sys/kern/kern_jail.c

139804Simp/*-
185435Sbz * Copyright (c) 1999 Poul-Henning Kamp.
185435Sbz * Copyright (c) 2008 Bjoern A. Zeeb.
185435Sbz * All rights reserved.
185404Sbz *
185404Sbz * Redistribution and use in source and binary forms, with or without
185404Sbz * modification, are permitted provided that the following conditions
185404Sbz * are met:
185404Sbz * 1. Redistributions of source code must retain the above copyright
185404Sbz *    notice, this list of conditions and the following disclaimer.
185404Sbz * 2. Redistributions in binary form must reproduce the above copyright
185404Sbz *    notice, this list of conditions and the following disclaimer in the
185404Sbz *    documentation and/or other materials provided with the distribution.
185404Sbz *
185404Sbz * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
185404Sbz * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
185404Sbz * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
185404Sbz * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
185404Sbz * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
185404Sbz * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
185404Sbz * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
185404Sbz * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
185404Sbz * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
185404Sbz * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
185404Sbz * SUCH DAMAGE.
46197Sphk */
46155Sphk
116182Sobrien#include <sys/cdefs.h>
116182Sobrien__FBSDID("$FreeBSD: head/sys/kern/kern_jail.c 185435 2008-11-29 14:32:14Z bz $");
116182Sobrien
185435Sbz#include "opt_ddb.h"
185435Sbz#include "opt_inet.h"
185435Sbz#include "opt_inet6.h"
131177Spjd#include "opt_mac.h"
131177Spjd
46155Sphk#include <sys/param.h>
46155Sphk#include <sys/types.h>
46155Sphk#include <sys/kernel.h>
46155Sphk#include <sys/systm.h>
46155Sphk#include <sys/errno.h>
46155Sphk#include <sys/sysproto.h>
46155Sphk#include <sys/malloc.h>
164032Srwatson#include <sys/priv.h>
46155Sphk#include <sys/proc.h>
124882Srwatson#include <sys/taskqueue.h>
177785Skib#include <sys/fcntl.h>
46155Sphk#include <sys/jail.h>
87275Srwatson#include <sys/lock.h>
87275Srwatson#include <sys/mutex.h>
168401Spjd#include <sys/sx.h>
113275Smike#include <sys/namei.h>
147185Spjd#include <sys/mount.h>
113275Smike#include <sys/queue.h>
46155Sphk#include <sys/socket.h>
113275Smike#include <sys/syscallsubr.h>
57163Srwatson#include <sys/sysctl.h>
113275Smike#include <sys/vnode.h>
181803Sbz#include <sys/vimage.h>
185029Spjd#include <sys/osd.h>
46155Sphk#include <net/if.h>
46155Sphk#include <netinet/in.h>
185435Sbz#ifdef DDB
185435Sbz#include <ddb/ddb.h>
185435Sbz#ifdef INET6
185435Sbz#include <netinet6/in6_var.h>
185435Sbz#endif /* INET6 */
185435Sbz#endif /* DDB */
46155Sphk
163606Srwatson#include <security/mac/mac_framework.h>
163606Srwatson
46155SphkMALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
46155Sphk
89414SarrSYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
57163Srwatson    "Jail rules");
57163Srwatson
57163Srwatsonint	jail_set_hostname_allowed = 1;
89414SarrSYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
57163Srwatson    &jail_set_hostname_allowed, 0,
57163Srwatson    "Processes in jail can set their hostnames");
57163Srwatson
61235Srwatsonint	jail_socket_unixiproute_only = 1;
89414SarrSYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
61235Srwatson    &jail_socket_unixiproute_only, 0,
185435Sbz    "Processes in jail are limited to creating UNIX/IP/route sockets only");
61235Srwatson
68024Srwatsonint	jail_sysvipc_allowed = 0;
89414SarrSYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
68024Srwatson    &jail_sysvipc_allowed, 0,
68024Srwatson    "Processes in jail can use System V IPC primitives");
68024Srwatson
147185Spjdstatic int jail_enforce_statfs = 2;
147185SpjdSYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
147185Spjd    &jail_enforce_statfs, 0,
147185Spjd    "Processes in jail cannot see all mounted file systems");
125804Srwatson
128664Sbmilekicint	jail_allow_raw_sockets = 0;
128664SbmilekicSYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
128664Sbmilekic    &jail_allow_raw_sockets, 0,
128664Sbmilekic    "Prison root can create raw sockets");
128664Sbmilekic
141543Scpercivaint	jail_chflags_allowed = 0;
141543ScpercivaSYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
141543Scperciva    &jail_chflags_allowed, 0,
141543Scperciva    "Processes in jail can alter system file flags");
141543Scperciva
168396Spjdint	jail_mount_allowed = 0;
168396SpjdSYSCTL_INT(_security_jail, OID_AUTO, mount_allowed, CTLFLAG_RW,
168396Spjd    &jail_mount_allowed, 0,
168396Spjd    "Processes in jail can mount/unmount jail-friendly file systems");
168396Spjd
185435Sbzint	jail_max_af_ips = 255;
185435SbzSYSCTL_INT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
185435Sbz    &jail_max_af_ips, 0,
185435Sbz    "Number of IP addresses a jail may have at most per address family");
185435Sbz
179881Sdelphij/* allprison, lastprid, and prisoncount are protected by allprison_lock. */
179881Sdelphijstruct	prisonlist allprison;
168401Spjdstruct	sx allprison_lock;
179881Sdelphijint	lastprid = 0;
113275Smikeint	prisoncount = 0;
113275Smike
113275Smikestatic void		 init_prison(void *);
124882Srwatsonstatic void		 prison_complete(void *context, int pending);
113275Smikestatic int		 sysctl_jail_list(SYSCTL_HANDLER_ARGS);
185435Sbz#ifdef INET
185435Sbzstatic int		_prison_check_ip4(struct prison *, struct in_addr *);
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbzstatic int		_prison_check_ip6(struct prison *, struct in6_addr *);
185435Sbz#endif
113275Smike
113275Smikestatic void
113275Smikeinit_prison(void *data __unused)
113275Smike{
113275Smike
179881Sdelphij	sx_init(&allprison_lock, "allprison");
179881Sdelphij	LIST_INIT(&allprison);
113275Smike}
113275Smike
113275SmikeSYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL);
113275Smike
185435Sbz#ifdef INET
185435Sbzstatic int
185435Sbzqcmp_v4(const void *ip1, const void *ip2)
185435Sbz{
185435Sbz	in_addr_t iaa, iab;
185435Sbz
185435Sbz	/*
185435Sbz	 * We need to compare in HBO here to get the list sorted as expected
185435Sbz	 * by the result of the code.  Sorting NBO addresses gives you
185435Sbz	 * interesting results.  If you do not understand, do not try.
185435Sbz	 */
185435Sbz	iaa = ntohl(((const struct in_addr *)ip1)->s_addr);
185435Sbz	iab = ntohl(((const struct in_addr *)ip2)->s_addr);
185435Sbz
185435Sbz	/*
185435Sbz	 * Do not simply return the difference of the two numbers, the int is
185435Sbz	 * not wide enough.
185435Sbz	 */
185435Sbz	if (iaa > iab)
185435Sbz		return (1);
185435Sbz	else if (iaa < iab)
185435Sbz		return (-1);
185435Sbz	else
185435Sbz		return (0);
185435Sbz}
185435Sbz#endif
185435Sbz
185435Sbz#ifdef INET6
185435Sbzstatic int
185435Sbzqcmp_v6(const void *ip1, const void *ip2)
185435Sbz{
185435Sbz	const struct in6_addr *ia6a, *ia6b;
185435Sbz	int i, rc;
185435Sbz
185435Sbz	ia6a = (const struct in6_addr *)ip1;
185435Sbz	ia6b = (const struct in6_addr *)ip2;
185435Sbz
185435Sbz	rc = 0;
185435Sbz	for (i=0; rc == 0 && i < sizeof(struct in6_addr); i++) {
185435Sbz		if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
185435Sbz			rc = 1;
185435Sbz		else if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
185435Sbz			rc = -1;
185435Sbz	}
185435Sbz	return (rc);
185435Sbz}
185435Sbz#endif
185435Sbz
185435Sbz#if defined(INET) || defined(INET6)
185435Sbzstatic int
185435Sbzprison_check_conflicting_ips(struct prison *p)
185435Sbz{
185435Sbz	struct prison *pr;
185435Sbz	int i;
185435Sbz
185435Sbz	sx_assert(&allprison_lock, SX_LOCKED);
185435Sbz
185435Sbz	if (p->pr_ip4s == 0 && p->pr_ip6s == 0)
185435Sbz		return (0);
185435Sbz
185435Sbz	LIST_FOREACH(pr, &allprison, pr_list) {
185435Sbz		/*
185435Sbz		 * Skip 'dying' prisons to avoid problems when
185435Sbz		 * restarting multi-IP jails.
185435Sbz		 */
185435Sbz		if (pr->pr_state == PRISON_STATE_DYING)
185435Sbz			continue;
185435Sbz
185435Sbz		/*
185435Sbz		 * We permit conflicting IPs if there is no
185435Sbz		 * more than 1 IP on eeach jail.
185435Sbz		 * In case there is one duplicate on a jail with
185435Sbz		 * more than one IP stop checking and return error.
185435Sbz		 */
185435Sbz#ifdef INET
185435Sbz		if ((p->pr_ip4s >= 1 && pr->pr_ip4s > 1) ||
185435Sbz		    (p->pr_ip4s > 1 && pr->pr_ip4s >= 1)) {
185435Sbz			for (i = 0; i < p->pr_ip4s; i++) {
185435Sbz				if (_prison_check_ip4(pr, &p->pr_ip4[i]))
185435Sbz					return (EINVAL);
185435Sbz			}
185435Sbz		}
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		if ((p->pr_ip6s >= 1 && pr->pr_ip6s > 1) ||
185435Sbz		    (p->pr_ip6s > 1 && pr->pr_ip6s >= 1)) {
185435Sbz			for (i = 0; i < p->pr_ip6s; i++) {
185435Sbz				if (_prison_check_ip6(pr, &p->pr_ip6[i]))
185435Sbz					return (EINVAL);
185435Sbz			}
185435Sbz		}
185435Sbz#endif
185435Sbz	}
185435Sbz
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbzstatic int
185435Sbzjail_copyin_ips(struct jail *j)
185435Sbz{
185435Sbz#ifdef INET
185435Sbz	struct in_addr  *ip4;
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	struct in6_addr *ip6;
185435Sbz#endif
185435Sbz	int error, i;
185435Sbz
185435Sbz	/*
185435Sbz	 * Copy in addresses, check for duplicate addresses and do some
185435Sbz	 * simple 0 and broadcast checks. If users give other bogus addresses
185435Sbz	 * it is their problem.
185435Sbz	 *
185435Sbz	 * IP addresses are all sorted but ip[0] to preserve the primary IP
185435Sbz	 * address as given from userland.  This special IP is used for
185435Sbz	 * unbound outgoing connections as well for "loopback" traffic.
185435Sbz	 */
185435Sbz#ifdef INET
185435Sbz	ip4 = NULL;
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	ip6 = NULL;
185435Sbz#endif
185435Sbz#ifdef INET
185435Sbz	if (j->ip4s > 0) {
185435Sbz		ip4 = (struct in_addr *)malloc(j->ip4s * sizeof(struct in_addr),
185435Sbz		    M_PRISON, M_WAITOK | M_ZERO);
185435Sbz		error = copyin(j->ip4, ip4, j->ip4s * sizeof(struct in_addr));
185435Sbz		if (error)
185435Sbz			goto e_free_ip;
185435Sbz		/* Sort all but the first IPv4 address. */
185435Sbz		if (j->ip4s > 1)
185435Sbz			qsort((ip4 + 1), j->ip4s - 1,
185435Sbz			    sizeof(struct in_addr), qcmp_v4);
185435Sbz
185435Sbz		/*
185435Sbz		 * We do not have to care about byte order for these checks
185435Sbz		 * so we will do them in NBO.
185435Sbz		 */
185435Sbz		for (i=0; i<j->ip4s; i++) {
185435Sbz			if (ip4[i].s_addr == htonl(INADDR_ANY) ||
185435Sbz			    ip4[i].s_addr == htonl(INADDR_BROADCAST)) {
185435Sbz				error = EINVAL;
185435Sbz				goto e_free_ip;
185435Sbz			}
185435Sbz			if ((i+1) < j->ip4s &&
185435Sbz			    (ip4[0].s_addr == ip4[i+1].s_addr ||
185435Sbz			    ip4[i].s_addr == ip4[i+1].s_addr)) {
185435Sbz				error = EINVAL;
185435Sbz				goto e_free_ip;
185435Sbz			}
185435Sbz		}
185435Sbz
185435Sbz		j->ip4 = ip4;
185435Sbz	}
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	if (j->ip6s > 0) {
185435Sbz		ip6 = (struct in6_addr *)malloc(j->ip6s * sizeof(struct in6_addr),
185435Sbz		    M_PRISON, M_WAITOK | M_ZERO);
185435Sbz		error = copyin(j->ip6, ip6, j->ip6s * sizeof(struct in6_addr));
185435Sbz		if (error)
185435Sbz			goto e_free_ip;
185435Sbz		/* Sort all but the first IPv6 address. */
185435Sbz		if (j->ip6s > 1)
185435Sbz			qsort((ip6 + 1), j->ip6s - 1,
185435Sbz			    sizeof(struct in6_addr), qcmp_v6);
185435Sbz		for (i=0; i<j->ip6s; i++) {
185435Sbz			if (IN6_IS_ADDR_UNSPECIFIED(&ip6[i])) {
185435Sbz				error = EINVAL;
185435Sbz				goto e_free_ip;
185435Sbz			}
185435Sbz			if ((i+1) < j->ip6s &&
185435Sbz			    (IN6_ARE_ADDR_EQUAL(&ip6[0], &ip6[i+1]) ||
185435Sbz			    IN6_ARE_ADDR_EQUAL(&ip6[i], &ip6[i+1]))) {
185435Sbz				error = EINVAL;
185435Sbz				goto e_free_ip;
185435Sbz			}
185435Sbz		}
185435Sbz
185435Sbz		j->ip6 = ip6;
185435Sbz	}
185435Sbz#endif
185435Sbz	return (0);
185435Sbz
185435Sbze_free_ip:
185435Sbz#ifdef INET6
185435Sbz	free(ip6, M_PRISON);
185435Sbz#endif
185435Sbz#ifdef INET
185435Sbz	free(ip4, M_PRISON);
185435Sbz#endif
185435Sbz	return (error);
185435Sbz}
185435Sbz#endif /* INET || INET6 */
185435Sbz
185435Sbzstatic int
185435Sbzjail_handle_ips(struct jail *j)
185435Sbz{
185435Sbz#if defined(INET) || defined(INET6)
185435Sbz	int error;
185435Sbz#endif
185435Sbz
185435Sbz	/*
185435Sbz	 * Finish conversion for older versions, copyin and setup IPs.
185435Sbz	 */
185435Sbz	switch (j->version) {
185435Sbz	case 0:
185435Sbz	{
185435Sbz#ifdef INET
185435Sbz		/* FreeBSD single IPv4 jails. */
185435Sbz		struct in_addr *ip4;
185435Sbz
185435Sbz		if (j->ip4s == INADDR_ANY || j->ip4s == INADDR_BROADCAST)
185435Sbz			return (EINVAL);
185435Sbz		ip4 = (struct in_addr *)malloc(sizeof(struct in_addr),
185435Sbz		    M_PRISON, M_WAITOK | M_ZERO);
185435Sbz
185435Sbz		/*
185435Sbz		 * Jail version 0 still used HBO for the IPv4 address.
185435Sbz		 */
185435Sbz		ip4->s_addr = htonl(j->ip4s);
185435Sbz		j->ip4s = 1;
185435Sbz		j->ip4 = ip4;
185435Sbz		break;
185435Sbz#else
185435Sbz		return (EINVAL);
185435Sbz#endif
185435Sbz	}
185435Sbz
185435Sbz	case 1:
185435Sbz		/*
185435Sbz		 * Version 1 was used by multi-IPv4 jail implementations
185435Sbz		 * that never made it into the official kernel.
185435Sbz		 * We should never hit this here; jail() should catch it.
185435Sbz		 */
185435Sbz		return (EINVAL);
185435Sbz
185435Sbz	case 2:	/* JAIL_API_VERSION */
185435Sbz		/* FreeBSD multi-IPv4/IPv6,noIP jails. */
185435Sbz#if defined(INET) || defined(INET6)
185435Sbz#ifdef INET
185435Sbz		if (j->ip4s > jail_max_af_ips)
185435Sbz			return (EINVAL);
185435Sbz#else
185435Sbz		if (j->ip4s != 0)
185435Sbz			return (EINVAL);
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		if (j->ip6s > jail_max_af_ips)
185435Sbz			return (EINVAL);
185435Sbz#else
185435Sbz		if (j->ip6s != 0)
185435Sbz			return (EINVAL);
185435Sbz#endif
185435Sbz		error = jail_copyin_ips(j);
185435Sbz		if (error)
185435Sbz			return (error);
185435Sbz#endif
185435Sbz		break;
185435Sbz
185435Sbz	default:
185435Sbz		/* Sci-Fi jails are not supported, sorry. */
185435Sbz		return (EINVAL);
185435Sbz	}
185435Sbz
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbz
82710Sdillon/*
114168Smike * struct jail_args {
114168Smike *	struct jail *jail;
114168Smike * };
82710Sdillon */
46155Sphkint
114168Smikejail(struct thread *td, struct jail_args *uap)
46155Sphk{
185435Sbz	uint32_t version;
185435Sbz	int error;
185435Sbz	struct jail j;
185435Sbz
185435Sbz	error = copyin(uap->jail, &version, sizeof(uint32_t));
185435Sbz	if (error)
185435Sbz		return (error);
185435Sbz
185435Sbz	switch (version) {
185435Sbz	case 0:
185435Sbz		/* FreeBSD single IPv4 jails. */
185435Sbz	{
185435Sbz		struct jail_v0 j0;
185435Sbz
185435Sbz		bzero(&j, sizeof(struct jail));
185435Sbz		error = copyin(uap->jail, &j0, sizeof(struct jail_v0));
185435Sbz		if (error)
185435Sbz			return (error);
185435Sbz		j.version = j0.version;
185435Sbz		j.path = j0.path;
185435Sbz		j.hostname = j0.hostname;
185435Sbz		j.ip4s = j0.ip_number;
185435Sbz		break;
185435Sbz	}
185435Sbz
185435Sbz	case 1:
185435Sbz		/*
185435Sbz		 * Version 1 was used by multi-IPv4 jail implementations
185435Sbz		 * that never made it into the official kernel.
185435Sbz		 */
185435Sbz		return (EINVAL);
185435Sbz
185435Sbz	case 2:	/* JAIL_API_VERSION */
185435Sbz		/* FreeBSD multi-IPv4/IPv6,noIP jails. */
185435Sbz		error = copyin(uap->jail, &j, sizeof(struct jail));
185435Sbz		if (error)
185435Sbz			return (error);
185435Sbz		break;
185435Sbz
185435Sbz	default:
185435Sbz		/* Sci-Fi jails are not supported, sorry. */
185435Sbz		return (EINVAL);
185435Sbz	}
185435Sbz	return (kern_jail(td, &j));
185435Sbz}
185435Sbz
185435Sbzint
185435Sbzkern_jail(struct thread *td, struct jail *j)
185435Sbz{
113275Smike	struct nameidata nd;
179881Sdelphij	struct prison *pr, *tpr;
113275Smike	struct jail_attach_args jaa;
179881Sdelphij	int vfslocked, error, tryprid;
46155Sphk
185435Sbz	KASSERT(j != NULL, ("%s: j is NULL", __func__));
185435Sbz
185435Sbz	/* Handle addresses - convert old structs, copyin, check IPs. */
185435Sbz	error = jail_handle_ips(j);
46155Sphk	if (error)
84828Sjhb		return (error);
84828Sjhb
185435Sbz	/* Allocate struct prison and fill it with life. */
184205Sdes	pr = malloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
93818Sjhb	mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF);
113275Smike	pr->pr_ref = 1;
185435Sbz	error = copyinstr(j->path, &pr->pr_path, sizeof(pr->pr_path), NULL);
113275Smike	if (error)
113275Smike		goto e_killmtx;
150652Scsjp	NDINIT(&nd, LOOKUP, MPSAFE | FOLLOW | LOCKLEAF, UIO_SYSSPACE,
150652Scsjp	    pr->pr_path, td);
113275Smike	error = namei(&nd);
150652Scsjp	if (error)
113275Smike		goto e_killmtx;
150652Scsjp	vfslocked = NDHASGIANT(&nd);
113275Smike	pr->pr_root = nd.ni_vp;
175294Sattilio	VOP_UNLOCK(nd.ni_vp, 0);
113275Smike	NDFREE(&nd, NDF_ONLY_PNBUF);
150652Scsjp	VFS_UNLOCK_GIANT(vfslocked);
185435Sbz	error = copyinstr(j->hostname, &pr->pr_host, sizeof(pr->pr_host), NULL);
84828Sjhb	if (error)
113275Smike		goto e_dropvnref;
185435Sbz	if (j->jailname != NULL) {
185435Sbz		error = copyinstr(j->jailname, &pr->pr_name,
185435Sbz		    sizeof(pr->pr_name), NULL);
185435Sbz		if (error)
185435Sbz			goto e_dropvnref;
185435Sbz	}
185435Sbz	if (j->ip4s > 0) {
185435Sbz		pr->pr_ip4 = j->ip4;
185435Sbz		pr->pr_ip4s = j->ip4s;
185435Sbz	}
185435Sbz#ifdef INET6
185435Sbz	if (j->ip6s > 0) {
185435Sbz		pr->pr_ip6 = j->ip6;
185435Sbz		pr->pr_ip6s = j->ip6s;
185435Sbz	}
185435Sbz#endif
113275Smike	pr->pr_linux = NULL;
113275Smike	pr->pr_securelevel = securelevel;
185029Spjd	bzero(&pr->pr_osd, sizeof(pr->pr_osd));
113275Smike
185435Sbz	/*
185435Sbz	 * Pre-set prison state to ALIVE upon cration.  This is needed so we
185435Sbz	 * can later attach the process to it, etc (avoiding another extra
185435Sbz	 * state for ther process of creation, complicating things).
185435Sbz	 */
185435Sbz	pr->pr_state = PRISON_STATE_ALIVE;
185435Sbz
185435Sbz	/* Allocate a dedicated cpuset for each jail. */
185435Sbz	error = cpuset_create_root(td, &pr->pr_cpuset);
185435Sbz	if (error)
185435Sbz		goto e_dropvnref;
185435Sbz
185435Sbz	sx_xlock(&allprison_lock);
185435Sbz	/* Make sure we cannot run into problems with ambiguous bind()ings. */
185435Sbz	error = prison_check_conflicting_ips(pr);
185435Sbz	if (error) {
185435Sbz		sx_xunlock(&allprison_lock);
185435Sbz		goto e_dropcpuset;
185435Sbz	}
185435Sbz
179881Sdelphij	/* Determine next pr_id and add prison to allprison list. */
179881Sdelphij	tryprid = lastprid + 1;
179881Sdelphij	if (tryprid == JAIL_MAX)
179881Sdelphij		tryprid = 1;
179881Sdelphijnext:
179881Sdelphij	LIST_FOREACH(tpr, &allprison, pr_list) {
179881Sdelphij		if (tpr->pr_id == tryprid) {
179881Sdelphij			tryprid++;
179881Sdelphij			if (tryprid == JAIL_MAX) {
179881Sdelphij				sx_xunlock(&allprison_lock);
179881Sdelphij				error = EAGAIN;
185435Sbz				goto e_dropcpuset;
179881Sdelphij			}
179881Sdelphij			goto next;
179881Sdelphij		}
179881Sdelphij	}
179881Sdelphij	pr->pr_id = jaa.jid = lastprid = tryprid;
113275Smike	LIST_INSERT_HEAD(&allprison, pr, pr_list);
113275Smike	prisoncount++;
185029Spjd	sx_xunlock(&allprison_lock);
113275Smike
113275Smike	error = jail_attach(td, &jaa);
113275Smike	if (error)
113275Smike		goto e_dropprref;
113275Smike	mtx_lock(&pr->pr_mtx);
113275Smike	pr->pr_ref--;
113275Smike	mtx_unlock(&pr->pr_mtx);
113275Smike	td->td_retval[0] = jaa.jid;
113275Smike	return (0);
113275Smikee_dropprref:
168401Spjd	sx_xlock(&allprison_lock);
113275Smike	LIST_REMOVE(pr, pr_list);
113275Smike	prisoncount--;
185029Spjd	sx_xunlock(&allprison_lock);
185435Sbze_dropcpuset:
185435Sbz	cpuset_rel(pr->pr_cpuset);
113275Smikee_dropvnref:
150652Scsjp	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
113275Smike	vrele(pr->pr_root);
150652Scsjp	VFS_UNLOCK_GIANT(vfslocked);
113275Smikee_killmtx:
113275Smike	mtx_destroy(&pr->pr_mtx);
184205Sdes	free(pr, M_PRISON);
185435Sbz#ifdef INET6
185435Sbz	free(j->ip6, M_PRISON);
185435Sbz#endif
185435Sbz#ifdef INET
185435Sbz	free(j->ip4, M_PRISON);
185435Sbz#endif
113275Smike	return (error);
113275Smike}
113275Smike
113275Smike/*
114168Smike * struct jail_attach_args {
114168Smike *	int jid;
114168Smike * };
113275Smike */
113275Smikeint
114168Smikejail_attach(struct thread *td, struct jail_attach_args *uap)
113275Smike{
113275Smike	struct proc *p;
113275Smike	struct ucred *newcred, *oldcred;
113275Smike	struct prison *pr;
150652Scsjp	int vfslocked, error;
167309Spjd
126023Snectar	/*
126023Snectar	 * XXX: Note that there is a slight race here if two threads
126023Snectar	 * in the same privileged process attempt to attach to two
126023Snectar	 * different jails at the same time.  It is important for
126023Snectar	 * user processes not to do this, or they might end up with
126023Snectar	 * a process root from one prison, but attached to the jail
126023Snectar	 * of another.
126023Snectar	 */
164032Srwatson	error = priv_check(td, PRIV_JAIL_ATTACH);
126023Snectar	if (error)
126023Snectar		return (error);
126023Snectar
113275Smike	p = td->td_proc;
168401Spjd	sx_slock(&allprison_lock);
113275Smike	pr = prison_find(uap->jid);
113275Smike	if (pr == NULL) {
168401Spjd		sx_sunlock(&allprison_lock);
113275Smike		return (EINVAL);
113275Smike	}
185435Sbz
185435Sbz	/*
185435Sbz	 * Do not allow a process to attach to a prison that is not
185435Sbz	 * considered to be "ALIVE".
185435Sbz	 */
185435Sbz	if (pr->pr_state != PRISON_STATE_ALIVE) {
185435Sbz		mtx_unlock(&pr->pr_mtx);
185435Sbz		sx_sunlock(&allprison_lock);
185435Sbz		return (EINVAL);
185435Sbz	}
113275Smike	pr->pr_ref++;
113275Smike	mtx_unlock(&pr->pr_mtx);
168401Spjd	sx_sunlock(&allprison_lock);
113275Smike
185435Sbz	/*
185435Sbz	 * Reparent the newly attached process to this jail.
185435Sbz	 */
185435Sbz	error = cpuset_setproc_update_set(p, pr->pr_cpuset);
185435Sbz	if (error)
185435Sbz		goto e_unref;
185435Sbz
150652Scsjp	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
175202Sattilio	vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY);
113275Smike	if ((error = change_dir(pr->pr_root, td)) != 0)
113275Smike		goto e_unlock;
113275Smike#ifdef MAC
172930Srwatson	if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
113275Smike		goto e_unlock;
113275Smike#endif
175294Sattilio	VOP_UNLOCK(pr->pr_root, 0);
113275Smike	change_root(pr->pr_root, td);
150652Scsjp	VFS_UNLOCK_GIANT(vfslocked);
113275Smike
84828Sjhb	newcred = crget();
84828Sjhb	PROC_LOCK(p);
84828Sjhb	oldcred = p->p_ucred;
113275Smike	setsugid(p);
84828Sjhb	crcopy(newcred, oldcred);
113630Sjhb	newcred->cr_prison = pr;
84828Sjhb	p->p_ucred = newcred;
185435Sbz	prison_proc_hold(pr);
84828Sjhb	PROC_UNLOCK(p);
84828Sjhb	crfree(oldcred);
46155Sphk	return (0);
113275Smikee_unlock:
175294Sattilio	VOP_UNLOCK(pr->pr_root, 0);
150652Scsjp	VFS_UNLOCK_GIANT(vfslocked);
185435Sbze_unref:
113275Smike	mtx_lock(&pr->pr_mtx);
113275Smike	pr->pr_ref--;
113275Smike	mtx_unlock(&pr->pr_mtx);
46155Sphk	return (error);
46155Sphk}
46155Sphk
113275Smike/*
113275Smike * Returns a locked prison instance, or NULL on failure.
113275Smike */
168399Spjdstruct prison *
113275Smikeprison_find(int prid)
113275Smike{
113275Smike	struct prison *pr;
113275Smike
168401Spjd	sx_assert(&allprison_lock, SX_LOCKED);
113275Smike	LIST_FOREACH(pr, &allprison, pr_list) {
113275Smike		if (pr->pr_id == prid) {
113275Smike			mtx_lock(&pr->pr_mtx);
168489Spjd			if (pr->pr_ref == 0) {
168489Spjd				mtx_unlock(&pr->pr_mtx);
168489Spjd				break;
168489Spjd			}
113275Smike			return (pr);
113275Smike		}
113275Smike	}
113275Smike	return (NULL);
113275Smike}
113275Smike
72786Srwatsonvoid
185029Spjdprison_free_locked(struct prison *pr)
72786Srwatson{
72786Srwatson
185029Spjd	mtx_assert(&pr->pr_mtx, MA_OWNED);
72786Srwatson	pr->pr_ref--;
72786Srwatson	if (pr->pr_ref == 0) {
168483Spjd		mtx_unlock(&pr->pr_mtx);
124882Srwatson		TASK_INIT(&pr->pr_task, 0, prison_complete, pr);
144660Sjeff		taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
87275Srwatson		return;
72786Srwatson	}
87275Srwatson	mtx_unlock(&pr->pr_mtx);
72786Srwatson}
72786Srwatson
185029Spjdvoid
185029Spjdprison_free(struct prison *pr)
185029Spjd{
185029Spjd
185029Spjd	mtx_lock(&pr->pr_mtx);
185029Spjd	prison_free_locked(pr);
185029Spjd}
185029Spjd
124882Srwatsonstatic void
124882Srwatsonprison_complete(void *context, int pending)
124882Srwatson{
124882Srwatson	struct prison *pr;
150652Scsjp	int vfslocked;
124882Srwatson
124882Srwatson	pr = (struct prison *)context;
124882Srwatson
168489Spjd	sx_xlock(&allprison_lock);
168489Spjd	LIST_REMOVE(pr, pr_list);
168489Spjd	prisoncount--;
185029Spjd	sx_xunlock(&allprison_lock);
168489Spjd
185435Sbz	cpuset_rel(pr->pr_cpuset);
185435Sbz
185029Spjd	/* Free all OSD associated to this jail. */
185029Spjd	osd_jail_exit(pr);
185029Spjd
150652Scsjp	vfslocked = VFS_LOCK_GIANT(pr->pr_root->v_mount);
124882Srwatson	vrele(pr->pr_root);
150652Scsjp	VFS_UNLOCK_GIANT(vfslocked);
124882Srwatson
124882Srwatson	mtx_destroy(&pr->pr_mtx);
185435Sbz	free(pr->pr_linux, M_PRISON);
185435Sbz#ifdef INET6
185435Sbz	free(pr->pr_ip6, M_PRISON);
185435Sbz#endif
185435Sbz#ifdef INET
185435Sbz	free(pr->pr_ip4, M_PRISON);
185435Sbz#endif
184205Sdes	free(pr, M_PRISON);
124882Srwatson}
124882Srwatson
72786Srwatsonvoid
185029Spjdprison_hold_locked(struct prison *pr)
72786Srwatson{
72786Srwatson
185029Spjd	mtx_assert(&pr->pr_mtx, MA_OWNED);
168489Spjd	KASSERT(pr->pr_ref > 0,
168489Spjd	    ("Trying to hold dead prison (id=%d).", pr->pr_id));
72786Srwatson	pr->pr_ref++;
185029Spjd}
185029Spjd
185029Spjdvoid
185029Spjdprison_hold(struct prison *pr)
185029Spjd{
185029Spjd
185029Spjd	mtx_lock(&pr->pr_mtx);
185029Spjd	prison_hold_locked(pr);
87275Srwatson	mtx_unlock(&pr->pr_mtx);
72786Srwatson}
72786Srwatson
185435Sbzvoid
185435Sbzprison_proc_hold(struct prison *pr)
87275Srwatson{
87275Srwatson
185435Sbz	mtx_lock(&pr->pr_mtx);
185435Sbz	KASSERT(pr->pr_state == PRISON_STATE_ALIVE,
185435Sbz	    ("Cannot add a process to a non-alive prison (id=%d).", pr->pr_id));
185435Sbz	pr->pr_nprocs++;
185435Sbz	mtx_unlock(&pr->pr_mtx);
87275Srwatson}
87275Srwatson
185435Sbzvoid
185435Sbzprison_proc_free(struct prison *pr)
185435Sbz{
185435Sbz
185435Sbz	mtx_lock(&pr->pr_mtx);
185435Sbz	KASSERT(pr->pr_state == PRISON_STATE_ALIVE && pr->pr_nprocs > 0,
185435Sbz	    ("Trying to kill a process in a dead prison (id=%d).", pr->pr_id));
185435Sbz	pr->pr_nprocs--;
185435Sbz	if (pr->pr_nprocs == 0)
185435Sbz		pr->pr_state = PRISON_STATE_DYING;
185435Sbz	mtx_unlock(&pr->pr_mtx);
185435Sbz}
185435Sbz
185435Sbz
185435Sbz#ifdef INET
185435Sbz/*
185435Sbz * Pass back primary IPv4 address of this jail.
185435Sbz *
185435Sbz * If not jailed return success but do not alter the address.  Caller has to
185435Sbz * make sure to intialize it correctly (INADDR_ANY).
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.  Address returned in NBO.
185435Sbz */
46155Sphkint
185435Sbzprison_getip4(struct ucred *cred, struct in_addr *ia)
46155Sphk{
46155Sphk
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
185435Sbz
72786Srwatson	if (!jailed(cred))
185435Sbz		/* Do not change address passed in. */
46155Sphk		return (0);
185435Sbz
185435Sbz	if (cred->cr_prison->pr_ip4 == NULL)
185435Sbz		return (1);
185435Sbz
185435Sbz	ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbz/*
185435Sbz * Make sure our (source) address is set to something meaningful to this
185435Sbz * jail.
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.  Address passed in in NBO and returned
185435Sbz * in NBO.
185435Sbz */
185435Sbzint
185435Sbzprison_local_ip4(struct ucred *cred, struct in_addr *ia)
185435Sbz{
185435Sbz	struct in_addr ia0;
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
46155Sphk		return (0);
185435Sbz	if (cred->cr_prison->pr_ip4 == NULL)
185435Sbz		return (1);
185435Sbz
185435Sbz	ia0.s_addr = ntohl(ia->s_addr);
185435Sbz	if (ia0.s_addr == INADDR_LOOPBACK) {
185435Sbz		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
185435Sbz		return (0);
46155Sphk	}
185435Sbz
185435Sbz	/*
185435Sbz	 * In case there is only 1 IPv4 address, bind directly.
185435Sbz	 */
185435Sbz	if (ia0.s_addr == INADDR_ANY && cred->cr_prison->pr_ip4s == 1) {
185435Sbz		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
185435Sbz		return (0);
185435Sbz	}
185435Sbz
185435Sbz	if (ia0.s_addr == INADDR_ANY || prison_check_ip4(cred, ia))
185435Sbz		return (0);
185435Sbz
185435Sbz	return (1);
185435Sbz}
185435Sbz
185435Sbz/*
185435Sbz * Rewrite destination address in case we will connect to loopback address.
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.  Address passed in in NBO and returned
185435Sbz * in NBO.
185435Sbz */
185435Sbzint
185435Sbzprison_remote_ip4(struct ucred *cred, struct in_addr *ia)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
185435Sbz		return (0);
185435Sbz	if (cred->cr_prison->pr_ip4 == NULL)
185435Sbz		return (1);
185435Sbz	if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
185435Sbz		ia->s_addr = cred->cr_prison->pr_ip4[0].s_addr;
185435Sbz		return (0);
185435Sbz	}
185435Sbz
185435Sbz	/*
185435Sbz	 * Return success because nothing had to be changed.
185435Sbz	 */
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbz/*
185435Sbz * Check if given address belongs to the jail referenced by cred.
185435Sbz *
185435Sbz * Returns 1 if address belongs to jail, 0 if not.  Address passed in in NBO.
185435Sbz */
185435Sbzstatic int
185435Sbz_prison_check_ip4(struct prison *pr, struct in_addr *ia)
185435Sbz{
185435Sbz	int i, a, z, d;
185435Sbz
185435Sbz	if (pr->pr_ip4 == NULL)
185435Sbz		return (0);
185435Sbz
185435Sbz	/*
185435Sbz	 * Check the primary IP.
185435Sbz	 */
185435Sbz	if (pr->pr_ip4[0].s_addr == ia->s_addr)
185435Sbz		return (1);
185435Sbz
185435Sbz	/*
185435Sbz	 * All the other IPs are sorted so we can do a binary search.
185435Sbz	 */
185435Sbz	a = 0;
185435Sbz	z = pr->pr_ip4s - 2;
185435Sbz	while (a <= z) {
185435Sbz		i = (a + z) / 2;
185435Sbz		d = qcmp_v4(&pr->pr_ip4[i+1], ia);
185435Sbz		if (d > 0)
185435Sbz			z = i - 1;
185435Sbz		else if (d < 0)
185435Sbz			a = i + 1;
81114Srwatson		else
185435Sbz			return (1);
185435Sbz	}
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbzint
185435Sbzprison_check_ip4(struct ucred *cred, struct in_addr *ia)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
185435Sbz		return (1);
185435Sbz
185435Sbz	return (_prison_check_ip4(cred->cr_prison, ia));
185435Sbz}
185435Sbz#endif
185435Sbz
185435Sbz#ifdef INET6
185435Sbz/*
185435Sbz * Pass back primary IPv6 address for this jail.
185435Sbz *
185435Sbz * If not jailed return success but do not alter the address.  Caller has to
185435Sbz * make sure to intialize it correctly (IN6ADDR_ANY_INIT).
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.
185435Sbz */
185435Sbzint
185435Sbzprison_getip6(struct ucred *cred, struct in6_addr *ia6)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
81114Srwatson		return (0);
185435Sbz	if (cred->cr_prison->pr_ip6 == NULL)
185435Sbz		return (1);
185435Sbz	bcopy(&cred->cr_prison->pr_ip6[0], ia6, sizeof(struct in6_addr));
185435Sbz	return (0);
185435Sbz}
185435Sbz
185435Sbz/*
185435Sbz * Make sure our (source) address is set to something meaningful to this jail.
185435Sbz *
185435Sbz * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
185435Sbz * when needed while binding.
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.
185435Sbz */
185435Sbzint
185435Sbzprison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
185435Sbz		return (0);
185435Sbz	if (cred->cr_prison->pr_ip6 == NULL)
185435Sbz		return (1);
185435Sbz	if (IN6_IS_ADDR_LOOPBACK(ia6)) {
185435Sbz		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
185435Sbz		    sizeof(struct in6_addr));
185435Sbz		return (0);
81114Srwatson	}
185435Sbz
185435Sbz	/*
185435Sbz	 * In case there is only 1 IPv6 address, and v6only is true, then
185435Sbz	 * bind directly.
185435Sbz	 */
185435Sbz	if (v6only != 0 && IN6_IS_ADDR_UNSPECIFIED(ia6) &&
185435Sbz	    cred->cr_prison->pr_ip6s == 1) {
185435Sbz		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
185435Sbz		    sizeof(struct in6_addr));
185435Sbz		return (0);
185435Sbz	}
185435Sbz	if (IN6_IS_ADDR_UNSPECIFIED(ia6) || prison_check_ip6(cred, ia6))
185435Sbz		return (0);
185435Sbz	return (1);
185435Sbz}
185435Sbz
185435Sbz/*
185435Sbz * Rewrite destination address in case we will connect to loopback address.
185435Sbz *
185435Sbz * Returns 0 on success, 1 on error.
185435Sbz */
185435Sbzint
185435Sbzprison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
185435Sbz		return (0);
185435Sbz	if (cred->cr_prison->pr_ip6 == NULL)
46155Sphk		return (1);
185435Sbz	if (IN6_IS_ADDR_LOOPBACK(ia6)) {
185435Sbz		bcopy(&cred->cr_prison->pr_ip6[0], ia6,
185435Sbz		    sizeof(struct in6_addr));
185435Sbz		return (0);
185435Sbz	}
185435Sbz
185435Sbz	/*
185435Sbz	 * Return success because nothing had to be changed.
185435Sbz	 */
46155Sphk	return (0);
46155Sphk}
46155Sphk
185435Sbz/*
185435Sbz * Check if given address belongs to the jail referenced by cred.
185435Sbz *
185435Sbz * Returns 1 if address belongs to jail, 0 if not.
185435Sbz */
185435Sbzstatic int
185435Sbz_prison_check_ip6(struct prison *pr, struct in6_addr *ia6)
46155Sphk{
185435Sbz	int i, a, z, d;
46155Sphk
185435Sbz	if (pr->pr_ip6 == NULL)
185435Sbz		return (0);
185435Sbz
185435Sbz	/*
185435Sbz	 * Check the primary IP.
185435Sbz	 */
185435Sbz	if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0], ia6))
185435Sbz		return (1);
185435Sbz
185435Sbz	/*
185435Sbz	 * All the other IPs are sorted so we can do a binary search.
185435Sbz	 */
185435Sbz	a = 0;
185435Sbz	z = pr->pr_ip6s - 2;
185435Sbz	while (a <= z) {
185435Sbz		i = (a + z) / 2;
185435Sbz		d = qcmp_v6(&pr->pr_ip6[i+1], ia6);
185435Sbz		if (d > 0)
185435Sbz			z = i - 1;
185435Sbz		else if (d < 0)
185435Sbz			a = i + 1;
46155Sphk		else
185435Sbz			return (1);
46155Sphk	}
185435Sbz	return (0);
46155Sphk}
46155Sphk
46155Sphkint
185435Sbzprison_check_ip6(struct ucred *cred, struct in6_addr *ia6)
185435Sbz{
185435Sbz
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
185435Sbz
185435Sbz	if (!jailed(cred))
185435Sbz		return (1);
185435Sbz
185435Sbz	return (_prison_check_ip6(cred->cr_prison, ia6));
185435Sbz}
185435Sbz#endif
185435Sbz
185435Sbz/*
185435Sbz * Check if given address belongs to the jail referenced by cred (wrapper to
185435Sbz * prison_check_ip[46]).
185435Sbz *
185435Sbz * Returns 1 if address belongs to jail, 0 if not.  IPv4 Address passed in in
185435Sbz * NBO.
185435Sbz */
185435Sbzint
72786Srwatsonprison_if(struct ucred *cred, struct sockaddr *sa)
46155Sphk{
185435Sbz#ifdef INET
114168Smike	struct sockaddr_in *sai;
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	struct sockaddr_in6 *sai6;
185435Sbz#endif
46155Sphk	int ok;
46155Sphk
185435Sbz	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
185435Sbz	KASSERT(sa != NULL, ("%s: sa is NULL", __func__));
185435Sbz
185435Sbz	ok = 0;
185435Sbz	switch(sa->sa_family)
185435Sbz	{
185435Sbz#ifdef INET
185435Sbz	case AF_INET:
185435Sbz		sai = (struct sockaddr_in *)sa;
185435Sbz		if (prison_check_ip4(cred, &sai->sin_addr))
185435Sbz			ok = 1;
185435Sbz		break;
185435Sbz
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	case AF_INET6:
185435Sbz		sai6 = (struct sockaddr_in6 *)sa;
185435Sbz		if (prison_check_ip6(cred, (struct in6_addr *)&sai6->sin6_addr))
185435Sbz			ok = 1;
185435Sbz		break;
185435Sbz
185435Sbz#endif
185435Sbz	default:
185435Sbz		if (!jail_socket_unixiproute_only)
185435Sbz			ok = 1;
185435Sbz	}
46155Sphk	return (ok);
46155Sphk}
72786Srwatson
72786Srwatson/*
72786Srwatson * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
72786Srwatson */
72786Srwatsonint
114168Smikeprison_check(struct ucred *cred1, struct ucred *cred2)
72786Srwatson{
72786Srwatson
72786Srwatson	if (jailed(cred1)) {
72786Srwatson		if (!jailed(cred2))
72786Srwatson			return (ESRCH);
72786Srwatson		if (cred2->cr_prison != cred1->cr_prison)
72786Srwatson			return (ESRCH);
72786Srwatson	}
72786Srwatson
72786Srwatson	return (0);
72786Srwatson}
72786Srwatson
72786Srwatson/*
72786Srwatson * Return 1 if the passed credential is in a jail, otherwise 0.
72786Srwatson */
72786Srwatsonint
114168Smikejailed(struct ucred *cred)
72786Srwatson{
72786Srwatson
72786Srwatson	return (cred->cr_prison != NULL);
72786Srwatson}
91384Srobert
91384Srobert/*
91384Srobert * Return the correct hostname for the passed credential.
91384Srobert */
91391Srobertvoid
114168Smikegetcredhostname(struct ucred *cred, char *buf, size_t size)
91384Srobert{
183550Szec	INIT_VPROCG(cred->cr_vimage->v_procg);
91384Srobert
91391Srobert	if (jailed(cred)) {
91391Srobert		mtx_lock(&cred->cr_prison->pr_mtx);
105354Srobert		strlcpy(buf, cred->cr_prison->pr_host, size);
91391Srobert		mtx_unlock(&cred->cr_prison->pr_mtx);
180291Srwatson	} else {
180291Srwatson		mtx_lock(&hostname_mtx);
181803Sbz		strlcpy(buf, V_hostname, size);
180291Srwatson		mtx_unlock(&hostname_mtx);
180291Srwatson	}
91384Srobert}
113275Smike
125804Srwatson/*
147185Spjd * Determine whether the subject represented by cred can "see"
147185Spjd * status of a mount point.
147185Spjd * Returns: 0 for permitted, ENOENT otherwise.
147185Spjd * XXX: This function should be called cr_canseemount() and should be
147185Spjd *      placed in kern_prot.c.
125804Srwatson */
125804Srwatsonint
147185Spjdprison_canseemount(struct ucred *cred, struct mount *mp)
125804Srwatson{
147185Spjd	struct prison *pr;
147185Spjd	struct statfs *sp;
147185Spjd	size_t len;
125804Srwatson
147185Spjd	if (!jailed(cred) || jail_enforce_statfs == 0)
147185Spjd		return (0);
147185Spjd	pr = cred->cr_prison;
147185Spjd	if (pr->pr_root->v_mount == mp)
147185Spjd		return (0);
147185Spjd	if (jail_enforce_statfs == 2)
147185Spjd		return (ENOENT);
147185Spjd	/*
147185Spjd	 * If jail's chroot directory is set to "/" we should be able to see
147185Spjd	 * all mount-points from inside a jail.
147185Spjd	 * This is ugly check, but this is the only situation when jail's
147185Spjd	 * directory ends with '/'.
147185Spjd	 */
147185Spjd	if (strcmp(pr->pr_path, "/") == 0)
147185Spjd		return (0);
147185Spjd	len = strlen(pr->pr_path);
147185Spjd	sp = &mp->mnt_stat;
147185Spjd	if (strncmp(pr->pr_path, sp->f_mntonname, len) != 0)
147185Spjd		return (ENOENT);
147185Spjd	/*
147185Spjd	 * Be sure that we don't have situation where jail's root directory
147185Spjd	 * is "/some/path" and mount point is "/some/pathpath".
147185Spjd	 */
147185Spjd	if (sp->f_mntonname[len] != '\0' && sp->f_mntonname[len] != '/')
147185Spjd		return (ENOENT);
147185Spjd	return (0);
147185Spjd}
147185Spjd
147185Spjdvoid
147185Spjdprison_enforce_statfs(struct ucred *cred, struct mount *mp, struct statfs *sp)
147185Spjd{
147185Spjd	char jpath[MAXPATHLEN];
147185Spjd	struct prison *pr;
147185Spjd	size_t len;
147185Spjd
147185Spjd	if (!jailed(cred) || jail_enforce_statfs == 0)
147185Spjd		return;
147185Spjd	pr = cred->cr_prison;
147185Spjd	if (prison_canseemount(cred, mp) != 0) {
147185Spjd		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
147185Spjd		strlcpy(sp->f_mntonname, "[restricted]",
147185Spjd		    sizeof(sp->f_mntonname));
147185Spjd		return;
125804Srwatson	}
147185Spjd	if (pr->pr_root->v_mount == mp) {
147185Spjd		/*
147185Spjd		 * Clear current buffer data, so we are sure nothing from
147185Spjd		 * the valid path left there.
147185Spjd		 */
147185Spjd		bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
147185Spjd		*sp->f_mntonname = '/';
147185Spjd		return;
147185Spjd	}
147185Spjd	/*
147185Spjd	 * If jail's chroot directory is set to "/" we should be able to see
147185Spjd	 * all mount-points from inside a jail.
147185Spjd	 */
147185Spjd	if (strcmp(pr->pr_path, "/") == 0)
147185Spjd		return;
147185Spjd	len = strlen(pr->pr_path);
147185Spjd	strlcpy(jpath, sp->f_mntonname + len, sizeof(jpath));
147185Spjd	/*
147185Spjd	 * Clear current buffer data, so we are sure nothing from
147185Spjd	 * the valid path left there.
147185Spjd	 */
147185Spjd	bzero(sp->f_mntonname, sizeof(sp->f_mntonname));
147185Spjd	if (*jpath == '\0') {
147185Spjd		/* Should never happen. */
147185Spjd		*sp->f_mntonname = '/';
147185Spjd	} else {
147185Spjd		strlcpy(sp->f_mntonname, jpath, sizeof(sp->f_mntonname));
147185Spjd	}
125804Srwatson}
125804Srwatson
164032Srwatson/*
164032Srwatson * Check with permission for a specific privilege is granted within jail.  We
164032Srwatson * have a specific list of accepted privileges; the rest are denied.
164032Srwatson */
164032Srwatsonint
164032Srwatsonprison_priv_check(struct ucred *cred, int priv)
164032Srwatson{
164032Srwatson
164032Srwatson	if (!jailed(cred))
164032Srwatson		return (0);
164032Srwatson
164032Srwatson	switch (priv) {
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Allow ktrace privileges for root in jail.
164032Srwatson		 */
164032Srwatson	case PRIV_KTRACE:
164032Srwatson
166827Srwatson#if 0
164032Srwatson		/*
164032Srwatson		 * Allow jailed processes to configure audit identity and
164032Srwatson		 * submit audit records (login, etc).  In the future we may
164032Srwatson		 * want to further refine the relationship between audit and
164032Srwatson		 * jail.
164032Srwatson		 */
164032Srwatson	case PRIV_AUDIT_GETAUDIT:
164032Srwatson	case PRIV_AUDIT_SETAUDIT:
164032Srwatson	case PRIV_AUDIT_SUBMIT:
166827Srwatson#endif
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Allow jailed processes to manipulate process UNIX
164032Srwatson		 * credentials in any way they see fit.
164032Srwatson		 */
164032Srwatson	case PRIV_CRED_SETUID:
164032Srwatson	case PRIV_CRED_SETEUID:
164032Srwatson	case PRIV_CRED_SETGID:
164032Srwatson	case PRIV_CRED_SETEGID:
164032Srwatson	case PRIV_CRED_SETGROUPS:
164032Srwatson	case PRIV_CRED_SETREUID:
164032Srwatson	case PRIV_CRED_SETREGID:
164032Srwatson	case PRIV_CRED_SETRESUID:
164032Srwatson	case PRIV_CRED_SETRESGID:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Jail implements visibility constraints already, so allow
164032Srwatson		 * jailed root to override uid/gid-based constraints.
164032Srwatson		 */
164032Srwatson	case PRIV_SEEOTHERGIDS:
164032Srwatson	case PRIV_SEEOTHERUIDS:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Jail implements inter-process debugging limits already, so
164032Srwatson		 * allow jailed root various debugging privileges.
164032Srwatson		 */
164032Srwatson	case PRIV_DEBUG_DIFFCRED:
164032Srwatson	case PRIV_DEBUG_SUGID:
164032Srwatson	case PRIV_DEBUG_UNPRIV:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Allow jail to set various resource limits and login
164032Srwatson		 * properties, and for now, exceed process resource limits.
164032Srwatson		 */
164032Srwatson	case PRIV_PROC_LIMIT:
164032Srwatson	case PRIV_PROC_SETLOGIN:
164032Srwatson	case PRIV_PROC_SETRLIMIT:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * System V and POSIX IPC privileges are granted in jail.
164032Srwatson		 */
164032Srwatson	case PRIV_IPC_READ:
164032Srwatson	case PRIV_IPC_WRITE:
164032Srwatson	case PRIV_IPC_ADMIN:
164032Srwatson	case PRIV_IPC_MSGSIZE:
164032Srwatson	case PRIV_MQ_ADMIN:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Jail implements its own inter-process limits, so allow
164032Srwatson		 * root processes in jail to change scheduling on other
164032Srwatson		 * processes in the same jail.  Likewise for signalling.
164032Srwatson		 */
164032Srwatson	case PRIV_SCHED_DIFFCRED:
185435Sbz	case PRIV_SCHED_CPUSET:
164032Srwatson	case PRIV_SIGNAL_DIFFCRED:
164032Srwatson	case PRIV_SIGNAL_SUGID:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Allow jailed processes to write to sysctls marked as jail
164032Srwatson		 * writable.
164032Srwatson		 */
164032Srwatson	case PRIV_SYSCTL_WRITEJAIL:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Allow root in jail to manage a variety of quota
166831Srwatson		 * properties.  These should likely be conditional on a
166831Srwatson		 * configuration option.
164032Srwatson		 */
166832Srwatson	case PRIV_VFS_GETQUOTA:
166832Srwatson	case PRIV_VFS_SETQUOTA:
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Since Jail relies on chroot() to implement file system
164032Srwatson		 * protections, grant many VFS privileges to root in jail.
164032Srwatson		 * Be careful to exclude mount-related and NFS-related
164032Srwatson		 * privileges.
164032Srwatson		 */
164032Srwatson	case PRIV_VFS_READ:
164032Srwatson	case PRIV_VFS_WRITE:
164032Srwatson	case PRIV_VFS_ADMIN:
164032Srwatson	case PRIV_VFS_EXEC:
164032Srwatson	case PRIV_VFS_LOOKUP:
164032Srwatson	case PRIV_VFS_BLOCKRESERVE:	/* XXXRW: Slightly surprising. */
164032Srwatson	case PRIV_VFS_CHFLAGS_DEV:
164032Srwatson	case PRIV_VFS_CHOWN:
164032Srwatson	case PRIV_VFS_CHROOT:
167152Spjd	case PRIV_VFS_RETAINSUGID:
164032Srwatson	case PRIV_VFS_FCHROOT:
164032Srwatson	case PRIV_VFS_LINK:
164032Srwatson	case PRIV_VFS_SETGID:
172860Srwatson	case PRIV_VFS_STAT:
164032Srwatson	case PRIV_VFS_STICKYFILE:
164032Srwatson		return (0);
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Depending on the global setting, allow privilege of
164032Srwatson		 * setting system flags.
164032Srwatson		 */
164032Srwatson	case PRIV_VFS_SYSFLAGS:
164032Srwatson		if (jail_chflags_allowed)
164032Srwatson			return (0);
164032Srwatson		else
164032Srwatson			return (EPERM);
164032Srwatson
164032Srwatson		/*
168396Spjd		 * Depending on the global setting, allow privilege of
168396Spjd		 * mounting/unmounting file systems.
168396Spjd		 */
168396Spjd	case PRIV_VFS_MOUNT:
168396Spjd	case PRIV_VFS_UNMOUNT:
168396Spjd	case PRIV_VFS_MOUNT_NONUSER:
168699Spjd	case PRIV_VFS_MOUNT_OWNER:
168396Spjd		if (jail_mount_allowed)
168396Spjd			return (0);
168396Spjd		else
168396Spjd			return (EPERM);
168396Spjd
168396Spjd		/*
168591Srwatson		 * Allow jailed root to bind reserved ports and reuse in-use
168591Srwatson		 * ports.
164032Srwatson		 */
164032Srwatson	case PRIV_NETINET_RESERVEDPORT:
168591Srwatson	case PRIV_NETINET_REUSEPORT:
164032Srwatson		return (0);
164032Srwatson
164032Srwatson		/*
175630Sbz		 * Allow jailed root to set certian IPv4/6 (option) headers.
175630Sbz		 */
175630Sbz	case PRIV_NETINET_SETHDROPTS:
175630Sbz		return (0);
175630Sbz
175630Sbz		/*
164032Srwatson		 * Conditionally allow creating raw sockets in jail.
164032Srwatson		 */
164032Srwatson	case PRIV_NETINET_RAW:
164032Srwatson		if (jail_allow_raw_sockets)
164032Srwatson			return (0);
164032Srwatson		else
164032Srwatson			return (EPERM);
164032Srwatson
164032Srwatson		/*
164032Srwatson		 * Since jail implements its own visibility limits on netstat
164032Srwatson		 * sysctls, allow getcred.  This allows identd to work in
164032Srwatson		 * jail.
164032Srwatson		 */
164032Srwatson	case PRIV_NETINET_GETCRED:
164032Srwatson		return (0);
164032Srwatson
164032Srwatson	default:
164032Srwatson		/*
164032Srwatson		 * In all remaining cases, deny the privilege request.  This
164032Srwatson		 * includes almost all network privileges, many system
164032Srwatson		 * configuration privileges.
164032Srwatson		 */
164032Srwatson		return (EPERM);
164032Srwatson	}
164032Srwatson}
164032Srwatson
113275Smikestatic int
113275Smikesysctl_jail_list(SYSCTL_HANDLER_ARGS)
113275Smike{
113275Smike	struct xprison *xp, *sxp;
113275Smike	struct prison *pr;
185435Sbz	char *p;
185435Sbz	size_t len;
113275Smike	int count, error;
113275Smike
127020Spjd	if (jailed(req->td->td_ucred))
125806Srwatson		return (0);
113275Smike
168401Spjd	sx_slock(&allprison_lock);
168401Spjd	if ((count = prisoncount) == 0) {
168401Spjd		sx_sunlock(&allprison_lock);
113275Smike		return (0);
168401Spjd	}
113275Smike
185435Sbz	len = sizeof(*xp) * count;
185435Sbz	LIST_FOREACH(pr, &allprison, pr_list) {
185435Sbz#ifdef INET
185435Sbz		len += pr->pr_ip4s * sizeof(struct in_addr);
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		len += pr->pr_ip6s * sizeof(struct in6_addr);
185435Sbz#endif
185435Sbz	}
167309Spjd
185435Sbz	sxp = xp = malloc(len, M_TEMP, M_WAITOK | M_ZERO);
185435Sbz
113275Smike	LIST_FOREACH(pr, &allprison, pr_list) {
113275Smike		xp->pr_version = XPRISON_VERSION;
113275Smike		xp->pr_id = pr->pr_id;
185435Sbz		xp->pr_state = pr->pr_state;
185435Sbz		xp->pr_cpusetid = pr->pr_cpuset->cs_id;
113275Smike		strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path));
168487Spjd		mtx_lock(&pr->pr_mtx);
113275Smike		strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host));
185435Sbz		strlcpy(xp->pr_name, pr->pr_name, sizeof(xp->pr_name));
113275Smike		mtx_unlock(&pr->pr_mtx);
185435Sbz#ifdef INET
185435Sbz		xp->pr_ip4s = pr->pr_ip4s;
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		xp->pr_ip6s = pr->pr_ip6s;
185435Sbz#endif
185435Sbz		p = (char *)(xp + 1);
185435Sbz#ifdef INET
185435Sbz		if (pr->pr_ip4s > 0) {
185435Sbz			bcopy(pr->pr_ip4, (struct in_addr *)p,
185435Sbz			    pr->pr_ip4s * sizeof(struct in_addr));
185435Sbz			p += (pr->pr_ip4s * sizeof(struct in_addr));
185435Sbz		}
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		if (pr->pr_ip6s > 0) {
185435Sbz			bcopy(pr->pr_ip6, (struct in6_addr *)p,
185435Sbz			    pr->pr_ip6s * sizeof(struct in6_addr));
185435Sbz			p += (pr->pr_ip6s * sizeof(struct in6_addr));
185435Sbz		}
185435Sbz#endif
185435Sbz		xp = (struct xprison *)p;
113275Smike	}
168401Spjd	sx_sunlock(&allprison_lock);
113275Smike
185435Sbz	error = SYSCTL_OUT(req, sxp, len);
113275Smike	free(sxp, M_TEMP);
167354Spjd	return (error);
113275Smike}
113275Smike
113275SmikeSYSCTL_OID(_security_jail, OID_AUTO, list, CTLTYPE_STRUCT | CTLFLAG_RD,
113275Smike    NULL, 0, sysctl_jail_list, "S", "List of active jails");
126004Spjd
126004Spjdstatic int
126004Spjdsysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
126004Spjd{
126004Spjd	int error, injail;
126004Spjd
126004Spjd	injail = jailed(req->td->td_ucred);
126004Spjd	error = SYSCTL_OUT(req, &injail, sizeof(injail));
126004Spjd
126004Spjd	return (error);
126004Spjd}
126004SpjdSYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD,
126004Spjd    NULL, 0, sysctl_jail_jailed, "I", "Process in jail?");
185435Sbz
185435Sbz#ifdef DDB
185435SbzDB_SHOW_COMMAND(jails, db_show_jails)
185435Sbz{
185435Sbz	struct prison *pr;
185435Sbz#ifdef INET
185435Sbz	struct in_addr ia;
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz	char ip6buf[INET6_ADDRSTRLEN];
185435Sbz#endif
185435Sbz	const char *state;
185435Sbz#if defined(INET) || defined(INET6)
185435Sbz	int i;
185435Sbz#endif
185435Sbz
185435Sbz	db_printf(
185435Sbz	    "   JID  pr_ref  pr_nprocs  pr_ip4s  pr_ip6s\n");
185435Sbz	db_printf(
185435Sbz	    "        Hostname                      Path\n");
185435Sbz	db_printf(
185435Sbz	    "        Name                          State\n");
185435Sbz	db_printf(
185435Sbz	    "        Cpusetid\n");
185435Sbz	db_printf(
185435Sbz	    "        IP Address(es)\n");
185435Sbz	LIST_FOREACH(pr, &allprison, pr_list) {
185435Sbz		db_printf("%6d  %6d  %9d  %7d  %7d\n",
185435Sbz		    pr->pr_id, pr->pr_ref, pr->pr_nprocs,
185435Sbz		    pr->pr_ip4s, pr->pr_ip6s);
185435Sbz		db_printf("%6s  %-29.29s %.74s\n",
185435Sbz		    "", pr->pr_host, pr->pr_path);
185435Sbz		if (pr->pr_state < 0 || pr->pr_state > (int)((sizeof(
185435Sbz		    prison_states) / sizeof(struct prison_state))))
185435Sbz			state = "(bogus)";
185435Sbz		else
185435Sbz			state = prison_states[pr->pr_state].state_name;
185435Sbz		db_printf("%6s  %-29.29s %.74s\n",
185435Sbz		    "", (pr->pr_name != NULL) ? pr->pr_name : "", state);
185435Sbz		db_printf("%6s  %-6d\n",
185435Sbz		    "", pr->pr_cpuset->cs_id);
185435Sbz#ifdef INET
185435Sbz		for (i=0; i < pr->pr_ip4s; i++) {
185435Sbz			ia.s_addr = pr->pr_ip4[i].s_addr;
185435Sbz			db_printf("%6s  %s\n", "", inet_ntoa(ia));
185435Sbz		}
185435Sbz#endif
185435Sbz#ifdef INET6
185435Sbz		for (i=0; i < pr->pr_ip6s; i++)
185435Sbz			db_printf("%6s  %s\n",
185435Sbz			    "", ip6_sprintf(ip6buf, &pr->pr_ip6[i]));
185435Sbz#endif /* INET6 */
185435Sbz		if (db_pager_quit)
185435Sbz			break;
185435Sbz	}
185435Sbz}
185435Sbz#endif /* DDB */