FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_jail.c
1 /*
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 *
9 * $FreeBSD: releng/5.1/sys/kern/kern_jail.c 126240 2004-02-25 20:03:35Z nectar $
10 *
11 */
12
13 #include <sys/cdefs.h>
14 __FBSDID("$FreeBSD: releng/5.1/sys/kern/kern_jail.c 126240 2004-02-25 20:03:35Z nectar $");
15
16 #include <sys/param.h>
17 #include <sys/types.h>
18 #include <sys/kernel.h>
19 #include <sys/systm.h>
20 #include <sys/errno.h>
21 #include <sys/sysproto.h>
22 #include <sys/malloc.h>
23 #include <sys/proc.h>
24 #include <sys/jail.h>
25 #include <sys/lock.h>
26 #include <sys/mutex.h>
27 #include <sys/namei.h>
28 #include <sys/queue.h>
29 #include <sys/socket.h>
30 #include <sys/syscallsubr.h>
31 #include <sys/sysctl.h>
32 #include <sys/vnode.h>
33 #include <net/if.h>
34 #include <netinet/in.h>
35
36 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
37
38 SYSCTL_DECL(_security);
39 SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
40 "Jail rules");
41
42 mp_fixme("these variables need a lock")
43
44 int jail_set_hostname_allowed = 1;
45 SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
46 &jail_set_hostname_allowed, 0,
47 "Processes in jail can set their hostnames");
48
49 int jail_socket_unixiproute_only = 1;
50 SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
51 &jail_socket_unixiproute_only, 0,
52 "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
53
54 int jail_sysvipc_allowed = 0;
55 SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
56 &jail_sysvipc_allowed, 0,
57 "Processes in jail can use System V IPC primitives");
58
59 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
60 struct prisonlist allprison;
61 struct mtx allprison_mtx;
62 int lastprid = 0;
63 int prisoncount = 0;
64
65 static void init_prison(void *);
66 static struct prison *prison_find(int);
67 static int sysctl_jail_list(SYSCTL_HANDLER_ARGS);
68
69 static void
70 init_prison(void *data __unused)
71 {
72
73 mtx_init(&allprison_mtx, "allprison", NULL, MTX_DEF);
74 LIST_INIT(&allprison);
75 }
76
77 SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL);
78
79 /*
80 * MPSAFE
81 *
82 * struct jail_args {
83 * struct jail *jail;
84 * };
85 */
86 int
87 jail(struct thread *td, struct jail_args *uap)
88 {
89 struct nameidata nd;
90 struct prison *pr, *tpr;
91 struct jail j;
92 struct jail_attach_args jaa;
93 int error, tryprid;
94
95 error = copyin(uap->jail, &j, sizeof(j));
96 if (error)
97 return (error);
98 if (j.version != 0)
99 return (EINVAL);
100
101 MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
102 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF);
103 pr->pr_ref = 1;
104 error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0);
105 if (error)
106 goto e_killmtx;
107 mtx_lock(&Giant);
108 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, pr->pr_path, td);
109 error = namei(&nd);
110 if (error) {
111 mtx_unlock(&Giant);
112 goto e_killmtx;
113 }
114 pr->pr_root = nd.ni_vp;
115 VOP_UNLOCK(nd.ni_vp, 0, td);
116 NDFREE(&nd, NDF_ONLY_PNBUF);
117 mtx_unlock(&Giant);
118 error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);
119 if (error)
120 goto e_dropvnref;
121 pr->pr_ip = j.ip_number;
122 pr->pr_linux = NULL;
123 pr->pr_securelevel = securelevel;
124
125 /* Determine next pr_id and add prison to allprison list. */
126 mtx_lock(&allprison_mtx);
127 tryprid = lastprid + 1;
128 if (tryprid == JAIL_MAX)
129 tryprid = 1;
130 next:
131 LIST_FOREACH(tpr, &allprison, pr_list) {
132 if (tpr->pr_id == tryprid) {
133 tryprid++;
134 if (tryprid == JAIL_MAX) {
135 mtx_unlock(&allprison_mtx);
136 error = EAGAIN;
137 goto e_dropvnref;
138 }
139 goto next;
140 }
141 }
142 pr->pr_id = jaa.jid = lastprid = tryprid;
143 LIST_INSERT_HEAD(&allprison, pr, pr_list);
144 prisoncount++;
145 mtx_unlock(&allprison_mtx);
146
147 error = jail_attach(td, &jaa);
148 if (error)
149 goto e_dropprref;
150 mtx_lock(&pr->pr_mtx);
151 pr->pr_ref--;
152 mtx_unlock(&pr->pr_mtx);
153 td->td_retval[0] = jaa.jid;
154 return (0);
155 e_dropprref:
156 mtx_lock(&allprison_mtx);
157 LIST_REMOVE(pr, pr_list);
158 prisoncount--;
159 mtx_unlock(&allprison_mtx);
160 e_dropvnref:
161 mtx_lock(&Giant);
162 vrele(pr->pr_root);
163 mtx_unlock(&Giant);
164 e_killmtx:
165 mtx_destroy(&pr->pr_mtx);
166 FREE(pr, M_PRISON);
167 return (error);
168 }
169
170 /*
171 * MPSAFE
172 *
173 * struct jail_attach_args {
174 * int jid;
175 * };
176 */
177 int
178 jail_attach(struct thread *td, struct jail_attach_args *uap)
179 {
180 struct proc *p;
181 struct ucred *newcred, *oldcred;
182 struct prison *pr;
183 int error;
184
185 /*
186 * XXX: Note that there is a slight race here if two threads
187 * in the same privileged process attempt to attach to two
188 * different jails at the same time. It is important for
189 * user processes not to do this, or they might end up with
190 * a process root from one prison, but attached to the jail
191 * of another.
192 */
193 error = suser(td);
194 if (error)
195 return (error);
196
197 p = td->td_proc;
198 mtx_lock(&allprison_mtx);
199 pr = prison_find(uap->jid);
200 if (pr == NULL) {
201 mtx_unlock(&allprison_mtx);
202 return (EINVAL);
203 }
204 pr->pr_ref++;
205 mtx_unlock(&pr->pr_mtx);
206 mtx_unlock(&allprison_mtx);
207
208 mtx_lock(&Giant);
209 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY, td);
210 if ((error = change_dir(pr->pr_root, td)) != 0)
211 goto e_unlock;
212 #ifdef MAC
213 if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
214 goto e_unlock;
215 #endif
216 VOP_UNLOCK(pr->pr_root, 0, td);
217 change_root(pr->pr_root, td);
218 mtx_unlock(&Giant);
219
220 newcred = crget();
221 PROC_LOCK(p);
222 oldcred = p->p_ucred;
223 setsugid(p);
224 crcopy(newcred, oldcred);
225 newcred->cr_prison = pr;
226 p->p_ucred = newcred;
227 PROC_UNLOCK(p);
228 crfree(oldcred);
229 return (0);
230 e_unlock:
231 VOP_UNLOCK(pr->pr_root, 0, td);
232 mtx_unlock(&Giant);
233 mtx_lock(&pr->pr_mtx);
234 pr->pr_ref--;
235 mtx_unlock(&pr->pr_mtx);
236 return (error);
237 }
238
239 /*
240 * Returns a locked prison instance, or NULL on failure.
241 */
242 static struct prison *
243 prison_find(int prid)
244 {
245 struct prison *pr;
246
247 mtx_assert(&allprison_mtx, MA_OWNED);
248 LIST_FOREACH(pr, &allprison, pr_list) {
249 if (pr->pr_id == prid) {
250 mtx_lock(&pr->pr_mtx);
251 return (pr);
252 }
253 }
254 return (NULL);
255 }
256
257 void
258 prison_free(struct prison *pr)
259 {
260
261 mtx_assert(&Giant, MA_OWNED);
262 mtx_lock(&allprison_mtx);
263 mtx_lock(&pr->pr_mtx);
264 pr->pr_ref--;
265 if (pr->pr_ref == 0) {
266 LIST_REMOVE(pr, pr_list);
267 mtx_unlock(&pr->pr_mtx);
268 prisoncount--;
269 mtx_unlock(&allprison_mtx);
270 vrele(pr->pr_root);
271 mtx_destroy(&pr->pr_mtx);
272 if (pr->pr_linux != NULL)
273 FREE(pr->pr_linux, M_PRISON);
274 FREE(pr, M_PRISON);
275 return;
276 }
277 mtx_unlock(&pr->pr_mtx);
278 mtx_unlock(&allprison_mtx);
279 }
280
281 void
282 prison_hold(struct prison *pr)
283 {
284
285 mtx_lock(&pr->pr_mtx);
286 pr->pr_ref++;
287 mtx_unlock(&pr->pr_mtx);
288 }
289
290 u_int32_t
291 prison_getip(struct ucred *cred)
292 {
293
294 return (cred->cr_prison->pr_ip);
295 }
296
297 int
298 prison_ip(struct ucred *cred, int flag, u_int32_t *ip)
299 {
300 u_int32_t tmp;
301
302 if (!jailed(cred))
303 return (0);
304 if (flag)
305 tmp = *ip;
306 else
307 tmp = ntohl(*ip);
308 if (tmp == INADDR_ANY) {
309 if (flag)
310 *ip = cred->cr_prison->pr_ip;
311 else
312 *ip = htonl(cred->cr_prison->pr_ip);
313 return (0);
314 }
315 if (tmp == INADDR_LOOPBACK) {
316 if (flag)
317 *ip = cred->cr_prison->pr_ip;
318 else
319 *ip = htonl(cred->cr_prison->pr_ip);
320 return (0);
321 }
322 if (cred->cr_prison->pr_ip != tmp)
323 return (1);
324 return (0);
325 }
326
327 void
328 prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip)
329 {
330 u_int32_t tmp;
331
332 if (!jailed(cred))
333 return;
334 if (flag)
335 tmp = *ip;
336 else
337 tmp = ntohl(*ip);
338 if (tmp == INADDR_LOOPBACK) {
339 if (flag)
340 *ip = cred->cr_prison->pr_ip;
341 else
342 *ip = htonl(cred->cr_prison->pr_ip);
343 return;
344 }
345 return;
346 }
347
348 int
349 prison_if(struct ucred *cred, struct sockaddr *sa)
350 {
351 struct sockaddr_in *sai;
352 int ok;
353
354 sai = (struct sockaddr_in *)sa;
355 if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
356 ok = 1;
357 else if (sai->sin_family != AF_INET)
358 ok = 0;
359 else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
360 ok = 1;
361 else
362 ok = 0;
363 return (ok);
364 }
365
366 /*
367 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
368 */
369 int
370 prison_check(struct ucred *cred1, struct ucred *cred2)
371 {
372
373 if (jailed(cred1)) {
374 if (!jailed(cred2))
375 return (ESRCH);
376 if (cred2->cr_prison != cred1->cr_prison)
377 return (ESRCH);
378 }
379
380 return (0);
381 }
382
383 /*
384 * Return 1 if the passed credential is in a jail, otherwise 0.
385 */
386 int
387 jailed(struct ucred *cred)
388 {
389
390 return (cred->cr_prison != NULL);
391 }
392
393 /*
394 * Return the correct hostname for the passed credential.
395 */
396 void
397 getcredhostname(struct ucred *cred, char *buf, size_t size)
398 {
399
400 if (jailed(cred)) {
401 mtx_lock(&cred->cr_prison->pr_mtx);
402 strlcpy(buf, cred->cr_prison->pr_host, size);
403 mtx_unlock(&cred->cr_prison->pr_mtx);
404 } else
405 strlcpy(buf, hostname, size);
406 }
407
408 static int
409 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
410 {
411 struct xprison *xp, *sxp;
412 struct prison *pr;
413 int count, error;
414
415 mtx_assert(&Giant, MA_OWNED);
416 retry:
417 mtx_lock(&allprison_mtx);
418 count = prisoncount;
419 mtx_unlock(&allprison_mtx);
420
421 if (count == 0)
422 return (0);
423
424 sxp = xp = malloc(sizeof(*xp) * count, M_TEMP, M_WAITOK | M_ZERO);
425 mtx_lock(&allprison_mtx);
426 if (count != prisoncount) {
427 mtx_unlock(&allprison_mtx);
428 free(sxp, M_TEMP);
429 goto retry;
430 }
431
432 LIST_FOREACH(pr, &allprison, pr_list) {
433 mtx_lock(&pr->pr_mtx);
434 xp->pr_version = XPRISON_VERSION;
435 xp->pr_id = pr->pr_id;
436 strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path));
437 strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host));
438 xp->pr_ip = pr->pr_ip;
439 mtx_unlock(&pr->pr_mtx);
440 xp++;
441 }
442 mtx_unlock(&allprison_mtx);
443
444 error = SYSCTL_OUT(req, sxp, sizeof(*sxp) * count);
445 free(sxp, M_TEMP);
446 if (error)
447 return (error);
448 return (0);
449 }
450
451 SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD,
452 NULL, 0, sysctl_jail_list, "S", "List of active jails");
Cache object: f40514a5799c955b51843fedb7dc26b7
|