kernel - Revert part of the contig allocation work
[dragonfly.git] / sys / kern / kern_jail.c
blob8afa4ba6db53b15d20b207bcbcd0783e82800c5d
1 /*
2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
9 */
10 /*-
11 * Copyright (c) 2006 Victor Balada Diaz <victor@bsdes.net>
12 * All rights reserved.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
38 * $FreeBSD: src/sys/kern/kern_jail.c,v 1.6.2.3 2001/08/17 01:00:26 rwatson Exp $
39 * $DragonFly: src/sys/kern/kern_jail.c,v 1.19 2008/05/17 18:20:33 dillon Exp $
42 #include "opt_inet6.h"
44 #include <sys/param.h>
45 #include <sys/types.h>
46 #include <sys/kernel.h>
47 #include <sys/systm.h>
48 #include <sys/errno.h>
49 #include <sys/sysproto.h>
50 #include <sys/malloc.h>
51 #include <sys/nlookup.h>
52 #include <sys/namecache.h>
53 #include <sys/proc.h>
54 #include <sys/priv.h>
55 #include <sys/jail.h>
56 #include <sys/socket.h>
57 #include <sys/sysctl.h>
58 #include <sys/kern_syscall.h>
59 #include <net/if.h>
60 #include <netinet/in.h>
61 #include <netinet6/in6_var.h>
63 #include <sys/mplock2.h>
65 static struct prison *prison_find(int);
66 static void prison_ipcache_init(struct prison *);
68 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
70 SYSCTL_NODE(, OID_AUTO, jail, CTLFLAG_RW, 0,
71 "Jail rules");
73 int jail_set_hostname_allowed = 1;
74 SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
75 &jail_set_hostname_allowed, 0,
76 "Processes in jail can set their hostnames");
78 int jail_socket_unixiproute_only = 1;
79 SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
80 &jail_socket_unixiproute_only, 0,
81 "Processes in jail are limited to creating UNIX/IPv[46]/route sockets only");
83 int jail_sysvipc_allowed = 0;
84 SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
85 &jail_sysvipc_allowed, 0,
86 "Processes in jail can use System V IPC primitives");
88 int jail_chflags_allowed = 0;
89 SYSCTL_INT(_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
90 &jail_chflags_allowed, 0,
91 "Process in jail can set chflags(1)");
93 int jail_allow_raw_sockets = 0;
94 SYSCTL_INT(_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
95 &jail_allow_raw_sockets, 0,
96 "Process in jail can create raw sockets");
98 int lastprid = 0;
99 int prisoncount = 0;
101 LIST_HEAD(prisonlist, prison);
102 struct prisonlist allprison = LIST_HEAD_INITIALIZER(&allprison);
104 static int
105 kern_jail_attach(int jid)
107 struct proc *p = curthread->td_proc;
108 struct prison *pr;
109 struct ucred *cr;
110 int error;
112 pr = prison_find(jid);
113 if (pr == NULL)
114 return(EINVAL);
116 error = kern_chroot(&pr->pr_root);
117 if (error)
118 return(error);
120 prison_hold(pr);
121 lwkt_gettoken(&p->p_token);
122 cr = cratom_proc(p);
123 cr->cr_prison = pr;
124 p->p_flags |= P_JAILED;
125 lwkt_reltoken(&p->p_token);
127 return(0);
130 static int
131 assign_prison_id(struct prison *pr)
133 int tryprid;
134 struct prison *tpr;
136 tryprid = lastprid + 1;
137 if (tryprid == JAIL_MAX)
138 tryprid = 1;
139 next:
140 LIST_FOREACH(tpr, &allprison, pr_list) {
141 if (tpr->pr_id != tryprid)
142 continue;
143 tryprid++;
144 if (tryprid == JAIL_MAX) {
145 return (ERANGE);
147 goto next;
149 pr->pr_id = lastprid = tryprid;
151 return (0);
154 static int
155 kern_jail(struct prison *pr, struct jail *j)
157 int error;
158 struct nlookupdata nd;
160 error = nlookup_init(&nd, j->path, UIO_USERSPACE, NLC_FOLLOW);
161 if (error) {
162 nlookup_done(&nd);
163 return (error);
165 error = nlookup(&nd);
166 if (error) {
167 nlookup_done(&nd);
168 return (error);
170 cache_copy(&nd.nl_nch, &pr->pr_root);
172 varsymset_init(&pr->pr_varsymset, NULL);
173 prison_ipcache_init(pr);
175 error = assign_prison_id(pr);
176 if (error) {
177 varsymset_clean(&pr->pr_varsymset);
178 nlookup_done(&nd);
179 return (error);
182 LIST_INSERT_HEAD(&allprison, pr, pr_list);
183 ++prisoncount;
185 error = kern_jail_attach(pr->pr_id);
186 if (error) {
187 LIST_REMOVE(pr, pr_list);
188 --prisoncount;
189 varsymset_clean(&pr->pr_varsymset);
191 nlookup_done(&nd);
192 return (error);
196 * jail()
198 * jail_args(syscallarg(struct jail *) jail)
200 * MPALMOSTSAFE
203 sys_jail(struct jail_args *uap)
205 struct thread *td = curthread;
206 struct prison *pr;
207 struct jail_ip_storage *jip;
208 struct jail j;
209 int error;
210 uint32_t jversion;
212 uap->sysmsg_result = -1;
214 error = priv_check(td, PRIV_JAIL_CREATE);
215 if (error)
216 return (error);
218 error = copyin(uap->jail, &jversion, sizeof(jversion));
219 if (error)
220 return (error);
222 pr = kmalloc(sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);
223 SLIST_INIT(&pr->pr_ips);
224 get_mplock();
226 switch (jversion) {
227 case 0:
228 /* Single IPv4 jails. */
230 struct jail_v0 jv0;
231 struct sockaddr_in ip4addr;
233 error = copyin(uap->jail, &jv0, sizeof(jv0));
234 if (error)
235 goto out;
237 j.path = jv0.path;
238 j.hostname = jv0.hostname;
240 jip = kmalloc(sizeof(*jip), M_PRISON, M_WAITOK | M_ZERO);
241 ip4addr.sin_family = AF_INET;
242 ip4addr.sin_addr.s_addr = htonl(jv0.ip_number);
243 memcpy(&jip->ip, &ip4addr, sizeof(ip4addr));
244 SLIST_INSERT_HEAD(&pr->pr_ips, jip, entries);
245 break;
248 case 1:
250 * DragonFly multi noIP/IPv4/IPv6 jails
252 * NOTE: This version is unsupported by FreeBSD
253 * (which uses version 2 instead).
256 error = copyin(uap->jail, &j, sizeof(j));
257 if (error)
258 goto out;
260 for (int i = 0; i < j.n_ips; i++) {
261 jip = kmalloc(sizeof(*jip), M_PRISON,
262 M_WAITOK | M_ZERO);
263 SLIST_INSERT_HEAD(&pr->pr_ips, jip, entries);
264 error = copyin(&j.ips[i], &jip->ip,
265 sizeof(struct sockaddr_storage));
266 if (error)
267 goto out;
269 break;
270 default:
271 error = EINVAL;
272 goto out;
275 error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);
276 if (error)
277 goto out;
279 error = kern_jail(pr, &j);
280 if (error)
281 goto out;
283 uap->sysmsg_result = pr->pr_id;
284 rel_mplock();
285 return (0);
287 out:
288 /* Delete all ips */
289 while (!SLIST_EMPTY(&pr->pr_ips)) {
290 jip = SLIST_FIRST(&pr->pr_ips);
291 SLIST_REMOVE_HEAD(&pr->pr_ips, entries);
292 kfree(jip, M_PRISON);
294 rel_mplock();
295 kfree(pr, M_PRISON);
296 return (error);
300 * int jail_attach(int jid);
302 * MPALMOSTSAFE
305 sys_jail_attach(struct jail_attach_args *uap)
307 struct thread *td = curthread;
308 int error;
310 error = priv_check(td, PRIV_JAIL_ATTACH);
311 if (error)
312 return(error);
313 get_mplock();
314 error = kern_jail_attach(uap->jid);
315 rel_mplock();
316 return (error);
319 static void
320 prison_ipcache_init(struct prison *pr)
322 struct jail_ip_storage *jis;
323 struct sockaddr_in *ip4;
324 struct sockaddr_in6 *ip6;
326 SLIST_FOREACH(jis, &pr->pr_ips, entries) {
327 switch (jis->ip.ss_family) {
328 case AF_INET:
329 ip4 = (struct sockaddr_in *)&jis->ip;
330 if ((ntohl(ip4->sin_addr.s_addr) >> IN_CLASSA_NSHIFT) ==
331 IN_LOOPBACKNET) {
332 /* loopback address */
333 if (pr->local_ip4 == NULL)
334 pr->local_ip4 = ip4;
335 } else {
336 /* public address */
337 if (pr->nonlocal_ip4 == NULL)
338 pr->nonlocal_ip4 = ip4;
340 break;
342 case AF_INET6:
343 ip6 = (struct sockaddr_in6 *)&jis->ip;
344 if (IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr)) {
345 /* loopback address */
346 if (pr->local_ip6 == NULL)
347 pr->local_ip6 = ip6;
348 } else {
349 /* public address */
350 if (pr->nonlocal_ip6 == NULL)
351 pr->nonlocal_ip6 = ip6;
353 break;
359 * Changes INADDR_LOOPBACK for a valid jail address.
360 * ip is in network byte order.
361 * Returns 1 if the ip is among jail valid ips.
362 * Returns 0 if is not among jail valid ips or
363 * if couldn't replace INADDR_LOOPBACK for a valid
364 * IP.
367 prison_replace_wildcards(struct thread *td, struct sockaddr *ip)
369 struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
370 struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
371 struct prison *pr;
373 if (td->td_proc == NULL || td->td_ucred == NULL)
374 return (1);
375 if ((pr = td->td_ucred->cr_prison) == NULL)
376 return (1);
378 if ((ip->sa_family == AF_INET &&
379 ip4->sin_addr.s_addr == htonl(INADDR_ANY)) ||
380 (ip->sa_family == AF_INET6 &&
381 IN6_IS_ADDR_UNSPECIFIED(&ip6->sin6_addr)))
382 return (1);
383 if ((ip->sa_family == AF_INET &&
384 ip4->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) ||
385 (ip->sa_family == AF_INET6 &&
386 IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr))) {
387 if (!prison_get_local(pr, ip->sa_family, ip) &&
388 !prison_get_nonlocal(pr, ip->sa_family, ip))
389 return(0);
390 else
391 return(1);
393 if (jailed_ip(pr, ip))
394 return(1);
395 return(0);
399 prison_remote_ip(struct thread *td, struct sockaddr *ip)
401 struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
402 struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
403 struct prison *pr;
405 if (td == NULL || td->td_proc == NULL || td->td_ucred == NULL)
406 return(1);
407 if ((pr = td->td_ucred->cr_prison) == NULL)
408 return(1);
409 if ((ip->sa_family == AF_INET &&
410 ip4->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) ||
411 (ip->sa_family == AF_INET6 &&
412 IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr))) {
413 if (!prison_get_local(pr, ip->sa_family, ip) &&
414 !prison_get_nonlocal(pr, ip->sa_family, ip))
415 return(0);
416 else
417 return(1);
419 return(1);
423 * Prison get non loopback ip:
424 * - af is the address family of the ip we want (AF_INET|AF_INET6).
425 * - If ip != NULL, put the first IP address that is not a loopback address
426 * into *ip.
428 * ip is in network by order and we don't touch it unless we find a valid ip.
429 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
430 * or NULL. This struct may not be modified.
432 struct sockaddr *
433 prison_get_nonlocal(struct prison *pr, sa_family_t af, struct sockaddr *ip)
435 struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
436 struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
438 /* Check if it is cached */
439 switch(af) {
440 case AF_INET:
441 if (ip4 != NULL && pr->nonlocal_ip4 != NULL)
442 ip4->sin_addr.s_addr = pr->nonlocal_ip4->sin_addr.s_addr;
443 return (struct sockaddr *)pr->nonlocal_ip4;
445 case AF_INET6:
446 if (ip6 != NULL && pr->nonlocal_ip6 != NULL)
447 ip6->sin6_addr = pr->nonlocal_ip6->sin6_addr;
448 return (struct sockaddr *)pr->nonlocal_ip6;
451 /* NOTREACHED */
452 return NULL;
456 * Prison get loopback ip.
457 * - af is the address family of the ip we want (AF_INET|AF_INET6).
458 * - If ip != NULL, put the first IP address that is not a loopback address
459 * into *ip.
461 * ip is in network by order and we don't touch it unless we find a valid ip.
462 * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
463 * or NULL. This struct may not be modified.
465 struct sockaddr *
466 prison_get_local(struct prison *pr, sa_family_t af, struct sockaddr *ip)
468 struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
469 struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
471 /* Check if it is cached */
472 switch(af) {
473 case AF_INET:
474 if (ip4 != NULL && pr->local_ip4 != NULL)
475 ip4->sin_addr.s_addr = pr->local_ip4->sin_addr.s_addr;
476 return (struct sockaddr *)pr->local_ip4;
478 case AF_INET6:
479 if (ip6 != NULL && pr->local_ip6 != NULL)
480 ip6->sin6_addr = pr->local_ip6->sin6_addr;
481 return (struct sockaddr *)pr->local_ip6;
484 /* NOTREACHED */
485 return NULL;
488 /* Check if the IP is among ours, if it is return 1, else 0 */
490 jailed_ip(struct prison *pr, struct sockaddr *ip)
492 struct jail_ip_storage *jis;
493 struct sockaddr_in *jip4, *ip4;
494 struct sockaddr_in6 *jip6, *ip6;
496 if (pr == NULL)
497 return(0);
498 ip4 = (struct sockaddr_in *)ip;
499 ip6 = (struct sockaddr_in6 *)ip;
500 SLIST_FOREACH(jis, &pr->pr_ips, entries) {
501 switch (ip->sa_family) {
502 case AF_INET:
503 jip4 = (struct sockaddr_in *) &jis->ip;
504 if (jip4->sin_family == AF_INET &&
505 ip4->sin_addr.s_addr == jip4->sin_addr.s_addr)
506 return(1);
507 break;
508 case AF_INET6:
509 jip6 = (struct sockaddr_in6 *) &jis->ip;
510 if (jip6->sin6_family == AF_INET6 &&
511 IN6_ARE_ADDR_EQUAL(&ip6->sin6_addr,
512 &jip6->sin6_addr))
513 return(1);
514 break;
517 /* Ip not in list */
518 return(0);
522 prison_if(struct ucred *cred, struct sockaddr *sa)
524 struct prison *pr;
525 struct sockaddr_in *sai = (struct sockaddr_in*) sa;
527 pr = cred->cr_prison;
529 if (((sai->sin_family != AF_INET) && (sai->sin_family != AF_INET6))
530 && jail_socket_unixiproute_only)
531 return(1);
532 else if ((sai->sin_family != AF_INET) && (sai->sin_family != AF_INET6))
533 return(0);
534 else if (jailed_ip(pr, sa))
535 return(0);
536 return(1);
540 * Returns a prison instance, or NULL on failure.
542 static struct prison *
543 prison_find(int prid)
545 struct prison *pr;
547 LIST_FOREACH(pr, &allprison, pr_list) {
548 if (pr->pr_id == prid)
549 break;
551 return(pr);
554 static int
555 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
557 struct thread *td = curthread;
558 struct jail_ip_storage *jip;
559 #ifdef INET6
560 struct sockaddr_in6 *jsin6;
561 #endif
562 struct sockaddr_in *jsin;
563 struct lwp *lp;
564 struct prison *pr;
565 unsigned int jlssize, jlsused;
566 int count, error;
567 char *jls; /* Jail list */
568 char *oip; /* Output ip */
569 char *fullpath, *freepath;
571 jlsused = 0;
573 if (jailed(td->td_ucred))
574 return (0);
575 lp = td->td_lwp;
576 retry:
577 count = prisoncount;
579 if (count == 0)
580 return(0);
582 jlssize = (count * 1024);
583 jls = kmalloc(jlssize + 1, M_TEMP, M_WAITOK | M_ZERO);
584 if (count < prisoncount) {
585 kfree(jls, M_TEMP);
586 goto retry;
588 count = prisoncount;
590 LIST_FOREACH(pr, &allprison, pr_list) {
591 error = cache_fullpath(lp->lwp_proc, &pr->pr_root, NULL,
592 &fullpath, &freepath, 0);
593 if (error)
594 continue;
595 if (jlsused && jlsused < jlssize)
596 jls[jlsused++] = '\n';
597 count = ksnprintf(jls + jlsused, (jlssize - jlsused),
598 "%d %s %s",
599 pr->pr_id, pr->pr_host, fullpath);
600 kfree(freepath, M_TEMP);
601 if (count < 0)
602 goto end;
603 jlsused += count;
605 /* Copy the IPS */
606 SLIST_FOREACH(jip, &pr->pr_ips, entries) {
607 char buf[INET_ADDRSTRLEN];
609 jsin = (struct sockaddr_in *)&jip->ip;
611 switch(jsin->sin_family) {
612 case AF_INET:
613 oip = kinet_ntoa(jsin->sin_addr, buf);
614 break;
615 #ifdef INET6
616 case AF_INET6:
617 jsin6 = (struct sockaddr_in6 *)&jip->ip;
618 oip = ip6_sprintf(&jsin6->sin6_addr);
619 break;
620 #endif
621 default:
622 oip = "?family?";
623 break;
626 if ((jlssize - jlsused) < (strlen(oip) + 1)) {
627 error = ERANGE;
628 goto end;
630 count = ksnprintf(jls + jlsused, (jlssize - jlsused),
631 " %s", oip);
632 if (count < 0)
633 goto end;
634 jlsused += count;
639 * The format is:
640 * pr_id <SPC> hostname1 <SPC> PATH1 <SPC> IP1 <SPC> IP2\npr_id...
642 error = SYSCTL_OUT(req, jls, jlsused);
643 end:
644 kfree(jls, M_TEMP);
645 return(error);
648 SYSCTL_OID(_jail, OID_AUTO, list, CTLTYPE_STRING | CTLFLAG_RD, NULL, 0,
649 sysctl_jail_list, "A", "List of active jails");
652 * MPSAFE
654 void
655 prison_hold(struct prison *pr)
657 atomic_add_int(&pr->pr_ref, 1);
661 * MPALMOSTSAFE
663 void
664 prison_free(struct prison *pr)
666 struct jail_ip_storage *jls;
668 KKASSERT(pr->pr_ref > 0);
669 if (atomic_fetchadd_int(&pr->pr_ref, -1) != 1)
670 return;
673 * The MP lock is needed on the last ref to adjust
674 * the list.
676 get_mplock();
677 if (pr->pr_ref) {
678 rel_mplock();
679 return;
681 LIST_REMOVE(pr, pr_list);
682 --prisoncount;
683 rel_mplock();
686 * Clean up
688 while (!SLIST_EMPTY(&pr->pr_ips)) {
689 jls = SLIST_FIRST(&pr->pr_ips);
690 SLIST_REMOVE_HEAD(&pr->pr_ips, entries);
691 kfree(jls, M_PRISON);
694 if (pr->pr_linux != NULL)
695 kfree(pr->pr_linux, M_PRISON);
696 varsymset_clean(&pr->pr_varsymset);
697 cache_drop(&pr->pr_root);
698 kfree(pr, M_PRISON);
702 * Check if permisson for a specific privilege is granted within jail.
704 * MPSAFE
707 prison_priv_check(struct ucred *cred, int priv)
709 if (!jailed(cred))
710 return (0);
712 switch (priv) {
713 case PRIV_CRED_SETUID:
714 case PRIV_CRED_SETEUID:
715 case PRIV_CRED_SETGID:
716 case PRIV_CRED_SETEGID:
717 case PRIV_CRED_SETGROUPS:
718 case PRIV_CRED_SETREUID:
719 case PRIV_CRED_SETREGID:
720 case PRIV_CRED_SETRESUID:
721 case PRIV_CRED_SETRESGID:
723 case PRIV_VFS_SYSFLAGS:
724 case PRIV_VFS_CHOWN:
725 case PRIV_VFS_CHMOD:
726 case PRIV_VFS_CHROOT:
727 case PRIV_VFS_LINK:
728 case PRIV_VFS_CHFLAGS_DEV:
729 case PRIV_VFS_REVOKE:
730 case PRIV_VFS_MKNOD_BAD:
731 case PRIV_VFS_MKNOD_WHT:
732 case PRIV_VFS_MKNOD_DIR:
733 case PRIV_VFS_SETATTR:
734 case PRIV_VFS_SETGID:
736 case PRIV_PROC_SETRLIMIT:
737 case PRIV_PROC_SETLOGIN:
739 case PRIV_SYSCTL_WRITEJAIL:
741 case PRIV_VARSYM_SYS:
743 case PRIV_SETHOSTNAME:
745 case PRIV_PROC_TRESPASS:
747 return (0);
749 case PRIV_UFS_QUOTAON:
750 case PRIV_UFS_QUOTAOFF:
751 case PRIV_VFS_SETQUOTA:
752 case PRIV_UFS_SETUSE:
753 case PRIV_VFS_GETQUOTA:
754 return (0);
757 case PRIV_DEBUG_UNPRIV:
758 return (0);
762 * Allow jailed root to bind reserved ports.
764 case PRIV_NETINET_RESERVEDPORT:
765 return (0);
769 * Conditionally allow creating raw sockets in jail.
771 case PRIV_NETINET_RAW:
772 if (jail_allow_raw_sockets)
773 return (0);
774 else
775 return (EPERM);
777 case PRIV_HAMMER_IOCTL:
778 return (0);
780 default:
782 return (EPERM);