FreeBSD/Linux Kernel Cross Reference
sys/kern/kern_jail.c
1 /*
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 */
9
10 #include <sys/cdefs.h>
11 __FBSDID("$FreeBSD: releng/5.2/sys/kern/kern_jail.c 126029 2004-02-19 23:26:39Z nectar $");
12
13 #include <sys/param.h>
14 #include <sys/types.h>
15 #include <sys/kernel.h>
16 #include <sys/systm.h>
17 #include <sys/errno.h>
18 #include <sys/sysproto.h>
19 #include <sys/malloc.h>
20 #include <sys/proc.h>
21 #include <sys/jail.h>
22 #include <sys/lock.h>
23 #include <sys/mutex.h>
24 #include <sys/namei.h>
25 #include <sys/queue.h>
26 #include <sys/socket.h>
27 #include <sys/syscallsubr.h>
28 #include <sys/sysctl.h>
29 #include <sys/vnode.h>
30 #include <net/if.h>
31 #include <netinet/in.h>
32
33 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
34
35 SYSCTL_DECL(_security);
36 SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
37 "Jail rules");
38
39 mp_fixme("these variables need a lock")
40
41 int jail_set_hostname_allowed = 1;
42 SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
43 &jail_set_hostname_allowed, 0,
44 "Processes in jail can set their hostnames");
45
46 int jail_socket_unixiproute_only = 1;
47 SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
48 &jail_socket_unixiproute_only, 0,
49 "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
50
51 int jail_sysvipc_allowed = 0;
52 SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
53 &jail_sysvipc_allowed, 0,
54 "Processes in jail can use System V IPC primitives");
55
56 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
57 struct prisonlist allprison;
58 struct mtx allprison_mtx;
59 int lastprid = 0;
60 int prisoncount = 0;
61
62 static void init_prison(void *);
63 static struct prison *prison_find(int);
64 static int sysctl_jail_list(SYSCTL_HANDLER_ARGS);
65
66 static void
67 init_prison(void *data __unused)
68 {
69
70 mtx_init(&allprison_mtx, "allprison", NULL, MTX_DEF);
71 LIST_INIT(&allprison);
72 }
73
74 SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL);
75
76 /*
77 * MPSAFE
78 *
79 * struct jail_args {
80 * struct jail *jail;
81 * };
82 */
83 int
84 jail(struct thread *td, struct jail_args *uap)
85 {
86 struct nameidata nd;
87 struct prison *pr, *tpr;
88 struct jail j;
89 struct jail_attach_args jaa;
90 int error, tryprid;
91
92 error = copyin(uap->jail, &j, sizeof(j));
93 if (error)
94 return (error);
95 if (j.version != 0)
96 return (EINVAL);
97
98 MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
99 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF);
100 pr->pr_ref = 1;
101 error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0);
102 if (error)
103 goto e_killmtx;
104 mtx_lock(&Giant);
105 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, pr->pr_path, td);
106 error = namei(&nd);
107 if (error) {
108 mtx_unlock(&Giant);
109 goto e_killmtx;
110 }
111 pr->pr_root = nd.ni_vp;
112 VOP_UNLOCK(nd.ni_vp, 0, td);
113 NDFREE(&nd, NDF_ONLY_PNBUF);
114 mtx_unlock(&Giant);
115 error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);
116 if (error)
117 goto e_dropvnref;
118 pr->pr_ip = j.ip_number;
119 pr->pr_linux = NULL;
120 pr->pr_securelevel = securelevel;
121
122 /* Determine next pr_id and add prison to allprison list. */
123 mtx_lock(&allprison_mtx);
124 tryprid = lastprid + 1;
125 if (tryprid == JAIL_MAX)
126 tryprid = 1;
127 next:
128 LIST_FOREACH(tpr, &allprison, pr_list) {
129 if (tpr->pr_id == tryprid) {
130 tryprid++;
131 if (tryprid == JAIL_MAX) {
132 mtx_unlock(&allprison_mtx);
133 error = EAGAIN;
134 goto e_dropvnref;
135 }
136 goto next;
137 }
138 }
139 pr->pr_id = jaa.jid = lastprid = tryprid;
140 LIST_INSERT_HEAD(&allprison, pr, pr_list);
141 prisoncount++;
142 mtx_unlock(&allprison_mtx);
143
144 error = jail_attach(td, &jaa);
145 if (error)
146 goto e_dropprref;
147 mtx_lock(&pr->pr_mtx);
148 pr->pr_ref--;
149 mtx_unlock(&pr->pr_mtx);
150 td->td_retval[0] = jaa.jid;
151 return (0);
152 e_dropprref:
153 mtx_lock(&allprison_mtx);
154 LIST_REMOVE(pr, pr_list);
155 prisoncount--;
156 mtx_unlock(&allprison_mtx);
157 e_dropvnref:
158 mtx_lock(&Giant);
159 vrele(pr->pr_root);
160 mtx_unlock(&Giant);
161 e_killmtx:
162 mtx_destroy(&pr->pr_mtx);
163 FREE(pr, M_PRISON);
164 return (error);
165 }
166
167 /*
168 * MPSAFE
169 *
170 * struct jail_attach_args {
171 * int jid;
172 * };
173 */
174 int
175 jail_attach(struct thread *td, struct jail_attach_args *uap)
176 {
177 struct proc *p;
178 struct ucred *newcred, *oldcred;
179 struct prison *pr;
180 int error;
181
182 /*
183 * XXX: Note that there is a slight race here if two threads
184 * in the same privileged process attempt to attach to two
185 * different jails at the same time. It is important for
186 * user processes not to do this, or they might end up with
187 * a process root from one prison, but attached to the jail
188 * of another.
189 */
190 error = suser(td);
191 if (error)
192 return (error);
193
194 p = td->td_proc;
195 mtx_lock(&allprison_mtx);
196 pr = prison_find(uap->jid);
197 if (pr == NULL) {
198 mtx_unlock(&allprison_mtx);
199 return (EINVAL);
200 }
201 pr->pr_ref++;
202 mtx_unlock(&pr->pr_mtx);
203 mtx_unlock(&allprison_mtx);
204
205 mtx_lock(&Giant);
206 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY, td);
207 if ((error = change_dir(pr->pr_root, td)) != 0)
208 goto e_unlock;
209 #ifdef MAC
210 if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
211 goto e_unlock;
212 #endif
213 VOP_UNLOCK(pr->pr_root, 0, td);
214 change_root(pr->pr_root, td);
215 mtx_unlock(&Giant);
216
217 newcred = crget();
218 PROC_LOCK(p);
219 oldcred = p->p_ucred;
220 setsugid(p);
221 crcopy(newcred, oldcred);
222 newcred->cr_prison = pr;
223 p->p_ucred = newcred;
224 PROC_UNLOCK(p);
225 crfree(oldcred);
226 return (0);
227 e_unlock:
228 VOP_UNLOCK(pr->pr_root, 0, td);
229 mtx_unlock(&Giant);
230 mtx_lock(&pr->pr_mtx);
231 pr->pr_ref--;
232 mtx_unlock(&pr->pr_mtx);
233 return (error);
234 }
235
236 /*
237 * Returns a locked prison instance, or NULL on failure.
238 */
239 static struct prison *
240 prison_find(int prid)
241 {
242 struct prison *pr;
243
244 mtx_assert(&allprison_mtx, MA_OWNED);
245 LIST_FOREACH(pr, &allprison, pr_list) {
246 if (pr->pr_id == prid) {
247 mtx_lock(&pr->pr_mtx);
248 return (pr);
249 }
250 }
251 return (NULL);
252 }
253
254 void
255 prison_free(struct prison *pr)
256 {
257
258 mtx_assert(&Giant, MA_OWNED);
259 mtx_lock(&allprison_mtx);
260 mtx_lock(&pr->pr_mtx);
261 pr->pr_ref--;
262 if (pr->pr_ref == 0) {
263 LIST_REMOVE(pr, pr_list);
264 mtx_unlock(&pr->pr_mtx);
265 prisoncount--;
266 mtx_unlock(&allprison_mtx);
267 vrele(pr->pr_root);
268 mtx_destroy(&pr->pr_mtx);
269 if (pr->pr_linux != NULL)
270 FREE(pr->pr_linux, M_PRISON);
271 FREE(pr, M_PRISON);
272 return;
273 }
274 mtx_unlock(&pr->pr_mtx);
275 mtx_unlock(&allprison_mtx);
276 }
277
278 void
279 prison_hold(struct prison *pr)
280 {
281
282 mtx_lock(&pr->pr_mtx);
283 pr->pr_ref++;
284 mtx_unlock(&pr->pr_mtx);
285 }
286
287 u_int32_t
288 prison_getip(struct ucred *cred)
289 {
290
291 return (cred->cr_prison->pr_ip);
292 }
293
294 int
295 prison_ip(struct ucred *cred, int flag, u_int32_t *ip)
296 {
297 u_int32_t tmp;
298
299 if (!jailed(cred))
300 return (0);
301 if (flag)
302 tmp = *ip;
303 else
304 tmp = ntohl(*ip);
305 if (tmp == INADDR_ANY) {
306 if (flag)
307 *ip = cred->cr_prison->pr_ip;
308 else
309 *ip = htonl(cred->cr_prison->pr_ip);
310 return (0);
311 }
312 if (tmp == INADDR_LOOPBACK) {
313 if (flag)
314 *ip = cred->cr_prison->pr_ip;
315 else
316 *ip = htonl(cred->cr_prison->pr_ip);
317 return (0);
318 }
319 if (cred->cr_prison->pr_ip != tmp)
320 return (1);
321 return (0);
322 }
323
324 void
325 prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip)
326 {
327 u_int32_t tmp;
328
329 if (!jailed(cred))
330 return;
331 if (flag)
332 tmp = *ip;
333 else
334 tmp = ntohl(*ip);
335 if (tmp == INADDR_LOOPBACK) {
336 if (flag)
337 *ip = cred->cr_prison->pr_ip;
338 else
339 *ip = htonl(cred->cr_prison->pr_ip);
340 return;
341 }
342 return;
343 }
344
345 int
346 prison_if(struct ucred *cred, struct sockaddr *sa)
347 {
348 struct sockaddr_in *sai;
349 int ok;
350
351 sai = (struct sockaddr_in *)sa;
352 if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
353 ok = 1;
354 else if (sai->sin_family != AF_INET)
355 ok = 0;
356 else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
357 ok = 1;
358 else
359 ok = 0;
360 return (ok);
361 }
362
363 /*
364 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
365 */
366 int
367 prison_check(struct ucred *cred1, struct ucred *cred2)
368 {
369
370 if (jailed(cred1)) {
371 if (!jailed(cred2))
372 return (ESRCH);
373 if (cred2->cr_prison != cred1->cr_prison)
374 return (ESRCH);
375 }
376
377 return (0);
378 }
379
380 /*
381 * Return 1 if the passed credential is in a jail, otherwise 0.
382 */
383 int
384 jailed(struct ucred *cred)
385 {
386
387 return (cred->cr_prison != NULL);
388 }
389
390 /*
391 * Return the correct hostname for the passed credential.
392 */
393 void
394 getcredhostname(struct ucred *cred, char *buf, size_t size)
395 {
396
397 if (jailed(cred)) {
398 mtx_lock(&cred->cr_prison->pr_mtx);
399 strlcpy(buf, cred->cr_prison->pr_host, size);
400 mtx_unlock(&cred->cr_prison->pr_mtx);
401 } else
402 strlcpy(buf, hostname, size);
403 }
404
405 static int
406 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
407 {
408 struct xprison *xp, *sxp;
409 struct prison *pr;
410 int count, error;
411
412 mtx_assert(&Giant, MA_OWNED);
413 retry:
414 mtx_lock(&allprison_mtx);
415 count = prisoncount;
416 mtx_unlock(&allprison_mtx);
417
418 if (count == 0)
419 return (0);
420
421 sxp = xp = malloc(sizeof(*xp) * count, M_TEMP, M_WAITOK | M_ZERO);
422 mtx_lock(&allprison_mtx);
423 if (count != prisoncount) {
424 mtx_unlock(&allprison_mtx);
425 free(sxp, M_TEMP);
426 goto retry;
427 }
428
429 LIST_FOREACH(pr, &allprison, pr_list) {
430 mtx_lock(&pr->pr_mtx);
431 xp->pr_version = XPRISON_VERSION;
432 xp->pr_id = pr->pr_id;
433 strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path));
434 strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host));
435 xp->pr_ip = pr->pr_ip;
436 mtx_unlock(&pr->pr_mtx);
437 xp++;
438 }
439 mtx_unlock(&allprison_mtx);
440
441 error = SYSCTL_OUT(req, sxp, sizeof(*sxp) * count);
442 free(sxp, M_TEMP);
443 if (error)
444 return (error);
445 return (0);
446 }
447
448 SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD,
449 NULL, 0, sysctl_jail_list, "S", "List of active jails");
Cache object: 3ef287d58e761d55fa7ebeca1e5d1ee2
|