    1 /*
    2  * ----------------------------------------------------------------------------
    3  * "THE BEER-WARE LICENSE" (Revision 42):
    4  * <phk@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
    5  * can do whatever you want with this stuff. If we meet some day, and you think
    6  * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
    7  * ----------------------------------------------------------------------------
    8  *
    9  * $FreeBSD$
   10  *
   11  */
   12 
   13 #include <sys/param.h>
   14 #include <sys/types.h>
   15 #include <sys/kernel.h>
   16 #include <sys/systm.h>
   17 #include <sys/errno.h>
   18 #include <sys/sysproto.h>
   19 #include <sys/malloc.h>
   20 #include <sys/proc.h>
   21 #include <sys/jail.h>
   22 #include <sys/socket.h>
   23 #include <sys/sysctl.h>
   24 #include <net/if.h>
   25 #include <netinet/in.h>
   26 
/* Malloc type tag for struct prison; jail() below allocates and frees with it. */
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");

/* Root of the "jail" sysctl subtree; the three knobs below hang off it as _jail. */
SYSCTL_NODE(, OID_AUTO, jail, CTLFLAG_RW, 0,
    "Jail rules");

/*
 * Jail policy knobs.  All three are CTLFLAG_RW, i.e. changeable at run time
 * through sysctl(8).  Only jail_socket_unixiproute_only is consulted in this
 * file (see prison_if()); the other two are presumably read by the hostname
 * and SysV IPC code paths elsewhere in the kernel -- not visible here.
 */

/* Default 1: a jailed process may change its own hostname. */
int     jail_set_hostname_allowed = 1;
SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
    &jail_set_hostname_allowed, 0,
    "Processes in jail can set their hostnames");

/* Default 1: prison_if() rejects non-AF_INET socket addresses while this is set. */
int     jail_socket_unixiproute_only = 1;
SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
    &jail_socket_unixiproute_only, 0,
    "Processes in jail are limited to creating UNIX/IPv4/route sockets only");

/* Default 0: System V IPC stays unavailable inside a jail unless enabled. */
int     jail_sysvipc_allowed = 0;
SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
    &jail_sysvipc_allowed, 0,
    "Processes in jail can use System V IPC primitives");
   46 
/*
 * jail(2): confine the calling process to a newly created prison.
 *
 * p    - the calling process; must satisfy suser().
 * uap  - syscall arguments; uap->jail is a user pointer to a struct jail.
 *
 * Returns 0 on success, otherwise an errno value: whatever suser(),
 * copyin(), copyinstr() or chroot() returned, or EINVAL when the
 * user-supplied struct jail carries a version other than 0.
 *
 * Order of operations matters for the failure paths: the prison is only
 * attached to the process (pr_ref, p_prison, P_JAILED) after chroot() has
 * succeeded, so on any error the process is left exactly as it was and the
 * partially built prison is freed.  chroot() is the last step that can
 * fail, so a successful chroot is never followed by a failure here.
 */
int
jail(struct proc *p, struct jail_args /* {
		syscallarg(struct jail *) jail;
	} */ *uap)
{
	struct jail j;
	struct prison *pr;
	struct chroot_args ca;
	int error;

	/* Privileged operation: only the superuser may create a jail. */
	if ((error = suser(p)) != 0)
		return (error);

	/* Fetch the request from user space; refuse unknown layouts. */
	if ((error = copyin(uap->jail, &j, sizeof j)) != 0)
		return (error);
	if (j.version != 0)
		return (EINVAL);

	MALLOC(pr, struct prison *, sizeof *pr, M_PRISON, M_WAITOK);
	bzero((caddr_t)pr, sizeof *pr);

	/* Hostname copy is bounded by sizeof pr_host; copyinstr() reports overflow as an error. */
	error = copyinstr(j.hostname, &pr->pr_host, sizeof pr->pr_host, 0);
	if (error != 0)
		goto bail;

	/*
	 * Stored as given by user space.  prison_ip() compares pr_ip against
	 * ntohl()'d addresses, so host byte order is expected here.
	 * NOTE(review): the value is not validated; prison_ip() treats
	 * INADDR_ANY and INADDR_LOOPBACK as wildcards it rewrites to pr_ip, so
	 * a prison whose pr_ip is one of those would not be confined to a single
	 * address -- confirm that jail(8) never passes them.
	 */
	pr->pr_ip = j.ip_number;

	/* Restrict the filesystem view; chroot() copies in and validates the path itself. */
	ca.path = j.path;
	error = chroot(p, &ca);
	if (error != 0)
		goto bail;

	/* Commit: the process holds the prison's first (and only) reference. */
	pr->pr_ref++;
	p->p_prison = pr;
	p->p_flag |= P_JAILED;
	return (0);

bail:
	FREE(pr, M_PRISON);
	return (error);
}
   88 
/*
 * Check and, where allowed, rewrite a local IPv4 address on behalf of a
 * jailed process.
 *
 * p    - the process; when it is not jailed nothing is touched and 0 is returned.
 * flag - non-zero when *ip is in host byte order, zero when it is in network
 *        byte order.  pr_ip itself is kept in host byte order.
 * ip   - the address, rewritten in place (in the caller's byte order).
 *
 * INADDR_ANY and INADDR_LOOPBACK are replaced by the prison's own address;
 * the prison's address is accepted as is.  Any other address yields 1
 * without modifying *ip -- callers (not visible here) presumably treat that
 * as "not permitted", the same sense prison_if() uses.
 */
int
prison_ip(struct proc *p, int flag, u_int32_t *ip)
{
	u_int32_t addr, jail_addr;

	if (p->p_prison == NULL)
		return (0);

	jail_addr = p->p_prison->pr_ip;
	addr = flag ? *ip : ntohl(*ip);

	/* Wildcard and loopback both collapse onto the jail's single address. */
	if (addr == INADDR_ANY || addr == INADDR_LOOPBACK) {
		*ip = flag ? jail_addr : htonl(jail_addr);
		return (0);
	}

	/* Anything else must be exactly the prison's address. */
	return (addr != jail_addr);
}
  118 
/*
 * Rewrite a remote (peer) IPv4 address for a jailed process.
 *
 * Only INADDR_LOOPBACK is changed: it becomes the prison's address, so a
 * jailed process addressing "localhost" is steered to the jail's own
 * address instead of the host's loopback.  Every other address passes
 * through untouched -- unlike prison_ip(), nothing is rejected here, which
 * is why this returns void.  A NULL p or an unjailed process is a no-op.
 * flag and ip have the same meaning as in prison_ip().
 */
void
prison_remote_ip(struct proc *p, int flag, u_int32_t *ip)
{
	u_int32_t addr;

	if (p == NULL || p->p_prison == NULL)
		return;

	addr = flag ? *ip : ntohl(*ip);
	if (addr != INADDR_LOOPBACK)
		return;

	*ip = flag ? p->p_prison->pr_ip : htonl(p->p_prison->pr_ip);
}
  139 
/*
 * Decide whether a jailed process may use the socket address sa.
 *
 * Returns 1 when the address is to be refused and 0 when it is acceptable
 * (the original local was named `ok` but carried the opposite sense).
 * A non-AF_INET family is refused while the jail_socket_unixiproute_only
 * sysctl is set and allowed otherwise; an AF_INET address is allowed only
 * if it equals the prison's pr_ip (compared in host byte order).
 *
 * p->p_prison is dereferenced without a NULL check, so this must only be
 * called for a jailed process -- callers are responsible for that.
 * sa->sa_len is not consulted: sin_family overlays sa_family so reading it
 * is fine for any sockaddr, and sin_addr is only read once the family is
 * known to be AF_INET.
 */
int
prison_if(struct proc *p, struct sockaddr *sa)
{
	struct sockaddr_in *sin = (struct sockaddr_in *)sa;

	if (sin->sin_family != AF_INET)
		return (jail_socket_unixiproute_only ? 1 : 0);

	return (p->p_prison->pr_ip != ntohl(sin->sin_addr.s_addr) ? 1 : 0);
}
