PRIV_CRED_SETEUID:
3224 case PRIV_CRED_SETGID:
3225 case PRIV_CRED_SETEGID:
3226 case PRIV_CRED_SETGROUPS:
3227 case PRIV_CRED_SETREUID:
3228 case PRIV_CRED_SETREGID:
3229 case PRIV_CRED_SETRESUID:
3230 case PRIV_CRED_SETRESGID:
3231
3232 /*
3233 * Jail implements visibility constraints already, so allow
3234 * jailed root to override uid/gid-based constraints.
3235 */
3236 case PRIV_SEEOTHERGIDS:
3237 case PRIV_SEEOTHERUIDS:
3238
3239 /*
3240 * Jail implements inter-process debugging limits already, so
3241 * allow jailed root various debugging privileges.
3242 */
3243 case PRIV_DEBUG_DIFFCRED:
3244 case PRIV_DEBUG_SUGID:
3245 case PRIV_DEBUG_UNPRIV:
3246
3247 /*
3248 * Allow jail to set various resource limits and login
3249 * properties, and for now, exceed process resource limits.
3250 */
3251 case PRIV_PROC_LIMIT:
3252 case PRIV_PROC_SETLOGIN:
3253 case PRIV_PROC_SETRLIMIT:
3254
3255 /*
3256 * System V and POSIX IPC privileges are granted in jail.
3257 */
3258 case PRIV_IPC_READ:
3259 case PRIV_IPC_WRITE:
3260 case PRIV_IPC_ADMIN:
3261 case PRIV_IPC_MSGSIZE:
3262 case PRIV_MQ_ADMIN:
3263
3264 /*
3265 * Jail operations within a jail work on child jails.
3266 */
3267 case PRIV_JAIL_ATTACH:
3268 case PRIV_JAIL_SET:
3269 case PRIV_JAIL_REMOVE:
3270
3271 /*
3272 * Jail implements its own inter-process limits, so allow
3273 * root processes in jail to change scheduling on other
3274 * processes in the same jail. Likewise for signalling.
3275 */
3276 case PRIV_SCHED_DIFFCRED:
3277 case PRIV_SCHED_CPUSET:
3278 case PRIV_SIGNAL_DIFFCRED:
3279 case PRIV_SIGNAL_SUGID:
3280
3281 /*
3282 * Allow jailed processes to write to sysctls marked as jail
3283 * writable.
3284 */
3285 case PRIV_SYSCTL_WRITEJAIL:
3286
3287 /*
3288 * Allow root in jail to manage a variety of quota
3289 * properties. These should likely be conditional on a
3290 * configuration option.
3291 */
3292 case PRIV_VFS_GETQUOTA:
3293 case PRIV_VFS_SETQUOTA:
3294
3295 /*
3296 * Since Jail relies on chroot() to implement file system
3297 * protections, grant many VFS privileges to root in jail.
3298 * Be careful to exclude mount-related and NFS-related
3299 * privileges.
3300 */
3301 case PRIV_VFS_READ:
3302 case PRIV_VFS_WRITE:
3303 case PRIV_VFS_ADMIN:
3304 case PRIV_VFS_EXEC:
3305 case PRIV_VFS_LOOKUP:
3306 case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */
3307 case PRIV_VFS_CHFLAGS_DEV:
3308 case PRIV_VFS_CHOWN:
3309 case PRIV_VFS_CHROOT:
3310 case PRIV_VFS_RETAINSUGID:
3311 case PRIV_VFS_FCHROOT:
3312 case PRIV_VFS_LINK:
3313 case PRIV_VFS_SETGID:
3314 case PRIV_VFS_STAT:
3315 case PRIV_VFS_STICKYFILE:
3316
3317 /*
3318 * As in the non-jail case, non-root users are expected to be
3319 * able to read kernel/phyiscal memory (provided /dev/[k]mem
3320 * exists in the jail and they have permission to access it).
3321 */
3322 case PRIV_KMEM_READ:
3323 return (0);
3324
3325 /*
3326 * Depending on the global setting, allow privilege of
3327 * setting system flags.
3328 */
3329 case PRIV_VFS_SYSFLAGS:
3330 if (cred->cr_prison->pr_allow & PR_ALLOW_CHFLAGS)
3331 return (0);
3332 else
3333 return (EPERM);
3334
3335 /*
3336 * Depending on the global setting, allow privilege of
3337 * mounting/unmounting file systems.
3338 */
3339 case PRIV_VFS_MOUNT:
3340 case PRIV_VFS_UNMOUNT:
3341 case PRIV_VFS_MOUNT_NONUSER:
3342 case PRIV_VFS_MOUNT_OWNER:
3343 if (cred->cr_prison->pr_allow & PR_ALLOW_MOUNT &&
3344 cred->cr_prison->pr_enforce_statfs < 2)
3345 return (0);
3346 else
3347 return (EPERM);
3348
3349 /*
3350 * Allow jailed root to bind reserved ports and reuse in-use
3351 * ports.
3352 */
3353 case PRIV_NETINET_RESERVEDPORT:
3354 case PRIV_NETINET_REUSEPORT:
3355 return (0);
3356
3357 /*
3358 * Allow jailed root to set certain IPv4/6 (option) headers.
3359 */
3360 case PRIV_NETINET_SETHDROPTS:
3361 return (0);
3362
3363 /*
3364 * Conditionally allow creating raw sockets in jail.
3365 */
3366 case PRIV_NETINET_RAW:
3367 if (cred->cr_prison->pr_allow & PR_ALLOW_RAW_SOCKETS)
3368 return (0);
3369 else
3370 return (EPERM);
3371
3372 /*
3373 * Since jail implements its own visibility limits on netstat
3374 * sysctls, allow getcred. This allows identd to work in
3375 * jail.
3376 */
3377 case PRIV_NETINET_GETCRED:
3378 return (0);
3379
3380 /*
3381 * Allow jailed root to set loginclass.
3382 */
3383 case PRIV_PROC_SETLOGINCLASS:
3384 return (0);
3385
3386 /*
3387 * Do not allow a process inside a jail to read the kernel
3388 * message buffer unless explicitly permitted.
3389 */
3390 case PRIV_MSGBUF:
3391 if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF)
3392 return (0);
3393 return (EPERM);
3394
3395 default:
3396 /*
3397 * In all remaining cases, deny the privilege request. This
3398 * includes almost all network privileges, many system
3399 * configuration privileges.
3400 */
3401 return (EPERM);
3402 }
3403 }
3404
3405 /*
3406 * Return the part of pr2's name that is relative to pr1, or the whole name
3407 * if it does not directly follow.
3408 */
3409
3410 char *
3411 prison_name(struct prison *pr1, struct prison *pr2)
3412 {
3413 char *name;
3414
3415 /* Jails see themselves as "" (if they see themselves at all). */
3416 if (pr1 == pr2)
3417 return "";
3418 name = pr2->pr_name;
3419 if (prison_ischild(pr1, pr2)) {
3420 /*
3421 * pr1 isn't locked (and allprison_lock may not be either)
3422 * so its length can't be counted on. But the number of dots
3423 * can be counted on - and counted.
3424 */
3425 for (; pr1 != &prison0; pr1 = pr1->pr_parent)
3426 name = strchr(name, '.') + 1;
3427 }
3428 return (name);
3429 }
3430
3431 /*
3432 * Return the part of pr2's path that is relative to pr1, or the whole path
3433 * if it does not directly follow.
3434 */
3435 static char *
3436 prison_path(struct prison *pr1, struct prison *pr2)
3437 {
3438 char *path1, *path2;
3439 int len1;
3440
3441 path1 = pr1->pr_path;
3442 path2 = pr2->pr_path;
3443 if (!strcmp(path1, "/"))
3444 return (path2);
3445 len1 = strlen(path1);
3446 if (strncmp(path1, path2, len1))
3447 return (path2);
3448 if (path2[len1] == '\0')
3449 return "/";
3450 if (path2[len1] == '/')
3451 return (path2 + len1);
3452 return (path2);
3453 }
3454
3455
3456 /*
3457 * Jail-related sysctls.
3458 */
3459 static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
3460 "Jails");
3461
3462 static int
3463 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
3464 {
3465 struct xprison *xp;
3466 struct prison *pr, *cpr;
3467 #ifdef INET
3468 struct in_addr *ip4 = NULL;
3469 int ip4s = 0;
3470 #endif
3471 #ifdef INET6
3472 struct in6_addr *ip6 = NULL;
3473 int ip6s = 0;
3474 #endif
3475 int descend, error;
3476
3477 xp = malloc(sizeof(*xp), M_TEMP, M_WAITOK);
3478 pr = req->td->td_ucred->cr_prison;
3479 error = 0;
3480 sx_slock(&allprison_lock);
3481 FOREACH_PRISON_DESCENDANT(pr, cpr, descend) {
3482 #if defined(INET) || defined(INET6)
3483 again:
3484 #endif
3485 mtx_lock(&cpr->pr_mtx);
3486 #ifdef INET
3487 if (cpr->pr_ip4s > 0) {
3488 if (ip4s < cpr->pr_ip4s) {
3489 ip4s = cpr->pr_ip4s;
3490 mtx_unlock(&cpr->pr_mtx);
3491 ip4 = realloc(ip4, ip4s *
3492 sizeof(struct in_addr), M_TEMP, M_WAITOK);
3493 goto again;
3494 }
3495 bcopy(cpr->pr_ip4, ip4,
3496 cpr->pr_ip4s * sizeof(struct in_addr));
3497 }
3498 #endif
3499 #ifdef INET6
3500 if (cpr->pr_ip6s > 0) {
3501 if (ip6s < cpr->pr_ip6s) {
3502 ip6s = cpr->pr_ip6s;
3503 mtx_unlock(&cpr->pr_mtx);
3504 ip6 = realloc(ip6, ip6s *
3505 sizeof(struct in6_addr), M_TEMP, M_WAITOK);
3506 goto again;
3507 }
3508 bcopy(cpr->pr_ip6, ip6,
3509 cpr->pr_ip6s * sizeof(struct in6_addr));
3510 }
3511 #endif
3512 if (cpr->pr_ref == 0) {
3513 mtx_unlock(&cpr->pr_mtx);
3514 continue;
3515 }
3516 bzero(xp, sizeof(*xp));
3517 xp->pr_version = XPRISON_VERSION;
3518 xp->pr_id = cpr->pr_id;
3519 xp->pr_state = cpr->pr_uref > 0
3520 ? PRISON_STATE_ALIVE : PRISON_STATE_DYING;
3521 strlcpy(xp->pr_path, prison_path(pr, cpr), sizeof(xp->pr_path));
3522 strlcpy(xp->pr_host, cpr->pr_hostname, sizeof(xp->pr_host));
3523 strlcpy(xp->pr_name, prison_name(pr, cpr), sizeof(xp->pr_name));
3524 #ifdef INET
3525 xp->pr_ip4s = cpr->pr_ip4s;
3526 #endif
3527 #ifdef INET6
3528 xp->pr_ip6s = cpr->pr_ip6s;
3529 #endif
3530 mtx_unlock(&cpr->pr_mtx);
3531 error = SYSCTL_OUT(req, xp, sizeof(*xp));
3532 if (error)
3533 break;
3534 #ifdef INET
3535 if (xp->pr_ip4s > 0) {
3536 error = SYSCTL_OUT(req, ip4,
3537 xp->pr_ip4s * sizeof(struct in_addr));
3538 if (error)
3539 break;
3540 }
3541 #endif
3542 #ifdef INET6
3543 if (xp->pr_ip6s > 0) {
3544 error = SYSCTL_OUT(req, ip6,
3545 xp->pr_ip6s * sizeof(struct in6_addr));
3546 if (error)
3547 break;
3548 }
3549 #endif
3550 }
3551 sx_sunlock(&allprison_lock);
3552 free(xp, M_TEMP);
3553 #ifdef INET
3554 free(ip4, M_TEMP);
3555 #endif
3556 #ifdef INET6
3557 free(ip6, M_TEMP);
3558 #endif
3559 return (error);
3560 }
3561
3562 SYSCTL_OID(_security_jail, OID_AUTO, list,
3563 CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
3564 sysctl_jail_list, "S", "List of active jails");
3565
3566 static int
3567 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
3568 {
3569 int error, injail;
3570
3571 injail = jailed(req->td->td_ucred);
3572 error = SYSCTL_OUT(req, &injail, sizeof(injail));
3573
3574 return (error);
3575 }
3576
3577 SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
3578 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
3579 sysctl_jail_jailed, "I", "Process in jail?");
3580
3581 static int
3582 sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
3583 {
3584 int error, havevnet;
3585 #ifdef VIMAGE
3586 struct ucred *cred = req->td->td_ucred;
3587
3588 havevnet = jailed(cred) && prison_owns_vnet(cred);
3589 #else
3590 havevnet = 0;
3591 #endif
3592 error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
3593
3594 return (error);
3595 }
3596
3597 SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
3598 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
3599 sysctl_jail_vnet, "I", "Jail owns VNET?");
3600
3601 #if defined(INET) || defined(INET6)
3602 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
3603 &jail_max_af_ips, 0,
3604 "Number of IP addresses a jail may have at most per address family (deprecated)");
3605 #endif
3606
3607 /*
3608 * Default parameters for jail(2) compatibility. For historical reasons,
3609 * the sysctl names have varying similarity to the parameter names. Prisons
3610 * just see their own parameters, and can't change them.
3611 */
3612 static int
3613 sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
3614 {
3615 struct prison *pr;
3616 int allow, error, i;
3617
3618 pr = req->td->td_ucred->cr_prison;
3619 allow = (pr == &prison0) ? jail_default_allow : pr->pr_allow;
3620
3621 /* Get the current flag value, and convert it to a boolean. */
3622 i = (allow & arg2) ? 1 : 0;
3623 if (arg1 != NULL)
3624 i = !i;
3625 error = sysctl_handle_int(oidp, &i, 0, req);
3626 if (error || !req->newptr)
3627 return (error);
3628 i = i ? arg2 : 0;
3629 if (arg1 != NULL)
3630 i ^= arg2;
3631 /*
3632 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
3633 * for writing.
3634 */
3635 mtx_lock(&prison0.pr_mtx);
3636 jail_default_allow = (jail_default_allow & ~arg2) | i;
3637 mtx_unlock(&prison0.pr_mtx);
3638 return (0);
3639 }
3640
3641 SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed,
3642 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3643 NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
3644 "Processes in jail can set their hostnames (deprecated)");
3645 SYSCTL_PROC(_security_jail, OID_AUTO, socket_unixiproute_only,
3646 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3647 (void *)1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow, "I",
3648 "Processes in jail are limited to creating UNIX/IP/route sockets only (deprecated)");
3649 SYSCTL_PROC(_security_jail, OID_AUTO, sysvipc_allowed,
3650 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3651 NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow, "I",
3652 "Processes in jail can use System V IPC primitives (deprecated)");
3653 SYSCTL_PROC(_security_jail, OID_AUTO, allow_raw_sockets,
3654 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3655 NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow, "I",
3656 "Prison root can create raw sockets (deprecated)");
3657 SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
3658 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3659 NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
3660 "Processes in jail can alter system file flags (deprecated)");
3661 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
3662 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3663 NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
3664 "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
3665 SYSCTL_PROC(_security_jail, OID_AUTO, mount_devfs_allowed,
3666 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3667 NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow, "I",
3668 "Processes in jail can mount the devfs file system (deprecated)");
3669 SYSCTL_PROC(_security_jail, OID_AUTO, mount_fdescfs_allowed,
3670 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3671 NULL, PR_ALLOW_MOUNT_FDESCFS, sysctl_jail_default_allow, "I",
3672 "Processes in jail can mount the fdescfs file system (deprecated)");
3673 SYSCTL_PROC(_security_jail, OID_AUTO, mount_nullfs_allowed,
3674 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3675 NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow, "I",
3676 "Processes in jail can mount the nullfs file system (deprecated)");
3677 SYSCTL_PROC(_security_jail, OID_AUTO, mount_procfs_allowed,
3678 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3679 NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I",
3680 "Processes in jail can mount the procfs file system (deprecated)");
3681 SYSCTL_PROC(_security_jail, OID_AUTO, mount_linprocfs_allowed,
3682 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3683 NULL, PR_ALLOW_MOUNT_LINPROCFS, sysctl_jail_default_allow, "I",
3684 "Processes in jail can mount the linprocfs file system (deprecated)");
3685 SYSCTL_PROC(_security_jail, OID_AUTO, mount_linsysfs_allowed,
3686 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3687 NULL, PR_ALLOW_MOUNT_LINSYSFS, sysctl_jail_default_allow, "I",
3688 "Processes in jail can mount the linsysfs file system (deprecated)");
3689 SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed,
3690 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3691 NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I",
3692 "Processes in jail can mount the tmpfs file system (deprecated)");
3693 SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed,
3694 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3695 NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
3696 "Processes in jail can mount the zfs file system (deprecated)");
3697
3698 static int
3699 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
3700 {
3701 struct prison *pr;
3702 int level, error;
3703
3704 pr = req->td->td_ucred->cr_prison;
3705 level = (pr == &prison0) ? *(int *)arg1 : *(int *)((char *)pr + arg2);
3706 error = sysctl_handle_int(oidp, &level, 0, req);
3707 if (error || !req->newptr)
3708 return (error);
3709 *(int *)arg1 = level;
3710 return (0);
3711 }
3712
3713 SYSCTL_PROC(_security_jail, OID_AUTO, enforce_statfs,
3714 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
3715 &jail_default_enforce_statfs, offsetof(struct prison, pr_enforce_statfs),
3716 sysctl_jail_default_level, "I",
3717 "Processes in jail cannot see all mounted file systems (deprecated)");
3718
3719 SYSCTL_PROC(_security_jail, OID_AUTO, devfs_ruleset,
3720 CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
3721 &jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum),
3722 sysctl_jail_default_level, "I",
3723 "Ruleset for the devfs filesystem in jail (deprecated)");
3724
3725 /*
3726 * Nodes to describe jail parameters. Maximum length of string parameters
3727 * is returned in the string itself, and the other parameters exist merely
3728 * to make themselves and their types known.
3729 */
3730 SYSCTL_NODE(_security_jail, OID_AUTO, param, CTLFLAG_RW, 0,
3731 "Jail parameters");
3732
3733 int
3734 sysctl_jail_param(SYSCTL_HANDLER_ARGS)
3735 {
3736 int i;
3737 long l;
3738 size_t s;
3739 char numbuf[12];
3740
3741 switch (oidp->oid_kind & CTLTYPE)
3742 {
3743 case CTLTYPE_LONG:
3744 case CTLTYPE_ULONG:
3745 l = 0;
3746 #ifdef SCTL_MASK32
3747 if (!(req->flags & SCTL_MASK32))
3748 #endif
3749 return (SYSCTL_OUT(req, &l, sizeof(l)));
3750 case CTLTYPE_INT:
3751 case CTLTYPE_UINT:
3752 i = 0;
3753 return (SYSCTL_OUT(req, &i, sizeof(i)));
3754 case CTLTYPE_STRING:
3755 snprintf(numbuf, sizeof(numbuf), "%jd", (intmax_t)arg2);
3756 return
3757 (sysctl_handle_string(oidp, numbuf, sizeof(numbuf), req));
3758 case CTLTYPE_STRUCT:
3759 s = (size_t)arg2;
3760 return (SYSCTL_OUT(req, &s, sizeof(s)));
3761 }
3762 return (0);
3763 }
3764
3765 /*
3766 * CTLFLAG_RDTUN in the following indicates jail parameters that can be set at
3767 * jail creation time but cannot be changed in an existing jail.
3768 */
3769 SYSCTL_JAIL_PARAM(, jid, CTLTYPE_INT | CTLFLAG_RDTUN, "I", "Jail ID");
3770 SYSCTL_JAIL_PARAM(, parent, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail parent ID");
3771 SYSCTL_JAIL_PARAM_STRING(, name, CTLFLAG_RW, MAXHOSTNAMELEN, "Jail name");
3772 SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path");
3773 SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT | CTLFLAG_RW,
3774 "I", "Jail secure level");
3775 SYSCTL_JAIL_PARAM(, osreldate, CTLTYPE_INT | CTLFLAG_RDTUN, "I",
3776 "Jail value for kern.osreldate and uname -K");
3777 SYSCTL_JAIL_PARAM_STRING(, osrelease, CTLFLAG_RDTUN, OSRELEASELEN,
3778 "Jail value for kern.osrelease and uname -r");
3779 SYSCTL_JAIL_PARAM(, enforce_statfs, CTLTYPE_INT | CTLFLAG_RW,
3780 "I", "Jail cannot see all mounted file systems");
3781 SYSCTL_JAIL_PARAM(, devfs_ruleset, CTLTYPE_INT | CTLFLAG_RW,
3782 "I", "Ruleset for in-jail devfs mounts");
3783 SYSCTL_JAIL_PARAM(, persist, CTLTYPE_INT | CTLFLAG_RW,
3784 "B", "Jail persistence");
3785 #ifdef VIMAGE
3786 SYSCTL_JAIL_PARAM(, vnet, CTLTYPE_INT | CTLFLAG_RDTUN,
3787 "E,jailsys", "Virtual network stack");
3788 #endif
3789 SYSCTL_JAIL_PARAM(, dying, CTLTYPE_INT | CTLFLAG_RD,
3790 "B", "Jail is in the process of shutting down");
3791
3792 SYSCTL_JAIL_PARAM_NODE(children, "Number of child jails");
3793 SYSCTL_JAIL_PARAM(_children, cur, CTLTYPE_INT | CTLFLAG_RD,
3794 "I", "Current number of child jails");
3795 SYSCTL_JAIL_PARAM(_children, max, CTLTYPE_INT | CTLFLAG_RW,
3796 "I", "Maximum number of child jails");
3797
3798 SYSCTL_JAIL_PARAM_SYS_NODE(host, CTLFLAG_RW, "Jail host info");
3799 SYSCTL_JAIL_PARAM_STRING(_host, hostname, CTLFLAG_RW, MAXHOSTNAMELEN,
3800 "Jail hostname");
3801 SYSCTL_JAIL_PARAM_STRING(_host, domainname, CTLFLAG_RW, MAXHOSTNAMELEN,
3802 "Jail NIS domainname");
3803 SYSCTL_JAIL_PARAM_STRING(_host, hostuuid, CTLFLAG_RW, HOSTUUIDLEN,
3804 "Jail host UUID");
3805 SYSCTL_JAIL_PARAM(_host, hostid, CTLTYPE_ULONG | CTLFLAG_RW,
3806 "LU", "Jail host ID");
3807
3808 SYSCTL_JAIL_PARAM_NODE(cpuset, "Jail cpuset");
3809 SYSCTL_JAIL_PARAM(_cpuset, id, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail cpuset ID");
3810
3811 #ifdef INET
3812 SYSCTL_JAIL_PARAM_SYS_NODE(ip4, CTLFLAG_RDTUN,
3813 "Jail IPv4 address virtualization");
3814 SYSCTL_JAIL_PARAM_STRUCT(_ip4, addr, CTLFLAG_RW, sizeof(struct in_addr),
3815 "S,in_addr,a", "Jail IPv4 addresses");
3816 SYSCTL_JAIL_PARAM(_ip4, saddrsel, CTLTYPE_INT | CTLFLAG_RW,
3817 "B", "Do (not) use IPv4 source address selection rather than the "
3818 "primary jail IPv4 address.");
3819 #endif
3820 #ifdef INET6
3821 SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RDTUN,
3822 "Jail IPv6 address virtualization");
3823 SYSCTL_JAIL_PARAM_STRUCT(_ip6, addr, CTLFLAG_RW, sizeof(struct in6_addr),
3824 "S,in6_addr,a", "Jail IPv6 addresses");
3825 SYSCTL_JAIL_PARAM(_ip6, saddrsel, CTLTYPE_INT | CTLFLAG_RW,
3826 "B", "Do (not) use IPv6 source address selection rather than the "
3827 "primary jail IPv6 address.");
3828 #endif
3829
3830 SYSCTL_JAIL_PARAM_NODE(allow, "Jail permission flags");
3831 SYSCTL_JAIL_PARAM(_allow, set_hostname, CTLTYPE_INT | CTLFLAG_RW,
3832 "B", "Jail may set hostname");
3833 SYSCTL_JAIL_PARAM(_allow, sysvipc, CTLTYPE_INT | CTLFLAG_RW,
3834 "B", "Jail may use SYSV IPC");
3835 SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW,
3836 "B", "Jail may create raw sockets");
3837 SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW,
3838 "B", "Jail may alter system file flags");
3839 SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW,
3840 "B", "Jail may set file quotas");
3841 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
3842 "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
3843 SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
3844 "B", "Jail may read the kernel message buffer");
3845
3846 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
3847 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
3848 "B", "Jail may mount/unmount jail-friendly file systems in general");
3849 SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW,
3850 "B", "Jail may mount the devfs file system");
3851 SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW,
3852 "B", "Jail may mount the fdescfs file system");
3853 SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW,
3854 "B", "Jail may mount the nullfs file system");
3855 SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW,
3856 "B", "Jail may mount the procfs file system");
3857 SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW,
3858 "B", "Jail may mount the linprocfs file system");
3859 SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW,
3860 "B", "Jail may mount the linsysfs file system");
3861 SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW,
3862 "B", "Jail may mount the tmpfs file system");
3863 SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
3864 "B", "Jail may mount the zfs file system");
3865
3866 #ifdef RACCT
3867 void
3868 prison_racct_foreach(void (*callback)(struct racct *racct,
3869 void *arg2, void *arg3), void (*pre)(void), void (*post)(void),
3870 void *arg2, void *arg3)
3871 {
3872 struct prison_racct *prr;
3873
3874 ASSERT_RACCT_ENABLED();
3875
3876 sx_slock(&allprison_lock);
3877 if (pre != NULL)
3878 (pre)();
3879 LIST_FOREACH(prr, &allprison_racct, prr_next)
3880 (callback)(prr->prr_racct, arg2, arg3);
3881 if (post != NULL)
3882 (post)();
3883 sx_sunlock(&allprison_lock);
3884 }
3885
3886 static struct prison_racct *
3887 prison_racct_find_locked(const char *name)
3888 {
3889 struct prison_racct *prr;
3890
3891 ASSERT_RACCT_ENABLED();
3892 sx_assert(&allprison_lock, SA_XLOCKED);
3893
3894 if (name[0] == '\0' || strlen(name) >= MAXHOSTNAMELEN)
3895 return (NULL);
3896
3897 LIST_FOREACH(prr, &allprison_racct, prr_next) {
3898 if (strcmp(name, prr->prr_name) != 0)
3899 continue;
3900
3901 /* Found prison_racct with a matching name? */
3902 prison_racct_hold(prr);
3903 return (prr);
3904 }
3905
3906 /* Add new prison_racct. */
3907 prr = malloc(sizeof(*prr), M_PRISON_RACCT, M_ZERO | M_WAITOK);
3908 racct_create(&prr->prr_racct);
3909
3910 strcpy(prr->prr_name, name);
3911 refcount_init(&prr->prr_refcount, 1);
3912 LIST_INSERT_HEAD(&allprison_racct, prr, prr_next);
3913
3914 return (prr);
3915 }
3916
3917 struct prison_racct *
3918 prison_racct_find(const char *name)
3919 {
3920 struct prison_racct *prr;
3921
3922 ASSERT_RACCT_ENABLED();
3923
3924 sx_xlock(&allprison_lock);
3925 prr = prison_racct_find_locked(name);
3926 sx_xunlock(&allprison_lock);
3927 return (prr);
3928 }
3929
3930 void
3931 prison_racct_hold(struct prison_racct *prr)
3932 {
3933
3934 ASSERT_RACCT_ENABLED();
3935
3936 refcount_acquire(&prr->prr_refcount);
3937 }
3938
3939 static void
3940 prison_racct_free_locked(struct prison_racct *prr)
3941 {
3942
3943 ASSERT_RACCT_ENABLED();
3944 sx_assert(&allprison_lock, SA_XLOCKED);
3945
3946 if (refcount_release(&prr->prr_refcount)) {
3947 racct_destroy(&prr->prr_racct);
3948 LIST_REMOVE(prr, prr_next);
3949 free(prr, M_PRISON_RACCT);
3950 }
3951 }
3952
3953 void
3954 prison_racct_free(struct prison_racct *prr)
3955 {
3956 int old;
3957
3958 ASSERT_RACCT_ENABLED();
3959 sx_assert(&allprison_lock, SA_UNLOCKED);
3960
3961 old = prr->prr_refcount;
3962 if (old > 1 && atomic_cmpset_int(&prr->prr_refcount, old, old - 1))
3963 return;
3964
3965 sx_xlock(&allprison_lock);
3966 prison_racct_free_locked(prr);
3967 sx_xunlock(&allprison_lock);
3968 }
3969
3970 static void
3971 prison_racct_attach(struct prison *pr)
3972 {
3973 struct prison_racct *prr;
3974
3975 ASSERT_RACCT_ENABLED();
3976 sx_assert(&allprison_lock, SA_XLOCKED);
3977
3978 prr = prison_racct_find_locked(pr->pr_name);
3979 KASSERT(prr != NULL, ("cannot find prison_racct"));
3980
3981 pr->pr_prison_racct = prr;
3982 }
3983
3984 /*
3985 * Handle jail renaming. From the racct point of view, renaming means
3986 * moving from one prison_racct to another.
3987 */
3988 static void
3989 prison_racct_modify(struct prison *pr)
3990 {
3991 #ifdef RCTL
3992 struct proc *p;
3993 struct ucred *cred;
3994 #endif
3995 struct prison_racct *oldprr;
3996
3997 ASSERT_RACCT_ENABLED();
3998
3999 sx_slock(&allproc_lock);
4000 sx_xlock(&allprison_lock);
4001
4002 if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0) {
4003 sx_xunlock(&allprison_lock);
4004 sx_sunlock(&allproc_lock);
4005 return;
4006 }
4007
4008 oldprr = pr->pr_prison_racct;
4009 pr->pr_prison_racct = NULL;
4010
4011 prison_racct_attach(pr);
4012
4013 /*
4014 * Move resource utilisation records.
4015 */
4016 racct_move(pr->pr_prison_racct->prr_racct, oldprr->prr_racct);
4017
4018 #ifdef RCTL
4019 /*
4020 * Force rctl to reattach rules to processes.
4021 */
4022 FOREACH_PROC_IN_SYSTEM(p) {
4023 PROC_LOCK(p);
4024 cred = crhold(p->p_ucred);
4025 PROC_UNLOCK(p);
4026 rctl_proc_ucred_changed(p, cred);
4027 crfree(cred);
4028 }
4029 #endif
4030
4031 sx_sunlock(&allproc_lock);
4032 prison_racct_free_locked(oldprr);
4033 sx_xunlock(&allprison_lock);
4034 }
4035
4036 static void
4037 prison_racct_detach(struct prison *pr)
4038 {
4039
4040 ASSERT_RACCT_ENABLED();
4041 sx_assert(&allprison_lock, SA_UNLOCKED);
4042
4043 if (pr->pr_prison_racct == NULL)
4044 return;
4045 prison_racct_free(pr->pr_prison_racct);
4046 pr->pr_prison_racct = NULL;
4047 }
4048 #endif /* RACCT */
4049
4050 #ifdef DDB
4051
4052 static void
4053 db_show_prison(struct prison *pr)
4054 {
4055 int fi;
4056 #if defined(INET) || defined(INET6)
4057 int ii;
4058 #endif
4059 unsigned jsf;
4060 #ifdef INET
4061 char ip4buf[INET_ADDRSTRLEN];
4062 #endif
4063 #ifdef INET6
4064 char ip6buf[INET6_ADDRSTRLEN];
4065 #endif
4066
4067 db_printf("prison %p:\n", pr);
4068 db_printf(" jid = %d\n", pr->pr_id);
4069 db_printf(" name = %s\n", pr->pr_name);
4070 db_printf(" parent = %p\n", pr->pr_parent);
4071 db_printf(" ref = %d\n", pr->pr_ref);
4072 db_printf(" uref = %d\n", pr->pr_uref);
4073 db_printf(" path = %s\n", pr->pr_path);
4074 db_printf(" cpuset = %d\n", pr->pr_cpuset
4075 ? pr->pr_cpuset->cs_id : -1);
4076 #ifdef VIMAGE
4077 db_printf(" vnet = %p\n", pr->pr_vnet);
4078 #endif
4079 db_printf(" root = %p\n", pr->pr_root);
4080 db_printf(" securelevel = %d\n", pr->pr_securelevel);
4081 db_printf(" devfs_rsnum = %d\n", pr->pr_devfs_rsnum);
4082 db_printf(" children.max = %d\n", pr->pr_childmax);
4083 db_printf(" children.cur = %d\n", pr->pr_childcount);
4084 db_printf(" child = %p\n", LIST_FIRST(&pr->pr_children));
4085 db_printf(" sibling = %p\n", LIST_NEXT(pr, pr_sibling));
4086 db_printf(" flags = 0x%x", pr->pr_flags);
4087 for (fi = 0; fi < nitems(pr_flag_names); fi++)
4088 if (pr_flag_names[fi] != NULL && (pr->pr_flags & (1 << fi)))
4089 db_printf(" %s", pr_flag_names[fi]);
4090 for (fi = 0; fi < nitems(pr_flag_jailsys); fi++) {
4091 jsf = pr->pr_flags &
4092 (pr_flag_jailsys[fi].disable | pr_flag_jailsys[fi].new);
4093 db_printf(" %-16s= %s\n", pr_flag_jailsys[fi].name,
4094 pr_flag_jailsys[fi].disable &&
4095 (jsf == pr_flag_jailsys[fi].disable) ? "disable"
4096 : (jsf == pr_flag_jailsys[fi].new) ? "new"
4097 : "inherit");
4098 }
4099 db_printf(" allow = 0x%x", pr->pr_allow);
4100 for (fi = 0; fi < nitems(pr_allow_names); fi++)
4101 if (pr_allow_names[fi] != NULL && (pr->pr_allow & (1 << fi)))
4102 db_printf(" %s", pr_allow_names[fi]);
4103 db_printf("\n");
4104 db_printf(" enforce_statfs = %d\n", pr->pr_enforce_statfs);
4105 db_printf(" host.hostname = %s\n", pr->pr_hostname);
4106 db_printf(" host.domainname = %s\n", pr->pr_domainname);
4107 db_printf(" host.hostuuid = %s\n", pr->pr_hostuuid);
4108 db_printf(" host.hostid = %lu\n", pr->pr_hostid);
4109 #ifdef INET
4110 db_printf(" ip4s = %d\n", pr->pr_ip4s);
4111 for (ii = 0; ii < pr->pr_ip4s; ii++)
4112 db_printf(" %s %s\n",
4113 ii == 0 ? "ip4.addr =" : " ",
4114 inet_ntoa_r(pr->pr_ip4[ii], ip4buf));
4115 #endif
4116 #ifdef INET6
4117 db_printf(" ip6s = %d\n", pr->pr_ip6s);
4118 for (ii = 0; ii < pr->pr_ip6s; ii++)
4119 db_printf(" %s %s\n",
4120 ii == 0 ? "ip6.addr =" : " ",
4121 ip6_sprintf(ip6buf, &pr->pr_ip6[ii]));
4122 #endif
4123 }
4124
4125 DB_SHOW_COMMAND(prison, db_show_prison_command)
4126 {
4127 struct prison *pr;
4128
4129 if (!have_addr) {
4130 /*
4131 * Show all prisons in the list, and prison0 which is not
4132 * listed.
4133 */
4134 db_show_prison(&prison0);
4135 if (!db_pager_quit) {
4136 TAILQ_FOREACH(pr, &allprison, pr_list) {
4137 db_show_prison(pr);
4138 if (db_pager_quit)
4139 break;
4140 }
4141 }
4142 return;
4143 }
4144
4145 if (addr == 0)
4146 pr = &prison0;
4147 else {
4148 /* Look for a prison with the ID and with references. */
4149 TAILQ_FOREACH(pr, &allprison, pr_list)
4150 if (pr->pr_id == addr && pr->pr_ref > 0)
4151 break;
4152 if (pr == NULL)
4153 /* Look again, without requiring a reference. */
4154 TAILQ_FOREACH(pr, &allprison, pr_list)
4155 if (pr->pr_id == addr)
4156 break;
4157 if (pr == NULL)
4158 /* Assume address points to a valid prison. */
4159 pr = (struct prison *)addr;
4160 }
4161 db_show_prison(pr);
4162 }
4163
4164 #endif /* DDB */
Cache object: b0b1c02313458736b2adceb6f8cc8fef
|