projects / dragonfly.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
nrelease - fix/improve livecd
[dragonfly.git] / sys / sys / jail.h
CommitLineData
984263bc
MD		 1/*
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
8 *
9 * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $
984263bc
MD		 10 */
11
12#ifndef _SYS_JAIL_H_
13#define _SYS_JAIL_H_
14
1bd40720
MD		 15#ifndef _SYS_TYPES_H_
16#include <sys/types.h>
17#endif
18#ifndef _SYS_PARAM_H_
19#include <sys/param.h>
20#endif
3e4150ef
VBD		 21#ifndef _SYS_QUEUE_H_
22#include <sys/queue.h>
23#endif
1bd40720
MD		 24#ifndef _SYS_UCRED_H_
25#include <sys/ucred.h>
26#endif
210a0869 27#ifndef _NET_IF_H_
3e4150ef
VBD		 28#include <net/if.h>
29#endif
1bd40720 30
984263bc 31struct jail {
3e4150ef
VBD		 32 uint32_t version;
33 char *path;
34 char *hostname;
35 uint32_t n_ips; /* Number of ips */
36 struct sockaddr_storage *ips;
37};
38
39struct jail_v0 {
b40e316c 40 uint32_t version;
984263bc
MD		 41 char *path;
42 char *hostname;
b40e316c 43 uint32_t ip_number;
984263bc
MD		 44};
45
46#ifndef _KERNEL
47
b40e316c
JS		 48int jail(struct jail *);
49int jail_attach(int);
984263bc 50
5dfd06ac
SS		 51#endif
52
53#ifdef _KERNEL
984263bc 54
28623bf9
MD		 55#ifndef _SYS_NAMECACHE_H_
56#include <sys/namecache.h>
57#endif
58#ifndef _SYS_VARSYM_H_
b40e316c 59#include <sys/varsym.h>
28623bf9 60#endif
b40e316c 61
984263bc
MD		 62#ifdef MALLOC_DECLARE
63MALLOC_DECLARE(M_PRISON);
64#endif
65
5dfd06ac
SS		 66#endif /* _KERNEL */
67
25e27214
AHJ		 68/* Jail capabilities */
69#define PRISON_CAP_ROOT 0 /* Catch-all during development */
70
71/* System configuration capabilities */
72#define PRISON_CAP_SYS_SET_HOSTNAME 1 /* Can set hostname */
73#define PRISON_CAP_SYS_SYSVIPC 2 /* Can do SysV IPC calls */
74
75/* Net specific capabiliites */
76#define PRISON_CAP_NET_UNIXIPROUTE 20 /* Restrict to UNIX/IPv[46]/route
77 sockets only */
78#define PRISON_CAP_NET_RAW_SOCKETS 21 /* Can use raw sockets */
2ea2781e 79#define PRISON_CAP_NET_LISTEN_OVERRIDE 22 /* Can override wildcard on host */
25e27214
AHJ		 80
81/* VFS specific capabilities */
82#define PRISON_CAP_VFS_CHFLAGS 40 /* Can manipulate system file
83 flags */
645b0d2b
AHJ		 84#define PRISON_CAP_VFS_MOUNT_NULLFS 45 /* Can mount nullfs(5) */
85#define PRISON_CAP_VFS_MOUNT_DEVFS 46 /* Can mount devfs(5) */
86#define PRISON_CAP_VFS_MOUNT_TMPFS 47 /* Can mount tmpfs(5) */
24687fff
AHJ		 87#define PRISON_CAP_VFS_MOUNT_PROCFS 48 /* Can mount procfs(5) */
88#define PRISON_CAP_VFS_MOUNT_FUSEFS 49 /* Can mount fuse */
25e27214
AHJ		 89
90typedef __uint64_t prison_cap_t;
91
92#define PRISON_CAP_ISSET(mask, bit) (mask & (1LU << bit))
93
5dfd06ac
SS		 94#if defined(_KERNEL) || defined(_KERNEL_STRUCTURES)
95
b40e316c
JS		 96#define JAIL_MAX 999999
97
3e4150ef
VBD		 98/* Used to store the IPs of the jail */
99
100struct jail_ip_storage {
3e4150ef 101 struct sockaddr_storage ip;
bd544276 102 SLIST_ENTRY(jail_ip_storage) entries;
3e4150ef
VBD		 103};
104
984263bc
MD		 105/*
106 * This structure describes a prison. It is pointed to by all struct
e1c6b0c1 107 * ucred's of the inmates. pr_ref keeps track of them and is used to
984263bc
MD		 108 * delete the struture when the last inmate is dead.
109 */
88681aec 110struct sysctl_ctx_list;
111struct sysctl_oid;
984263bc
MD		 112
113struct prison {
b40e316c
JS		 114 LIST_ENTRY(prison) pr_list; /* all prisons */
115 int pr_id; /* prison id */
116 int pr_ref; /* reference count */
28623bf9 117 struct nchandle pr_root; /* namecache entry of root */
b40e316c 118 char pr_host[MAXHOSTNAMELEN]; /* host name */
3e4150ef 119 SLIST_HEAD(iplist, jail_ip_storage) pr_ips; /* list of IP addresses */
bd544276
VBD		 120 struct sockaddr_in *local_ip4; /* cache for a loopback ipv4 address */
121 struct sockaddr_in *nonlocal_ip4; /* cache for a non loopback ipv4 address */
122 struct sockaddr_in6 *local_ip6; /* cache for a loopback ipv6 address */
123 struct sockaddr_in6 *nonlocal_ip6; /* cache for a non loopback ipv6 address */
b40e316c
JS		 124 void *pr_linux; /* Linux ABI emulation */
125 int pr_securelevel; /* jail securelevel */
126 struct varsymset pr_varsymset; /* jail varsyms */
7104f312
AHJ		 127
128 struct sysctl_ctx_list *pr_sysctl_ctx;
129 struct sysctl_oid *pr_sysctl_tree;
130
25e27214 131 prison_cap_t pr_caps; /* Prison capabilities */
984263bc
MD		 132};
133
e1c6b0c1
AL		 134/*
135 * Kernel support functions for jail.
136 */
6ad50c19 137int jailed_ip(struct prison *, const struct sockaddr *);
e1c6b0c1
AL		 138void prison_free(struct prison *);
139void prison_hold(struct prison *);
140int prison_if(struct ucred *cred, struct sockaddr *sa);
bd544276
VBD		 141struct sockaddr *
142 prison_get_local(struct prison *pr, sa_family_t, struct sockaddr *);
143struct sockaddr *
144 prison_get_nonlocal(struct prison *pr, sa_family_t, struct sockaddr *);
cd554aa4 145int prison_priv_check(struct ucred *cred, int priv);
e1c6b0c1 146int prison_remote_ip(struct thread *td, struct sockaddr *ip);
2ea2781e 147int prison_local_ip(struct thread *td, struct sockaddr *ip);
e1c6b0c1 148int prison_replace_wildcards(struct thread *td, struct sockaddr *ip);
7104f312
AHJ		 149int prison_sysctl_create(struct prison *);
150int prison_sysctl_done(struct prison *);
b40e316c
JS		 151
152/*
153 * Return 1 if the passed credential is in a jail, otherwise 0.
1ee6e3c6
MD		 154 *
155 * MPSAFE
b40e316c
JS		 156 */
157static __inline int
158jailed(struct ucred *cred)
159{
160 return(cred->cr_prison != NULL);
161}
162
5dfd06ac 163#endif /* _KERNEL || _KERNEL_STRUCTURES */
984263bc 164#endif /* !_SYS_JAIL_H_ */
DragonFly Project Source