#include <sys/cdefs.h>#include "opt_compat.h"#include "opt_ddb.h"#include "opt_inet.h"#include "opt_inet6.h"#include <sys/param.h>#include <sys/types.h>#include <sys/kernel.h>#include <sys/systm.h>#include <sys/errno.h>#include <sys/sysproto.h>#include <sys/malloc.h>#include <sys/osd.h>#include <sys/priv.h>#include <sys/proc.h>#include <sys/taskqueue.h>#include <sys/fcntl.h>#include <sys/jail.h>#include <sys/lock.h>#include <sys/mutex.h>#include <sys/racct.h>#include <sys/refcount.h>#include <sys/sx.h>#include <sys/sysent.h>#include <sys/namei.h>#include <sys/mount.h>#include <sys/queue.h>#include <sys/socket.h>#include <sys/syscallsubr.h>#include <sys/sysctl.h>#include <sys/vnode.h>#include <net/if.h>#include <net/vnet.h>#include <netinet/in.h>#include <security/mac/mac_framework.h>
Go to the source code of this file.
Data Structures | |
| struct | jailsys_flags |
Macros | |
| #define | DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" |
| #define | _PR_IP_SADDRSEL 0 |
| #define | PD_DEREF 0x01 |
| #define | PD_DEUREF 0x02 |
| #define | PD_LOCKED 0x04 |
| #define | PD_LIST_SLOCKED 0x08 |
| #define | PD_LIST_XLOCKED 0x10 |
| #define | JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME |
| #define | JAIL_DEFAULT_ENFORCE_STATFS 2 |
| #define | JAIL_DEFAULT_DEVFS_RSNUM 0 |
Functions | |
| __FBSDID ("$BSDSUniX$") | |
| MALLOC_DEFINE (M_PRISON,"prison","Prison structures") | |
| static | MALLOC_DEFINE (M_PRISON_RACCT,"prison_racct","Prison racct structures") |
| MTX_SYSINIT (prison0,&prison0.pr_mtx,"jail mutex", MTX_DEF) | |
| SX_SYSINIT (allprison_lock,&allprison_lock,"allprison") | |
| LIST_HEAD (prison_racct) | |
| int | sys_jail (struct thread *td, struct jail_args *uap) |
| int | kern_jail (struct thread *td, struct jail *j) |
| int | sys_jail_set (struct thread *td, struct jail_set_args *uap) |
| int | kern_jail_set (struct thread *td, struct uio *optuio, int flags) |
| int | sys_jail_get (struct thread *td, struct jail_get_args *uap) |
| int | kern_jail_get (struct thread *td, struct uio *optuio, int flags) |
| int | sys_jail_remove (struct thread *td, struct jail_remove_args *uap) |
| static void | prison_remove_one (struct prison *pr) |
| int | sys_jail_attach (struct thread *td, struct jail_attach_args *uap) |
| static int | do_jail_attach (struct thread *td, struct prison *pr) |
| struct prison * | prison_find (int prid) |
| struct prison * | prison_find_child (struct prison *mypr, int prid) |
| struct prison * | prison_find_name (struct prison *mypr, const char *name) |
| int | prison_flag (struct ucred *cred, unsigned flag) |
| int | prison_allow (struct ucred *cred, unsigned flag) |
| void | prison_free_locked (struct prison *pr) |
| void | prison_free (struct prison *pr) |
| static void | prison_complete (void *context, int pending) |
| static void | prison_deref (struct prison *pr, int flags) |
| void | prison_hold_locked (struct prison *pr) |
| void | prison_hold (struct prison *pr) |
| void | prison_proc_hold (struct prison *pr) |
| void | prison_proc_free (struct prison *pr) |
| int | prison_check_af (struct ucred *cred, int af) |
| int | prison_if (struct ucred *cred, struct sockaddr *sa) |
| int | prison_check (struct ucred *cred1, struct ucred *cred2) |
| int | prison_ischild (struct prison *pr1, struct prison *pr2) |
| int | jailed (struct ucred *cred) |
| int | jailed_without_vnet (struct ucred *cred) |
| void | getcredhostname (struct ucred *cred, char *buf, size_t size) |
| void | getcreddomainname (struct ucred *cred, char *buf, size_t size) |
| void | getcredhostuuid (struct ucred *cred, char *buf, size_t size) |
| void | getcredhostid (struct ucred *cred, unsigned long *hostid) |
| int | prison_canseemount (struct ucred *cred, struct mount *mp) |
| void | prison_enforce_statfs (struct ucred *cred, struct mount *mp, struct statfs *sp) |
| int | prison_priv_check (struct ucred *cred, int priv) |
| char * | prison_name (struct prison *pr1, struct prison *pr2) |
| static char * | prison_path (struct prison *pr1, struct prison *pr2) |
| static | SYSCTL_NODE (_security, OID_AUTO, jail, CTLFLAG_RW, 0,"Jails") |
| static int | sysctl_jail_list (SYSCTL_HANDLER_ARGS) |
| SYSCTL_OID (_security_jail, OID_AUTO, list, CTLTYPE_STRUCT|CTLFLAG_RD|CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_list,"S","List of active jails") | |
| static int | sysctl_jail_jailed (SYSCTL_HANDLER_ARGS) |
| SYSCTL_PROC (_security_jail, OID_AUTO, jailed, CTLTYPE_INT|CTLFLAG_RD|CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_jailed,"I","Process in jail?") | |
| static int | sysctl_jail_vnet (SYSCTL_HANDLER_ARGS) |
| SYSCTL_PROC (_security_jail, OID_AUTO, vnet, CTLTYPE_INT|CTLFLAG_RD|CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_vnet,"I","Jail owns VNET?") | |
| static int | sysctl_jail_default_allow (SYSCTL_HANDLER_ARGS) |
| SYSCTL_PROC (_security_jail, OID_AUTO, set_hostname_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow,"I","Processes in jail can set their hostnames") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, socket_unixiproute_only, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE,(void *) 1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow,"I","Processes in jail are limited to creating UNIX/IP/route sockets only") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, sysvipc_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow,"I","Processes in jail can use System V IPC primitives") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, allow_raw_sockets, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow,"I","Prison root can create raw sockets") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, chflags_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow,"I","Processes in jail can alter system file flags") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, mount_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow,"I","Processes in jail can mount/unmount jail-friendly file systems") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, mount_devfs_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_DEVFS, sysctl_jail_default_allow,"I","Processes in jail can mount the devfs file system") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, mount_nullfs_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_NULLFS, sysctl_jail_default_allow,"I","Processes in jail can mount the nullfs file system") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, mount_procfs_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow,"I","Processes in jail can mount the procfs file system") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, mount_zfs_allowed, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow,"I","Processes in jail can mount the zfs file system") | |
| static int | sysctl_jail_default_level (SYSCTL_HANDLER_ARGS) |
| SYSCTL_PROC (_security_jail, OID_AUTO, enforce_statfs, CTLTYPE_INT|CTLFLAG_RW|CTLFLAG_MPSAFE,&jail_default_enforce_statfs, offsetof(struct prison, pr_enforce_statfs), sysctl_jail_default_level,"I","Processes in jail cannot see all mounted file systems") | |
| SYSCTL_PROC (_security_jail, OID_AUTO, devfs_ruleset, CTLTYPE_INT|CTLFLAG_RD|CTLFLAG_MPSAFE,&jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum), sysctl_jail_default_level,"I","Ruleset for the devfs filesystem in jail") | |
| SYSCTL_NODE (_security_jail, OID_AUTO, param, CTLFLAG_RW, 0,"Jail parameters") | |
| int | sysctl_jail_param (SYSCTL_HANDLER_ARGS) |
| SYSCTL_JAIL_PARAM (, jid, CTLTYPE_INT|CTLFLAG_RDTUN,"I","Jail ID") | |
| SYSCTL_JAIL_PARAM (, parent, CTLTYPE_INT|CTLFLAG_RD,"I","Jail parent ID") | |
| SYSCTL_JAIL_PARAM_STRING (, name, CTLFLAG_RW, MAXHOSTNAMELEN,"Jail name") | |
| SYSCTL_JAIL_PARAM_STRING (, path, CTLFLAG_RDTUN, MAXPATHLEN,"Jail root path") | |
| SYSCTL_JAIL_PARAM (, securelevel, CTLTYPE_INT|CTLFLAG_RW,"I","Jail secure level") | |
| SYSCTL_JAIL_PARAM (, enforce_statfs, CTLTYPE_INT|CTLFLAG_RW,"I","Jail cannot see all mounted file systems") | |
| SYSCTL_JAIL_PARAM (, devfs_ruleset, CTLTYPE_INT|CTLFLAG_RW,"I","Ruleset for in-jail devfs mounts") | |
| SYSCTL_JAIL_PARAM (, persist, CTLTYPE_INT|CTLFLAG_RW,"B","Jail persistence") | |
| SYSCTL_JAIL_PARAM (, dying, CTLTYPE_INT|CTLFLAG_RD,"B","Jail is in the process of shutting down") | |
| SYSCTL_JAIL_PARAM_NODE (children,"Number of child jails") | |
| SYSCTL_JAIL_PARAM (_children, cur, CTLTYPE_INT|CTLFLAG_RD,"I","Current number of child jails") | |
| SYSCTL_JAIL_PARAM (_children, max, CTLTYPE_INT|CTLFLAG_RW,"I","Maximum number of child jails") | |
| SYSCTL_JAIL_PARAM_SYS_NODE (host, CTLFLAG_RW,"Jail host info") | |
| SYSCTL_JAIL_PARAM_STRING (_host, hostname, CTLFLAG_RW, MAXHOSTNAMELEN,"Jail hostname") | |
| SYSCTL_JAIL_PARAM_STRING (_host, domainname, CTLFLAG_RW, MAXHOSTNAMELEN,"Jail NIS domainname") | |
| SYSCTL_JAIL_PARAM_STRING (_host, hostuuid, CTLFLAG_RW, HOSTUUIDLEN,"Jail host UUID") | |
| SYSCTL_JAIL_PARAM (_host, hostid, CTLTYPE_ULONG|CTLFLAG_RW,"LU","Jail host ID") | |
| SYSCTL_JAIL_PARAM_NODE (cpuset,"Jail cpuset") | |
| SYSCTL_JAIL_PARAM (_cpuset, id, CTLTYPE_INT|CTLFLAG_RD,"I","Jail cpuset ID") | |
| SYSCTL_JAIL_PARAM_NODE (allow,"Jail permission flags") | |
| SYSCTL_JAIL_PARAM (_allow, set_hostname, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may set hostname") | |
| SYSCTL_JAIL_PARAM (_allow, sysvipc, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may use SYSV IPC") | |
| SYSCTL_JAIL_PARAM (_allow, raw_sockets, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may create raw sockets") | |
| SYSCTL_JAIL_PARAM (_allow, chflags, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may alter system file flags") | |
| SYSCTL_JAIL_PARAM (_allow, quotas, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may set file quotas") | |
| SYSCTL_JAIL_PARAM (_allow, socket_af, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may create sockets other than just UNIX/IPv4/IPv6/route") | |
| SYSCTL_JAIL_PARAM_SUBNODE (allow, mount,"Jail mount/unmount permission flags") | |
| SYSCTL_JAIL_PARAM (_allow_mount,, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may mount/unmount jail-friendly file systems in general") | |
| SYSCTL_JAIL_PARAM (_allow_mount, devfs, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may mount the devfs file system") | |
| SYSCTL_JAIL_PARAM (_allow_mount, nullfs, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may mount the nullfs file system") | |
| SYSCTL_JAIL_PARAM (_allow_mount, procfs, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may mount the procfs file system") | |
| SYSCTL_JAIL_PARAM (_allow_mount, zfs, CTLTYPE_INT|CTLFLAG_RW,"B","Jail may mount the zfs file system") | |
| void | prison_racct_foreach (void(*callback)(struct racct *racct, void *arg2, void *arg3), void *arg2, void *arg3) |
| static struct prison_racct * | prison_racct_find_locked (const char *name) |
| struct prison_racct * | prison_racct_find (const char *name) |
| void | prison_racct_hold (struct prison_racct *prr) |
| static void | prison_racct_free_locked (struct prison_racct *prr) |
| void | prison_racct_free (struct prison_racct *prr) |
Variables | |
| struct prison | prison0 |
| struct sx | allprison_lock |
| struct prisonlist | allprison = TAILQ_HEAD_INITIALIZER(allprison) |
| const size_t | pr_flag_names_size = sizeof(pr_flag_names) |
| static char * | pr_flag_nonames [] |
| const size_t | pr_flag_nonames_size = sizeof(pr_flag_nonames) |
| struct jailsys_flags | pr_flag_jailsys [] |
| const size_t | pr_flag_jailsys_size = sizeof(pr_flag_jailsys) |
| static char * | pr_allow_names [] |
| const size_t | pr_allow_names_size = sizeof(pr_allow_names) |
| static char * | pr_allow_nonames [] |
| const size_t | pr_allow_nonames_size = sizeof(pr_allow_nonames) |
| static unsigned | jail_default_allow = JAIL_DEFAULT_ALLOW |
| static int | jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS |
| static int | jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM |
Macro Definition Documentation
| #define _PR_IP_SADDRSEL 0 |
Definition at line 94 of file kern_jail.c.
Referenced by kern_jail_set().
| #define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" |
Definition at line 78 of file kern_jail.c.
Referenced by kern_jail_set().
| #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME |
Definition at line 227 of file kern_jail.c.
Referenced by kern_jail_set().
| #define JAIL_DEFAULT_DEVFS_RSNUM 0 |
Definition at line 229 of file kern_jail.c.
| #define JAIL_DEFAULT_ENFORCE_STATFS 2 |
Definition at line 228 of file kern_jail.c.
Referenced by kern_jail_set().
| #define PD_DEREF 0x01 |
Referenced by do_jail_attach(), kern_jail_get(), kern_jail_set(), prison_deref(), and prison_remove_one().
| #define PD_DEUREF 0x02 |
Referenced by do_jail_attach(), kern_jail_set(), prison_deref(), prison_proc_free(), and prison_remove_one().
| #define PD_LIST_SLOCKED 0x08 |
Referenced by do_jail_attach(), kern_jail_get(), kern_jail_set(), and prison_deref().
| #define PD_LIST_XLOCKED 0x10 |
Referenced by kern_jail_set(), prison_deref(), and prison_remove_one().
| #define PD_LOCKED 0x04 |
Referenced by kern_jail_get(), kern_jail_set(), prison_deref(), prison_proc_free(), and prison_remove_one().
Function Documentation
| __FBSDID | ( | "$BSDSUniX$" | ) |
|
static |
Definition at line 2338 of file kern_jail.c.
References allprison_lock, change_dir(), change_root(), cpuset_setproc_update_set(), crcopy(), crfree(), crget(), PD_DEREF, PD_DEUREF, PD_LIST_SLOCKED, pr, prison_deref(), and setsugid().
Referenced by kern_jail_set(), and sys_jail_attach().
| void getcreddomainname | ( | struct ucred * | cred, |
| char * | buf, | ||
| size_t | size | ||
| ) |
Definition at line 3517 of file kern_jail.c.
| void getcredhostid | ( | struct ucred * | cred, |
| unsigned long * | hostid | ||
| ) |
Definition at line 3535 of file kern_jail.c.
| void getcredhostname | ( | struct ucred * | cred, |
| char * | buf, | ||
| size_t | size | ||
| ) |
Definition at line 3502 of file kern_jail.c.
Referenced by expand_name().
| void getcredhostuuid | ( | struct ucred * | cred, |
| char * | buf, | ||
| size_t | size | ||
| ) |
Definition at line 3526 of file kern_jail.c.
| int jailed | ( | struct ucred * | cred | ) |
Definition at line 3474 of file kern_jail.c.
References prison0.
Referenced by cpuset_lookup(), cpuset_modify(), fill_kinfo_proc_only(), jailed_without_vnet(), kern_jail(), kern_jail_set(), prison_priv_check(), sys_unmount(), sysctl_jail_jailed(), sysctl_jail_vnet(), vfs_domount(), and vfs_suser().
| int jailed_without_vnet | ( | struct ucred * | cred | ) |
Definition at line 3485 of file kern_jail.c.
References jailed().
| int kern_jail | ( | struct thread * | td, |
| struct jail * | j | ||
| ) |
Definition at line 340 of file kern_jail.c.
References free(), jail_default_enforce_statfs, jailed(), kern_jail_set(), malloc(), and pr_allow_names.
Referenced by sys_jail().
| int kern_jail_get | ( | struct thread * | td, |
| struct uio * | optuio, | ||
| int | flags | ||
| ) |
Definition at line 1923 of file kern_jail.c.
References allprison, allprison_lock, jailsys_flags::disable, name, jailsys_flags::new, PD_DEREF, PD_LIST_SLOCKED, PD_LOCKED, pr, pr_allow_names, pr_flag_jailsys, prison_deref(), prison_find_child(), prison_find_name(), prison_ischild(), prison_name(), prison_path(), vfs_buildopts(), vfs_copyopt(), vfs_freeopts(), vfs_getopt(), vfs_getopt_pos(), vfs_opterror(), vfs_setopt(), vfs_setopt_part(), and vfs_setopts().
Referenced by sys_jail_get().
| int kern_jail_set | ( | struct thread * | td, |
| struct uio * | optuio, | ||
| int | flags | ||
| ) |
Definition at line 522 of file kern_jail.c.
References _PR_IP_SADDRSEL, allprison, allprison_lock, cpuset_create_root(), DEFAULT_HOSTUUID, jailsys_flags::disable, do_jail_attach(), free(), JAIL_DEFAULT_ALLOW, JAIL_DEFAULT_ENFORCE_STATFS, jailed(), level, malloc(), mtx_init(), name, namei(), NDFREE(), jailsys_flags::new, path, PD_DEREF, PD_DEUREF, PD_LIST_SLOCKED, PD_LIST_XLOCKED, PD_LOCKED, pr, pr_allow_names, pr_flag_jailsys, prison0, prison_deref(), prison_find(), prison_find_name(), prison_ischild(), prison_name(), priv_check(), snprintf(), vfs_buildopts(), vfs_copyopt(), vfs_flagopt(), vfs_freeopts(), vfs_getopt(), vfs_getopt_pos(), vfs_opterror(), vn_path_to_global_path(), vput(), vref(), and vrele().
Referenced by kern_jail(), and sys_jail_set().
| LIST_HEAD | ( | prison_racct | ) |
Definition at line 123 of file kern_jail.c.
| MALLOC_DEFINE | ( | M_PRISON | , |
| "prison" | , | ||
| "Prison structures" | |||
| ) |
|
static |
| MTX_SYSINIT | ( | prison0 | , |
| &prison0. | pr_mtx, | ||
| "jail mutex" | , | ||
| MTX_DEF | |||
| ) |
| int prison_allow | ( | struct ucred * | cred, |
| unsigned | flag | ||
| ) |
Definition at line 2502 of file kern_jail.c.
Referenced by kern_msgctl(), kern_msgrcv(), kern_msgsnd(), kern_semctl(), kern_shmat(), kern_shmctl(), sys_msgget(), sys_quotactl(), sys_semget(), sys_semop(), sys_shmdt(), and sys_shmget().
| int prison_canseemount | ( | struct ucred * | cred, |
| struct mount * | mp | ||
| ) |
Definition at line 3570 of file kern_jail.c.
References pr.
Referenced by kern_fhstatfs(), kern_getfsstat(), and prison_enforce_statfs().
| int prison_check | ( | struct ucred * | cred1, |
| struct ucred * | cred2 | ||
| ) |
Definition at line 3450 of file kern_jail.c.
References prison_ischild().
Referenced by cr_cansee(), cr_canseesocket(), cr_cansignal(), p_candebug(), p_cansched(), p_canwait(), and vfs_suser().
| int prison_check_af | ( | struct ucred * | cred, |
| int | af | ||
| ) |
Definition at line 3348 of file kern_jail.c.
References pr.
Referenced by socreate().
|
static |
Definition at line 2537 of file kern_jail.c.
References prison_deref().
Referenced by prison_free_locked().
|
static |
Definition at line 2550 of file kern_jail.c.
References allprison, allprison_lock, cpuset_rel(), free(), mtx_destroy(), PD_DEREF, PD_DEUREF, PD_LIST_SLOCKED, PD_LIST_XLOCKED, PD_LOCKED, prison0, and vrele().
Referenced by do_jail_attach(), kern_jail_get(), kern_jail_set(), prison_complete(), prison_proc_free(), and prison_remove_one().
| void prison_enforce_statfs | ( | struct ucred * | cred, |
| struct mount * | mp, | ||
| struct statfs * | sp | ||
| ) |
Definition at line 3605 of file kern_jail.c.
References pr, and prison_canseemount().
Referenced by kern_fstatfs(), kern_getfsstat(), and kern_statfs().
| struct prison* prison_find | ( | int | prid | ) |
Definition at line 2417 of file kern_jail.c.
References allprison, allprison_lock, and pr.
Referenced by kern_jail_set().
| struct prison* prison_find_child | ( | struct prison * | mypr, |
| int | prid | ||
| ) |
Definition at line 2437 of file kern_jail.c.
References allprison_lock, and pr.
Referenced by cpuset_which(), kern_jail_get(), sys_jail_attach(), and sys_jail_remove().
| struct prison* prison_find_name | ( | struct prison * | mypr, |
| const char * | name | ||
| ) |
Definition at line 2458 of file kern_jail.c.
References allprison_lock, pr, and prison0.
Referenced by kern_jail_get(), and kern_jail_set().
| int prison_flag | ( | struct ucred * | cred, |
| unsigned | flag | ||
| ) |
Definition at line 2494 of file kern_jail.c.
| void prison_free | ( | struct prison * | pr | ) |
Definition at line 2529 of file kern_jail.c.
References prison_free_locked().
Referenced by crfree().
| void prison_free_locked | ( | struct prison * | pr | ) |
Definition at line 2514 of file kern_jail.c.
References prison_complete(), and taskqueue_enqueue().
Referenced by prison_free().
| void prison_hold | ( | struct prison * | pr | ) |
Definition at line 2632 of file kern_jail.c.
References prison_hold_locked().
Referenced by crcopy(), and vfs_hang_addrlist().
| void prison_hold_locked | ( | struct prison * | pr | ) |
Definition at line 2622 of file kern_jail.c.
Referenced by prison_hold().
| int prison_if | ( | struct ucred * | cred, |
| struct sockaddr * | sa | ||
| ) |
Definition at line 3406 of file kern_jail.c.
| int prison_ischild | ( | struct prison * | pr1, |
| struct prison * | pr2 | ||
| ) |
Definition at line 3461 of file kern_jail.c.
Referenced by kern_jail_get(), kern_jail_set(), prison_check(), and prison_name().
| char* prison_name | ( | struct prison * | pr1, |
| struct prison * | pr2 | ||
| ) |
Definition at line 3983 of file kern_jail.c.
References name, prison0, and prison_ischild().
Referenced by kern_jail_get(), kern_jail_set(), and sysctl_jail_list().
|
static |
Definition at line 4008 of file kern_jail.c.
Referenced by kern_jail_get(), and sysctl_jail_list().
| int prison_priv_check | ( | struct ucred * | cred, |
| int | priv | ||
| ) |
Definition at line 3655 of file kern_jail.c.
References jailed().
Referenced by priv_check_cred().
| void prison_proc_free | ( | struct prison * | pr | ) |
Definition at line 2652 of file kern_jail.c.
References PD_DEUREF, PD_LOCKED, and prison_deref().
Referenced by exit1().
| void prison_proc_hold | ( | struct prison * | pr | ) |
Definition at line 2641 of file kern_jail.c.
Referenced by do_fork().
| struct prison_racct* prison_racct_find | ( | const char * | name | ) |
Definition at line 4447 of file kern_jail.c.
References allprison_lock, and prison_racct_find_locked().
|
static |
Definition at line 4417 of file kern_jail.c.
References allprison_lock, malloc(), prison_racct_hold(), and racct_create().
Referenced by prison_racct_find().
| void prison_racct_foreach | ( | void(*)(struct racct *racct, void *arg2, void *arg3) | callback, |
| void * | arg2, | ||
| void * | arg3 | ||
| ) |
Definition at line 4405 of file kern_jail.c.
References allprison_lock, and callback.
| void prison_racct_free | ( | struct prison_racct * | prr | ) |
Definition at line 4478 of file kern_jail.c.
References allprison_lock, and prison_racct_free_locked().
|
static |
Definition at line 4465 of file kern_jail.c.
References allprison_lock, free(), and racct_destroy().
Referenced by prison_racct_free().
| void prison_racct_hold | ( | struct prison_racct * | prr | ) |
Definition at line 4458 of file kern_jail.c.
Referenced by prison_racct_find_locked().
|
static |
Definition at line 2258 of file kern_jail.c.
References allprison_lock, allproc, allproc_lock, kern_psignal(), PD_DEREF, PD_DEUREF, PD_LIST_XLOCKED, PD_LOCKED, and prison_deref().
Referenced by sys_jail_remove().
| SX_SYSINIT | ( | allprison_lock | , |
| & | allprison_lock, | ||
| "allprison" | |||
| ) |
| int sys_jail | ( | struct thread * | td, |
| struct jail_args * | uap | ||
| ) |
Definition at line 291 of file kern_jail.c.
References kern_jail().
| int sys_jail_attach | ( | struct thread * | td, |
| struct jail_attach_args * | uap | ||
| ) |
Definition at line 2308 of file kern_jail.c.
References allprison_lock, do_jail_attach(), pr, prison_find_child(), and priv_check().
| int sys_jail_get | ( | struct thread * | td, |
| struct jail_get_args * | uap | ||
| ) |
Definition at line 1902 of file kern_jail.c.
References copyinuio(), free(), and kern_jail_get().
| int sys_jail_remove | ( | struct thread * | td, |
| struct jail_remove_args * | uap | ||
| ) |
Definition at line 2206 of file kern_jail.c.
References allprison_lock, pr, prison_find_child(), prison_remove_one(), and priv_check().
| int sys_jail_set | ( | struct thread * | td, |
| struct jail_set_args * | uap | ||
| ) |
Definition at line 504 of file kern_jail.c.
References copyinuio(), free(), and kern_jail_set().
|
static |
Definition at line 4185 of file kern_jail.c.
References pr, prison0, and sysctl_handle_int().
|
static |
Definition at line 4255 of file kern_jail.c.
References level, pr, prison0, and sysctl_handle_int().
|
static |
Definition at line 4139 of file kern_jail.c.
References jailed().
|
static |
Definition at line 4035 of file kern_jail.c.
References allprison_lock, free(), malloc(), pr, prison_name(), prison_path(), and realloc().
| int sysctl_jail_param | ( | SYSCTL_HANDLER_ARGS | ) |
Definition at line 4290 of file kern_jail.c.
References snprintf(), and sysctl_handle_string().
| SYSCTL_JAIL_PARAM | ( | jid | , |
| CTLTYPE_INT| | CTLFLAG_RDTUN, | ||
| "I" | , | ||
| "Jail ID" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | securelevel | , |
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "I" | , | ||
| "Jail secure level" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | enforce_statfs | , |
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "I" | , | ||
| "Jail cannot see all mounted file systems" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | devfs_ruleset | , |
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "I" | , | ||
| "Ruleset for in-jail devfs mounts" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | persist | , |
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail persistence" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | dying | , |
| CTLTYPE_INT| | CTLFLAG_RD, | ||
| "B" | , | ||
| "Jail is in the process of shutting down" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _children | , |
| cur | , | ||
| CTLTYPE_INT| | CTLFLAG_RD, | ||
| "I" | , | ||
| "Current number of child jails" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _children | , |
| max | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "I" | , | ||
| "Maximum number of child jails" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _host | , |
| hostid | , | ||
| CTLTYPE_ULONG| | CTLFLAG_RW, | ||
| "LU" | , | ||
| "Jail host ID" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _cpuset | , |
| id | , | ||
| CTLTYPE_INT| | CTLFLAG_RD, | ||
| "I" | , | ||
| "Jail cpuset ID" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| set_hostname | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may set hostname" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| sysvipc | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may use SYSV IPC" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| raw_sockets | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may create raw sockets" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| chflags | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may alter system file flags" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| quotas | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may set file quotas" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow | , |
| socket_af | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may create sockets other than just UNIX/IPv4/IPv6/route" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow_mount | , |
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may mount/unmount jail-friendly file systems in general" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow_mount | , |
| devfs | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may mount the devfs file system" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow_mount | , |
| nullfs | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may mount the nullfs file system" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow_mount | , |
| procfs | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may mount the procfs file system" | |||
| ) |
| SYSCTL_JAIL_PARAM | ( | _allow_mount | , |
| zfs | , | ||
| CTLTYPE_INT| | CTLFLAG_RW, | ||
| "B" | , | ||
| "Jail may mount the zfs file system" | |||
| ) |
| SYSCTL_JAIL_PARAM_NODE | ( | children | , |
| "Number of child jails" | |||
| ) |
| SYSCTL_JAIL_PARAM_NODE | ( | cpuset | , |
| "Jail cpuset" | |||
| ) |
| SYSCTL_JAIL_PARAM_NODE | ( | allow | , |
| "Jail permission flags" | |||
| ) |
| SYSCTL_JAIL_PARAM_STRING | ( | _host | , |
| hostname | , | ||
| CTLFLAG_RW | , | ||
| MAXHOSTNAMELEN | , | ||
| "Jail hostname" | |||
| ) |
| SYSCTL_JAIL_PARAM_STRING | ( | _host | , |
| domainname | , | ||
| CTLFLAG_RW | , | ||
| MAXHOSTNAMELEN | , | ||
| "Jail NIS domainname" | |||
| ) |
| SYSCTL_JAIL_PARAM_STRING | ( | _host | , |
| hostuuid | , | ||
| CTLFLAG_RW | , | ||
| HOSTUUIDLEN | , | ||
| "Jail host UUID" | |||
| ) |
| SYSCTL_JAIL_PARAM_SUBNODE | ( | allow | , |
| mount | , | ||
| "Jail mount/unmount permission flags" | |||
| ) |
| SYSCTL_JAIL_PARAM_SYS_NODE | ( | host | , |
| CTLFLAG_RW | , | ||
| "Jail host info" | |||
| ) |
|
static |
Definition at line 4154 of file kern_jail.c.
References jailed().
|
static |
| SYSCTL_NODE | ( | _security_jail | , |
| OID_AUTO | , | ||
| param | , | ||
| CTLFLAG_RW | , | ||
| 0 | , | ||
| "Jail parameters" | |||
| ) |
| SYSCTL_OID | ( | _security_jail | , |
| OID_AUTO | , | ||
| list | , | ||
| CTLTYPE_STRUCT|CTLFLAG_RD| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| 0 | , | ||
| sysctl_jail_list | , | ||
| "S" | , | ||
| "List of active jails" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| jailed | , | ||
| CTLTYPE_INT|CTLFLAG_RD| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| 0 | , | ||
| sysctl_jail_jailed | , | ||
| "I" | , | ||
| "Process in jail?" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| vnet | , | ||
| CTLTYPE_INT|CTLFLAG_RD| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| 0 | , | ||
| sysctl_jail_vnet | , | ||
| "I" | , | ||
| "Jail owns VNET?" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| set_hostname_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_SET_HOSTNAME | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can set their hostnames" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| socket_unixiproute_only | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| (void *) | 1, | ||
| PR_ALLOW_SOCKET_AF | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail are limited to creating UNIX/IP/route sockets only" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| sysvipc_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_SYSVIPC | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can use System V IPC primitives" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| allow_raw_sockets | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_RAW_SOCKETS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Prison root can create raw sockets" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| chflags_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_CHFLAGS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can alter system file flags" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| mount_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_MOUNT | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can mount/unmount jail-friendly file systems" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| mount_devfs_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_MOUNT_DEVFS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can mount the devfs file system" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| mount_nullfs_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_MOUNT_NULLFS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can mount the nullfs file system" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| mount_procfs_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_MOUNT_PROCFS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can mount the procfs file system" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| mount_zfs_allowed | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| NULL | , | ||
| PR_ALLOW_MOUNT_ZFS | , | ||
| sysctl_jail_default_allow | , | ||
| "I" | , | ||
| "Processes in jail can mount the zfs file system" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| enforce_statfs | , | ||
| CTLTYPE_INT|CTLFLAG_RW| | CTLFLAG_MPSAFE, | ||
| & | jail_default_enforce_statfs, | ||
| offsetof(struct prison, pr_enforce_statfs) | , | ||
| sysctl_jail_default_level | , | ||
| "I" | , | ||
| "Processes in jail cannot see all mounted file systems" | |||
| ) |
| SYSCTL_PROC | ( | _security_jail | , |
| OID_AUTO | , | ||
| devfs_ruleset | , | ||
| CTLTYPE_INT|CTLFLAG_RD| | CTLFLAG_MPSAFE, | ||
| & | jail_default_devfs_rsnum, | ||
| offsetof(struct prison, pr_devfs_rsnum) | , | ||
| sysctl_jail_default_level | , | ||
| "I" | , | ||
| "Ruleset for the devfs filesystem in jail" | |||
| ) |
Variable Documentation
| struct prisonlist allprison = TAILQ_HEAD_INITIALIZER(allprison) |
Definition at line 122 of file kern_jail.c.
Referenced by kern_jail_get(), kern_jail_set(), mountcheckdirs(), prison_deref(), and prison_find().
| struct sx allprison_lock |
Definition at line 120 of file kern_jail.c.
Referenced by cpuset_which(), do_jail_attach(), kern_jail_get(), kern_jail_set(), mountcheckdirs(), prison_deref(), prison_find(), prison_find_child(), prison_find_name(), prison_racct_find(), prison_racct_find_locked(), prison_racct_foreach(), prison_racct_free(), prison_racct_free_locked(), prison_remove_one(), sys_jail_attach(), sys_jail_remove(), sysctl_hostid(), sysctl_hostname(), sysctl_jail_list(), and sysctl_kern_securelvl().
|
static |
Definition at line 230 of file kern_jail.c.
|
static |
Definition at line 232 of file kern_jail.c.
|
static |
Definition at line 231 of file kern_jail.c.
Referenced by kern_jail().
|
static |
Definition at line 197 of file kern_jail.c.
Referenced by kern_jail(), kern_jail_get(), and kern_jail_set().
| const size_t pr_allow_names_size = sizeof(pr_allow_names) |
Definition at line 210 of file kern_jail.c.
|
static |
Definition at line 212 of file kern_jail.c.
| const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames) |
Definition at line 225 of file kern_jail.c.
| struct jailsys_flags pr_flag_jailsys[] |
Referenced by kern_jail_get(), and kern_jail_set().
| const size_t pr_flag_jailsys_size = sizeof(pr_flag_jailsys) |
Definition at line 195 of file kern_jail.c.
| const size_t pr_flag_names_size = sizeof(pr_flag_names) |
Definition at line 166 of file kern_jail.c.
|
static |
Definition at line 168 of file kern_jail.c.
| const size_t pr_flag_nonames_size = sizeof(pr_flag_nonames) |
Definition at line 177 of file kern_jail.c.
| struct prison prison0 |
Definition at line 99 of file kern_jail.c.
Referenced by getcredhostname(), jailed(), kern_jail_set(), linker_file_unload(), linker_load_file(), mkdumpheader(), mountcheckdirs(), prison_deref(), prison_find_name(), prison_name(), proc0_init(), sysctl_jail_default_allow(), sysctl_jail_default_level(), vfs_hang_addrlist(), and vfs_mountroot().
