xref: /dragonfly/sys/sys/jail.h (revision 60e242c5) 
1 /*
2  * ----------------------------------------------------------------------------
3  * "THE BEER-WARE LICENSE" (Revision 42):
4  * <phk@FreeBSD.org> wrote this file.  As long as you retain this notice you
5  * can do whatever you want with this stuff. If we meet some day, and you think
6  * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
7  * ----------------------------------------------------------------------------
8  *
9  * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $
10  */
11 
12 #ifndef _SYS_JAIL_H_
13 #define _SYS_JAIL_H_
14 
15 #ifndef _SYS_TYPES_H_
16 #include <sys/types.h>
17 #endif
18 #ifndef _SYS_PARAM_H_
19 #include <sys/param.h>
20 #endif
21 #ifndef _SYS_QUEUE_H_
22 #include <sys/queue.h>
23 #endif
24 #ifndef _SYS_UCRED_H_
25 #include <sys/ucred.h>
26 #endif
27 #ifndef _NET_IF_H_
28 #include <net/if.h>
29 #endif
30 
31 struct jail {
32 	uint32_t	version;
33 	char		*path;
34 	char		*hostname;
35 	uint32_t	n_ips;     /* Number of ips */
36 	struct sockaddr_storage *ips;
37 };
38 
39 struct jail_v0 {
40 	uint32_t	version;
41 	char		*path;
42 	char		*hostname;
43 	uint32_t	ip_number;
44 };
45 
46 #ifndef _KERNEL
47 
48 int jail(struct jail *);
49 int jail_attach(int);
50 
51 #endif
52 
53 #ifdef _KERNEL
54 
55 #ifndef _SYS_NAMECACHE_H_
56 #include <sys/namecache.h>
57 #endif
58 #ifndef _SYS_VARSYM_H_
59 #include <sys/varsym.h>
60 #endif
61 
62 #ifdef MALLOC_DECLARE
63 MALLOC_DECLARE(M_PRISON);
64 #endif
65 
66 #endif	/* _KERNEL */
67 
68 /* Jail capabilities */
69 #define PRISON_CAP_ROOT			0    /* Catch-all during development */
70 
71 /* System configuration capabilities */
72 #define PRISON_CAP_SYS_SET_HOSTNAME	1    /* Can set hostname */
73 #define PRISON_CAP_SYS_SYSVIPC		2    /* Can do SysV IPC calls */
74 
75 /* Net specific capabiliites */
76 #define PRISON_CAP_NET_UNIXIPROUTE	20   /* Restrict to UNIX/IPv[46]/route
77                                                 sockets only */
78 #define PRISON_CAP_NET_RAW_SOCKETS	21   /* Can use raw sockets */
79 #define PRISON_CAP_NET_LISTEN_OVERRIDE	22   /* Can override wildcard on host */
80 
81 /* VFS specific capabilities */
82 #define PRISON_CAP_VFS_CHFLAGS		40   /* Can manipulate system file
83                                                 flags */
84 #define PRISON_CAP_VFS_MOUNT_NULLFS	45   /* Can mount nullfs(5) */
85 #define PRISON_CAP_VFS_MOUNT_DEVFS	46   /* Can mount devfs(5) */
86 #define PRISON_CAP_VFS_MOUNT_TMPFS	47   /* Can mount tmpfs(5) */
87 #define PRISON_CAP_VFS_MOUNT_PROCFS	48   /* Can mount procfs(5) */
88 #define PRISON_CAP_VFS_MOUNT_FUSEFS	49   /* Can mount fuse */
89 
90 typedef __uint64_t prison_cap_t;
91 
92 #define PRISON_CAP_ISSET(mask, bit)	(mask & (1LU << bit))
93 
94 #if defined(_KERNEL) || defined(_KERNEL_STRUCTURES)
95 
96 #define	JAIL_MAX	999999
97 
98 /* Used to store the IPs of the jail */
99 
100 struct jail_ip_storage {
101 	struct sockaddr_storage ip;
102 	SLIST_ENTRY(jail_ip_storage) entries;
103 };
104 
105 /*
106  * This structure describes a prison.  It is pointed to by all struct
107  * ucred's of the inmates.  pr_ref keeps track of them and is used to
108  * delete the struture when the last inmate is dead.
109  */
110 struct sysctl_ctx_list;
111 struct sysctl_oid;
112 
113 struct prison {
114 	LIST_ENTRY(prison) pr_list;			/* all prisons */
115 	int		pr_id;				/* prison id */
116 	int		pr_ref;				/* reference count */
117 	struct nchandle pr_root;			/* namecache entry of root */
118 	char 		pr_host[MAXHOSTNAMELEN];	/* host name */
119 	SLIST_HEAD(iplist, jail_ip_storage) pr_ips;	/* list of IP addresses */
120 	struct sockaddr_in	*local_ip4;		/* cache for a loopback ipv4 address */
121 	struct sockaddr_in	*nonlocal_ip4;		/* cache for a non loopback ipv4 address */
122 	struct sockaddr_in6	*local_ip6;		/* cache for a loopback ipv6 address */
123 	struct sockaddr_in6	*nonlocal_ip6;		/* cache for a non loopback ipv6 address */
124 	void		*pr_linux;			/* Linux ABI emulation */
125 	int		 pr_securelevel;		/* jail securelevel */
126 	struct varsymset pr_varsymset;			/* jail varsyms */
127 
128 	struct sysctl_ctx_list *pr_sysctl_ctx;
129 	struct sysctl_oid *pr_sysctl_tree;
130 
131 	prison_cap_t	pr_caps;			/* Prison capabilities */
132 };
133 
134 /*
135  * Kernel support functions for jail.
136  */
137 int	jailed_ip(struct prison *, const struct sockaddr *);
138 void	prison_free(struct prison *);
139 void	prison_hold(struct prison *);
140 int	prison_if(struct ucred *cred, struct sockaddr *sa);
141 struct sockaddr *
142 	prison_get_local(struct prison *pr, sa_family_t, struct sockaddr *);
143 struct sockaddr *
144 	prison_get_nonlocal(struct prison *pr, sa_family_t, struct sockaddr *);
145 int	prison_priv_check(struct ucred *cred, int priv);
146 int	prison_remote_ip(struct thread *td, struct sockaddr *ip);
147 int	prison_local_ip(struct thread *td, struct sockaddr *ip);
148 int	prison_replace_wildcards(struct thread *td, struct sockaddr *ip);
149 int	prison_sysctl_create(struct prison *);
150 int	prison_sysctl_done(struct prison *);
151 
152 /*
153  * Return 1 if the passed credential is in a jail, otherwise 0.
154  *
155  * MPSAFE
156  */
157 static __inline int
158 jailed(struct ucred *cred)
159 {
160 	return(cred->cr_prison != NULL);
161 }
162 
163 #endif /* _KERNEL || _KERNEL_STRUCTURES */
164 #endif /* !_SYS_JAIL_H_ */
165