jail.h revision 295951 
1/*-
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2009 James Gritton.
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 * $FreeBSD: stable/10/sys/sys/jail.h 295951 2016-02-24 02:34:11Z araujo $
28 */
29
30#ifndef _SYS_JAIL_H_
31#define _SYS_JAIL_H_
32
33#ifdef _KERNEL
34struct jail_v0 {
35	u_int32_t	version;
36	char		*path;
37	char		*hostname;
38	u_int32_t	ip_number;
39};
40#endif
41
42struct jail {
43	uint32_t	version;
44	char		*path;
45	char		*hostname;
46	char		*jailname;
47	uint32_t	ip4s;
48	uint32_t	ip6s;
49	struct in_addr	*ip4;
50	struct in6_addr	*ip6;
51};
52#define	JAIL_API_VERSION	2
53
54/*
55 * For all xprison structs, always keep the pr_version an int and
56 * the first variable so userspace can easily distinguish them.
57 */
58#ifndef _KERNEL
59struct xprison_v1 {
60	int		 pr_version;
61	int		 pr_id;
62	char		 pr_path[MAXPATHLEN];
63	char		 pr_host[MAXHOSTNAMELEN];
64	u_int32_t	 pr_ip;
65};
66#endif
67
68struct xprison {
69	int		 pr_version;
70	int		 pr_id;
71	int		 pr_state;
72	cpusetid_t	 pr_cpusetid;
73	char		 pr_path[MAXPATHLEN];
74	char		 pr_host[MAXHOSTNAMELEN];
75	char		 pr_name[MAXHOSTNAMELEN];
76	uint32_t	 pr_ip4s;
77	uint32_t	 pr_ip6s;
78#if 0
79	/*
80	 * sizeof(xprison) will be malloced + size needed for all
81	 * IPv4 and IPv6 addesses. Offsets are based numbers of addresses.
82	 */
83	struct in_addr	 pr_ip4[];
84	struct in6_addr	 pr_ip6[];
85#endif
86};
87#define	XPRISON_VERSION		3
88
89#define	PRISON_STATE_INVALID	0
90#define	PRISON_STATE_ALIVE	1
91#define	PRISON_STATE_DYING	2
92
93/*
94 * Flags for jail_set and jail_get.
95 */
96#define	JAIL_CREATE	0x01	/* Create jail if it doesn't exist */
97#define	JAIL_UPDATE	0x02	/* Update parameters of existing jail */
98#define	JAIL_ATTACH	0x04	/* Attach to jail upon creation */
99#define	JAIL_DYING	0x08	/* Allow getting a dying jail */
100#define	JAIL_SET_MASK	0x0f
101#define	JAIL_GET_MASK	0x08
102
103#define	JAIL_SYS_DISABLE	0
104#define	JAIL_SYS_NEW		1
105#define	JAIL_SYS_INHERIT	2
106
107#ifndef _KERNEL
108
109struct iovec;
110
111int jail(struct jail *);
112int jail_set(struct iovec *, unsigned int, int);
113int jail_get(struct iovec *, unsigned int, int);
114int jail_attach(int);
115int jail_remove(int);
116
117#else /* _KERNEL */
118
119#include <sys/queue.h>
120#include <sys/sysctl.h>
121#include <sys/lock.h>
122#include <sys/mutex.h>
123#include <sys/_task.h>
124
125#define JAIL_MAX	999999
126
127#ifdef MALLOC_DECLARE
128MALLOC_DECLARE(M_PRISON);
129#endif
130#endif /* _KERNEL */
131
132#if defined(_KERNEL) || defined(_WANT_PRISON)
133
134#include <sys/osd.h>
135
136#define	HOSTUUIDLEN	64
137#define	OSRELEASELEN	32
138
139struct racct;
140struct prison_racct;
141
142/*
143 * This structure describes a prison.  It is pointed to by all struct
144 * ucreds's of the inmates.  pr_ref keeps track of them and is used to
145 * delete the struture when the last inmate is dead.
146 *
147 * Lock key:
148 *   (a) allprison_lock
149 *   (p) locked by pr_mtx
150 *   (c) set only during creation before the structure is shared, no mutex
151 *       required to read
152 *   (d) set only during destruction of jail, no mutex needed
153 */
154struct prison {
155	TAILQ_ENTRY(prison) pr_list;			/* (a) all prisons */
156	int		 pr_id;				/* (c) prison id */
157	int		 pr_ref;			/* (p) refcount */
158	int		 pr_uref;			/* (p) user (alive) refcount */
159	unsigned	 pr_flags;			/* (p) PR_* flags */
160	LIST_HEAD(, prison) pr_children;		/* (a) list of child jails */
161	LIST_ENTRY(prison) pr_sibling;			/* (a) next in parent's list */
162	struct prison	*pr_parent;			/* (c) containing jail */
163	struct mtx	 pr_mtx;
164	struct task	 pr_task;			/* (d) destroy task */
165	struct osd	 pr_osd;			/* (p) additional data */
166	struct cpuset	*pr_cpuset;			/* (p) cpuset */
167	struct vnet	*pr_vnet;			/* (c) network stack */
168	struct vnode	*pr_root;			/* (c) vnode to rdir */
169	int		 pr_ip4s;			/* (p) number of v4 IPs */
170	int		 pr_ip6s;			/* (p) number of v6 IPs */
171	struct in_addr	*pr_ip4;			/* (p) v4 IPs of jail */
172	struct in6_addr	*pr_ip6;			/* (p) v6 IPs of jail */
173	struct prison_racct *pr_prison_racct;		/* (c) racct jail proxy */
174	void		*pr_sparep[3];
175	int		 pr_childcount;			/* (a) number of child jails */
176	int		 pr_childmax;			/* (p) maximum child jails */
177	unsigned	 pr_allow;			/* (p) PR_ALLOW_* flags */
178	int		 pr_securelevel;		/* (p) securelevel */
179	int		 pr_enforce_statfs;		/* (p) statfs permission */
180	int		 pr_devfs_rsnum;		/* (p) devfs ruleset */
181	int		 pr_spare[3];
182	int		 pr_osreldate;			/* (c) kern.osreldate value */
183	unsigned long	 pr_hostid;			/* (p) jail hostid */
184	char		 pr_name[MAXHOSTNAMELEN];	/* (p) admin jail name */
185	char		 pr_path[MAXPATHLEN];		/* (c) chroot path */
186	char		 pr_hostname[MAXHOSTNAMELEN];	/* (p) jail hostname */
187	char		 pr_domainname[MAXHOSTNAMELEN];	/* (p) jail domainname */
188	char		 pr_hostuuid[HOSTUUIDLEN];	/* (p) jail hostuuid */
189	char		 pr_osrelease[OSRELEASELEN];	/* (c) kern.osrelease value */
190};
191
192struct prison_racct {
193	LIST_ENTRY(prison_racct) prr_next;
194	char		prr_name[MAXHOSTNAMELEN];
195	u_int		prr_refcount;
196	struct racct	*prr_racct;
197};
198#endif /* _KERNEL || _WANT_PRISON */
199
200#ifdef _KERNEL
201/* Flag bits set via options */
202#define	PR_PERSIST	0x00000001	/* Can exist without processes */
203#define	PR_HOST		0x00000002	/* Virtualize hostname et al */
204#define	PR_IP4_USER	0x00000004	/* Restrict IPv4 addresses */
205#define	PR_IP6_USER	0x00000008	/* Restrict IPv6 addresses */
206#define	PR_VNET		0x00000010	/* Virtual network stack */
207#define	PR_IP4_DISABLE	0x00000020	/* Disable IPv4 */
208#define	PR_IP6_DISABLE	0x00000040	/* Disable IPv6 */
209#define	PR_IP4_SADDRSEL	0x00000080	/* Do IPv4 src addr sel. or use the */
210					/* primary jail address. */
211#define	PR_IP6_SADDRSEL	0x00000100	/* Do IPv6 src addr sel. or use the */
212					/* primary jail address. */
213
214/* Internal flag bits */
215#define	PR_REMOVE	0x01000000	/* In process of being removed */
216#define	PR_IP4		0x02000000	/* IPv4 restricted or disabled */
217					/* by this jail or an ancestor */
218#define	PR_IP6		0x04000000	/* IPv6 restricted or disabled */
219					/* by this jail or an ancestor */
220
221/* Flags for pr_allow */
222#define	PR_ALLOW_SET_HOSTNAME		0x0001
223#define	PR_ALLOW_SYSVIPC		0x0002
224#define	PR_ALLOW_RAW_SOCKETS		0x0004
225#define	PR_ALLOW_CHFLAGS		0x0008
226#define	PR_ALLOW_MOUNT			0x0010
227#define	PR_ALLOW_QUOTAS			0x0020
228#define	PR_ALLOW_SOCKET_AF		0x0040
229#define	PR_ALLOW_MOUNT_DEVFS		0x0080
230#define	PR_ALLOW_MOUNT_NULLFS		0x0100
231#define	PR_ALLOW_MOUNT_ZFS		0x0200
232#define	PR_ALLOW_MOUNT_PROCFS		0x0400
233#define	PR_ALLOW_MOUNT_TMPFS		0x0800
234#define	PR_ALLOW_MOUNT_FDESCFS		0x1000
235#define	PR_ALLOW_MOUNT_LINPROCFS	0x2000
236#define	PR_ALLOW_MOUNT_LINSYSFS		0x4000
237#define	PR_ALLOW_ALL			0x7fff
238
239/*
240 * OSD methods
241 */
242#define	PR_METHOD_CREATE	0
243#define	PR_METHOD_GET		1
244#define	PR_METHOD_SET		2
245#define	PR_METHOD_CHECK		3
246#define	PR_METHOD_ATTACH	4
247#define	PR_MAXMETHOD		5
248
249/*
250 * Lock/unlock a prison.
251 * XXX These exist not so much for general convenience, but to be useable in
252 *     the FOREACH_PRISON_DESCENDANT_LOCKED macro which can't handle them in
253 *     non-function form as currently defined.
254 */
255static __inline void
256prison_lock(struct prison *pr)
257{
258
259	mtx_lock(&pr->pr_mtx);
260}
261
262static __inline void
263prison_unlock(struct prison *pr)
264{
265
266	mtx_unlock(&pr->pr_mtx);
267}
268
269/* Traverse a prison's immediate children. */
270#define	FOREACH_PRISON_CHILD(ppr, cpr)					\
271	LIST_FOREACH(cpr, &(ppr)->pr_children, pr_sibling)
272
273/*
274 * Preorder traversal of all of a prison's descendants.
275 * This ugly loop allows the macro to be followed by a single block
276 * as expected in a looping primitive.
277 */
278#define	FOREACH_PRISON_DESCENDANT(ppr, cpr, descend)			\
279	for ((cpr) = (ppr), (descend) = 1;				\
280	    ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children))	\
281	      ? LIST_FIRST(&(cpr)->pr_children)				\
282	      : ((cpr) == (ppr)						\
283		 ? NULL							\
284		 : (((descend) = LIST_NEXT(cpr, pr_sibling) != NULL)	\
285		    ? LIST_NEXT(cpr, pr_sibling)			\
286		    : (cpr)->pr_parent))));)				\
287		if (!(descend))						\
288			;						\
289		else
290
291/*
292 * As above, but lock descendants on the way down and unlock on the way up.
293 */
294#define	FOREACH_PRISON_DESCENDANT_LOCKED(ppr, cpr, descend)		\
295	for ((cpr) = (ppr), (descend) = 1;				\
296	    ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children))	\
297	      ? LIST_FIRST(&(cpr)->pr_children)				\
298	      : ((cpr) == (ppr)						\
299		 ? NULL							\
300		 : ((prison_unlock(cpr),				\
301		    (descend) = LIST_NEXT(cpr, pr_sibling) != NULL)	\
302		    ? LIST_NEXT(cpr, pr_sibling)			\
303		    : (cpr)->pr_parent))));)				\
304		if ((descend) ? (prison_lock(cpr), 0) : 1)		\
305			;						\
306		else
307
308/*
309 * As above, but also keep track of the level descended to.
310 */
311#define	FOREACH_PRISON_DESCENDANT_LOCKED_LEVEL(ppr, cpr, descend, level)\
312	for ((cpr) = (ppr), (descend) = 1, (level) = 0;			\
313	    ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children))	\
314	      ? (level++, LIST_FIRST(&(cpr)->pr_children))		\
315	      : ((cpr) == (ppr)						\
316		 ? NULL							\
317		 : ((prison_unlock(cpr),				\
318		    (descend) = LIST_NEXT(cpr, pr_sibling) != NULL)	\
319		    ? LIST_NEXT(cpr, pr_sibling)			\
320		    : (level--, (cpr)->pr_parent)))));)			\
321		if ((descend) ? (prison_lock(cpr), 0) : 1)		\
322			;						\
323		else
324
325/*
326 * Attributes of the physical system, and the root of the jail tree.
327 */
328extern struct	prison prison0;
329
330TAILQ_HEAD(prisonlist, prison);
331extern struct	prisonlist allprison;
332extern struct	sx allprison_lock;
333
334/*
335 * Sysctls to describe jail parameters.
336 */
337SYSCTL_DECL(_security_jail_param);
338
339#define	SYSCTL_JAIL_PARAM(module, param, type, fmt, descr)		\
340    SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param,	\
341	(type) | CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_param, fmt, descr)
342#define	SYSCTL_JAIL_PARAM_STRING(module, param, access, len, descr)	\
343    SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param,	\
344	CTLTYPE_STRING | CTLFLAG_MPSAFE | (access), NULL, len,		\
345	sysctl_jail_param, "A", descr)
346#define	SYSCTL_JAIL_PARAM_STRUCT(module, param, access, len, fmt, descr)\
347    SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param,	\
348	CTLTYPE_STRUCT | CTLFLAG_MPSAFE | (access), NULL, len,		\
349	sysctl_jail_param, fmt, descr)
350#define	SYSCTL_JAIL_PARAM_NODE(module, descr)				\
351    SYSCTL_NODE(_security_jail_param, OID_AUTO, module, 0, 0, descr)
352#define	SYSCTL_JAIL_PARAM_SUBNODE(parent, module, descr)		\
353    SYSCTL_NODE(_security_jail_param_##parent, OID_AUTO, module, 0, 0, descr)
354#define	SYSCTL_JAIL_PARAM_SYS_NODE(module, access, descr)		\
355    SYSCTL_JAIL_PARAM_NODE(module, descr);				\
356    SYSCTL_JAIL_PARAM(_##module, , CTLTYPE_INT | (access), "E,jailsys",	\
357	descr)
358
359/*
360 * Kernel support functions for jail().
361 */
362struct ucred;
363struct mount;
364struct sockaddr;
365struct statfs;
366int jailed(struct ucred *cred);
367int jailed_without_vnet(struct ucred *);
368void getcredhostname(struct ucred *, char *, size_t);
369void getcreddomainname(struct ucred *, char *, size_t);
370void getcredhostuuid(struct ucred *, char *, size_t);
371void getcredhostid(struct ucred *, unsigned long *);
372void prison0_init(void);
373int prison_allow(struct ucred *, unsigned);
374int prison_check(struct ucred *cred1, struct ucred *cred2);
375int prison_owns_vnet(struct ucred *);
376int prison_canseemount(struct ucred *cred, struct mount *mp);
377void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
378    struct statfs *sp);
379struct prison *prison_find(int prid);
380struct prison *prison_find_child(struct prison *, int);
381struct prison *prison_find_name(struct prison *, const char *);
382int prison_flag(struct ucred *, unsigned);
383void prison_free(struct prison *pr);
384void prison_free_locked(struct prison *pr);
385void prison_hold(struct prison *pr);
386void prison_hold_locked(struct prison *pr);
387void prison_proc_hold(struct prison *);
388void prison_proc_free(struct prison *);
389int prison_ischild(struct prison *, struct prison *);
390int prison_equal_ip4(struct prison *, struct prison *);
391int prison_get_ip4(struct ucred *cred, struct in_addr *ia);
392int prison_local_ip4(struct ucred *cred, struct in_addr *ia);
393int prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
394int prison_check_ip4(struct ucred *cred, struct in_addr *ia);
395int prison_saddrsel_ip4(struct ucred *, struct in_addr *);
396#ifdef INET6
397int prison_equal_ip6(struct prison *, struct prison *);
398int prison_get_ip6(struct ucred *, struct in6_addr *);
399int prison_local_ip6(struct ucred *, struct in6_addr *, int);
400int prison_remote_ip6(struct ucred *, struct in6_addr *);
401int prison_check_ip6(struct ucred *, struct in6_addr *);
402int prison_saddrsel_ip6(struct ucred *, struct in6_addr *);
403#endif
404int prison_check_af(struct ucred *cred, int af);
405int prison_if(struct ucred *cred, struct sockaddr *sa);
406char *prison_name(struct prison *, struct prison *);
407int prison_priv_check(struct ucred *cred, int priv);
408int sysctl_jail_param(SYSCTL_HANDLER_ARGS);
409void prison_racct_foreach(void (*callback)(struct racct *racct,
410    void *arg2, void *arg3), void *arg2, void *arg3);
411struct prison_racct *prison_racct_find(const char *name);
412void prison_racct_hold(struct prison_racct *prr);
413void prison_racct_free(struct prison_racct *prr);
414
415#endif /* _KERNEL */
416#endif /* !_SYS_JAIL_H_ */
417