2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
11 * Copyright (c) 2006 Victor Balada Diaz <victor@bsdes.net>
12 * All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * $FreeBSD: src/sys/kern/kern_jail.c,v 1.6.2.3 2001/08/17 01:00:26 rwatson Exp $
39 * $DragonFly: src/sys/kern/kern_jail.c,v 1.19 2008/05/17 18:20:33 dillon Exp $
42 #include "opt_inet6.h"
44 #include <sys/param.h>
45 #include <sys/types.h>
46 #include <sys/kernel.h>
47 #include <sys/systm.h>
48 #include <sys/errno.h>
49 #include <sys/sysproto.h>
50 #include <sys/malloc.h>
51 #include <sys/nlookup.h>
52 #include <sys/namecache.h>
56 #include <sys/socket.h>
57 #include <sys/sysctl.h>
58 #include <sys/kern_syscall.h>
60 #include <netinet/in.h>
61 #include <netinet6/in6_var.h>
63 static struct prison
*prison_find(int);
64 static void prison_ipcache_init(struct prison
*);
66 MALLOC_DEFINE(M_PRISON
, "prison", "Prison structures");
68 SYSCTL_NODE(, OID_AUTO
, jail
, CTLFLAG_RW
, 0,
71 int jail_set_hostname_allowed
= 1;
72 SYSCTL_INT(_jail
, OID_AUTO
, set_hostname_allowed
, CTLFLAG_RW
,
73 &jail_set_hostname_allowed
, 0,
74 "Processes in jail can set their hostnames");
76 int jail_socket_unixiproute_only
= 1;
77 SYSCTL_INT(_jail
, OID_AUTO
, socket_unixiproute_only
, CTLFLAG_RW
,
78 &jail_socket_unixiproute_only
, 0,
79 "Processes in jail are limited to creating UNIX/IPv[46]/route sockets only");
81 int jail_sysvipc_allowed
= 0;
82 SYSCTL_INT(_jail
, OID_AUTO
, sysvipc_allowed
, CTLFLAG_RW
,
83 &jail_sysvipc_allowed
, 0,
84 "Processes in jail can use System V IPC primitives");
86 int jail_chflags_allowed
= 0;
87 SYSCTL_INT(_jail
, OID_AUTO
, chflags_allowed
, CTLFLAG_RW
,
88 &jail_chflags_allowed
, 0,
89 "Process in jail can set chflags(1)");
91 int jail_allow_raw_sockets
= 0;
92 SYSCTL_INT(_jail
, OID_AUTO
, allow_raw_sockets
, CTLFLAG_RW
,
93 &jail_allow_raw_sockets
, 0,
94 "Process in jail can create raw sockets");
99 LIST_HEAD(prisonlist
, prison
);
100 struct prisonlist allprison
= LIST_HEAD_INITIALIZER(&allprison
);
103 kern_jail_attach(int jid
)
105 struct proc
*p
= curthread
->td_proc
;
109 pr
= prison_find(jid
);
113 error
= kern_chroot(&pr
->pr_root
);
119 p
->p_ucred
->cr_prison
= pr
;
120 p
->p_flag
|= P_JAILED
;
128 * jail_args(syscallarg(struct jail *) jail)
131 sys_jail(struct jail_args
*uap
)
133 struct prison
*pr
, *tpr
;
136 struct thread
*td
= curthread
;
137 int error
, tryprid
, i
;
139 struct nlookupdata nd
;
141 struct sockaddr_storage
*uips
; /* Userland ips */
142 struct sockaddr_in ip4addr
;
143 struct jail_ip_storage
*jip
;
146 error
= priv_check(td
, PRIV_ROOT
);
148 uap
->sysmsg_result
= -1;
151 error
= copyin(uap
->jail
, &jversion
, sizeof jversion
);
153 uap
->sysmsg_result
= -1;
156 pr
= kmalloc(sizeof *pr
, M_PRISON
, M_WAITOK
| M_ZERO
);
157 SLIST_INIT(&pr
->pr_ips
);
161 error
= copyin(uap
->jail
, &jv0
, sizeof(struct jail_v0
));
164 jip
= kmalloc(sizeof(*jip
), M_PRISON
, M_WAITOK
| M_ZERO
);
165 ip4addr
.sin_family
= AF_INET
;
166 ip4addr
.sin_addr
.s_addr
= htonl(jv0
.ip_number
);
167 memcpy(&jip
->ip
, &ip4addr
, sizeof(ip4addr
));
168 SLIST_INSERT_HEAD(&pr
->pr_ips
, jip
, entries
);
171 error
= copyin(uap
->jail
, &j
, sizeof(j
));
174 uips
= kmalloc((sizeof(*uips
) * j
.n_ips
), M_PRISON
,
176 error
= copyin(j
.ips
, uips
, (sizeof(*uips
) * j
.n_ips
));
178 kfree(uips
, M_PRISON
);
181 for (i
= 0; i
< j
.n_ips
; i
++) {
182 jip
= kmalloc(sizeof(*jip
), M_PRISON
,
184 memcpy(&jip
->ip
, &uips
[i
], sizeof(*uips
));
185 SLIST_INSERT_HEAD(&pr
->pr_ips
, jip
, entries
);
187 kfree(uips
, M_PRISON
);
194 error
= copyinstr(j
.hostname
, &pr
->pr_host
, sizeof pr
->pr_host
, 0);
197 error
= nlookup_init(&nd
, j
.path
, UIO_USERSPACE
, NLC_FOLLOW
);
199 goto nlookup_init_clean
;
200 error
= nlookup(&nd
);
202 goto nlookup_init_clean
;
203 cache_copy(&nd
.nl_nch
, &pr
->pr_root
);
205 varsymset_init(&pr
->pr_varsymset
, NULL
);
206 prison_ipcache_init(pr
);
208 tryprid
= lastprid
+ 1;
209 if (tryprid
== JAIL_MAX
)
212 LIST_FOREACH(tpr
, &allprison
, pr_list
) {
213 if (tpr
->pr_id
!= tryprid
)
216 if (tryprid
== JAIL_MAX
) {
222 pr
->pr_id
= lastprid
= tryprid
;
223 LIST_INSERT_HEAD(&allprison
, pr
, pr_list
);
226 error
= kern_jail_attach(pr
->pr_id
);
228 goto jail_attach_clean
;
231 uap
->sysmsg_result
= pr
->pr_id
;
235 LIST_REMOVE(pr
, pr_list
);
237 varsymset_clean(&pr
->pr_varsymset
);
242 while (!SLIST_EMPTY(&pr
->pr_ips
)) {
243 jip
= SLIST_FIRST(&pr
->pr_ips
);
244 SLIST_REMOVE_HEAD(&pr
->pr_ips
, entries
);
252 * int jail_attach(int jid);
255 sys_jail_attach(struct jail_attach_args
*uap
)
257 struct thread
*td
= curthread
;
260 error
= priv_check(td
, PRIV_ROOT
);
264 return(kern_jail_attach(uap
->jid
));
268 prison_ipcache_init(struct prison
*pr
)
270 struct jail_ip_storage
*jis
;
271 struct sockaddr_in
*ip4
;
272 struct sockaddr_in6
*ip6
;
274 SLIST_FOREACH(jis
, &pr
->pr_ips
, entries
) {
275 switch (jis
->ip
.ss_family
) {
277 ip4
= (struct sockaddr_in
*)&jis
->ip
;
278 if ((ntohl(ip4
->sin_addr
.s_addr
) >> IN_CLASSA_NSHIFT
) ==
280 /* loopback address */
281 if (pr
->local_ip4
== NULL
)
285 if (pr
->nonlocal_ip4
== NULL
)
286 pr
->nonlocal_ip4
= ip4
;
291 ip6
= (struct sockaddr_in6
*)&jis
->ip
;
292 if (IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
)) {
293 /* loopback address */
294 if (pr
->local_ip6
== NULL
)
298 if (pr
->nonlocal_ip6
== NULL
)
299 pr
->nonlocal_ip6
= ip6
;
307 * Changes INADDR_LOOPBACK for a valid jail address.
308 * ip is in network byte order.
309 * Returns 1 if the ip is among jail valid ips.
310 * Returns 0 if is not among jail valid ips or
311 * if couldn't replace INADDR_LOOPBACK for a valid
315 prison_replace_wildcards(struct thread
*td
, struct sockaddr
*ip
)
317 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
318 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
321 if (td
->td_proc
== NULL
)
323 if ((pr
= td
->td_proc
->p_ucred
->cr_prison
) == NULL
)
326 if ((ip
->sa_family
== AF_INET
&&
327 ip4
->sin_addr
.s_addr
== htonl(INADDR_ANY
)) ||
328 (ip
->sa_family
== AF_INET6
&&
329 IN6_IS_ADDR_UNSPECIFIED(&ip6
->sin6_addr
)))
331 if ((ip
->sa_family
== AF_INET
&&
332 ip4
->sin_addr
.s_addr
== htonl(INADDR_LOOPBACK
)) ||
333 (ip
->sa_family
== AF_INET6
&&
334 IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
))) {
335 if (!prison_get_local(pr
, ip
->sa_family
, ip
) &&
336 !prison_get_nonlocal(pr
, ip
->sa_family
, ip
))
341 if (jailed_ip(pr
, ip
))
347 prison_remote_ip(struct thread
*td
, struct sockaddr
*ip
)
349 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
350 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
353 if (td
== NULL
|| td
->td_proc
== NULL
)
355 if ((pr
= td
->td_proc
->p_ucred
->cr_prison
) == NULL
)
357 if ((ip
->sa_family
== AF_INET
&&
358 ip4
->sin_addr
.s_addr
== htonl(INADDR_LOOPBACK
)) ||
359 (ip
->sa_family
== AF_INET6
&&
360 IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
))) {
361 if (!prison_get_local(pr
, ip
->sa_family
, ip
) &&
362 !prison_get_nonlocal(pr
, ip
->sa_family
, ip
))
371 * Prison get non loopback ip:
372 * - af is the address family of the ip we want (AF_INET|AF_INET6).
373 * - If ip != NULL, put the first IP address that is not a loopback address
376 * ip is in network by order and we don't touch it unless we find a valid ip.
377 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
378 * or NULL. This struct may not be modified.
381 prison_get_nonlocal(struct prison
*pr
, sa_family_t af
, struct sockaddr
*ip
)
383 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
384 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
386 /* Check if it is cached */
389 if (ip4
!= NULL
&& pr
->nonlocal_ip4
!= NULL
)
390 ip4
->sin_addr
.s_addr
= pr
->nonlocal_ip4
->sin_addr
.s_addr
;
391 return (struct sockaddr
*)pr
->nonlocal_ip4
;
394 if (ip6
!= NULL
&& pr
->nonlocal_ip6
!= NULL
)
395 ip6
->sin6_addr
= pr
->nonlocal_ip6
->sin6_addr
;
396 return (struct sockaddr
*)pr
->nonlocal_ip6
;
404 * Prison get loopback ip.
405 * - af is the address family of the ip we want (AF_INET|AF_INET6).
406 * - If ip != NULL, put the first IP address that is not a loopback address
409 * ip is in network by order and we don't touch it unless we find a valid ip.
410 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
411 * or NULL. This struct may not be modified.
414 prison_get_local(struct prison
*pr
, sa_family_t af
, struct sockaddr
*ip
)
416 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
417 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
419 /* Check if it is cached */
422 if (ip4
!= NULL
&& pr
->local_ip4
!= NULL
)
423 ip4
->sin_addr
.s_addr
= pr
->local_ip4
->sin_addr
.s_addr
;
424 return (struct sockaddr
*)pr
->local_ip4
;
427 if (ip6
!= NULL
&& pr
->local_ip6
!= NULL
)
428 ip6
->sin6_addr
= pr
->local_ip6
->sin6_addr
;
429 return (struct sockaddr
*)pr
->local_ip6
;
436 /* Check if the IP is among ours, if it is return 1, else 0 */
438 jailed_ip(struct prison
*pr
, struct sockaddr
*ip
)
440 struct jail_ip_storage
*jis
;
441 struct sockaddr_in
*jip4
, *ip4
;
442 struct sockaddr_in6
*jip6
, *ip6
;
446 ip4
= (struct sockaddr_in
*)ip
;
447 ip6
= (struct sockaddr_in6
*)ip
;
448 SLIST_FOREACH(jis
, &pr
->pr_ips
, entries
) {
449 switch (ip
->sa_family
) {
451 jip4
= (struct sockaddr_in
*) &jis
->ip
;
452 if (jip4
->sin_family
== AF_INET
&&
453 ip4
->sin_addr
.s_addr
== jip4
->sin_addr
.s_addr
)
457 jip6
= (struct sockaddr_in6
*) &jis
->ip
;
458 if (jip6
->sin6_family
== AF_INET6
&&
459 IN6_ARE_ADDR_EQUAL(&ip6
->sin6_addr
,
470 prison_if(struct ucred
*cred
, struct sockaddr
*sa
)
473 struct sockaddr_in
*sai
= (struct sockaddr_in
*) sa
;
475 pr
= cred
->cr_prison
;
477 if (((sai
->sin_family
!= AF_INET
) && (sai
->sin_family
!= AF_INET6
))
478 && jail_socket_unixiproute_only
)
480 else if ((sai
->sin_family
!= AF_INET
) && (sai
->sin_family
!= AF_INET6
))
482 else if (jailed_ip(pr
, sa
))
488 * Returns a prison instance, or NULL on failure.
490 static struct prison
*
491 prison_find(int prid
)
495 LIST_FOREACH(pr
, &allprison
, pr_list
) {
496 if (pr
->pr_id
== prid
)
503 sysctl_jail_list(SYSCTL_HANDLER_ARGS
)
505 struct jail_ip_storage
*jip
;
507 struct sockaddr_in6
*jsin6
;
509 struct sockaddr_in
*jsin
;
512 unsigned int jlssize
, jlsused
;
514 char *jls
; /* Jail list */
515 char *oip
; /* Output ip */
516 char *fullpath
, *freepath
;
519 p
= curthread
->td_proc
;
521 if (jailed(p
->p_ucred
))
529 jlssize
= (count
* 1024);
530 jls
= kmalloc(jlssize
+ 1, M_TEMP
, M_WAITOK
| M_ZERO
);
531 if (count
< prisoncount
) {
537 LIST_FOREACH(pr
, &allprison
, pr_list
) {
538 error
= cache_fullpath(p
, &pr
->pr_root
, &fullpath
, &freepath
);
541 if (jlsused
&& jlsused
< jlssize
)
542 jls
[jlsused
++] = '\n';
543 count
= ksnprintf(jls
+ jlsused
, (jlssize
- jlsused
),
545 pr
->pr_id
, pr
->pr_host
, fullpath
);
546 kfree(freepath
, M_TEMP
);
552 SLIST_FOREACH(jip
, &pr
->pr_ips
, entries
) {
553 jsin
= (struct sockaddr_in
*)&jip
->ip
;
555 switch(jsin
->sin_family
) {
557 oip
= inet_ntoa(jsin
->sin_addr
);
561 jsin6
= (struct sockaddr_in6
*)&jip
->ip
;
562 oip
= ip6_sprintf(&jsin6
->sin6_addr
);
570 if ((jlssize
- jlsused
) < (strlen(oip
) + 1)) {
574 count
= ksnprintf(jls
+ jlsused
, (jlssize
- jlsused
),
584 * pr_id <SPC> hostname1 <SPC> PATH1 <SPC> IP1 <SPC> IP2\npr_id...
586 error
= SYSCTL_OUT(req
, jls
, jlsused
);
592 SYSCTL_OID(_jail
, OID_AUTO
, list
, CTLTYPE_STRING
| CTLFLAG_RD
, NULL
, 0,
593 sysctl_jail_list
, "A", "List of active jails");
596 prison_hold(struct prison
*pr
)
602 prison_free(struct prison
*pr
)
604 struct jail_ip_storage
*jls
;
605 KKASSERT(pr
->pr_ref
>= 1);
607 if (--pr
->pr_ref
> 0)
611 while (!SLIST_EMPTY(&pr
->pr_ips
)) {
612 jls
= SLIST_FIRST(&pr
->pr_ips
);
613 SLIST_REMOVE_HEAD(&pr
->pr_ips
, entries
);
616 LIST_REMOVE(pr
, pr_list
);
619 if (pr
->pr_linux
!= NULL
)
620 kfree(pr
->pr_linux
, M_PRISON
);
621 varsymset_clean(&pr
->pr_varsymset
);
622 cache_drop(&pr
->pr_root
);