kern_jail.c revision 167152
1210688Srpaulo/*- 2210688Srpaulo * ---------------------------------------------------------------------------- 3210688Srpaulo * "THE BEER-WARE LICENSE" (Revision 42): 4210688Srpaulo * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 5210688Srpaulo * can do whatever you want with this stuff. If we meet some day, and you think 6210688Srpaulo * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 7210688Srpaulo * ---------------------------------------------------------------------------- 8210688Srpaulo */ 9210688Srpaulo 10210688Srpaulo#include <sys/cdefs.h> 11210688Srpaulo__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 167152 2007-03-01 20:47:42Z pjd $"); 12210688Srpaulo 13210688Srpaulo#include "opt_mac.h" 14210688Srpaulo 15210688Srpaulo#include <sys/param.h> 16210688Srpaulo#include <sys/types.h> 17210688Srpaulo#include <sys/kernel.h> 18210688Srpaulo#include <sys/systm.h> 19210688Srpaulo#include <sys/errno.h> 20210688Srpaulo#include <sys/sysproto.h> 21210688Srpaulo#include <sys/malloc.h> 22210688Srpaulo#include <sys/priv.h> 23210688Srpaulo#include <sys/proc.h> 24210688Srpaulo#include <sys/taskqueue.h> 25210688Srpaulo#include <sys/jail.h> 26210688Srpaulo#include <sys/lock.h> 27210688Srpaulo#include <sys/mutex.h> 28210688Srpaulo#include <sys/namei.h> 29210688Srpaulo#include <sys/mount.h> 30210688Srpaulo#include <sys/queue.h> 31210688Srpaulo#include <sys/socket.h> 32210688Srpaulo#include <sys/syscallsubr.h> 33210688Srpaulo#include <sys/sysctl.h> 34210688Srpaulo#include <sys/vnode.h> 35210688Srpaulo#include <net/if.h> 36210688Srpaulo#include <netinet/in.h> 37210688Srpaulo 38210688Srpaulo#include <security/mac/mac_framework.h> 39210688Srpaulo 40210688SrpauloMALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); 41210688Srpaulo 42210688SrpauloSYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, 43210688Srpaulo "Jail rules"); 44210688Srpaulo 45210688Srpauloint jail_set_hostname_allowed = 1; 46210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW, 47210688Srpaulo &jail_set_hostname_allowed, 0, 48210688Srpaulo "Processes in jail can set their hostnames"); 49210688Srpaulo 50210688Srpauloint jail_socket_unixiproute_only = 1; 51210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, 52210688Srpaulo &jail_socket_unixiproute_only, 0, 53210688Srpaulo "Processes in jail are limited to creating UNIX/IPv4/route sockets only"); 54210688Srpaulo 55210688Srpauloint jail_sysvipc_allowed = 0; 56210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, 57210688Srpaulo &jail_sysvipc_allowed, 0, 58210688Srpaulo "Processes in jail can use System V IPC primitives"); 59210688Srpaulo 60210688Srpaulostatic int jail_enforce_statfs = 2; 61210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW, 62210688Srpaulo &jail_enforce_statfs, 0, 63210688Srpaulo "Processes in jail cannot see all mounted file systems"); 64210688Srpaulo 65210688Srpauloint jail_allow_raw_sockets = 0; 66210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, 67210688Srpaulo &jail_allow_raw_sockets, 0, 68210688Srpaulo "Prison root can create raw sockets"); 69210688Srpaulo 70210688Srpauloint jail_chflags_allowed = 0; 71210688SrpauloSYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, 72210688Srpaulo &jail_chflags_allowed, 0, 73210688Srpaulo "Processes in jail can alter system file flags"); 74210688Srpaulo 75210688Srpaulo/* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ 76210688Srpaulostruct prisonlist allprison; 77210688Srpaulostruct mtx allprison_mtx; 78210688Srpauloint lastprid = 0; 79210688Srpauloint prisoncount = 0; 80210688Srpaulo 81210688Srpaulostatic void init_prison(void *); 82210688Srpaulostatic void prison_complete(void *context, int pending); 83210688Srpaulostatic struct prison *prison_find(int); 84210688Srpaulostatic int sysctl_jail_list(SYSCTL_HANDLER_ARGS); 85210688Srpaulo 86210688Srpaulostatic void 87210688Srpauloinit_prison(void *data __unused) 88210688Srpaulo{ 89210688Srpaulo 90210688Srpaulo mtx_init(&allprison_mtx, "allprison", NULL, MTX_DEF); 91210688Srpaulo LIST_INIT(&allprison); 92210688Srpaulo} 93210688Srpaulo 94210688SrpauloSYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL); 95210688Srpaulo 96210688Srpaulo/* 97210688Srpaulo * MPSAFE 98210688Srpaulo * 99210688Srpaulo * struct jail_args { 100210688Srpaulo * struct jail *jail; 101210688Srpaulo * }; 102210688Srpaulo */ 103210688Srpauloint 104210688Srpaulojail(struct thread *td, struct jail_args *uap) 105210688Srpaulo{ 106210688Srpaulo struct nameidata nd; 107210688Srpaulo struct prison *pr, *tpr; 108210688Srpaulo struct jail j; 109210688Srpaulo struct jail_attach_args jaa; 110210688Srpaulo int vfslocked, error, tryprid; 111210688Srpaulo 112210688Srpaulo error = copyin(uap->jail, &j, sizeof(j)); 113210688Srpaulo if (error) 114 return (error); 115 if (j.version != 0) 116 return (EINVAL); 117 118 MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO); 119 mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF); 120 pr->pr_ref = 1; 121 error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0); 122 if (error) 123 goto e_killmtx; 124 NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE, 125 pr->pr_path, td); 126 error = namei(&nd); 127 if (error) 128 goto e_killmtx; 129 vfslocked = NDHASGIANT(&nd); 130 pr->pr_root = nd.ni_vp; 131 VOP_UNLOCK(nd.ni_vp, 0, td); 132 NDFREE(&nd, NDF_ONLY_PNBUF); 133 VFS_UNLOCK_GIANT(vfslocked); 134 error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0); 135 if (error) 136 goto e_dropvnref; 137 pr->pr_ip = j.ip_number; 138 pr->pr_linux = NULL; 139 pr->pr_securelevel = securelevel; 140 141 /* Determine next pr_id and add prison to allprison list. */ 142 mtx_lock(&allprison_mtx); 143 tryprid = lastprid + 1; 144 if (tryprid == JAIL_MAX) 145 tryprid = 1; 146next: 147 LIST_FOREACH(tpr, &allprison, pr_list) { 148 if (tpr->pr_id == tryprid) { 149 tryprid++; 150 if (tryprid == JAIL_MAX) { 151 mtx_unlock(&allprison_mtx); 152 error = EAGAIN; 153 goto e_dropvnref; 154 } 155 goto next; 156 } 157 } 158 pr->pr_id = jaa.jid = lastprid = tryprid; 159 LIST_INSERT_HEAD(&allprison, pr, pr_list); 160 prisoncount++; 161 mtx_unlock(&allprison_mtx); 162 163 error = jail_attach(td, &jaa); 164 if (error) 165 goto e_dropprref; 166 mtx_lock(&pr->pr_mtx); 167 pr->pr_ref--; 168 mtx_unlock(&pr->pr_mtx); 169 td->td_retval[0] = jaa.jid; 170 return (0); 171e_dropprref: 172 mtx_lock(&allprison_mtx); 173 LIST_REMOVE(pr, pr_list); 174 prisoncount--; 175 mtx_unlock(&allprison_mtx); 176e_dropvnref: 177 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 178 vrele(pr->pr_root); 179 VFS_UNLOCK_GIANT(vfslocked); 180e_killmtx: 181 mtx_destroy(&pr->pr_mtx); 182 FREE(pr, M_PRISON); 183 return (error); 184} 185 186/* 187 * MPSAFE 188 * 189 * struct jail_attach_args { 190 * int jid; 191 * }; 192 */ 193int 194jail_attach(struct thread *td, struct jail_attach_args *uap) 195{ 196 struct proc *p; 197 struct ucred *newcred, *oldcred; 198 struct prison *pr; 199 int vfslocked, error; 200 201 /* 202 * XXX: Note that there is a slight race here if two threads 203 * in the same privileged process attempt to attach to two 204 * different jails at the same time. It is important for 205 * user processes not to do this, or they might end up with 206 * a process root from one prison, but attached to the jail 207 * of another. 208 */ 209 error = priv_check(td, PRIV_JAIL_ATTACH); 210 if (error) 211 return (error); 212 213 p = td->td_proc; 214 mtx_lock(&allprison_mtx); 215 pr = prison_find(uap->jid); 216 if (pr == NULL) { 217 mtx_unlock(&allprison_mtx); 218 return (EINVAL); 219 } 220 pr->pr_ref++; 221 mtx_unlock(&pr->pr_mtx); 222 mtx_unlock(&allprison_mtx); 223 224 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 225 vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY, td); 226 if ((error = change_dir(pr->pr_root, td)) != 0) 227 goto e_unlock; 228#ifdef MAC 229 if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root))) 230 goto e_unlock; 231#endif 232 VOP_UNLOCK(pr->pr_root, 0, td); 233 change_root(pr->pr_root, td); 234 VFS_UNLOCK_GIANT(vfslocked); 235 236 newcred = crget(); 237 PROC_LOCK(p); 238 oldcred = p->p_ucred; 239 setsugid(p); 240 crcopy(newcred, oldcred); 241 newcred->cr_prison = pr; 242 p->p_ucred = newcred; 243 PROC_UNLOCK(p); 244 crfree(oldcred); 245 return (0); 246e_unlock: 247 VOP_UNLOCK(pr->pr_root, 0, td); 248 VFS_UNLOCK_GIANT(vfslocked); 249 mtx_lock(&pr->pr_mtx); 250 pr->pr_ref--; 251 mtx_unlock(&pr->pr_mtx); 252 return (error); 253} 254 255/* 256 * Returns a locked prison instance, or NULL on failure. 257 */ 258static struct prison * 259prison_find(int prid) 260{ 261 struct prison *pr; 262 263 mtx_assert(&allprison_mtx, MA_OWNED); 264 LIST_FOREACH(pr, &allprison, pr_list) { 265 if (pr->pr_id == prid) { 266 mtx_lock(&pr->pr_mtx); 267 return (pr); 268 } 269 } 270 return (NULL); 271} 272 273void 274prison_free(struct prison *pr) 275{ 276 277 mtx_lock(&allprison_mtx); 278 mtx_lock(&pr->pr_mtx); 279 pr->pr_ref--; 280 if (pr->pr_ref == 0) { 281 LIST_REMOVE(pr, pr_list); 282 mtx_unlock(&pr->pr_mtx); 283 prisoncount--; 284 mtx_unlock(&allprison_mtx); 285 286 TASK_INIT(&pr->pr_task, 0, prison_complete, pr); 287 taskqueue_enqueue(taskqueue_thread, &pr->pr_task); 288 return; 289 } 290 mtx_unlock(&pr->pr_mtx); 291 mtx_unlock(&allprison_mtx); 292} 293 294static void 295prison_complete(void *context, int pending) 296{ 297 struct prison *pr; 298 int vfslocked; 299 300 pr = (struct prison *)context; 301 302 vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount); 303 vrele(pr->pr_root); 304 VFS_UNLOCK_GIANT(vfslocked); 305 306 mtx_destroy(&pr->pr_mtx); 307 if (pr->pr_linux != NULL) 308 FREE(pr->pr_linux, M_PRISON); 309 FREE(pr, M_PRISON); 310} 311 312void 313prison_hold(struct prison *pr) 314{ 315 316 mtx_lock(&pr->pr_mtx); 317 pr->pr_ref++; 318 mtx_unlock(&pr->pr_mtx); 319} 320 321u_int32_t 322prison_getip(struct ucred *cred) 323{ 324 325 return (cred->cr_prison->pr_ip); 326} 327 328int 329prison_ip(struct ucred *cred, int flag, u_int32_t *ip) 330{ 331 u_int32_t tmp; 332 333 if (!jailed(cred)) 334 return (0); 335 if (flag) 336 tmp = *ip; 337 else 338 tmp = ntohl(*ip); 339 if (tmp == INADDR_ANY) { 340 if (flag) 341 *ip = cred->cr_prison->pr_ip; 342 else 343 *ip = htonl(cred->cr_prison->pr_ip); 344 return (0); 345 } 346 if (tmp == INADDR_LOOPBACK) { 347 if (flag) 348 *ip = cred->cr_prison->pr_ip; 349 else 350 *ip = htonl(cred->cr_prison->pr_ip); 351 return (0); 352 } 353 if (cred->cr_prison->pr_ip != tmp) 354 return (1); 355 return (0); 356} 357 358void 359prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip) 360{ 361 u_int32_t tmp; 362 363 if (!jailed(cred)) 364 return; 365 if (flag) 366 tmp = *ip; 367 else 368 tmp = ntohl(*ip); 369 if (tmp == INADDR_LOOPBACK) { 370 if (flag) 371 *ip = cred->cr_prison->pr_ip; 372 else 373 *ip = htonl(cred->cr_prison->pr_ip); 374 return; 375 } 376 return; 377} 378 379int 380prison_if(struct ucred *cred, struct sockaddr *sa) 381{ 382 struct sockaddr_in *sai; 383 int ok; 384 385 sai = (struct sockaddr_in *)sa; 386 if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only) 387 ok = 1; 388 else if (sai->sin_family != AF_INET) 389 ok = 0; 390 else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr)) 391 ok = 1; 392 else 393 ok = 0; 394 return (ok); 395} 396 397/* 398 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH. 399 */ 400int 401prison_check(struct ucred *cred1, struct ucred *cred2) 402{ 403 404 if (jailed(cred1)) { 405 if (!jailed(cred2)) 406 return (ESRCH); 407 if (cred2->cr_prison != cred1->cr_prison) 408 return (ESRCH); 409 } 410 411 return (0); 412} 413 414/* 415 * Return 1 if the passed credential is in a jail, otherwise 0. 416 */ 417int 418jailed(struct ucred *cred) 419{ 420 421 return (cred->cr_prison != NULL); 422} 423 424/* 425 * Return the correct hostname for the passed credential. 426 */ 427void 428getcredhostname(struct ucred *cred, char *buf, size_t size) 429{ 430 431 if (jailed(cred)) { 432 mtx_lock(&cred->cr_prison->pr_mtx); 433 strlcpy(buf, cred->cr_prison->pr_host, size); 434 mtx_unlock(&cred->cr_prison->pr_mtx); 435 } else 436 strlcpy(buf, hostname, size); 437} 438 439/* 440 * Determine whether the subject represented by cred can "see" 441 * status of a mount point. 442 * Returns: 0 for permitted, ENOENT otherwise. 443 * XXX: This function should be called cr_canseemount() and should be 444 * placed in kern_prot.c. 445 */ 446int 447prison_canseemount(struct ucred *cred, struct mount *mp) 448{ 449 struct prison *pr; 450 struct statfs *sp; 451 size_t len; 452 453 if (!jailed(cred) || jail_enforce_statfs == 0) 454 return (0); 455 pr = cred->cr_prison; 456 if (pr->pr_root->v_mount == mp) 457 return (0); 458 if (jail_enforce_statfs == 2) 459 return (ENOENT); 460 /* 461 * If jail's chroot directory is set to "/" we should be able to see 462 * all mount-points from inside a jail. 463 * This is ugly check, but this is the only situation when jail's 464 * directory ends with '/'. 465 */ 466 if (strcmp(pr->pr_path, "/") == 0) 467 return (0); 468 len = strlen(pr->pr_path); 469 sp = &mp->mnt_stat; 470 if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0) 471 return (ENOENT); 472 /* 473 * Be sure that we don't have situation where jail's root directory 474 * is "/some/path" and mount point is "/some/pathpath". 475 */ 476 if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/') 477 return (ENOENT); 478 return (0); 479} 480 481void 482prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp) 483{ 484 char jpath[MAXPATHLEN]; 485 struct prison *pr; 486 size_t len; 487 488 if (!jailed(cred) || jail_enforce_statfs == 0) 489 return; 490 pr = cred->cr_prison; 491 if (prison_canseemount(cred, mp) != 0) { 492 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 493 strlcpy(sp->f_mntonname, "[restricted]", 494 sizeof(sp->f_mntonname)); 495 return; 496 } 497 if (pr->pr_root->v_mount == mp) { 498 /* 499 * Clear current buffer data, so we are sure nothing from 500 * the valid path left there. 501 */ 502 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 503 *sp->f_mntonname = '/'; 504 return; 505 } 506 /* 507 * If jail's chroot directory is set to "/" we should be able to see 508 * all mount-points from inside a jail. 509 */ 510 if (strcmp(pr->pr_path, "/") == 0) 511 return; 512 len = strlen(pr->pr_path); 513 strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath)); 514 /* 515 * Clear current buffer data, so we are sure nothing from 516 * the valid path left there. 517 */ 518 bzero(sp->f_mntonname, sizeof(sp->f_mntonname)); 519 if (*jpath == '\0') { 520 /* Should never happen. */ 521 *sp->f_mntonname = '/'; 522 } else { 523 strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname)); 524 } 525} 526 527/* 528 * Check with permission for a specific privilege is granted within jail. We 529 * have a specific list of accepted privileges; the rest are denied. 530 */ 531int 532prison_priv_check(struct ucred *cred, int priv) 533{ 534 535 if (!jailed(cred)) 536 return (0); 537 538 switch (priv) { 539 540 /* 541 * Allow ktrace privileges for root in jail. 542 */ 543 case PRIV_KTRACE: 544 545#if 0 546 /* 547 * Allow jailed processes to configure audit identity and 548 * submit audit records (login, etc). In the future we may 549 * want to further refine the relationship between audit and 550 * jail. 551 */ 552 case PRIV_AUDIT_GETAUDIT: 553 case PRIV_AUDIT_SETAUDIT: 554 case PRIV_AUDIT_SUBMIT: 555#endif 556 557 /* 558 * Allow jailed processes to manipulate process UNIX 559 * credentials in any way they see fit. 560 */ 561 case PRIV_CRED_SETUID: 562 case PRIV_CRED_SETEUID: 563 case PRIV_CRED_SETGID: 564 case PRIV_CRED_SETEGID: 565 case PRIV_CRED_SETGROUPS: 566 case PRIV_CRED_SETREUID: 567 case PRIV_CRED_SETREGID: 568 case PRIV_CRED_SETRESUID: 569 case PRIV_CRED_SETRESGID: 570 571 /* 572 * Jail implements visibility constraints already, so allow 573 * jailed root to override uid/gid-based constraints. 574 */ 575 case PRIV_SEEOTHERGIDS: 576 case PRIV_SEEOTHERUIDS: 577 578 /* 579 * Jail implements inter-process debugging limits already, so 580 * allow jailed root various debugging privileges. 581 */ 582 case PRIV_DEBUG_DIFFCRED: 583 case PRIV_DEBUG_SUGID: 584 case PRIV_DEBUG_UNPRIV: 585 586 /* 587 * Allow jail to set various resource limits and login 588 * properties, and for now, exceed process resource limits. 589 */ 590 case PRIV_PROC_LIMIT: 591 case PRIV_PROC_SETLOGIN: 592 case PRIV_PROC_SETRLIMIT: 593 594 /* 595 * System V and POSIX IPC privileges are granted in jail. 596 */ 597 case PRIV_IPC_READ: 598 case PRIV_IPC_WRITE: 599 case PRIV_IPC_ADMIN: 600 case PRIV_IPC_MSGSIZE: 601 case PRIV_MQ_ADMIN: 602 603 /* 604 * Jail implements its own inter-process limits, so allow 605 * root processes in jail to change scheduling on other 606 * processes in the same jail. Likewise for signalling. 607 */ 608 case PRIV_SCHED_DIFFCRED: 609 case PRIV_SIGNAL_DIFFCRED: 610 case PRIV_SIGNAL_SUGID: 611 612 /* 613 * Allow jailed processes to write to sysctls marked as jail 614 * writable. 615 */ 616 case PRIV_SYSCTL_WRITEJAIL: 617 618 /* 619 * Allow root in jail to manage a variety of quota 620 * properties. These should likely be conditional on a 621 * configuration option. 622 */ 623 case PRIV_VFS_GETQUOTA: 624 case PRIV_VFS_SETQUOTA: 625 626 /* 627 * Since Jail relies on chroot() to implement file system 628 * protections, grant many VFS privileges to root in jail. 629 * Be careful to exclude mount-related and NFS-related 630 * privileges. 631 */ 632 case PRIV_VFS_READ: 633 case PRIV_VFS_WRITE: 634 case PRIV_VFS_ADMIN: 635 case PRIV_VFS_EXEC: 636 case PRIV_VFS_LOOKUP: 637 case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ 638 case PRIV_VFS_CHFLAGS_DEV: 639 case PRIV_VFS_CHOWN: 640 case PRIV_VFS_CHROOT: 641 case PRIV_VFS_RETAINSUGID: 642 case PRIV_VFS_FCHROOT: 643 case PRIV_VFS_LINK: 644 case PRIV_VFS_SETGID: 645 case PRIV_VFS_STICKYFILE: 646 return (0); 647 648 /* 649 * Depending on the global setting, allow privilege of 650 * setting system flags. 651 */ 652 case PRIV_VFS_SYSFLAGS: 653 if (jail_chflags_allowed) 654 return (0); 655 else 656 return (EPERM); 657 658 /* 659 * Allow jailed root to bind reserved ports. 660 */ 661 case PRIV_NETINET_RESERVEDPORT: 662 return (0); 663 664 /* 665 * Conditionally allow creating raw sockets in jail. 666 */ 667 case PRIV_NETINET_RAW: 668 if (jail_allow_raw_sockets) 669 return (0); 670 else 671 return (EPERM); 672 673 /* 674 * Since jail implements its own visibility limits on netstat 675 * sysctls, allow getcred. This allows identd to work in 676 * jail. 677 */ 678 case PRIV_NETINET_GETCRED: 679 return (0); 680 681 default: 682 /* 683 * In all remaining cases, deny the privilege request. This 684 * includes almost all network privileges, many system 685 * configuration privileges. 686 */ 687 return (EPERM); 688 } 689} 690 691static int 692sysctl_jail_list(SYSCTL_HANDLER_ARGS) 693{ 694 struct xprison *xp, *sxp; 695 struct prison *pr; 696 int count, error; 697 698 if (jailed(req->td->td_ucred)) 699 return (0); 700retry: 701 mtx_lock(&allprison_mtx); 702 count = prisoncount; 703 mtx_unlock(&allprison_mtx); 704 705 if (count == 0) 706 return (0); 707 708 sxp = xp = malloc(sizeof(*xp) * count, M_TEMP, M_WAITOK | M_ZERO); 709 mtx_lock(&allprison_mtx); 710 if (count != prisoncount) { 711 mtx_unlock(&allprison_mtx); 712 free(sxp, M_TEMP); 713 goto retry; 714 } 715 716 LIST_FOREACH(pr, &allprison, pr_list) { 717 mtx_lock(&pr->pr_mtx); 718 xp->pr_version = XPRISON_VERSION; 719 xp->pr_id = pr->pr_id; 720 strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path)); 721 strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host)); 722 xp->pr_ip = pr->pr_ip; 723 mtx_unlock(&pr->pr_mtx); 724 xp++; 725 } 726 mtx_unlock(&allprison_mtx); 727 728 error = SYSCTL_OUT(req, sxp, sizeof(*sxp) * count); 729 free(sxp, M_TEMP); 730 if (error) 731 return (error); 732 return (0); 733} 734 735SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD, 736 NULL, 0, sysctl_jail_list, "S", "List of active jails"); 737 738static int 739sysctl_jail_jailed(SYSCTL_HANDLER_ARGS) 740{ 741 int error, injail; 742 743 injail = jailed(req->td->td_ucred); 744 error = SYSCTL_OUT(req, &injail, sizeof(injail)); 745 746 return (error); 747} 748SYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD, 749 NULL, 0, sysctl_jail_jailed, "I", "Process in jail?"); 750