FreeBSD/Linux Kernel Cross Reference
sys/sys/jail.h
1 /*-
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 *
9 * $FreeBSD$
10 *
11 */
12
13 #ifndef _SYS_JAIL_H_
14 #define _SYS_JAIL_H_
15
16 #ifdef _KERNEL
17 struct jail_v0 {
18 u_int32_t version;
19 char *path;
20 char *hostname;
21 u_int32_t ip_number;
22 };
23 #endif
24
25 struct jail {
26 uint32_t version;
27 char *path;
28 char *hostname;
29 char *jailname;
30 uint32_t ip4s;
31 uint32_t ip6s;
32 struct in_addr *ip4;
33 struct in6_addr *ip6;
34 };
35 #define JAIL_API_VERSION 2
36
37 /*
38 * For all xprison structs, always keep the pr_version an int and
39 * the first variable so userspace can easily distinguish them.
40 */
41 #ifndef _KERNEL
42 struct xprison_v1 {
43 int pr_version;
44 int pr_id;
45 char pr_path[MAXPATHLEN];
46 char pr_host[MAXHOSTNAMELEN];
47 u_int32_t pr_ip;
48 };
49 #endif
50
51 struct xprison {
52 int pr_version;
53 int pr_id;
54 int pr_state;
55 cpusetid_t pr_cpusetid;
56 char pr_path[MAXPATHLEN];
57 char pr_host[MAXHOSTNAMELEN];
58 char pr_name[MAXHOSTNAMELEN];
59 uint32_t pr_ip4s;
60 uint32_t pr_ip6s;
61 #if 0
62 /*
63 * sizeof(xprison) will be malloced + size needed for all
64 * IPv4 and IPv6 addesses. Offsets are based numbers of addresses.
65 */
66 struct in_addr pr_ip4[];
67 struct in6_addr pr_ip6[];
68 #endif
69 };
70 #define XPRISON_VERSION 3
71
72 static const struct prison_state {
73 int pr_state;
74 const char * state_name;
75 } prison_states[] = {
76 #define PRISON_STATE_INVALID 0
77 { PRISON_STATE_INVALID, "INVALID" },
78 #define PRISON_STATE_ALIVE 1
79 { PRISON_STATE_ALIVE, "ALIVE" },
80 #define PRISON_STATE_DYING 2
81 { PRISON_STATE_DYING, "DYING" },
82 };
83
84
85 #ifndef _KERNEL
86
87 int jail(struct jail *);
88 int jail_attach(int);
89
90 #else /* _KERNEL */
91
92 #include <sys/queue.h>
93 #include <sys/_lock.h>
94 #include <sys/_mutex.h>
95 #include <sys/_task.h>
96
97 #define JAIL_MAX 999999
98
99 #ifdef MALLOC_DECLARE
100 MALLOC_DECLARE(M_PRISON);
101 #endif
102 #endif /* _KERNEL */
103
104 struct cpuset;
105
106 /*
107 * This structure describes a prison. It is pointed to by all struct
108 * ucreds's of the inmates. pr_ref keeps track of them and is used to
109 * delete the struture when the last inmate is dead.
110 *
111 * Lock key:
112 * (a) allprison_lock
113 * (p) locked by pr_mtx
114 * (c) set only during creation before the structure is shared, no mutex
115 * required to read
116 * (d) set only during destruction of jail, no mutex needed
117 */
118 #if defined(_KERNEL) || defined(_WANT_PRISON)
119 struct prison {
120 LIST_ENTRY(prison) pr_list; /* (a) all prisons */
121 int pr_id; /* (c) prison id */
122 int pr_ref; /* (p) refcount */
123 int pr_state; /* (p) prison state */
124 int pr_nprocs; /* (p) process count */
125 char pr_path[MAXPATHLEN]; /* (c) chroot path */
126 struct cpuset *pr_cpuset; /* (p) cpuset */
127 struct vnode *pr_root; /* (c) vnode to rdir */
128 char pr_host[MAXHOSTNAMELEN]; /* (p) jail hostname */
129 char pr_name[MAXHOSTNAMELEN]; /* (c) admin jail name */
130 void *pr_linux; /* (p) linux abi */
131 int pr_securelevel; /* (p) securelevel */
132 struct task pr_task; /* (d) destroy task */
133 struct mtx pr_mtx;
134 void **pr_slots; /* (p) additional data */
135 int pr_ip4s; /* (c) number of v4 IPs */
136 struct in_addr *pr_ip4; /* (c) v4 IPs of jail */
137 int pr_ip6s; /* (c) number of v6 IPs */
138 struct in6_addr *pr_ip6; /* (c) v6 IPs of jail */
139 };
140 #endif /* _KERNEL || _WANT_PRISON */
141
142 #ifdef _KERNEL
143 /*
144 * Sysctl-set variables that determine global jail policy
145 *
146 * XXX MIB entries will need to be protected by a mutex.
147 */
148 extern int jail_set_hostname_allowed;
149 extern int jail_socket_unixiproute_only;
150 extern int jail_sysvipc_allowed;
151 extern int jail_getfsstat_jailrootonly;
152 extern int jail_allow_raw_sockets;
153 extern int jail_chflags_allowed;
154
155 LIST_HEAD(prisonlist, prison);
156 extern struct prisonlist allprison;
157 extern struct sx allprison_lock;
158
159 /*
160 * Kernel support functions for jail().
161 */
162 struct ucred;
163 struct mount;
164 struct sockaddr;
165 struct statfs;
166 struct thread;
167 int kern_jail(struct thread *, struct jail *);
168 int jailed(struct ucred *cred);
169 void getcredhostname(struct ucred *cred, char *, size_t);
170 int prison_check(struct ucred *cred1, struct ucred *cred2);
171 int prison_canseemount(struct ucred *cred, struct mount *mp);
172 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
173 struct statfs *sp);
174 struct prison *prison_find(int prid);
175 void prison_free(struct prison *pr);
176 void prison_free_locked(struct prison *pr);
177 void prison_hold(struct prison *pr);
178 void prison_hold_locked(struct prison *pr);
179 void prison_proc_hold(struct prison *);
180 void prison_proc_free(struct prison *);
181 int prison_get_ip4(struct ucred *cred, struct in_addr *ia);
182 int prison_local_ip4(struct ucred *cred, struct in_addr *ia);
183 int prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
184 int prison_check_ip4(struct ucred *cred, struct in_addr *ia);
185 #ifdef INET6
186 int prison_get_ip6(struct ucred *, struct in6_addr *);
187 int prison_local_ip6(struct ucred *, struct in6_addr *, int);
188 int prison_remote_ip6(struct ucred *, struct in6_addr *);
189 int prison_check_ip6(struct ucred *, struct in6_addr *);
190 #endif
191 int prison_check_af(struct ucred *cred, int af);
192 int prison_if(struct ucred *cred, struct sockaddr *sa);
193 int prison_priv_check(struct ucred *cred, int priv);
194
195 /*
196 * Kernel jail services.
197 */
198 struct prison_service;
199 typedef int (*prison_create_t)(struct prison_service *psrv, struct prison *pr);
200 typedef int (*prison_destroy_t)(struct prison_service *psrv, struct prison *pr);
201
202 struct prison_service *prison_service_register(const char *name,
203 prison_create_t create, prison_destroy_t destroy);
204 void prison_service_deregister(struct prison_service *psrv);
205
206 void prison_service_data_set(struct prison_service *psrv, struct prison *pr,
207 void *data);
208 void *prison_service_data_get(struct prison_service *psrv, struct prison *pr);
209 void *prison_service_data_del(struct prison_service *psrv, struct prison *pr);
210
211 #endif /* _KERNEL */
212 #endif /* !_SYS_JAIL_H_ */
Cache object: 27247f8bd857b65f3e5619f6ee1f739b
|