xref: /freebsd/usr.sbin/jail/jailp.h (revision d50685b3)

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2011 James Gritton.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/types.h>
#include <sys/jail.h>
#include <sys/queue.h>
#include <sys/time.h>

#include <jail.h>
#include <stdio.h>

#define CONF_FILE	"/etc/jail.conf"

#define DEP_FROM	0
#define DEP_TO		1

#define DF_SEEN		0x01	/* Dependency has been followed */
#define DF_LIGHT	0x02	/* Implied dependency on jail existence only */
#define DF_NOFAIL	0x04	/* Don't propagate failed jails */

#define PF_VAR		0x0001	/* This is a variable, not a true parameter */
#define PF_APPEND	0x0002	/* Append to existing parameter list */
#define PF_BAD		0x0004	/* Unable to resolve parameter value */
#define PF_INTERNAL	0x0008	/* Internal parameter, not passed to kernel */
#define PF_BOOL		0x0010	/* Boolean parameter */
#define PF_INT		0x0020	/* Integer parameter */
#define PF_CONV		0x0040	/* Parameter duplicated in converted form */
#define PF_REV		0x0080	/* Run commands in reverse order on stopping */
#define	PF_IMMUTABLE	0x0100	/* Immutable parameter */
#define	PF_NAMEVAL	0x0200	/* Parameter is in "name value" form */

#define JF_START	0x0001	/* -c */
#define JF_SET		0x0002	/* -m */
#define JF_STOP		0x0004	/* -r */
#define JF_DEPEND	0x0008	/* Operation required by dependency */
#define JF_WILD		0x0010	/* Not specified on the command line */
#define JF_FAILED	0x0020	/* Operation failed */
#define JF_PARAMS	0x0040	/* Parameters checked and imported */
#define JF_RDTUN	0x0080	/* Create-only parameter check has been done */
#define JF_PERSIST	0x0100	/* Jail is temporarily persistent */
#define JF_TIMEOUT	0x0200	/* A command (or process kill) timed out */
#define JF_SLEEPQ	0x0400	/* Waiting on a command and/or timeout */
#define JF_FROM_RUNQ	0x0800	/* Has already been on the run queue */
#define JF_CLEANUP	0x1000	/* -C Run post-removal commands */

#define JF_OP_MASK		(JF_START | JF_SET | JF_STOP)
#define JF_RESTART		(JF_START | JF_STOP)
#define JF_START_SET		(JF_START | JF_SET)
#define JF_SET_RESTART		(JF_SET | JF_STOP)
#define JF_START_SET_RESTART	(JF_START | JF_SET | JF_STOP)
#define JF_DO_STOP(js)		(((js) & (JF_SET | JF_STOP)) == JF_STOP)

enum intparam {
	IP__NULL = 0,		/* Null command */
	IP_ALLOW_DYING,		/* Allow making changes to a dying jail */
	IP_COMMAND,		/* Command run inside jail at creation */
	IP_DEPEND,		/* Jail starts after (stops before) another */
	IP_EXEC_CLEAN,		/* Run commands in a clean environment */
	IP_EXEC_CONSOLELOG,	/* Redirect optput for commands run in jail */
	IP_EXEC_FIB,		/* Run jailed commands with this FIB */
	IP_EXEC_JAIL_USER,	/* Run jailed commands as this user */
	IP_EXEC_POSTSTART,	/* Commands run outside jail after creating */
	IP_EXEC_POSTSTOP,	/* Commands run outside jail after removing */
	IP_EXEC_PREPARE,	/* Commands run outside jail before addrs and mounting */
	IP_EXEC_PRESTART,	/* Commands run outside jail before creating */
	IP_EXEC_PRESTOP,	/* Commands run outside jail before removing */
	IP_EXEC_RELEASE,	/* Commands run outside jail after addrs and unmounted */
	IP_EXEC_CREATED,	/* Commands run outside jail right after it was started */
	IP_EXEC_START,		/* Commands run inside jail on creation */
	IP_EXEC_STOP,		/* Commands run inside jail on removal */
	IP_EXEC_SYSTEM_JAIL_USER,/* Get jail_user from system passwd file */
	IP_EXEC_SYSTEM_USER,	/* Run non-jailed commands as this user */
	IP_EXEC_TIMEOUT,	/* Time to wait for a command to complete */
#if defined(INET) || defined(INET6)
	IP_INTERFACE,		/* Add IP addresses to this interface */
	IP_IP_HOSTNAME,		/* Get jail IP address(es) from hostname */
#endif
	IP_MOUNT,		/* Mount points in fstab(5) form */
	IP_MOUNT_DEVFS,		/* Mount /dev under prison root */
	IP_MOUNT_FDESCFS,	/* Mount /dev/fd under prison root */
	IP_MOUNT_PROCFS,	/* Mount /proc under prison root */
	IP_MOUNT_FSTAB,		/* A standard fstab(5) file */
	IP_STOP_TIMEOUT,	/* Time to wait after sending SIGTERM */
	IP_VNET_INTERFACE,	/* Assign interface(s) to vnet jail */
	IP_ZFS_DATASET,		/* Jail ZFS datasets */
#ifdef INET
	IP__IP4_IFADDR,		/* Copy of ip4.addr with interface/netmask */
#endif
#ifdef INET6
	IP__IP6_IFADDR,		/* Copy of ip6.addr with interface/prefixlen */
#endif
	IP__MOUNT_FROM_FSTAB,	/* Line from mount.fstab file */
	IP__OP,			/* Placeholder for requested operation */
	KP_ALLOW_CHFLAGS,
	KP_ALLOW_MOUNT,
	KP_ALLOW_RAW_SOCKETS,
	KP_ALLOW_SET_HOSTNAME,
	KP_ALLOW_SOCKET_AF,
	KP_ALLOW_SYSVIPC,
	KP_DEVFS_RULESET,
	KP_HOST_HOSTNAME,
#ifdef INET
	KP_IP4_ADDR,
#endif
#ifdef INET6
	KP_IP6_ADDR,
#endif
	KP_JID,
	KP_NAME,
	KP_PATH,
	KP_PERSIST,
	KP_SECURELEVEL,
	KP_VNET,
	IP_NPARAM
};

STAILQ_HEAD(cfvars, cfvar);

struct cfvar {
	STAILQ_ENTRY(cfvar)	tq;
	char			*name;
	size_t			pos;
};

TAILQ_HEAD(cfstrings, cfstring);

struct cfstring {
	TAILQ_ENTRY(cfstring)	tq;
	char			*s;
	size_t			len;
	struct cfvars		vars;
};

TAILQ_HEAD(cfparams, cfparam);

struct cfparam {
	TAILQ_ENTRY(cfparam)	tq;
	char			*name;
	struct cfstrings	val;
	unsigned		flags;
	int			gen;
};

TAILQ_HEAD(cfjails, cfjail);
STAILQ_HEAD(cfdepends, cfdepend);

struct cfjail {
	TAILQ_ENTRY(cfjail)	tq;
	char			*name;
	char			*comline;
	struct cfparams		params;
	struct cfdepends	dep[2];
	struct cfjails		*queue;
	struct cfjail		*cfparent;
	struct cfparam		*intparams[IP_NPARAM];
	struct cfstring		*comstring;
	struct jailparam	*jp;
	struct timespec		timeout;
	const enum intparam	*comparam;
	unsigned		flags;
	int			jid;
	int			seq;
	int			pstatus;
	int			ndeps;
	int			njp;
	int			nprocs;
};

struct cfdepend {
	STAILQ_ENTRY(cfdepend)	tq[2];
	struct cfjail		*j[2];
	unsigned		flags;
};

struct cflex {
	const char		*cfname;
	int			error;
};

extern void *emalloc(size_t);
extern void *erealloc(void *, size_t);
extern char *estrdup(const char *);
extern int create_jail(struct cfjail *j);
extern void failed(struct cfjail *j);
extern void jail_note(const struct cfjail *j, const char *fmt, ...);
extern void jail_warnx(const struct cfjail *j, const char *fmt, ...);

extern int next_command(struct cfjail *j);
extern int finish_command(struct cfjail *j);
extern struct cfjail *next_proc(int nonblock);

extern void load_config(const char *cfname);
extern void include_config(void *scanner, const char *cfname);
extern struct cfjail *add_jail(void);
extern void add_param(struct cfjail *j, const struct cfparam *p,
    enum intparam ipnum, const char *value);
extern int bool_param(const struct cfparam *p);
extern int int_param(const struct cfparam *p, int *ip);
extern const char *string_param(const struct cfparam *p);
extern int check_intparams(struct cfjail *j);
extern int import_params(struct cfjail *j);
extern int equalopts(const char *opt1, const char *opt2);
extern int wild_jail_name(const char *wname);
extern int wild_jail_match(const char *jname, const char *wname);
extern void free_param_strings(struct cfparam *p);

extern void dep_setup(int docf);
extern int dep_check(struct cfjail *j);
extern void dep_done(struct cfjail *j, unsigned flags);
extern void dep_reset(struct cfjail *j);
extern struct cfjail *next_jail(void);
extern int start_state(const char *target, int docf, unsigned state,
    int running);
extern void requeue(struct cfjail *j, struct cfjails *queue);
extern void requeue_head(struct cfjail *j, struct cfjails *queue);

extern struct cflex *yyget_extra(void *scanner);
extern FILE *yyget_in(void *scanner);
extern int yyget_lineno(void *scanner);
extern char *yyget_text(void *scanner);

extern struct cfjails cfjails;
extern struct cfjails ready;
extern struct cfjails depend;
extern int iflag;
extern int note_remove;
extern int paralimit;
extern int verbose;