/*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $
 */

#ifndef _SYS_JAIL_H_
#define _SYS_JAIL_H_

#ifndef _SYS_TYPES_H_
#include <sys/types.h>
#endif
#ifndef _SYS_PARAM_H_
#include <sys/param.h>
#endif
#ifndef _SYS_QUEUE_H_
#include <sys/queue.h>
#endif
#ifndef _SYS_UCRED_H_
#include <sys/ucred.h>
#endif
#ifndef _NET_IF_H_
#include <net/if.h>
#endif

/*
 * Argument block passed to jail(2) (current layout; see struct jail_v0
 * below for the original one).
 *
 * Everything reachable through the pointers lives in the caller's address
 * space, so the kernel side has to copy it in rather than dereference it:
 *  - path and hostname are caller-supplied strings.  hostname ends up in the
 *    fixed-size pr_host[MAXHOSTNAMELEN] of struct prison, so the copy must
 *    be bounded (done in the jail(2) implementation, not visible here --
 *    verify there).
 *  - ips points at n_ips consecutive struct sockaddr_storage.  n_ips is
 *    caller-controlled and needs a range check before any allocation or
 *    copy sized from it.
 * version: presumably selects this layout versus struct jail_v0 -- TODO
 *          confirm against the syscall handler.
 */
struct jail {
	uint32_t		version;
	char			*path;
	char			*hostname;
	uint32_t		n_ips;		/* Number of ips */
	struct sockaddr_storage	*ips;
};

/*
 * Original (version 0) argument block: one IPv4 address carried as a 32-bit
 * integer in place of the sockaddr_storage array above.  Kept for callers
 * built against the old ABI.  The byte order expected in ip_number is not
 * visible in this header -- TODO confirm.
 */
struct jail_v0 {
	uint32_t	version;
	char		*path;
	char		*hostname;
	uint32_t	ip_number;
};

#ifndef _KERNEL

/*
 * Userland entry points.  This header only declares them; semantics are
 * those of the jail(2) and jail_attach(2) system calls.
 */
int jail(struct jail *);
int jail_attach(int);

#endif

#ifdef _KERNEL

#ifndef _SYS_NAMECACHE_H_
#include <sys/namecache.h>
#endif
#ifndef _SYS_VARSYM_H_
#include <sys/varsym.h>
#endif

#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_PRISON);	/* malloc(9) type tag used by the jail code */
#endif

#endif /* _KERNEL */

/*
 * Jail capabilities.
 *
 * Each PRISON_CAP_* constant is a bit index into a prison_cap_t mask
 * (tested with PRISON_CAP_ISSET); the indices deliberately leave gaps
 * between the groups.  Note that the VFS group starts at 40, so the mask
 * type must be 64 bits wide.
 */
#define PRISON_CAP_ROOT			0	/* Catch-all during development */

/* System configuration capabilities */
#define PRISON_CAP_SYS_SET_HOSTNAME	1	/* Can set hostname */
#define PRISON_CAP_SYS_SYSVIPC		2	/* Can do SysV IPC calls */

/*
 * Net specific capabilities.
 *
 * NOTE(review): PRISON_CAP_NET_UNIXIPROUTE reads as a restriction whereas
 * the other bits read as grants; the polarity is decided by the code that
 * tests the bit, not here -- check callers before relying on either sense.
 */
#define PRISON_CAP_NET_UNIXIPROUTE	20	/* Restrict to UNIX/IPv[46]/route
						   sockets only */
#define PRISON_CAP_NET_RAW_SOCKETS	21	/* Can use raw sockets */
#define PRISON_CAP_NET_LISTEN_OVERRIDE	22
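/* Can override wildcard on host */

/* VFS specific capabilities */
#define PRISON_CAP_VFS_CHFLAGS		40	/* Can manipulate system file
						   flags */
#define PRISON_CAP_VFS_MOUNT_NULLFS	45	/* Can mount nullfs(5) */
#define PRISON_CAP_VFS_MOUNT_DEVFS	46	/* Can mount devfs(5) */
#define PRISON_CAP_VFS_MOUNT_TMPFS	47	/* Can mount tmpfs(5) */

/*
 * Capability mask: one bit per PRISON_CAP_* index.  It has to be 64 bits
 * wide because the VFS capabilities above occupy bit positions 40-47.
 */
typedef __uint64_t prison_cap_t;

/*
 * Test whether capability index 'bit' is set in 'mask'.
 * Evaluates to 1 when the bit is set and 0 otherwise.  'bit' must be
 * smaller than the width of prison_cap_t (64); shifting by more is
 * undefined behaviour.
 *
 * The constant 1 is cast to prison_cap_t before shifting.  The previous
 * form used 1LU, whose width is that of unsigned long -- 32 bits on ILP32
 * targets -- so testing any index >= 32 (every VFS capability) was
 * undefined behaviour and the capability check could give a wrong answer.
 * Arguments are parenthesised so expression arguments work, and the result
 * is normalised to 0/1 so it is not truncated to 0 when a caller stores it
 * in an int (a raw 1 << 40 would be).
 */
#define PRISON_CAP_ISSET(mask, bit) \
	(((mask) & ((prison_cap_t)1 << (bit))) != 0)

#if defined(_KERNEL) || defined(_KERNEL_STRUCTURES)

#define JAIL_MAX	999999	/* presumably the largest prison id handed
				   out -- verify against the id allocator */

/* Used to store the IPs of the jail */
struct jail_ip_storage {
	struct sockaddr_storage	ip;
	SLIST_ENTRY(jail_ip_storage) entries;
};

/*
 * This structure describes a prison.  It is pointed to by all struct
 * ucred's of the inmates.  pr_ref keeps track of them and is used to
 * delete the structure when the last inmate is dead.
 *
 * pr_ref is a plain int; take and drop references only through
 * prison_hold()/prison_free() (declared below).  Whether those are atomic
 * or lock-protected is not visible in this header.
 */
struct sysctl_ctx_list;
struct sysctl_oid;
struct thread;		/* forward declaration for the prototypes below, so
			   'struct thread *' does not get a prototype-scope
			   declaration distinct from the real one */

struct prison {
	LIST_ENTRY(prison) pr_list;			/* all prisons */
	int		pr_id;				/* prison id */
	int		pr_ref;				/* reference count */
	struct nchandle	pr_root;			/* namecache entry of root */
	char		pr_host[MAXHOSTNAMELEN];	/* host name (fixed size:
							   bound the copy from
							   struct jail.hostname) */
	SLIST_HEAD(iplist, jail_ip_storage) pr_ips;	/* list of IP addresses */
	struct sockaddr_in *local_ip4;			/* cache for a loopback ipv4 address */
	struct sockaddr_in *nonlocal_ip4;		/* cache for a non loopback ipv4 address */
	struct sockaddr_in6 *local_ip6;			/* cache for a loopback ipv6 address */
	struct sockaddr_in6 *nonlocal_ip6;		/* cache for a non loopback ipv6 address */
	void		*pr_linux;			/* Linux ABI emulation */
	int		pr_securelevel;			/* jail securelevel */
	struct varsymset pr_varsymset;			/* jail varsyms */

	struct sysctl_ctx_list *pr_sysctl_ctx;
	struct sysctl_oid *pr_sysctl_tree;

	prison_cap_t	pr_caps;			/* Prison capabilities,
							   tested with
							   PRISON_CAP_ISSET */
};

/*
 * Kernel support functions for jail.
 */
int	jailed_ip(struct prison *, const struct sockaddr *);
void	prison_free(struct prison *);
void	prison_hold(struct prison *);
int	prison_if(struct ucred *cred, struct sockaddr *sa);
struct sockaddr *
	prison_get_local(struct prison *pr, sa_family_t, struct sockaddr *);
struct sockaddr *
	prison_get_nonlocal(struct prison *pr, sa_family_t, struct sockaddr *);
int	prison_priv_check(struct ucred *cred, int priv);
int	prison_remote_ip(struct thread *td, struct sockaddr *ip);
int	prison_local_ip(struct thread *td, struct sockaddr *ip);
int	prison_replace_wildcards(struct thread *td, struct sockaddr *ip);
int	prison_sysctl_create(struct prison *);
int	prison_sysctl_done(struct prison *);

/*
 * Return 1 if the passed credential is in a jail, otherwise 0.
 *
 * cred is dereferenced without a NULL check; callers must pass a valid
 * credential.
 *
 * MPSAFE
 */
static __inline int
jailed(struct ucred *cred)
{
	return(cred->cr_prison != NULL);
}

#endif /* _KERNEL || _KERNEL_STRUCTURES */
#endif /* !_SYS_JAIL_H_ */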