1 | /* |
2 | * ---------------------------------------------------------------------------- | |
3 | * "THE BEER-WARE LICENSE" (Revision 42): | |
4 | * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you | |
5 | * can do whatever you want with this stuff. If we meet some day, and you think | |
6 | * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp | |
7 | * ---------------------------------------------------------------------------- | |
8 | * | |
9 | * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $ | |
10 | */ |
11 | ||
12 | #ifndef _SYS_JAIL_H_ | |
13 | #define _SYS_JAIL_H_ | |
14 | ||
15 | #ifndef _SYS_TYPES_H_ |
16 | #include <sys/types.h> | |
17 | #endif | |
18 | #ifndef _SYS_PARAM_H_ | |
19 | #include <sys/param.h> | |
20 | #endif | |
21 | #ifndef _SYS_QUEUE_H_ |
22 | #include <sys/queue.h> | |
23 | #endif | |
24 | #ifndef _SYS_UCRED_H_ |
25 | #include <sys/ucred.h> | |
26 | #endif | |
210a0869 | 27 | #ifndef _NET_IF_H_ |
28 | #include <net/if.h> |
29 | #endif | |
1bd40720 | 30 | |
/*
 * Argument block handed to jail() (declared below for userland builds);
 * this is the current layout, struct jail_v0 below is the older one.
 *
 * NOTE(review): this is caller-supplied data.  n_ips and the memory behind
 * ips presumably have to be bounded and copied in by the kernel before use;
 * that validation is not part of this header — confirm in the implementation.
 */
struct jail {
	uint32_t		version;	/* presumably selects this layout vs. v0 — confirm */
	char			*path;
	char			*hostname;
	uint32_t		n_ips;		/* Number of ips */
	struct sockaddr_storage	*ips;		/* presumably n_ips entries — confirm */
};
38 | ||
/*
 * Version 0 layout of the jail() argument block: a single 32-bit
 * ip_number where struct jail carries an n_ips/ips array.  Kept so callers
 * built against the old layout still match on the version field.
 */
struct jail_v0 {
	uint32_t	version;
	char		*path;
	char		*hostname;
	uint32_t	ip_number;	/* presumably one IPv4 address — confirm byte order */
};
45 | ||
46 | #ifndef _KERNEL | |
47 | ||
/*
 * Userland entry points (only visible when _KERNEL is not defined).
 * The int taken by jail_attach() is presumably a jail id as stored in
 * struct prison's pr_id — confirm against the system call implementation.
 */
int	jail(struct jail *jp);
int	jail_attach(int jid);
984263bc | 50 | |
51 | #endif |
52 | ||
53 | #ifdef _KERNEL | |
984263bc | 54 | |
55 | #ifndef _SYS_NAMECACHE_H_ |
56 | #include <sys/namecache.h> | |
57 | #endif | |
58 | #ifndef _SYS_VARSYM_H_ | |
b40e316c | 59 | #include <sys/varsym.h> |
28623bf9 | 60 | #endif |
b40e316c | 61 | |
62 | #ifdef MALLOC_DECLARE |
63 | MALLOC_DECLARE(M_PRISON); | |
64 | #endif | |
65 | ||
66 | #endif /* _KERNEL */ |
67 | ||
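/* Jail capabilities */
#define PRISON_CAP_ROOT			0	/* Catch-all during development */

/* System configuration capabilities */
#define PRISON_CAP_SYS_SET_HOSTNAME	1	/* Can set hostname */
#define PRISON_CAP_SYS_SYSVIPC		2	/* Can do SysV IPC calls */

/* Net specific capabilities */
#define PRISON_CAP_NET_UNIXIPROUTE	20	/* Restrict to UNIX/IPv[46]/route
						   sockets only */
#define PRISON_CAP_NET_RAW_SOCKETS	21	/* Can use raw sockets */
#define PRISON_CAP_NET_LISTEN_OVERRIDE	22	/* Can override wildcard on host */

/* VFS specific capabilities */
#define PRISON_CAP_VFS_CHFLAGS		40	/* Can manipulate system file
						   flags */
#define PRISON_CAP_VFS_MOUNT_NULLFS	45	/* Can mount nullfs(5) */
#define PRISON_CAP_VFS_MOUNT_DEVFS	46	/* Can mount devfs(5) */
#define PRISON_CAP_VFS_MOUNT_TMPFS	47	/* Can mount tmpfs(5) */
#define PRISON_CAP_VFS_MOUNT_PROCFS	48	/* Can mount procfs(5) */
#define PRISON_CAP_VFS_MOUNT_FUSEFS	49	/* Can mount fuse */

/*
 * Capability bitmask: bit N is set when capability number N is granted.
 * 64 bits wide so every PRISON_CAP_* number above (currently up to 49)
 * has a bit of its own.
 */
typedef __uint64_t prison_cap_t;

/*
 * Test whether capability number `bit' is set in `mask'.  Evaluates to the
 * masked bit (non-zero when set), so it is only meaningful in a boolean
 * context.
 *
 * The one-bit is built from prison_cap_t rather than 1LU: on a target where
 * long is 32 bits, 1LU << bit is undefined for bits 32 and above, which
 * covers all of the VFS capabilities, and the check would silently give the
 * wrong answer.  Both arguments are parenthesized so expressions such as
 * `mask | other' or `base + n' are handled as a unit.
 */
#define PRISON_CAP_ISSET(mask, bit)	((mask) & ((prison_cap_t)1 << (bit)))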
93 | ||
94 | #if defined(_KERNEL) || defined(_KERNEL_STRUCTURES) |
95 | ||
96 | #define JAIL_MAX 999999 |
97 | ||
/*
 * Used to store the IPs of the jail: one element of a prison's pr_ips
 * SLIST, holding a single address of any family that fits in
 * sockaddr_storage plus the list linkage.
 */
struct jail_ip_storage {
	struct sockaddr_storage ip;
	SLIST_ENTRY(jail_ip_storage) entries;
};
104 | ||
/*
 * This structure describes a prison.  It is pointed to by all struct
 * ucred's of the inmates.  pr_ref keeps track of them and is used to
 * delete the structure when the last inmate is dead.
 *
 * NOTE(review): prison_hold()/prison_free() declared below are presumably
 * the pr_ref increment/decrement pair — confirm.
 */
/* Opaque here: struct prison only stores pointers to them. */
struct sysctl_ctx_list;
struct sysctl_oid;

struct prison {
	LIST_ENTRY(prison) pr_list;			/* all prisons */
	int		pr_id;				/* prison id */
	int		pr_ref;				/* reference count */
	struct nchandle	pr_root;			/* namecache entry of root */
	char		pr_host[MAXHOSTNAMELEN];	/* host name */
	SLIST_HEAD(iplist, jail_ip_storage) pr_ips;	/* list of IP addresses */
	struct sockaddr_in *local_ip4;		/* cache for a loopback ipv4 address */
	struct sockaddr_in *nonlocal_ip4;	/* cache for a non loopback ipv4 address */
	struct sockaddr_in6 *local_ip6;		/* cache for a loopback ipv6 address */
	struct sockaddr_in6 *nonlocal_ip6;	/* cache for a non loopback ipv6 address */
	void		*pr_linux;			/* Linux ABI emulation */
	int		pr_securelevel;			/* jail securelevel */
	struct varsymset pr_varsymset;			/* jail varsyms */

	/* per-prison sysctl state; presumably set up by prison_sysctl_create()
	 * and torn down by prison_sysctl_done() declared below — confirm */
	struct sysctl_ctx_list *pr_sysctl_ctx;
	struct sysctl_oid *pr_sysctl_tree;

	prison_cap_t	pr_caps;	/* Prison capabilities: PRISON_CAP_* bits,
					 * test with PRISON_CAP_ISSET() */
};
133 | ||
/*
 * Kernel support functions for jail.
 *
 * Declarations only.  The notes below are inferred from the names and from
 * the struct prison fields above; confirm against the implementation.
 */
int	jailed_ip(struct prison *, const struct sockaddr *);	/* presumably: is the address in pr_ips? */
void	prison_free(struct prison *);			/* presumably drops a pr_ref */
void	prison_hold(struct prison *);			/* presumably takes a pr_ref */
int	prison_if(struct ucred *cred, struct sockaddr *sa);
/* presumably return the local_ip4/local_ip6 (resp. nonlocal_*) cache entry
 * for the given family — confirm what the third argument receives */
struct sockaddr *
prison_get_local(struct prison *pr, sa_family_t, struct sockaddr *);
struct sockaddr *
prison_get_nonlocal(struct prison *pr, sa_family_t, struct sockaddr *);
int	prison_priv_check(struct ucred *cred, int priv);	/* privilege check for a jailed cred */
int	prison_remote_ip(struct thread *td, struct sockaddr *ip);
int	prison_local_ip(struct thread *td, struct sockaddr *ip);
int	prison_replace_wildcards(struct thread *td, struct sockaddr *ip);
int	prison_sysctl_create(struct prison *);	/* presumably fills pr_sysctl_ctx/pr_sysctl_tree */
int	prison_sysctl_done(struct prison *);
151 | |
/*
 * Return 1 if the passed credential is in a jail, otherwise 0.
 * A credential is jailed exactly when its cr_prison pointer is non-NULL.
 *
 * MPSAFE
 */
static __inline int
jailed(struct ucred *cred)
{
	if (cred->cr_prison == NULL)
		return (0);
	return (1);
}
162 | ||
5dfd06ac | 163 | #endif /* _KERNEL || _KERNEL_STRUCTURES */ |
984263bc | 164 | #endif /* !_SYS_JAIL_H_ */ |