kern_jail.c revision 185029 
1/*-
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 */
9
10#include <sys/cdefs.h>
11__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 185029 2008-11-17 20:49:29Z pjd $");
12
13#include "opt_mac.h"
14
15#include <sys/param.h>
16#include <sys/types.h>
17#include <sys/kernel.h>
18#include <sys/systm.h>
19#include <sys/errno.h>
20#include <sys/sysproto.h>
21#include <sys/malloc.h>
22#include <sys/priv.h>
23#include <sys/proc.h>
24#include <sys/taskqueue.h>
25#include <sys/fcntl.h>
26#include <sys/jail.h>
27#include <sys/lock.h>
28#include <sys/mutex.h>
29#include <sys/sx.h>
30#include <sys/namei.h>
31#include <sys/mount.h>
32#include <sys/queue.h>
33#include <sys/socket.h>
34#include <sys/syscallsubr.h>
35#include <sys/sysctl.h>
36#include <sys/vnode.h>
37#include <sys/vimage.h>
38#include <sys/osd.h>
39#include <net/if.h>
40#include <netinet/in.h>
41
42#include <security/mac/mac_framework.h>
43
44MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
45
46SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
47    "Jail rules");
48
49int	jail_set_hostname_allowed = 1;
50SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
51    &jail_set_hostname_allowed, 0,
52    "Processes in jail can set their hostnames");
53
54int	jail_socket_unixiproute_only = 1;
55SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
56    &jail_socket_unixiproute_only, 0,
57    "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
58
59int	jail_sysvipc_allowed = 0;
60SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
61    &jail_sysvipc_allowed, 0,
62    "Processes in jail can use System V IPC primitives");
63
64static int jail_enforce_statfs = 2;
65SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
66    &jail_enforce_statfs, 0,
67    "Processes in jail cannot see all mounted file systems");
68
69int	jail_allow_raw_sockets = 0;
70SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
71    &jail_allow_raw_sockets, 0,
72    "Prison root can create raw sockets");
73
74int	jail_chflags_allowed = 0;
75SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
76    &jail_chflags_allowed, 0,
77    "Processes in jail can alter system file flags");
78
79int	jail_mount_allowed = 0;
80SYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW,
81    &jail_mount_allowed, 0,
82    "Processes in jail can mount/unmount jail-friendly file systems");
83
84/* allprison, lastprid, and prisoncount are protected by allprison_lock. */
85struct	prisonlist allprison;
86struct	sx allprison_lock;
87int	lastprid = 0;
88int	prisoncount = 0;
89
90static void		 init_prison(void *);
91static void		 prison_complete(void *context, int pending);
92static int		 sysctl_jail_list(SYSCTL_HANDLER_ARGS);
93
94static void
95init_prison(void *data __unused)
96{
97
98	sx_init(&allprison_lock, "allprison");
99	LIST_INIT(&allprison);
100}
101
102SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL);
103
104/*
105 * struct jail_args {
106 *	struct jail *jail;
107 * };
108 */
109int
110jail(struct thread *td, struct jail_args *uap)
111{
112	struct nameidata nd;
113	struct prison *pr, *tpr;
114	struct jail j;
115	struct jail_attach_args jaa;
116	int vfslocked, error, tryprid;
117
118	error = copyin(uap->jail, &j, sizeof(j));
119	if (error)
120		return (error);
121	if (j.version != 0)
122		return (EINVAL);
123
124	pr = malloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
125	mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF);
126	pr->pr_ref = 1;
127	error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0);
128	if (error)
129		goto e_killmtx;
130	NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE,
131	    pr->pr_path, td);
132	error = namei(&nd);
133	if (error)
134		goto e_killmtx;
135	vfslocked = NDHASGIANT(&nd);
136	pr->pr_root = nd.ni_vp;
137	VOP_UNLOCK(nd.ni_vp, 0);
138	NDFREE(&nd, NDF_ONLY_PNBUF);
139	VFS_UNLOCK_GIANT(vfslocked);
140	error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);
141	if (error)
142		goto e_dropvnref;
143	pr->pr_ip = j.ip_number;
144	pr->pr_linux = NULL;
145	pr->pr_securelevel = securelevel;
146	bzero(&pr->pr_osd, sizeof(pr->pr_osd));
147
148	/* Determine next pr_id and add prison to allprison list. */
149	sx_xlock(&allprison_lock);
150	tryprid = lastprid + 1;
151	if (tryprid == JAIL_MAX)
152		tryprid = 1;
153next:
154	LIST_FOREACH(tpr, &allprison, pr_list) {
155		if (tpr->pr_id == tryprid) {
156			tryprid++;
157			if (tryprid == JAIL_MAX) {
158				sx_xunlock(&allprison_lock);
159				error = EAGAIN;
160				goto e_dropvnref;
161			}
162			goto next;
163		}
164	}
165	pr->pr_id = jaa.jid = lastprid = tryprid;
166	LIST_INSERT_HEAD(&allprison, pr, pr_list);
167	prisoncount++;
168	sx_xunlock(&allprison_lock);
169
170	error = jail_attach(td, &jaa);
171	if (error)
172		goto e_dropprref;
173	mtx_lock(&pr->pr_mtx);
174	pr->pr_ref--;
175	mtx_unlock(&pr->pr_mtx);
176	td->td_retval[0] = jaa.jid;
177	return (0);
178e_dropprref:
179	sx_xlock(&allprison_lock);
180	LIST_REMOVE(pr, pr_list);
181	prisoncount--;
182	sx_xunlock(&allprison_lock);
183e_dropvnref:
184	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
185	vrele(pr->pr_root);
186	VFS_UNLOCK_GIANT(vfslocked);
187e_killmtx:
188	mtx_destroy(&pr->pr_mtx);
189	free(pr, M_PRISON);
190	return (error);
191}
192
193/*
194 * struct jail_attach_args {
195 *	int jid;
196 * };
197 */
198int
199jail_attach(struct thread *td, struct jail_attach_args *uap)
200{
201	struct proc *p;
202	struct ucred *newcred, *oldcred;
203	struct prison *pr;
204	int vfslocked, error;
205
206	/*
207	 * XXX: Note that there is a slight race here if two threads
208	 * in the same privileged process attempt to attach to two
209	 * different jails at the same time.  It is important for
210	 * user processes not to do this, or they might end up with
211	 * a process root from one prison, but attached to the jail
212	 * of another.
213	 */
214	error = priv_check(td, PRIV_JAIL_ATTACH);
215	if (error)
216		return (error);
217
218	p = td->td_proc;
219	sx_slock(&allprison_lock);
220	pr = prison_find(uap->jid);
221	if (pr == NULL) {
222		sx_sunlock(&allprison_lock);
223		return (EINVAL);
224	}
225	pr->pr_ref++;
226	mtx_unlock(&pr->pr_mtx);
227	sx_sunlock(&allprison_lock);
228
229	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
230	vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY);
231	if ((error = change_dir(pr->pr_root, td)) != 0)
232		goto e_unlock;
233#ifdef MAC
234	if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
235		goto e_unlock;
236#endif
237	VOP_UNLOCK(pr->pr_root, 0);
238	change_root(pr->pr_root, td);
239	VFS_UNLOCK_GIANT(vfslocked);
240
241	newcred = crget();
242	PROC_LOCK(p);
243	oldcred = p->p_ucred;
244	setsugid(p);
245	crcopy(newcred, oldcred);
246	newcred->cr_prison = pr;
247	p->p_ucred = newcred;
248	PROC_UNLOCK(p);
249	crfree(oldcred);
250	return (0);
251e_unlock:
252	VOP_UNLOCK(pr->pr_root, 0);
253	VFS_UNLOCK_GIANT(vfslocked);
254	mtx_lock(&pr->pr_mtx);
255	pr->pr_ref--;
256	mtx_unlock(&pr->pr_mtx);
257	return (error);
258}
259
260/*
261 * Returns a locked prison instance, or NULL on failure.
262 */
263struct prison *
264prison_find(int prid)
265{
266	struct prison *pr;
267
268	sx_assert(&allprison_lock, SX_LOCKED);
269	LIST_FOREACH(pr, &allprison, pr_list) {
270		if (pr->pr_id == prid) {
271			mtx_lock(&pr->pr_mtx);
272			if (pr->pr_ref == 0) {
273				mtx_unlock(&pr->pr_mtx);
274				break;
275			}
276			return (pr);
277		}
278	}
279	return (NULL);
280}
281
282void
283prison_free_locked(struct prison *pr)
284{
285
286	mtx_assert(&pr->pr_mtx, MA_OWNED);
287	pr->pr_ref--;
288	if (pr->pr_ref == 0) {
289		mtx_unlock(&pr->pr_mtx);
290		TASK_INIT(&pr->pr_task, 0, prison_complete, pr);
291		taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
292		return;
293	}
294	mtx_unlock(&pr->pr_mtx);
295}
296
297void
298prison_free(struct prison *pr)
299{
300
301	mtx_lock(&pr->pr_mtx);
302	prison_free_locked(pr);
303}
304
305static void
306prison_complete(void *context, int pending)
307{
308	struct prison *pr;
309	int vfslocked;
310
311	pr = (struct prison *)context;
312
313	sx_xlock(&allprison_lock);
314	LIST_REMOVE(pr, pr_list);
315	prisoncount--;
316	sx_xunlock(&allprison_lock);
317
318	/* Free all OSD associated to this jail. */
319	osd_jail_exit(pr);
320
321	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
322	vrele(pr->pr_root);
323	VFS_UNLOCK_GIANT(vfslocked);
324
325	mtx_destroy(&pr->pr_mtx);
326	if (pr->pr_linux != NULL)
327		free(pr->pr_linux, M_PRISON);
328	free(pr, M_PRISON);
329}
330
331void
332prison_hold_locked(struct prison *pr)
333{
334
335	mtx_assert(&pr->pr_mtx, MA_OWNED);
336	KASSERT(pr->pr_ref > 0,
337	    ("Trying to hold dead prison (id=%d).", pr->pr_id));
338	pr->pr_ref++;
339}
340
341void
342prison_hold(struct prison *pr)
343{
344
345	mtx_lock(&pr->pr_mtx);
346	prison_hold_locked(pr);
347	mtx_unlock(&pr->pr_mtx);
348}
349
350u_int32_t
351prison_getip(struct ucred *cred)
352{
353
354	return (cred->cr_prison->pr_ip);
355}
356
357int
358prison_ip(struct ucred *cred, int flag, u_int32_t *ip)
359{
360	u_int32_t tmp;
361
362	if (!jailed(cred))
363		return (0);
364	if (flag)
365		tmp = *ip;
366	else
367		tmp = ntohl(*ip);
368	if (tmp == INADDR_ANY) {
369		if (flag)
370			*ip = cred->cr_prison->pr_ip;
371		else
372			*ip = htonl(cred->cr_prison->pr_ip);
373		return (0);
374	}
375	if (tmp == INADDR_LOOPBACK) {
376		if (flag)
377			*ip = cred->cr_prison->pr_ip;
378		else
379			*ip = htonl(cred->cr_prison->pr_ip);
380		return (0);
381	}
382	if (cred->cr_prison->pr_ip != tmp)
383		return (1);
384	return (0);
385}
386
387void
388prison_remote_ip(struct ucred *cred, int flag, u_int32_t *ip)
389{
390	u_int32_t tmp;
391
392	if (!jailed(cred))
393		return;
394	if (flag)
395		tmp = *ip;
396	else
397		tmp = ntohl(*ip);
398	if (tmp == INADDR_LOOPBACK) {
399		if (flag)
400			*ip = cred->cr_prison->pr_ip;
401		else
402			*ip = htonl(cred->cr_prison->pr_ip);
403		return;
404	}
405	return;
406}
407
408int
409prison_if(struct ucred *cred, struct sockaddr *sa)
410{
411	struct sockaddr_in *sai;
412	int ok;
413
414	sai = (struct sockaddr_in *)sa;
415	if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
416		ok = 1;
417	else if (sai->sin_family != AF_INET)
418		ok = 0;
419	else if (cred->cr_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
420		ok = 1;
421	else
422		ok = 0;
423	return (ok);
424}
425
426/*
427 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
428 */
429int
430prison_check(struct ucred *cred1, struct ucred *cred2)
431{
432
433	if (jailed(cred1)) {
434		if (!jailed(cred2))
435			return (ESRCH);
436		if (cred2->cr_prison != cred1->cr_prison)
437			return (ESRCH);
438	}
439
440	return (0);
441}
442
443/*
444 * Return 1 if the passed credential is in a jail, otherwise 0.
445 */
446int
447jailed(struct ucred *cred)
448{
449
450	return (cred->cr_prison != NULL);
451}
452
453/*
454 * Return the correct hostname for the passed credential.
455 */
456void
457getcredhostname(struct ucred *cred, char *buf, size_t size)
458{
459	INIT_VPROCG(cred->cr_vimage->v_procg);
460
461	if (jailed(cred)) {
462		mtx_lock(&cred->cr_prison->pr_mtx);
463		strlcpy(buf, cred->cr_prison->pr_host, size);
464		mtx_unlock(&cred->cr_prison->pr_mtx);
465	} else {
466		mtx_lock(&hostname_mtx);
467		strlcpy(buf, V_hostname, size);
468		mtx_unlock(&hostname_mtx);
469	}
470}
471
472/*
473 * Determine whether the subject represented by cred can "see"
474 * status of a mount point.
475 * Returns: 0 for permitted, ENOENT otherwise.
476 * XXX: This function should be called cr_canseemount() and should be
477 *      placed in kern_prot.c.
478 */
479int
480prison_canseemount(struct ucred *cred, struct mount *mp)
481{
482	struct prison *pr;
483	struct statfs *sp;
484	size_t len;
485
486	if (!jailed(cred) || jail_enforce_statfs == 0)
487		return (0);
488	pr = cred->cr_prison;
489	if (pr->pr_root->v_mount == mp)
490		return (0);
491	if (jail_enforce_statfs == 2)
492		return (ENOENT);
493	/*
494	 * If jail's chroot directory is set to "/" we should be able to see
495	 * all mount-points from inside a jail.
496	 * This is ugly check, but this is the only situation when jail's
497	 * directory ends with '/'.
498	 */
499	if (strcmp(pr->pr_path, "/") == 0)
500		return (0);
501	len = strlen(pr->pr_path);
502	sp = &mp->mnt_stat;
503	if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0)
504		return (ENOENT);
505	/*
506	 * Be sure that we don't have situation where jail's root directory
507	 * is "/some/path" and mount point is "/some/pathpath".
508	 */
509	if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/')
510		return (ENOENT);
511	return (0);
512}
513
514void
515prison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp)
516{
517	char jpath[MAXPATHLEN];
518	struct prison *pr;
519	size_t len;
520
521	if (!jailed(cred) || jail_enforce_statfs == 0)
522		return;
523	pr = cred->cr_prison;
524	if (prison_canseemount(cred, mp) != 0) {
525		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
526		strlcpy(sp->f_mntonname, "[restricted]",
527		    sizeof(sp->f_mntonname));
528		return;
529	}
530	if (pr->pr_root->v_mount == mp) {
531		/*
532		 * Clear current buffer data, so we are sure nothing from
533		 * the valid path left there.
534		 */
535		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
536		*sp->f_mntonname = '/';
537		return;
538	}
539	/*
540	 * If jail's chroot directory is set to "/" we should be able to see
541	 * all mount-points from inside a jail.
542	 */
543	if (strcmp(pr->pr_path, "/") == 0)
544		return;
545	len = strlen(pr->pr_path);
546	strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath));
547	/*
548	 * Clear current buffer data, so we are sure nothing from
549	 * the valid path left there.
550	 */
551	bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
552	if (*jpath == '\0') {
553		/* Should never happen. */
554		*sp->f_mntonname = '/';
555	} else {
556		strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname));
557	}
558}
559
560/*
561 * Check with permission for a specific privilege is granted within jail.  We
562 * have a specific list of accepted privileges; the rest are denied.
563 */
564int
565prison_priv_check(struct ucred *cred, int priv)
566{
567
568	if (!jailed(cred))
569		return (0);
570
571	switch (priv) {
572
573		/*
574		 * Allow ktrace privileges for root in jail.
575		 */
576	case PRIV_KTRACE:
577
578#if 0
579		/*
580		 * Allow jailed processes to configure audit identity and
581		 * submit audit records (login, etc).  In the future we may
582		 * want to further refine the relationship between audit and
583		 * jail.
584		 */
585	case PRIV_AUDIT_GETAUDIT:
586	case PRIV_AUDIT_SETAUDIT:
587	case PRIV_AUDIT_SUBMIT:
588#endif
589
590		/*
591		 * Allow jailed processes to manipulate process UNIX
592		 * credentials in any way they see fit.
593		 */
594	case PRIV_CRED_SETUID:
595	case PRIV_CRED_SETEUID:
596	case PRIV_CRED_SETGID:
597	case PRIV_CRED_SETEGID:
598	case PRIV_CRED_SETGROUPS:
599	case PRIV_CRED_SETREUID:
600	case PRIV_CRED_SETREGID:
601	case PRIV_CRED_SETRESUID:
602	case PRIV_CRED_SETRESGID:
603
604		/*
605		 * Jail implements visibility constraints already, so allow
606		 * jailed root to override uid/gid-based constraints.
607		 */
608	case PRIV_SEEOTHERGIDS:
609	case PRIV_SEEOTHERUIDS:
610
611		/*
612		 * Jail implements inter-process debugging limits already, so
613		 * allow jailed root various debugging privileges.
614		 */
615	case PRIV_DEBUG_DIFFCRED:
616	case PRIV_DEBUG_SUGID:
617	case PRIV_DEBUG_UNPRIV:
618
619		/*
620		 * Allow jail to set various resource limits and login
621		 * properties, and for now, exceed process resource limits.
622		 */
623	case PRIV_PROC_LIMIT:
624	case PRIV_PROC_SETLOGIN:
625	case PRIV_PROC_SETRLIMIT:
626
627		/*
628		 * System V and POSIX IPC privileges are granted in jail.
629		 */
630	case PRIV_IPC_READ:
631	case PRIV_IPC_WRITE:
632	case PRIV_IPC_ADMIN:
633	case PRIV_IPC_MSGSIZE:
634	case PRIV_MQ_ADMIN:
635
636		/*
637		 * Jail implements its own inter-process limits, so allow
638		 * root processes in jail to change scheduling on other
639		 * processes in the same jail.  Likewise for signalling.
640		 */
641	case PRIV_SCHED_DIFFCRED:
642	case PRIV_SIGNAL_DIFFCRED:
643	case PRIV_SIGNAL_SUGID:
644
645		/*
646		 * Allow jailed processes to write to sysctls marked as jail
647		 * writable.
648		 */
649	case PRIV_SYSCTL_WRITEJAIL:
650
651		/*
652		 * Allow root in jail to manage a variety of quota
653		 * properties.  These should likely be conditional on a
654		 * configuration option.
655		 */
656	case PRIV_VFS_GETQUOTA:
657	case PRIV_VFS_SETQUOTA:
658
659		/*
660		 * Since Jail relies on chroot() to implement file system
661		 * protections, grant many VFS privileges to root in jail.
662		 * Be careful to exclude mount-related and NFS-related
663		 * privileges.
664		 */
665	case PRIV_VFS_READ:
666	case PRIV_VFS_WRITE:
667	case PRIV_VFS_ADMIN:
668	case PRIV_VFS_EXEC:
669	case PRIV_VFS_LOOKUP:
670	case PRIV_VFS_BLOCKRESERVE:	/* XXXRW: Slightly surprising. */
671	case PRIV_VFS_CHFLAGS_DEV:
672	case PRIV_VFS_CHOWN:
673	case PRIV_VFS_CHROOT:
674	case PRIV_VFS_RETAINSUGID:
675	case PRIV_VFS_FCHROOT:
676	case PRIV_VFS_LINK:
677	case PRIV_VFS_SETGID:
678	case PRIV_VFS_STAT:
679	case PRIV_VFS_STICKYFILE:
680		return (0);
681
682		/*
683		 * Depending on the global setting, allow privilege of
684		 * setting system flags.
685		 */
686	case PRIV_VFS_SYSFLAGS:
687		if (jail_chflags_allowed)
688			return (0);
689		else
690			return (EPERM);
691
692		/*
693		 * Depending on the global setting, allow privilege of
694		 * mounting/unmounting file systems.
695		 */
696	case PRIV_VFS_MOUNT:
697	case PRIV_VFS_UNMOUNT:
698	case PRIV_VFS_MOUNT_NONUSER:
699	case PRIV_VFS_MOUNT_OWNER:
700		if (jail_mount_allowed)
701			return (0);
702		else
703			return (EPERM);
704
705		/*
706		 * Allow jailed root to bind reserved ports and reuse in-use
707		 * ports.
708		 */
709	case PRIV_NETINET_RESERVEDPORT:
710	case PRIV_NETINET_REUSEPORT:
711		return (0);
712
713		/*
714		 * Allow jailed root to set certian IPv4/6 (option) headers.
715		 */
716	case PRIV_NETINET_SETHDROPTS:
717		return (0);
718
719		/*
720		 * Conditionally allow creating raw sockets in jail.
721		 */
722	case PRIV_NETINET_RAW:
723		if (jail_allow_raw_sockets)
724			return (0);
725		else
726			return (EPERM);
727
728		/*
729		 * Since jail implements its own visibility limits on netstat
730		 * sysctls, allow getcred.  This allows identd to work in
731		 * jail.
732		 */
733	case PRIV_NETINET_GETCRED:
734		return (0);
735
736	default:
737		/*
738		 * In all remaining cases, deny the privilege request.  This
739		 * includes almost all network privileges, many system
740		 * configuration privileges.
741		 */
742		return (EPERM);
743	}
744}
745
746static int
747sysctl_jail_list(SYSCTL_HANDLER_ARGS)
748{
749	struct xprison *xp, *sxp;
750	struct prison *pr;
751	int count, error;
752
753	if (jailed(req->td->td_ucred))
754		return (0);
755
756	sx_slock(&allprison_lock);
757	if ((count = prisoncount) == 0) {
758		sx_sunlock(&allprison_lock);
759		return (0);
760	}
761
762	sxp = xp = malloc(sizeof(*xp) * count, M_TEMP, M_WAITOK | M_ZERO);
763
764	LIST_FOREACH(pr, &allprison, pr_list) {
765		xp->pr_version = XPRISON_VERSION;
766		xp->pr_id = pr->pr_id;
767		xp->pr_ip = pr->pr_ip;
768		strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path));
769		mtx_lock(&pr->pr_mtx);
770		strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host));
771		mtx_unlock(&pr->pr_mtx);
772		xp++;
773	}
774	sx_sunlock(&allprison_lock);
775
776	error = SYSCTL_OUT(req, sxp, sizeof(*sxp) * count);
777	free(sxp, M_TEMP);
778	return (error);
779}
780
781SYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD,
782    NULL, 0, sysctl_jail_list, "S", "List of active jails");
783
784static int
785sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
786{
787	int error, injail;
788
789	injail = jailed(req->td->td_ucred);
790	error = SYSCTL_OUT(req, &injail, sizeof(injail));
791
792	return (error);
793}
794SYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD,
795    NULL, 0, sysctl_jail_jailed, "I", "Process in jail?");
796