2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
11 * Copyright (c) 2006 Victor Balada Diaz <victor@bsdes.net>
12 * All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * $FreeBSD: src/sys/kern/kern_jail.c,v 1.6.2.3 2001/08/17 01:00:26 rwatson Exp $
39 * $DragonFly: src/sys/kern/kern_jail.c,v 1.19 2008/05/17 18:20:33 dillon Exp $
42 #include "opt_inet6.h"
44 #include <sys/param.h>
45 #include <sys/types.h>
46 #include <sys/kernel.h>
47 #include <sys/systm.h>
48 #include <sys/errno.h>
49 #include <sys/sysproto.h>
50 #include <sys/malloc.h>
51 #include <sys/nlookup.h>
52 #include <sys/namecache.h>
56 #include <sys/socket.h>
57 #include <sys/sysctl.h>
58 #include <sys/kern_syscall.h>
60 #include <netinet/in.h>
61 #include <netinet6/in6_var.h>
63 #include <sys/mplock2.h>
65 static struct prison
*prison_find(int);
66 static void prison_ipcache_init(struct prison
*);
68 MALLOC_DEFINE(M_PRISON
, "prison", "Prison structures");
70 SYSCTL_NODE(, OID_AUTO
, jail
, CTLFLAG_RW
, 0,
73 int jail_set_hostname_allowed
= 1;
74 SYSCTL_INT(_jail
, OID_AUTO
, set_hostname_allowed
, CTLFLAG_RW
,
75 &jail_set_hostname_allowed
, 0,
76 "Processes in jail can set their hostnames");
78 int jail_socket_unixiproute_only
= 1;
79 SYSCTL_INT(_jail
, OID_AUTO
, socket_unixiproute_only
, CTLFLAG_RW
,
80 &jail_socket_unixiproute_only
, 0,
81 "Processes in jail are limited to creating UNIX/IPv[46]/route sockets only");
83 int jail_sysvipc_allowed
= 0;
84 SYSCTL_INT(_jail
, OID_AUTO
, sysvipc_allowed
, CTLFLAG_RW
,
85 &jail_sysvipc_allowed
, 0,
86 "Processes in jail can use System V IPC primitives");
88 int jail_chflags_allowed
= 0;
89 SYSCTL_INT(_jail
, OID_AUTO
, chflags_allowed
, CTLFLAG_RW
,
90 &jail_chflags_allowed
, 0,
91 "Process in jail can set chflags(1)");
93 int jail_allow_raw_sockets
= 0;
94 SYSCTL_INT(_jail
, OID_AUTO
, allow_raw_sockets
, CTLFLAG_RW
,
95 &jail_allow_raw_sockets
, 0,
96 "Process in jail can create raw sockets");
101 LIST_HEAD(prisonlist
, prison
);
102 struct prisonlist allprison
= LIST_HEAD_INITIALIZER(&allprison
);
105 kern_jail_attach(int jid
)
107 struct proc
*p
= curthread
->td_proc
;
112 pr
= prison_find(jid
);
116 error
= kern_chroot(&pr
->pr_root
);
121 lwkt_gettoken(&p
->p_token
);
124 p
->p_flags
|= P_JAILED
;
125 lwkt_reltoken(&p
->p_token
);
131 assign_prison_id(struct prison
*pr
)
136 tryprid
= lastprid
+ 1;
137 if (tryprid
== JAIL_MAX
)
140 LIST_FOREACH(tpr
, &allprison
, pr_list
) {
141 if (tpr
->pr_id
!= tryprid
)
144 if (tryprid
== JAIL_MAX
) {
149 pr
->pr_id
= lastprid
= tryprid
;
155 kern_jail(struct prison
*pr
, struct jail
*j
)
158 struct nlookupdata nd
;
160 error
= nlookup_init(&nd
, j
->path
, UIO_USERSPACE
, NLC_FOLLOW
);
165 error
= nlookup(&nd
);
170 cache_copy(&nd
.nl_nch
, &pr
->pr_root
);
172 varsymset_init(&pr
->pr_varsymset
, NULL
);
173 prison_ipcache_init(pr
);
175 error
= assign_prison_id(pr
);
177 varsymset_clean(&pr
->pr_varsymset
);
182 LIST_INSERT_HEAD(&allprison
, pr
, pr_list
);
185 error
= kern_jail_attach(pr
->pr_id
);
187 LIST_REMOVE(pr
, pr_list
);
189 varsymset_clean(&pr
->pr_varsymset
);
198 * jail_args(syscallarg(struct jail *) jail)
203 sys_jail(struct jail_args
*uap
)
205 struct thread
*td
= curthread
;
207 struct jail_ip_storage
*jip
;
212 uap
->sysmsg_result
= -1;
214 error
= priv_check(td
, PRIV_JAIL_CREATE
);
218 error
= copyin(uap
->jail
, &jversion
, sizeof(jversion
));
222 pr
= kmalloc(sizeof(*pr
), M_PRISON
, M_WAITOK
| M_ZERO
);
223 SLIST_INIT(&pr
->pr_ips
);
228 /* Single IPv4 jails. */
231 struct sockaddr_in ip4addr
;
233 error
= copyin(uap
->jail
, &jv0
, sizeof(jv0
));
238 j
.hostname
= jv0
.hostname
;
240 jip
= kmalloc(sizeof(*jip
), M_PRISON
, M_WAITOK
| M_ZERO
);
241 ip4addr
.sin_family
= AF_INET
;
242 ip4addr
.sin_addr
.s_addr
= htonl(jv0
.ip_number
);
243 memcpy(&jip
->ip
, &ip4addr
, sizeof(ip4addr
));
244 SLIST_INSERT_HEAD(&pr
->pr_ips
, jip
, entries
);
250 * DragonFly multi noIP/IPv4/IPv6 jails
252 * NOTE: This version is unsupported by FreeBSD
253 * (which uses version 2 instead).
256 error
= copyin(uap
->jail
, &j
, sizeof(j
));
260 for (int i
= 0; i
< j
.n_ips
; i
++) {
261 jip
= kmalloc(sizeof(*jip
), M_PRISON
,
263 SLIST_INSERT_HEAD(&pr
->pr_ips
, jip
, entries
);
264 error
= copyin(&j
.ips
[i
], &jip
->ip
,
265 sizeof(struct sockaddr_storage
));
275 error
= copyinstr(j
.hostname
, &pr
->pr_host
, sizeof(pr
->pr_host
), 0);
279 error
= kern_jail(pr
, &j
);
283 uap
->sysmsg_result
= pr
->pr_id
;
289 while (!SLIST_EMPTY(&pr
->pr_ips
)) {
290 jip
= SLIST_FIRST(&pr
->pr_ips
);
291 SLIST_REMOVE_HEAD(&pr
->pr_ips
, entries
);
292 kfree(jip
, M_PRISON
);
300 * int jail_attach(int jid);
305 sys_jail_attach(struct jail_attach_args
*uap
)
307 struct thread
*td
= curthread
;
310 error
= priv_check(td
, PRIV_JAIL_ATTACH
);
314 error
= kern_jail_attach(uap
->jid
);
320 prison_ipcache_init(struct prison
*pr
)
322 struct jail_ip_storage
*jis
;
323 struct sockaddr_in
*ip4
;
324 struct sockaddr_in6
*ip6
;
326 SLIST_FOREACH(jis
, &pr
->pr_ips
, entries
) {
327 switch (jis
->ip
.ss_family
) {
329 ip4
= (struct sockaddr_in
*)&jis
->ip
;
330 if ((ntohl(ip4
->sin_addr
.s_addr
) >> IN_CLASSA_NSHIFT
) ==
332 /* loopback address */
333 if (pr
->local_ip4
== NULL
)
337 if (pr
->nonlocal_ip4
== NULL
)
338 pr
->nonlocal_ip4
= ip4
;
343 ip6
= (struct sockaddr_in6
*)&jis
->ip
;
344 if (IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
)) {
345 /* loopback address */
346 if (pr
->local_ip6
== NULL
)
350 if (pr
->nonlocal_ip6
== NULL
)
351 pr
->nonlocal_ip6
= ip6
;
359 * Changes INADDR_LOOPBACK for a valid jail address.
360 * ip is in network byte order.
361 * Returns 1 if the ip is among jail valid ips.
362 * Returns 0 if is not among jail valid ips or
363 * if couldn't replace INADDR_LOOPBACK for a valid
367 prison_replace_wildcards(struct thread
*td
, struct sockaddr
*ip
)
369 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
370 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
373 if (td
->td_proc
== NULL
|| td
->td_ucred
== NULL
)
375 if ((pr
= td
->td_ucred
->cr_prison
) == NULL
)
378 if ((ip
->sa_family
== AF_INET
&&
379 ip4
->sin_addr
.s_addr
== htonl(INADDR_ANY
)) ||
380 (ip
->sa_family
== AF_INET6
&&
381 IN6_IS_ADDR_UNSPECIFIED(&ip6
->sin6_addr
)))
383 if ((ip
->sa_family
== AF_INET
&&
384 ip4
->sin_addr
.s_addr
== htonl(INADDR_LOOPBACK
)) ||
385 (ip
->sa_family
== AF_INET6
&&
386 IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
))) {
387 if (!prison_get_local(pr
, ip
->sa_family
, ip
) &&
388 !prison_get_nonlocal(pr
, ip
->sa_family
, ip
))
393 if (jailed_ip(pr
, ip
))
399 prison_remote_ip(struct thread
*td
, struct sockaddr
*ip
)
401 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
402 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
405 if (td
== NULL
|| td
->td_proc
== NULL
|| td
->td_ucred
== NULL
)
407 if ((pr
= td
->td_ucred
->cr_prison
) == NULL
)
409 if ((ip
->sa_family
== AF_INET
&&
410 ip4
->sin_addr
.s_addr
== htonl(INADDR_LOOPBACK
)) ||
411 (ip
->sa_family
== AF_INET6
&&
412 IN6_IS_ADDR_LOOPBACK(&ip6
->sin6_addr
))) {
413 if (!prison_get_local(pr
, ip
->sa_family
, ip
) &&
414 !prison_get_nonlocal(pr
, ip
->sa_family
, ip
))
423 * Prison get non loopback ip:
424 * - af is the address family of the ip we want (AF_INET|AF_INET6).
425 * - If ip != NULL, put the first IP address that is not a loopback address
428 * ip is in network by order and we don't touch it unless we find a valid ip.
429 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
430 * or NULL. This struct may not be modified.
433 prison_get_nonlocal(struct prison
*pr
, sa_family_t af
, struct sockaddr
*ip
)
435 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
436 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
438 /* Check if it is cached */
441 if (ip4
!= NULL
&& pr
->nonlocal_ip4
!= NULL
)
442 ip4
->sin_addr
.s_addr
= pr
->nonlocal_ip4
->sin_addr
.s_addr
;
443 return (struct sockaddr
*)pr
->nonlocal_ip4
;
446 if (ip6
!= NULL
&& pr
->nonlocal_ip6
!= NULL
)
447 ip6
->sin6_addr
= pr
->nonlocal_ip6
->sin6_addr
;
448 return (struct sockaddr
*)pr
->nonlocal_ip6
;
456 * Prison get loopback ip.
457 * - af is the address family of the ip we want (AF_INET|AF_INET6).
458 * - If ip != NULL, put the first IP address that is not a loopback address
461 * ip is in network by order and we don't touch it unless we find a valid ip.
462 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
463 * or NULL. This struct may not be modified.
466 prison_get_local(struct prison
*pr
, sa_family_t af
, struct sockaddr
*ip
)
468 struct sockaddr_in
*ip4
= (struct sockaddr_in
*)ip
;
469 struct sockaddr_in6
*ip6
= (struct sockaddr_in6
*)ip
;
471 /* Check if it is cached */
474 if (ip4
!= NULL
&& pr
->local_ip4
!= NULL
)
475 ip4
->sin_addr
.s_addr
= pr
->local_ip4
->sin_addr
.s_addr
;
476 return (struct sockaddr
*)pr
->local_ip4
;
479 if (ip6
!= NULL
&& pr
->local_ip6
!= NULL
)
480 ip6
->sin6_addr
= pr
->local_ip6
->sin6_addr
;
481 return (struct sockaddr
*)pr
->local_ip6
;
488 /* Check if the IP is among ours, if it is return 1, else 0 */
490 jailed_ip(struct prison
*pr
, struct sockaddr
*ip
)
492 struct jail_ip_storage
*jis
;
493 struct sockaddr_in
*jip4
, *ip4
;
494 struct sockaddr_in6
*jip6
, *ip6
;
498 ip4
= (struct sockaddr_in
*)ip
;
499 ip6
= (struct sockaddr_in6
*)ip
;
500 SLIST_FOREACH(jis
, &pr
->pr_ips
, entries
) {
501 switch (ip
->sa_family
) {
503 jip4
= (struct sockaddr_in
*) &jis
->ip
;
504 if (jip4
->sin_family
== AF_INET
&&
505 ip4
->sin_addr
.s_addr
== jip4
->sin_addr
.s_addr
)
509 jip6
= (struct sockaddr_in6
*) &jis
->ip
;
510 if (jip6
->sin6_family
== AF_INET6
&&
511 IN6_ARE_ADDR_EQUAL(&ip6
->sin6_addr
,
522 prison_if(struct ucred
*cred
, struct sockaddr
*sa
)
525 struct sockaddr_in
*sai
= (struct sockaddr_in
*) sa
;
527 pr
= cred
->cr_prison
;
529 if (((sai
->sin_family
!= AF_INET
) && (sai
->sin_family
!= AF_INET6
))
530 && jail_socket_unixiproute_only
)
532 else if ((sai
->sin_family
!= AF_INET
) && (sai
->sin_family
!= AF_INET6
))
534 else if (jailed_ip(pr
, sa
))
540 * Returns a prison instance, or NULL on failure.
542 static struct prison
*
543 prison_find(int prid
)
547 LIST_FOREACH(pr
, &allprison
, pr_list
) {
548 if (pr
->pr_id
== prid
)
555 sysctl_jail_list(SYSCTL_HANDLER_ARGS
)
557 struct thread
*td
= curthread
;
558 struct jail_ip_storage
*jip
;
560 struct sockaddr_in6
*jsin6
;
562 struct sockaddr_in
*jsin
;
565 unsigned int jlssize
, jlsused
;
567 char *jls
; /* Jail list */
568 char *oip
; /* Output ip */
569 char *fullpath
, *freepath
;
573 if (jailed(td
->td_ucred
))
582 jlssize
= (count
* 1024);
583 jls
= kmalloc(jlssize
+ 1, M_TEMP
, M_WAITOK
| M_ZERO
);
584 if (count
< prisoncount
) {
590 LIST_FOREACH(pr
, &allprison
, pr_list
) {
591 error
= cache_fullpath(lp
->lwp_proc
, &pr
->pr_root
, NULL
,
592 &fullpath
, &freepath
, 0);
595 if (jlsused
&& jlsused
< jlssize
)
596 jls
[jlsused
++] = '\n';
597 count
= ksnprintf(jls
+ jlsused
, (jlssize
- jlsused
),
599 pr
->pr_id
, pr
->pr_host
, fullpath
);
600 kfree(freepath
, M_TEMP
);
606 SLIST_FOREACH(jip
, &pr
->pr_ips
, entries
) {
607 char buf
[INET_ADDRSTRLEN
];
609 jsin
= (struct sockaddr_in
*)&jip
->ip
;
611 switch(jsin
->sin_family
) {
613 oip
= kinet_ntoa(jsin
->sin_addr
, buf
);
617 jsin6
= (struct sockaddr_in6
*)&jip
->ip
;
618 oip
= ip6_sprintf(&jsin6
->sin6_addr
);
626 if ((jlssize
- jlsused
) < (strlen(oip
) + 1)) {
630 count
= ksnprintf(jls
+ jlsused
, (jlssize
- jlsused
),
640 * pr_id <SPC> hostname1 <SPC> PATH1 <SPC> IP1 <SPC> IP2\npr_id...
642 error
= SYSCTL_OUT(req
, jls
, jlsused
);
648 SYSCTL_OID(_jail
, OID_AUTO
, list
, CTLTYPE_STRING
| CTLFLAG_RD
, NULL
, 0,
649 sysctl_jail_list
, "A", "List of active jails");
655 prison_hold(struct prison
*pr
)
657 atomic_add_int(&pr
->pr_ref
, 1);
664 prison_free(struct prison
*pr
)
666 struct jail_ip_storage
*jls
;
668 KKASSERT(pr
->pr_ref
> 0);
669 if (atomic_fetchadd_int(&pr
->pr_ref
, -1) != 1)
673 * The MP lock is needed on the last ref to adjust
681 LIST_REMOVE(pr
, pr_list
);
688 while (!SLIST_EMPTY(&pr
->pr_ips
)) {
689 jls
= SLIST_FIRST(&pr
->pr_ips
);
690 SLIST_REMOVE_HEAD(&pr
->pr_ips
, entries
);
691 kfree(jls
, M_PRISON
);
694 if (pr
->pr_linux
!= NULL
)
695 kfree(pr
->pr_linux
, M_PRISON
);
696 varsymset_clean(&pr
->pr_varsymset
);
697 cache_drop(&pr
->pr_root
);
702 * Check if permisson for a specific privilege is granted within jail.
707 prison_priv_check(struct ucred
*cred
, int priv
)
713 case PRIV_CRED_SETUID
:
714 case PRIV_CRED_SETEUID
:
715 case PRIV_CRED_SETGID
:
716 case PRIV_CRED_SETEGID
:
717 case PRIV_CRED_SETGROUPS
:
718 case PRIV_CRED_SETREUID
:
719 case PRIV_CRED_SETREGID
:
720 case PRIV_CRED_SETRESUID
:
721 case PRIV_CRED_SETRESGID
:
723 case PRIV_VFS_SYSFLAGS
:
726 case PRIV_VFS_CHROOT
:
728 case PRIV_VFS_CHFLAGS_DEV
:
729 case PRIV_VFS_REVOKE
:
730 case PRIV_VFS_MKNOD_BAD
:
731 case PRIV_VFS_MKNOD_WHT
:
732 case PRIV_VFS_MKNOD_DIR
:
733 case PRIV_VFS_SETATTR
:
734 case PRIV_VFS_SETGID
:
736 case PRIV_PROC_SETRLIMIT
:
737 case PRIV_PROC_SETLOGIN
:
739 case PRIV_SYSCTL_WRITEJAIL
:
741 case PRIV_VARSYM_SYS
:
743 case PRIV_SETHOSTNAME
:
745 case PRIV_PROC_TRESPASS
:
749 case PRIV_UFS_QUOTAON
:
750 case PRIV_UFS_QUOTAOFF
:
751 case PRIV_VFS_SETQUOTA
:
752 case PRIV_UFS_SETUSE
:
753 case PRIV_VFS_GETQUOTA
:
757 case PRIV_DEBUG_UNPRIV
:
762 * Allow jailed root to bind reserved ports.
764 case PRIV_NETINET_RESERVEDPORT
:
769 * Conditionally allow creating raw sockets in jail.
771 case PRIV_NETINET_RAW
:
772 if (jail_allow_raw_sockets
)
777 case PRIV_HAMMER_IOCTL
: