FreeBSD/Linux Kernel Cross Reference
sys/sys/jail.h
1 /*-
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 *
9 * $FreeBSD$
10 *
11 */
12
13 #ifndef _SYS_JAIL_H_
14 #define _SYS_JAIL_H_
15
16 #ifdef _KERNEL
17 #include <sys/osd.h>
18
19 struct jail_v0 {
20 u_int32_t version;
21 char *path;
22 char *hostname;
23 u_int32_t ip_number;
24 };
25 #endif
26
27 struct jail {
28 uint32_t version;
29 char *path;
30 char *hostname;
31 char *jailname;
32 uint32_t ip4s;
33 uint32_t ip6s;
34 struct in_addr *ip4;
35 struct in6_addr *ip6;
36 };
37 #define JAIL_API_VERSION 2
38
39 /*
40 * For all xprison structs, always keep the pr_version an int and
41 * the first variable so userspace can easily distinguish them.
42 */
43 #ifndef _KERNEL
44 struct xprison_v1 {
45 int pr_version;
46 int pr_id;
47 char pr_path[MAXPATHLEN];
48 char pr_host[MAXHOSTNAMELEN];
49 u_int32_t pr_ip;
50 };
51 #endif
52
53 struct xprison {
54 int pr_version;
55 int pr_id;
56 int pr_state;
57 cpusetid_t pr_cpusetid;
58 char pr_path[MAXPATHLEN];
59 char pr_host[MAXHOSTNAMELEN];
60 char pr_name[MAXHOSTNAMELEN];
61 uint32_t pr_ip4s;
62 uint32_t pr_ip6s;
63 #if 0
64 /*
65 * sizeof(xprison) will be malloced + size needed for all
66 * IPv4 and IPv6 addesses. Offsets are based numbers of addresses.
67 */
68 struct in_addr pr_ip4[];
69 struct in6_addr pr_ip6[];
70 #endif
71 };
72 #define XPRISON_VERSION 3
73
74 static const struct prison_state {
75 int pr_state;
76 const char * state_name;
77 } prison_states[] = {
78 #define PRISON_STATE_INVALID 0
79 { PRISON_STATE_INVALID, "INVALID" },
80 #define PRISON_STATE_ALIVE 1
81 { PRISON_STATE_ALIVE, "ALIVE" },
82 #define PRISON_STATE_DYING 2
83 { PRISON_STATE_DYING, "DYING" },
84 };
85
86
87 #ifndef _KERNEL
88
89 int jail(struct jail *);
90 int jail_attach(int);
91
92 #else /* _KERNEL */
93
94 #include <sys/queue.h>
95 #include <sys/_lock.h>
96 #include <sys/_mutex.h>
97 #include <sys/_task.h>
98
99 #define JAIL_MAX 999999
100
101 #ifdef MALLOC_DECLARE
102 MALLOC_DECLARE(M_PRISON);
103 #endif
104 #endif /* _KERNEL */
105
106 struct cpuset;
107
108 /*
109 * This structure describes a prison. It is pointed to by all struct
110 * ucreds's of the inmates. pr_ref keeps track of them and is used to
111 * delete the struture when the last inmate is dead.
112 *
113 * Lock key:
114 * (a) allprison_lock
115 * (p) locked by pr_mtx
116 * (c) set only during creation before the structure is shared, no mutex
117 * required to read
118 * (d) set only during destruction of jail, no mutex needed
119 */
120 #if defined(_KERNEL) || defined(_WANT_PRISON)
121 struct prison {
122 LIST_ENTRY(prison) pr_list; /* (a) all prisons */
123 int pr_id; /* (c) prison id */
124 int pr_ref; /* (p) refcount */
125 int pr_state; /* (p) prison state */
126 int pr_nprocs; /* (p) process count */
127 char pr_path[MAXPATHLEN]; /* (c) chroot path */
128 struct cpuset *pr_cpuset; /* (p) cpuset */
129 struct vnode *pr_root; /* (c) vnode to rdir */
130 char pr_host[MAXHOSTNAMELEN]; /* (p) jail hostname */
131 char pr_name[MAXHOSTNAMELEN]; /* (c) admin jail name */
132 void *pr_linux; /* (p) linux abi */
133 int pr_securelevel; /* (p) securelevel */
134 struct task pr_task; /* (d) destroy task */
135 struct mtx pr_mtx;
136 void **pr_slots; /* (p) additional data */
137 int pr_ip4s; /* (c) number of v4 IPs */
138 struct in_addr *pr_ip4; /* (c) v4 IPs of jail */
139 int pr_ip6s; /* (c) number of v6 IPs */
140 struct in6_addr *pr_ip6; /* (c) v6 IPs of jail */
141 struct osd pr_osd;
142 };
143 #endif /* _KERNEL || _WANT_PRISON */
144
145 #ifdef _KERNEL
146 /*
147 * Flag bits set via options or internally
148 */
149 #define PR_PERSIST 0x00000001 /* Can exist without processes */
150 #define PR_REMOVE 0x01000000 /* In process of being removed */
151
152 /*
153 * OSD methods
154 */
155 #define PR_METHOD_CREATE 0
156 #define PR_METHOD_GET 1
157 #define PR_METHOD_SET 2
158 #define PR_METHOD_CHECK 3
159 #define PR_METHOD_ATTACH 4
160 #define PR_MAXMETHOD 5
161
162 /*
163 * Sysctl-set variables that determine global jail policy
164 *
165 * XXX MIB entries will need to be protected by a mutex.
166 */
167 extern int jail_set_hostname_allowed;
168 extern int jail_socket_unixiproute_only;
169 extern int jail_sysvipc_allowed;
170 extern int jail_getfsstat_jailrootonly;
171 extern int jail_allow_raw_sockets;
172 extern int jail_chflags_allowed;
173
174 LIST_HEAD(prisonlist, prison);
175 extern struct prisonlist allprison;
176 extern struct sx allprison_lock;
177
178 /*
179 * Kernel support functions for jail().
180 */
181 struct ucred;
182 struct mount;
183 struct sockaddr;
184 struct statfs;
185 struct thread;
186 int kern_jail(struct thread *, struct jail *);
187 int jailed(struct ucred *cred);
188 void getcredhostname(struct ucred *cred, char *, size_t);
189 int prison_check(struct ucred *cred1, struct ucred *cred2);
190 int prison_canseemount(struct ucred *cred, struct mount *mp);
191 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
192 struct statfs *sp);
193 struct prison *prison_find(int prid);
194 void prison_free(struct prison *pr);
195 void prison_free_locked(struct prison *pr);
196 void prison_hold(struct prison *pr);
197 void prison_hold_locked(struct prison *pr);
198 void prison_proc_hold(struct prison *);
199 void prison_proc_free(struct prison *);
200 int prison_get_ip4(struct ucred *cred, struct in_addr *ia);
201 int prison_local_ip4(struct ucred *cred, struct in_addr *ia);
202 int prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
203 int prison_check_ip4(struct ucred *cred, struct in_addr *ia);
204 int prison_saddrsel_ip4(struct ucred *, struct in_addr *);
205 #ifdef INET6
206 int prison_get_ip6(struct ucred *, struct in6_addr *);
207 int prison_local_ip6(struct ucred *, struct in6_addr *, int);
208 int prison_remote_ip6(struct ucred *, struct in6_addr *);
209 int prison_check_ip6(struct ucred *, struct in6_addr *);
210 int prison_saddrsel_ip6(struct ucred *, struct in6_addr *);
211 #endif
212 int prison_check_af(struct ucred *cred, int af);
213 int prison_if(struct ucred *cred, struct sockaddr *sa);
214 int prison_priv_check(struct ucred *cred, int priv);
215
216 /*
217 * Kernel jail services.
218 */
219 struct prison_service;
220 typedef int (*prison_create_t)(struct prison_service *psrv, struct prison *pr);
221 typedef int (*prison_destroy_t)(struct prison_service *psrv, struct prison *pr);
222
223 struct prison_service *prison_service_register(const char *name,
224 prison_create_t create, prison_destroy_t destroy);
225 void prison_service_deregister(struct prison_service *psrv);
226
227 void prison_service_data_set(struct prison_service *psrv, struct prison *pr,
228 void *data);
229 void *prison_service_data_get(struct prison_service *psrv, struct prison *pr);
230 void *prison_service_data_del(struct prison_service *psrv, struct prison *pr);
231
232 #endif /* _KERNEL */
233 #endif /* !_SYS_JAIL_H_ */
Cache object: e9e25cd226929151d8a254ac906d2594
|