FreeBSD/Linux Kernel Cross Reference
sys/netinet/in_jail.c
1 /*-
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31
32 #include "opt_ddb.h"
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35
36 #include <sys/param.h>
37 #include <sys/types.h>
38 #include <sys/kernel.h>
39 #include <sys/systm.h>
40 #include <sys/errno.h>
41 #include <sys/sysproto.h>
42 #include <sys/malloc.h>
43 #include <sys/osd.h>
44 #include <sys/priv.h>
45 #include <sys/proc.h>
46 #include <sys/taskqueue.h>
47 #include <sys/fcntl.h>
48 #include <sys/jail.h>
49 #include <sys/lock.h>
50 #include <sys/mutex.h>
51 #include <sys/racct.h>
52 #include <sys/refcount.h>
53 #include <sys/sx.h>
54 #include <sys/namei.h>
55 #include <sys/mount.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/syscallsubr.h>
59 #include <sys/sysctl.h>
60 #include <sys/vnode.h>
61
62 #include <net/if.h>
63 #include <net/vnet.h>
64
65 #include <netinet/in.h>
66
67 static in_addr_t
68 prison_primary_ip4(const struct prison *pr)
69 {
70
71 return (((const struct in_addr *)prison_ip_get0(pr, PR_INET))->s_addr);
72 }
73
74 int
75 prison_qcmp_v4(const void *ip1, const void *ip2)
76 {
77 in_addr_t iaa, iab;
78
79 /*
80 * We need to compare in HBO here to get the list sorted as expected
81 * by the result of the code. Sorting NBO addresses gives you
82 * interesting results. If you do not understand, do not try.
83 */
84 iaa = ntohl(((const struct in_addr *)ip1)->s_addr);
85 iab = ntohl(((const struct in_addr *)ip2)->s_addr);
86
87 /*
88 * Do not simply return the difference of the two numbers, the int is
89 * not wide enough.
90 */
91 if (iaa > iab)
92 return (1);
93 else if (iaa < iab)
94 return (-1);
95 else
96 return (0);
97 }
98
99 bool
100 prison_valid_v4(const void *ip)
101 {
102 in_addr_t ia = ((const struct in_addr *)ip)->s_addr;
103
104 /*
105 * We do not have to care about byte order for these
106 * checks so we will do them in NBO.
107 */
108 return (ia != INADDR_ANY && ia != INADDR_BROADCAST);
109 }
110
111 /*
112 * Pass back primary IPv4 address of this jail.
113 *
114 * If not restricted return success but do not alter the address. Caller has
115 * to make sure to initialize it correctly (e.g. INADDR_ANY).
116 *
117 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
118 * Address returned in NBO.
119 */
120 int
121 prison_get_ip4(struct ucred *cred, struct in_addr *ia)
122 {
123 struct prison *pr;
124
125 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
126 KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
127
128 pr = cred->cr_prison;
129 if (!(pr->pr_flags & PR_IP4))
130 return (0);
131 mtx_lock(&pr->pr_mtx);
132 if (!(pr->pr_flags & PR_IP4)) {
133 mtx_unlock(&pr->pr_mtx);
134 return (0);
135 }
136 if (pr->pr_addrs[PR_INET] == NULL) {
137 mtx_unlock(&pr->pr_mtx);
138 return (EAFNOSUPPORT);
139 }
140
141 ia->s_addr = prison_primary_ip4(pr);
142 mtx_unlock(&pr->pr_mtx);
143 return (0);
144 }
145
146 /*
147 * Return 1 if we should do proper source address selection or are not jailed.
148 * We will return 0 if we should bypass source address selection in favour
149 * of the primary jail IPv4 address. Only in this case *ia will be updated and
150 * returned in NBO.
151 * Return EAFNOSUPPORT, in case this jail does not allow IPv4.
152 */
153 int
154 prison_saddrsel_ip4(struct ucred *cred, struct in_addr *ia)
155 {
156 struct prison *pr;
157 struct in_addr lia;
158 int error;
159
160 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
161 KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
162
163 if (!jailed(cred))
164 return (1);
165
166 pr = cred->cr_prison;
167 if (pr->pr_flags & PR_IP4_SADDRSEL)
168 return (1);
169
170 lia.s_addr = INADDR_ANY;
171 error = prison_get_ip4(cred, &lia);
172 if (error)
173 return (error);
174 if (lia.s_addr == INADDR_ANY)
175 return (1);
176
177 ia->s_addr = lia.s_addr;
178 return (0);
179 }
180
181 /*
182 * Return true if pr1 and pr2 have the same IPv4 address restrictions.
183 */
184 int
185 prison_equal_ip4(struct prison *pr1, struct prison *pr2)
186 {
187
188 if (pr1 == pr2)
189 return (1);
190
191 /*
192 * No need to lock since the PR_IP4_USER flag can't be altered for
193 * existing prisons.
194 */
195 while (pr1 != &prison0 &&
196 #ifdef VIMAGE
197 !(pr1->pr_flags & PR_VNET) &&
198 #endif
199 !(pr1->pr_flags & PR_IP4_USER))
200 pr1 = pr1->pr_parent;
201 while (pr2 != &prison0 &&
202 #ifdef VIMAGE
203 !(pr2->pr_flags & PR_VNET) &&
204 #endif
205 !(pr2->pr_flags & PR_IP4_USER))
206 pr2 = pr2->pr_parent;
207 return (pr1 == pr2);
208 }
209
210 /*
211 * Make sure our (source) address is set to something meaningful to this
212 * jail.
213 *
214 * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
215 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
216 * doesn't allow IPv4. Address passed in in NBO and returned in NBO.
217 */
218 int
219 prison_local_ip4(struct ucred *cred, struct in_addr *ia)
220 {
221 struct prison *pr;
222 struct in_addr ia0;
223 int error;
224
225 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
226 KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
227
228 pr = cred->cr_prison;
229 if (!(pr->pr_flags & PR_IP4))
230 return (0);
231 mtx_lock(&pr->pr_mtx);
232 if (!(pr->pr_flags & PR_IP4)) {
233 mtx_unlock(&pr->pr_mtx);
234 return (0);
235 }
236 if (pr->pr_addrs[PR_INET] == NULL) {
237 mtx_unlock(&pr->pr_mtx);
238 return (EAFNOSUPPORT);
239 }
240
241 ia0.s_addr = ntohl(ia->s_addr);
242
243 if (ia0.s_addr == INADDR_ANY) {
244 /*
245 * In case there is only 1 IPv4 address, bind directly.
246 */
247 if (prison_ip_cnt(pr, PR_INET) == 1)
248 ia->s_addr = prison_primary_ip4(pr);
249 mtx_unlock(&pr->pr_mtx);
250 return (0);
251 }
252
253 error = prison_check_ip4_locked(pr, ia);
254 if (error == EADDRNOTAVAIL && ia0.s_addr == INADDR_LOOPBACK) {
255 ia->s_addr = prison_primary_ip4(pr);
256 error = 0;
257 }
258
259 mtx_unlock(&pr->pr_mtx);
260 return (error);
261 }
262
263 /*
264 * Rewrite destination address in case we will connect to loopback address.
265 *
266 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
267 * Address passed in in NBO and returned in NBO.
268 */
269 int
270 prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
271 {
272 struct prison *pr;
273
274 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
275 KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
276
277 pr = cred->cr_prison;
278 if (!(pr->pr_flags & PR_IP4))
279 return (0);
280 mtx_lock(&pr->pr_mtx);
281 if (!(pr->pr_flags & PR_IP4)) {
282 mtx_unlock(&pr->pr_mtx);
283 return (0);
284 }
285 if (pr->pr_addrs[PR_INET] == NULL) {
286 mtx_unlock(&pr->pr_mtx);
287 return (EAFNOSUPPORT);
288 }
289
290 if (ntohl(ia->s_addr) == INADDR_LOOPBACK &&
291 prison_check_ip4_locked(pr, ia) == EADDRNOTAVAIL) {
292 ia->s_addr = prison_primary_ip4(pr);
293 mtx_unlock(&pr->pr_mtx);
294 return (0);
295 }
296
297 /*
298 * Return success because nothing had to be changed.
299 */
300 mtx_unlock(&pr->pr_mtx);
301 return (0);
302 }
303
304 /*
305 * Check if given address belongs to the jail referenced by cred/prison.
306 *
307 * Returns 0 if address belongs to jail,
308 * EADDRNOTAVAIL if the address doesn't belong to the jail.
309 */
310 int
311 prison_check_ip4_locked(const struct prison *pr, const struct in_addr *ia)
312 {
313
314 if (!(pr->pr_flags & PR_IP4))
315 return (0);
316
317 return (prison_ip_check(pr, PR_INET, ia));
318 }
319
320 int
321 prison_check_ip4(const struct ucred *cred, const struct in_addr *ia)
322 {
323 struct prison *pr;
324 int error;
325
326 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
327 KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
328
329 pr = cred->cr_prison;
330 if (!(pr->pr_flags & PR_IP4))
331 return (0);
332 mtx_lock(&pr->pr_mtx);
333 if (!(pr->pr_flags & PR_IP4)) {
334 mtx_unlock(&pr->pr_mtx);
335 return (0);
336 }
337 if (pr->pr_addrs[PR_INET] == NULL) {
338 mtx_unlock(&pr->pr_mtx);
339 return (EAFNOSUPPORT);
340 }
341
342 error = prison_check_ip4_locked(pr, ia);
343 mtx_unlock(&pr->pr_mtx);
344 return (error);
345 }
Cache object: fbc63e5f1f8b8df9dff9e962993fc47c
|