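/*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@FreeBSD.org> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $
 */

#ifndef _SYS_JAIL_H_
#define _SYS_JAIL_H_

#ifndef _SYS_TYPES_H_
#include <sys/types.h>
#endif
#ifndef _SYS_PARAM_H_
#include <sys/param.h>
#endif
#ifndef _SYS_QUEUE_H_
#include <sys/queue.h>
#endif
#ifndef _SYS_UCRED_H_
#include <sys/ucred.h>
#endif
#ifndef _NET_IF_H_
#include <net/if.h>
#endif

/*
 * Argument block for jail(2).  This is the user/kernel ABI: path, hostname
 * and the ips array all point into user memory and are copied in by the
 * kernel, so every field is caller-controlled input.  ips holds n_ips
 * struct sockaddr_storage entries (IPv4 and/or IPv6).
 *
 * NOTE(review): n_ips is an untrusted count supplied by the caller; the
 * kernel must bound it before walking ips[] -- confirm against the copyin
 * loop in kern_jail.c.
 */
struct jail {
	uint32_t		version;	/* layout selector (0 = jail_v0) */
	char			*path;		/* path of the jail's root directory */
	char			*hostname;	/* initial hostname of the jail */
	uint32_t		n_ips;		/* number of entries in ips[] */
	struct sockaddr_storage	*ips;		/* IP addresses assigned to the jail */
};

/*
 * Original (version 0) layout of the jail(2) argument, retained so old
 * binaries keep working.  Only the leading fields match struct jail;
 * ip_number presumably carries a single IPv4 address -- verify how
 * kern_jail.c converts it before relying on that.
 */
struct jail_v0 {
	uint32_t		version;	/* must be 0 for this layout */
	char			*path;		/* path of the jail's root directory */
	char			*hostname;	/* initial hostname of the jail */
	uint32_t		ip_number;	/* single address, legacy form */
};

#ifndef _KERNEL

/* Userland entry points, implemented as system calls. */
int	jail(struct jail *);
int	jail_attach(int);

#endif

#ifdef _KERNEL

#ifndef _SYS_NAMECACHE_H_
#include <sys/namecache.h>
#endif
#ifndef _SYS_VARSYM_H_
#include <sys/varsym.h>
#endif

#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_PRISON);
#endif

#endif	/* _KERNEL */

/*
 * Jail capabilities.  Each PRISON_CAP_* is a bit number in a prison_cap_t
 * (struct prison's pr_caps); the groups are spaced apart to leave room for
 * additions.  Every value must stay below 64, the width of prison_cap_t.
 */
#define PRISON_CAP_ROOT			0	/* Catch-all during development */

/* System configuration capabilities */
#define PRISON_CAP_SYS_SET_HOSTNAME	1	/* Can set hostname */
#define PRISON_CAP_SYS_SYSVIPC		2	/* Can do SysV IPC calls */

/* Net specific capabilities */
#define PRISON_CAP_NET_UNIXIPROUTE	20	/* Restrict to UNIX/IPv[46]/route
						   sockets only.  Note this bit
						   tightens rather than grants,
						   unlike the other caps. */
#define PRISON_CAP_NET_RAW_SOCKETS	21	/* Can use raw sockets */
#define PRISON_CAP_NET_LISTEN_OVERRIDE	22	/* Can override wildcard on host */

/* VFS specific capabilities */
#define PRISON_CAP_VFS_CHFLAGS		40	/* Can manipulate system file
						   flags */
#define PRISON_CAP_VFS_MOUNT_NULLFS	45	/* Can mount nullfs(5) */
#define PRISON_CAP_VFS_MOUNT_DEVFS	46	/* Can mount devfs(5) */
#define PRISON_CAP_VFS_MOUNT_TMPFS	47	/* Can mount tmpfs(5) */
#define PRISON_CAP_VFS_MOUNT_PROCFS	48	/* Can mount procfs(5) */
#define PRISON_CAP_VFS_MOUNT_FUSEFS	49	/* Can mount fuse */

typedef __uint64_t	prison_cap_t;

/*
 * Test bit 'bit' of capability mask 'mask'; non-zero (the bit itself)
 * when set.  The shifted constant is widened to prison_cap_t first: a
 * plain 1LU is only 32 bits wide on an ILP32 target, so testing any bit
 * >= 32 (every VFS capability above) would be undefined behaviour there.
 * Both arguments are parenthesized so an expression such as (a | b) is
 * masked as a whole.
 */
#define PRISON_CAP_ISSET(mask, bit) \
	((mask) & ((prison_cap_t)1 << (bit)))

#if defined(_KERNEL) || defined(_KERNEL_STRUCTURES)

/* Presumably the largest prison id (pr_id) that may be assigned. */
#define	JAIL_MAX	999999

/* One entry of a prison's IP address list (pr_ips). */
struct jail_ip_storage {
	struct sockaddr_storage		ip;
	SLIST_ENTRY(jail_ip_storage)	entries;
};

/*
 * This structure describes a prison.  It is pointed to by all struct
 * ucred's of the inmates.  pr_ref keeps track of them and is used to
 * delete the structure when the last inmate is dead.
 *
 * NOTE(review): pr_ref is a plain int; whatever serialises
 * prison_hold()/prison_free() against each other is not visible from
 * this header.
 */
struct sysctl_ctx_list;
struct sysctl_oid;

struct prison {
	LIST_ENTRY(prison) pr_list;			/* all prisons */
	int		pr_id;				/* prison id */
	int		pr_ref;				/* reference count */
	struct nchandle pr_root;			/* namecache entry of root */
	char		pr_host[MAXHOSTNAMELEN];	/* host name, NUL-terminated
							   fixed buffer */
	SLIST_HEAD(iplist, jail_ip_storage) pr_ips;	/* list of IP addresses */
	struct sockaddr_in *local_ip4;		/* cache for a loopback ipv4 address */
	struct sockaddr_in *nonlocal_ip4;	/* cache for a non loopback ipv4 address */
	struct sockaddr_in6 *local_ip6;		/* cache for a loopback ipv6 address */
	struct sockaddr_in6 *nonlocal_ip6;	/* cache for a non loopback ipv6 address */
	void		*pr_linux;			/* Linux ABI emulation */
	int		pr_securelevel;			/* jail securelevel */
	struct varsymset pr_varsymset;			/* jail varsyms */

	struct sysctl_ctx_list *pr_sysctl_ctx;
	struct sysctl_oid *pr_sysctl_tree;

	prison_cap_t	pr_caps;			/* Prison capabilities
							   (PRISON_CAP_* bits) */
};

/*
 * Kernel support functions for jail.  The prison_*_ip() helpers take a
 * thread rather than a prison so they can consult the caller's credential;
 * see their definitions for the exact return conventions.
 */
int	jailed_ip(struct prison *pr, const struct sockaddr *sa);
void	prison_free(struct prison *pr);
void	prison_hold(struct prison *pr);
int	prison_if(struct ucred *cred, struct sockaddr *sa);
struct sockaddr *
	prison_get_local(struct prison *pr, sa_family_t family,
	    struct sockaddr *sa);
struct sockaddr *
	prison_get_nonlocal(struct prison *pr, sa_family_t family,
	    struct sockaddr *sa);
int	prison_priv_check(struct ucred *cred, int priv);
int	prison_remote_ip(struct thread *td, struct sockaddr *ip);
int	prison_local_ip(struct thread *td, struct sockaddr *ip);
int	prison_replace_wildcards(struct thread *td, struct sockaddr *ip);
int	prison_sysctl_create(struct prison *pr);
int	prison_sysctl_done(struct prison *pr);

/*
 * Return 1 if the passed credential is in a jail, otherwise 0.
 * cred must be a valid credential; it is dereferenced without a check.
 *
 * MPSAFE
 */
static __inline int
jailed(struct ucred *cred)
{
	return (cred->cr_prison != NULL);
}

#endif	/* _KERNEL || _KERNEL_STRUCTURES */
#endif	/* !_SYS_JAIL_H_ */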