2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
32 #include "opt_compat.h"
35 #include "opt_inet6.h"
37 #include <sys/param.h>
38 #include <sys/types.h>
39 #include <sys/kernel.h>
40 #include <sys/systm.h>
41 #include <sys/errno.h>
42 #include <sys/sysproto.h>
43 #include <sys/malloc.h>
47 #include <sys/taskqueue.h>
48 #include <sys/fcntl.h>
51 #include <sys/mutex.h>
52 #include <sys/racct.h>
53 #include <sys/refcount.h>
55 #include <sys/sysent.h>
56 #include <sys/namei.h>
57 #include <sys/mount.h>
58 #include <sys/queue.h>
59 #include <sys/socket.h>
60 #include <sys/syscallsubr.h>
61 #include <sys/sysctl.h>
62 #include <sys/vnode.h>
67 #include <netinet/in.h>
73 #include <security/mac/mac_framework.h>
75 #define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000"
77 MALLOC_DEFINE(M_PRISON
, "prison", "Prison structures");
78 static MALLOC_DEFINE(M_PRISON_RACCT
, "prison_racct", "Prison racct structures");
80 /* Keep struct prison prison0 and some code in kern_jail_set() readable. */
83 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL|PR_IP6_SADDRSEL
85 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL
89 #define _PR_IP_SADDRSEL PR_IP6_SADDRSEL
91 #define _PR_IP_SADDRSEL 0
95 /* prison0 describes what is "real" about the system. */
96 struct prison prison0
= {
102 .pr_securelevel
= -1,
104 .pr_childmax
= JAIL_MAX
,
105 .pr_hostuuid
= DEFAULT_HOSTUUID
,
106 .pr_children
= LIST_HEAD_INITIALIZER(prison0
.pr_children
),
108 .pr_flags
= PR_HOST
|PR_VNET
|_PR_IP_SADDRSEL
,
110 .pr_flags
= PR_HOST
|_PR_IP_SADDRSEL
,
112 .pr_allow
= PR_ALLOW_ALL
,
114 MTX_SYSINIT(prison0
, &prison0
.pr_mtx
, "jail mutex", MTX_DEF
);
116 /* allprison, allprison_racct and lastprid are protected by allprison_lock. */
117 struct sx allprison_lock
;
118 SX_SYSINIT(allprison_lock
, &allprison_lock
, "allprison");
119 struct prisonlist allprison
= TAILQ_HEAD_INITIALIZER(allprison
);
120 LIST_HEAD(, prison_racct
) allprison_racct
;
123 static int do_jail_attach(struct thread
*td
, struct prison
*pr
);
124 static void prison_complete(void *context
, int pending
);
125 static void prison_deref(struct prison
*pr
, int flags
);
126 static char *prison_path(struct prison
*pr1
, struct prison
*pr2
);
127 static void prison_remove_one(struct prison
*pr
);
129 static void prison_racct_attach(struct prison
*pr
);
130 static void prison_racct_modify(struct prison
*pr
);
131 static void prison_racct_detach(struct prison
*pr
);
134 static int _prison_check_ip4(const struct prison
*, const struct in_addr
*);
135 static int prison_restrict_ip4(struct prison
*pr
, struct in_addr
*newip4
);
138 static int _prison_check_ip6(struct prison
*pr
, struct in6_addr
*ia6
);
139 static int prison_restrict_ip6(struct prison
*pr
, struct in6_addr
*newip6
);
142 /* Flags for prison_deref */
143 #define PD_DEREF 0x01
144 #define PD_DEUREF 0x02
145 #define PD_LOCKED 0x04
146 #define PD_LIST_SLOCKED 0x08
147 #define PD_LIST_XLOCKED 0x10
150 * Parameter names corresponding to PR_* flag values. Size values are for kvm
151 * as we cannot figure out the size of a sparse array, or an array without a
154 static char *pr_flag_names
[] = {
157 [7] = "ip4.saddrsel",
160 [8] = "ip6.saddrsel",
163 const size_t pr_flag_names_size
= sizeof(pr_flag_names
);
165 static char *pr_flag_nonames
[] = {
168 [7] = "ip4.nosaddrsel",
171 [8] = "ip6.nosaddrsel",
174 const size_t pr_flag_nonames_size
= sizeof(pr_flag_nonames
);
176 struct jailsys_flags
{
180 } pr_flag_jailsys
[] = {
181 { "host", 0, PR_HOST
},
183 { "vnet", 0, PR_VNET
},
186 { "ip4", PR_IP4_USER
, PR_IP4_USER
},
189 { "ip6", PR_IP6_USER
, PR_IP6_USER
},
192 const size_t pr_flag_jailsys_size
= sizeof(pr_flag_jailsys
);
194 static char *pr_allow_names
[] = {
195 "allow.set_hostname",
203 "allow.mount.nullfs",
205 "allow.mount.procfs",
207 "allow.mount.fdescfs",
208 "allow.mount.linprocfs",
209 "allow.mount.linsysfs",
211 const size_t pr_allow_names_size
= sizeof(pr_allow_names
);
213 static char *pr_allow_nonames
[] = {
214 "allow.noset_hostname",
216 "allow.noraw_sockets",
221 "allow.mount.nodevfs",
222 "allow.mount.nonullfs",
224 "allow.mount.noprocfs",
225 "allow.mount.notmpfs",
226 "allow.mount.nofdescfs",
227 "allow.mount.nolinprocfs",
228 "allow.mount.nolinsysfs",
230 const size_t pr_allow_nonames_size
= sizeof(pr_allow_nonames
);
232 #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
233 #define JAIL_DEFAULT_ENFORCE_STATFS 2
234 #define JAIL_DEFAULT_DEVFS_RSNUM 0
235 static unsigned jail_default_allow
= JAIL_DEFAULT_ALLOW
;
236 static int jail_default_enforce_statfs
= JAIL_DEFAULT_ENFORCE_STATFS
;
237 static int jail_default_devfs_rsnum
= JAIL_DEFAULT_DEVFS_RSNUM
;
238 #if defined(INET) || defined(INET6)
239 static unsigned jail_max_af_ips
= 255;
243 * Initialize the parts of prison0 that can't be static-initialized with
244 * constants. This is called from proc0_init() after creating thread0 cpuset.
250 prison0
.pr_cpuset
= cpuset_ref(thread0
.td_cpuset
);
251 prison0
.pr_osreldate
= osreldate
;
252 strlcpy(prison0
.pr_osrelease
, osrelease
, sizeof(prison0
.pr_osrelease
));
257 qcmp_v4(const void *ip1
, const void *ip2
)
262 * We need to compare in HBO here to get the list sorted as expected
263 * by the result of the code. Sorting NBO addresses gives you
264 * interesting results. If you do not understand, do not try.
266 iaa
= ntohl(((const struct in_addr
*)ip1
)->s_addr
);
267 iab
= ntohl(((const struct in_addr
*)ip2
)->s_addr
);
270 * Do not simply return the difference of the two numbers, the int is
284 qcmp_v6(const void *ip1
, const void *ip2
)
286 const struct in6_addr
*ia6a
, *ia6b
;
289 ia6a
= (const struct in6_addr
*)ip1
;
290 ia6b
= (const struct in6_addr
*)ip2
;
293 for (i
= 0; rc
== 0 && i
< sizeof(struct in6_addr
); i
++) {
294 if (ia6a
->s6_addr
[i
] > ia6b
->s6_addr
[i
])
296 else if (ia6a
->s6_addr
[i
] < ia6b
->s6_addr
[i
])
309 sys_jail(struct thread
*td
, struct jail_args
*uap
)
315 error
= copyin(uap
->jail
, &version
, sizeof(uint32_t));
324 /* FreeBSD single IPv4 jails. */
325 bzero(&j
, sizeof(struct jail
));
326 error
= copyin(uap
->jail
, &j0
, sizeof(struct jail_v0
));
329 j
.version
= j0
.version
;
331 j
.hostname
= j0
.hostname
;
332 j
.ip4s
= htonl(j0
.ip_number
); /* jail_v0 is host order */
338 * Version 1 was used by multi-IPv4 jail implementations
339 * that never made it into the official kernel.
343 case 2: /* JAIL_API_VERSION */
344 /* FreeBSD multi-IPv4/IPv6,noIP jails. */
345 error
= copyin(uap
->jail
, &j
, sizeof(struct jail
));
351 /* Sci-Fi jails are not supported, sorry. */
354 return (kern_jail(td
, &j
));
358 kern_jail(struct thread
*td
, struct jail
*j
)
360 struct iovec optiov
[2 * (4 + nitems(pr_allow_names
)
369 char *u_path
, *u_hostname
, *u_name
;
372 struct in_addr
*u_ip4
;
375 struct in6_addr
*u_ip6
;
378 int error
, enforce_statfs
, fi
;
380 bzero(&optiov
, sizeof(optiov
));
381 opt
.uio_iov
= optiov
;
385 opt
.uio_segflg
= UIO_SYSSPACE
;
386 opt
.uio_rw
= UIO_READ
;
389 /* Set permissions for top-level jails from sysctls. */
390 if (!jailed(td
->td_ucred
)) {
391 for (fi
= 0; fi
< nitems(pr_allow_names
); fi
++) {
392 optiov
[opt
.uio_iovcnt
].iov_base
=
393 (jail_default_allow
& (1 << fi
))
394 ? pr_allow_names
[fi
] : pr_allow_nonames
[fi
];
395 optiov
[opt
.uio_iovcnt
].iov_len
=
396 strlen(optiov
[opt
.uio_iovcnt
].iov_base
) + 1;
399 optiov
[opt
.uio_iovcnt
].iov_base
= "enforce_statfs";
400 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("enforce_statfs");
402 enforce_statfs
= jail_default_enforce_statfs
;
403 optiov
[opt
.uio_iovcnt
].iov_base
= &enforce_statfs
;
404 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof(enforce_statfs
);
408 tmplen
= MAXPATHLEN
+ MAXHOSTNAMELEN
+ MAXHOSTNAMELEN
;
410 ip4s
= (j
->version
== 0) ? 1 : j
->ip4s
;
411 if (ip4s
> jail_max_af_ips
)
413 tmplen
+= ip4s
* sizeof(struct in_addr
);
419 if (j
->ip6s
> jail_max_af_ips
)
421 tmplen
+= j
->ip6s
* sizeof(struct in6_addr
);
426 u_path
= malloc(tmplen
, M_TEMP
, M_WAITOK
);
427 u_hostname
= u_path
+ MAXPATHLEN
;
428 u_name
= u_hostname
+ MAXHOSTNAMELEN
;
430 u_ip4
= (struct in_addr
*)(u_name
+ MAXHOSTNAMELEN
);
434 u_ip6
= (struct in6_addr
*)(u_ip4
+ ip4s
);
436 u_ip6
= (struct in6_addr
*)(u_name
+ MAXHOSTNAMELEN
);
439 optiov
[opt
.uio_iovcnt
].iov_base
= "path";
440 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("path");
442 optiov
[opt
.uio_iovcnt
].iov_base
= u_path
;
443 error
= copyinstr(j
->path
, u_path
, MAXPATHLEN
,
444 &optiov
[opt
.uio_iovcnt
].iov_len
);
446 free(u_path
, M_TEMP
);
450 optiov
[opt
.uio_iovcnt
].iov_base
= "host.hostname";
451 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("host.hostname");
453 optiov
[opt
.uio_iovcnt
].iov_base
= u_hostname
;
454 error
= copyinstr(j
->hostname
, u_hostname
, MAXHOSTNAMELEN
,
455 &optiov
[opt
.uio_iovcnt
].iov_len
);
457 free(u_path
, M_TEMP
);
461 if (j
->jailname
!= NULL
) {
462 optiov
[opt
.uio_iovcnt
].iov_base
= "name";
463 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("name");
465 optiov
[opt
.uio_iovcnt
].iov_base
= u_name
;
466 error
= copyinstr(j
->jailname
, u_name
, MAXHOSTNAMELEN
,
467 &optiov
[opt
.uio_iovcnt
].iov_len
);
469 free(u_path
, M_TEMP
);
475 optiov
[opt
.uio_iovcnt
].iov_base
= "ip4.addr";
476 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("ip4.addr");
478 optiov
[opt
.uio_iovcnt
].iov_base
= u_ip4
;
479 optiov
[opt
.uio_iovcnt
].iov_len
= ip4s
* sizeof(struct in_addr
);
481 u_ip4
->s_addr
= j
->ip4s
;
483 error
= copyin(j
->ip4
, u_ip4
, optiov
[opt
.uio_iovcnt
].iov_len
);
485 free(u_path
, M_TEMP
);
492 optiov
[opt
.uio_iovcnt
].iov_base
= "ip6.addr";
493 optiov
[opt
.uio_iovcnt
].iov_len
= sizeof("ip6.addr");
495 optiov
[opt
.uio_iovcnt
].iov_base
= u_ip6
;
496 optiov
[opt
.uio_iovcnt
].iov_len
= j
->ip6s
* sizeof(struct in6_addr
);
497 error
= copyin(j
->ip6
, u_ip6
, optiov
[opt
.uio_iovcnt
].iov_len
);
499 free(u_path
, M_TEMP
);
504 KASSERT(opt
.uio_iovcnt
<= nitems(optiov
),
505 ("kern_jail: too many iovecs (%d)", opt
.uio_iovcnt
));
506 error
= kern_jail_set(td
, &opt
, JAIL_CREATE
| JAIL_ATTACH
);
507 free(u_path
, M_TEMP
);
513 * struct jail_set_args {
514 * struct iovec *iovp;
515 * unsigned int iovcnt;
520 sys_jail_set(struct thread
*td
, struct jail_set_args
*uap
)
525 /* Check that we have an even number of iovecs. */
529 error
= copyinuio(uap
->iovp
, uap
->iovcnt
, &auio
);
532 error
= kern_jail_set(td
, auio
, uap
->flags
);
538 kern_jail_set(struct thread
*td
, struct uio
*optuio
, int flags
)
545 struct in6_addr
*ip6
;
548 struct vfsoptlist
*opts
;
549 struct prison
*pr
, *deadpr
, *mypr
, *ppr
, *tpr
;
551 char *domain
, *errmsg
, *host
, *name
, *namelc
, *p
, *path
, *uuid
;
552 char *g_path
, *osrelstr
;
553 #if defined(INET) || defined(INET6)
558 size_t namelen
, onamelen
, pnamelen
;
559 int born
, created
, cuflags
, descend
, enforce
;
560 int error
, errmsg_len
, errmsg_pos
;
561 int gotchildmax
, gotenforce
, gothid
, gotrsnum
, gotslevel
;
562 int fi
, jid
, jsys
, len
, level
;
563 int childmax
, osreldt
, rsnum
, slevel
;
564 int fullpath_disabled
;
565 #if defined(INET) || defined(INET6)
574 uint64_t pr_allow
, ch_allow
, pr_flags
, ch_flags
;
578 error
= priv_check(td
, PRIV_JAIL_SET
);
579 if (!error
&& (flags
& JAIL_ATTACH
))
580 error
= priv_check(td
, PRIV_JAIL_ATTACH
);
583 mypr
= td
->td_ucred
->cr_prison
;
584 if ((flags
& JAIL_CREATE
) && mypr
->pr_childmax
== 0)
586 if (flags
& ~JAIL_SET_MASK
)
590 * Check all the parameters before committing to anything. Not all
591 * errors can be caught early, but we may as well try. Also, this
592 * takes care of some expensive stuff (path lookup) before getting
593 * the allprison lock.
595 * XXX Jails are not filesystems, and jail parameters are not mount
596 * options. But it makes more sense to re-use the vfsopt code
597 * than duplicate it under a different name.
599 error
= vfs_buildopts(optuio
, &opts
);
610 cuflags
= flags
& (JAIL_CREATE
| JAIL_UPDATE
);
613 vfs_opterror(opts
, "no valid operation (create or update)");
617 error
= vfs_copyopt(opts
, "jid", &jid
, sizeof(jid
));
623 error
= vfs_copyopt(opts
, "securelevel", &slevel
, sizeof(slevel
));
632 vfs_copyopt(opts
, "children.max", &childmax
, sizeof(childmax
));
640 error
= vfs_copyopt(opts
, "enforce_statfs", &enforce
, sizeof(enforce
));
645 else if (enforce
< 0 || enforce
> 2) {
651 error
= vfs_copyopt(opts
, "devfs_ruleset", &rsnum
, sizeof(rsnum
));
659 pr_flags
= ch_flags
= 0;
660 for (fi
= 0; fi
< nitems(pr_flag_names
); fi
++) {
661 if (pr_flag_names
[fi
] == NULL
)
663 vfs_flagopt(opts
, pr_flag_names
[fi
], &pr_flags
, 1 << fi
);
664 vfs_flagopt(opts
, pr_flag_nonames
[fi
], &ch_flags
, 1 << fi
);
666 ch_flags
|= pr_flags
;
667 for (fi
= 0; fi
< nitems(pr_flag_jailsys
); fi
++) {
668 error
= vfs_copyopt(opts
, pr_flag_jailsys
[fi
].name
, &jsys
,
675 case JAIL_SYS_DISABLE
:
676 if (!pr_flag_jailsys
[fi
].disable
) {
680 pr_flags
|= pr_flag_jailsys
[fi
].disable
;
683 pr_flags
|= pr_flag_jailsys
[fi
].new;
685 case JAIL_SYS_INHERIT
:
692 pr_flag_jailsys
[fi
].new | pr_flag_jailsys
[fi
].disable
;
694 if ((flags
& (JAIL_CREATE
| JAIL_UPDATE
| JAIL_ATTACH
)) == JAIL_CREATE
695 && !(pr_flags
& PR_PERSIST
)) {
697 vfs_opterror(opts
, "new jail must persist or attach");
701 if ((flags
& JAIL_UPDATE
) && (ch_flags
& PR_VNET
)) {
703 vfs_opterror(opts
, "vnet cannot be changed after creation");
708 if ((flags
& JAIL_UPDATE
) && (ch_flags
& PR_IP4_USER
)) {
710 vfs_opterror(opts
, "ip4 cannot be changed after creation");
715 if ((flags
& JAIL_UPDATE
) && (ch_flags
& PR_IP6_USER
)) {
717 vfs_opterror(opts
, "ip6 cannot be changed after creation");
722 pr_allow
= ch_allow
= 0;
723 for (fi
= 0; fi
< nitems(pr_allow_names
); fi
++) {
724 vfs_flagopt(opts
, pr_allow_names
[fi
], &pr_allow
, 1 << fi
);
725 vfs_flagopt(opts
, pr_allow_nonames
[fi
], &ch_allow
, 1 << fi
);
727 ch_allow
|= pr_allow
;
729 error
= vfs_getopt(opts
, "name", (void **)&name
, &len
);
735 if (len
== 0 || name
[len
- 1] != '\0') {
739 if (len
> MAXHOSTNAMELEN
) {
740 error
= ENAMETOOLONG
;
745 error
= vfs_getopt(opts
, "host.hostname", (void **)&host
, &len
);
753 if (len
== 0 || host
[len
- 1] != '\0') {
757 if (len
> MAXHOSTNAMELEN
) {
758 error
= ENAMETOOLONG
;
763 error
= vfs_getopt(opts
, "host.domainname", (void **)&domain
, &len
);
771 if (len
== 0 || domain
[len
- 1] != '\0') {
775 if (len
> MAXHOSTNAMELEN
) {
776 error
= ENAMETOOLONG
;
781 error
= vfs_getopt(opts
, "host.hostuuid", (void **)&uuid
, &len
);
789 if (len
== 0 || uuid
[len
- 1] != '\0') {
793 if (len
> HOSTUUIDLEN
) {
794 error
= ENAMETOOLONG
;
799 #ifdef COMPAT_FREEBSD32
800 if (SV_PROC_FLAG(td
->td_proc
, SV_ILP32
)) {
803 error
= vfs_copyopt(opts
, "host.hostid", &hid32
, sizeof(hid32
));
807 error
= vfs_copyopt(opts
, "host.hostid", &hid
, sizeof(hid
));
819 error
= vfs_getopt(opts
, "ip4.addr", &op
, &ip4s
);
824 else if (ip4s
& (sizeof(*ip4
) - 1)) {
828 ch_flags
|= PR_IP4_USER
;
829 pr_flags
|= PR_IP4_USER
;
831 ip4s
/= sizeof(*ip4
);
832 if (ip4s
> jail_max_af_ips
) {
834 vfs_opterror(opts
, "too many IPv4 addresses");
837 ip4
= malloc(ip4s
* sizeof(*ip4
), M_PRISON
, M_WAITOK
);
838 bcopy(op
, ip4
, ip4s
* sizeof(*ip4
));
840 * IP addresses are all sorted but ip[0] to preserve
841 * the primary IP address as given from userland.
842 * This special IP is used for unbound outgoing
843 * connections as well for "loopback" traffic in case
844 * source address selection cannot find any more fitting
845 * address to connect from.
848 qsort(ip4
+ 1, ip4s
- 1, sizeof(*ip4
), qcmp_v4
);
850 * Check for duplicate addresses and do some simple
851 * zero and broadcast checks. If users give other bogus
852 * addresses it is their problem.
854 * We do not have to care about byte order for these
855 * checks so we will do them in NBO.
857 for (ii
= 0; ii
< ip4s
; ii
++) {
858 if (ip4
[ii
].s_addr
== INADDR_ANY
||
859 ip4
[ii
].s_addr
== INADDR_BROADCAST
) {
864 (ip4
[0].s_addr
== ip4
[ii
+1].s_addr
||
865 ip4
[ii
].s_addr
== ip4
[ii
+1].s_addr
)) {
875 error
= vfs_getopt(opts
, "ip6.addr", &op
, &ip6s
);
880 else if (ip6s
& (sizeof(*ip6
) - 1)) {
884 ch_flags
|= PR_IP6_USER
;
885 pr_flags
|= PR_IP6_USER
;
887 ip6s
/= sizeof(*ip6
);
888 if (ip6s
> jail_max_af_ips
) {
890 vfs_opterror(opts
, "too many IPv6 addresses");
893 ip6
= malloc(ip6s
* sizeof(*ip6
), M_PRISON
, M_WAITOK
);
894 bcopy(op
, ip6
, ip6s
* sizeof(*ip6
));
896 qsort(ip6
+ 1, ip6s
- 1, sizeof(*ip6
), qcmp_v6
);
897 for (ii
= 0; ii
< ip6s
; ii
++) {
898 if (IN6_IS_ADDR_UNSPECIFIED(&ip6
[ii
])) {
903 (IN6_ARE_ADDR_EQUAL(&ip6
[0], &ip6
[ii
+1]) ||
904 IN6_ARE_ADDR_EQUAL(&ip6
[ii
], &ip6
[ii
+1])))
914 #if defined(VIMAGE) && (defined(INET) || defined(INET6))
915 if ((ch_flags
& PR_VNET
) && (ch_flags
& (PR_IP4_USER
| PR_IP6_USER
))) {
918 "vnet jails cannot have IP address restrictions");
923 error
= vfs_getopt(opts
, "osrelease", (void **)&osrelstr
, &len
);
929 if (flags
& JAIL_UPDATE
) {
932 "osrelease cannot be changed after creation");
935 if (len
== 0 || len
>= OSRELEASELEN
) {
938 "osrelease string must be 1-%d bytes long",
944 error
= vfs_copyopt(opts
, "osreldate", &osreldt
, sizeof(osreldt
));
950 if (flags
& JAIL_UPDATE
) {
953 "osreldate cannot be changed after creation");
958 vfs_opterror(opts
, "osreldate cannot be 0");
963 fullpath_disabled
= 0;
965 error
= vfs_getopt(opts
, "path", (void **)&path
, &len
);
971 if (flags
& JAIL_UPDATE
) {
974 "path cannot be changed after creation");
977 if (len
== 0 || path
[len
- 1] != '\0') {
981 NDINIT(&nd
, LOOKUP
, FOLLOW
| LOCKLEAF
, UIO_SYSSPACE
,
987 NDFREE(&nd
, NDF_ONLY_PNBUF
);
988 g_path
= malloc(MAXPATHLEN
, M_TEMP
, M_WAITOK
);
989 strlcpy(g_path
, path
, MAXPATHLEN
);
990 error
= vn_path_to_global_path(td
, root
, g_path
, MAXPATHLEN
);
993 else if (error
== ENODEV
) {
994 /* proceed if sysctl debug.disablefullpath == 1 */
995 fullpath_disabled
= 1;
996 if (len
< 2 || (len
== 2 && path
[0] == '/'))
999 /* exit on other errors */
1002 if (root
->v_type
!= VDIR
) {
1007 VOP_UNLOCK(root
, 0);
1008 if (fullpath_disabled
) {
1009 /* Leave room for a real-root full pathname. */
1010 if (len
+ (path
[0] == '/' && strcmp(mypr
->pr_path
, "/")
1011 ? strlen(mypr
->pr_path
) : 0) > MAXPATHLEN
) {
1012 error
= ENAMETOOLONG
;
1020 * Find the specified jail, or at least its parent.
1021 * This abuses the file error codes ENOENT and EEXIST.
1025 if (cuflags
== JAIL_CREATE
&& jid
== 0 && name
!= NULL
) {
1026 namelc
= strrchr(name
, '.');
1027 jid
= strtoul(namelc
!= NULL
? namelc
+ 1 : name
, &p
, 10);
1031 sx_xlock(&allprison_lock
);
1034 * See if a requested jid already exists. There is an
1035 * information leak here if the jid exists but is not within
1036 * the caller's jail hierarchy. Jail creators will get EEXIST
1037 * even though they cannot see the jail, and CREATE | UPDATE
1038 * will return ENOENT which is not normally a valid error.
1042 vfs_opterror(opts
, "negative jid");
1043 goto done_unlock_list
;
1045 pr
= prison_find(jid
);
1047 ppr
= pr
->pr_parent
;
1048 /* Create: jid must not exist. */
1049 if (cuflags
== JAIL_CREATE
) {
1050 mtx_unlock(&pr
->pr_mtx
);
1052 vfs_opterror(opts
, "jail %d already exists",
1054 goto done_unlock_list
;
1056 if (!prison_ischild(mypr
, pr
)) {
1057 mtx_unlock(&pr
->pr_mtx
);
1059 } else if (pr
->pr_uref
== 0) {
1060 if (!(flags
& JAIL_DYING
)) {
1061 mtx_unlock(&pr
->pr_mtx
);
1063 vfs_opterror(opts
, "jail %d is dying",
1065 goto done_unlock_list
;
1066 } else if ((flags
& JAIL_ATTACH
) ||
1067 (pr_flags
& PR_PERSIST
)) {
1069 * A dying jail might be resurrected
1070 * (via attach or persist), but first
1071 * it must determine if another jail
1072 * has claimed its name. Accomplish
1073 * this by implicitly re-setting the
1077 name
= prison_name(mypr
, pr
);
1082 /* Update: jid must exist. */
1083 if (cuflags
== JAIL_UPDATE
) {
1085 vfs_opterror(opts
, "jail %d not found", jid
);
1086 goto done_unlock_list
;
1091 * If the caller provided a name, look for a jail by that name.
1092 * This has different semantics for creates and updates keyed by jid
1093 * (where the name must not already exist in a different jail),
1094 * and updates keyed by the name itself (where the name must exist
1095 * because that is the jail being updated).
1099 namelc
= strrchr(name
, '.');
1104 * This is a hierarchical name. Split it into the
1105 * parent and child names, and make sure the parent
1106 * exists or matches an already found jail.
1109 if (strncmp(name
, ppr
->pr_name
, namelc
- name
)
1110 || ppr
->pr_name
[namelc
- name
] != '\0') {
1111 mtx_unlock(&pr
->pr_mtx
);
1114 "cannot change jail's parent");
1115 goto done_unlock_list
;
1119 ppr
= prison_find_name(mypr
, name
);
1123 "jail \"%s\" not found", name
);
1124 goto done_unlock_list
;
1126 mtx_unlock(&ppr
->pr_mtx
);
1131 if (namelc
[0] != '\0') {
1133 (ppr
== &prison0
) ? 0 : strlen(ppr
->pr_name
) + 1;
1136 FOREACH_PRISON_CHILD(ppr
, tpr
) {
1137 if (tpr
!= pr
&& tpr
->pr_ref
> 0 &&
1138 !strcmp(tpr
->pr_name
+ pnamelen
, namelc
)) {
1140 cuflags
!= JAIL_CREATE
) {
1141 mtx_lock(&tpr
->pr_mtx
);
1142 if (tpr
->pr_ref
> 0) {
1147 if (tpr
->pr_uref
> 0) {
1153 mtx_unlock(&tpr
->pr_mtx
);
1154 } else if (tpr
->pr_uref
> 0) {
1156 * Create, or update(jid):
1157 * name must not exist in an
1158 * active sibling jail.
1162 mtx_unlock(&pr
->pr_mtx
);
1164 "jail \"%s\" already exists",
1166 goto done_unlock_list
;
1170 /* If no active jail is found, use a dying one. */
1171 if (deadpr
!= NULL
&& pr
== NULL
) {
1172 if (flags
& JAIL_DYING
) {
1173 mtx_lock(&deadpr
->pr_mtx
);
1174 if (deadpr
->pr_ref
== 0) {
1175 mtx_unlock(&deadpr
->pr_mtx
);
1179 } else if (cuflags
== JAIL_UPDATE
) {
1182 "jail \"%s\" is dying", name
);
1183 goto done_unlock_list
;
1186 /* Update: name must exist if no jid. */
1187 else if (cuflags
== JAIL_UPDATE
&& pr
== NULL
) {
1189 vfs_opterror(opts
, "jail \"%s\" not found",
1191 goto done_unlock_list
;
1195 /* Update: must provide a jid or name. */
1196 else if (cuflags
== JAIL_UPDATE
&& pr
== NULL
) {
1198 vfs_opterror(opts
, "update specified no jail");
1199 goto done_unlock_list
;
1202 /* If there's no prison to update, create a new one and link it in. */
1204 for (tpr
= mypr
; tpr
!= NULL
; tpr
= tpr
->pr_parent
)
1205 if (tpr
->pr_childcount
>= tpr
->pr_childmax
) {
1207 vfs_opterror(opts
, "prison limit exceeded");
1208 goto done_unlock_list
;
1211 mtx_lock(&ppr
->pr_mtx
);
1212 if (ppr
->pr_ref
== 0) {
1213 mtx_unlock(&ppr
->pr_mtx
);
1215 vfs_opterror(opts
, "jail \"%s\" not found",
1216 prison_name(mypr
, ppr
));
1217 goto done_unlock_list
;
1221 mtx_unlock(&ppr
->pr_mtx
);
1222 pr
= malloc(sizeof(*pr
), M_PRISON
, M_WAITOK
| M_ZERO
);
1224 /* Find the next free jid. */
1227 if (jid
== JAIL_MAX
)
1229 TAILQ_FOREACH(tpr
, &allprison
, pr_list
) {
1230 if (tpr
->pr_id
< jid
)
1232 if (tpr
->pr_id
> jid
|| tpr
->pr_ref
== 0) {
1233 TAILQ_INSERT_BEFORE(tpr
, pr
, pr_list
);
1236 if (jid
== lastprid
) {
1239 "no available jail IDs");
1241 prison_deref(ppr
, PD_DEREF
|
1242 PD_DEUREF
| PD_LIST_XLOCKED
);
1251 * The jail already has a jid (that did not yet exist),
1252 * so just find where to insert it.
1254 TAILQ_FOREACH(tpr
, &allprison
, pr_list
)
1255 if (tpr
->pr_id
>= jid
) {
1256 TAILQ_INSERT_BEFORE(tpr
, pr
, pr_list
);
1261 TAILQ_INSERT_TAIL(&allprison
, pr
, pr_list
);
1262 LIST_INSERT_HEAD(&ppr
->pr_children
, pr
, pr_sibling
);
1263 for (tpr
= ppr
; tpr
!= NULL
; tpr
= tpr
->pr_parent
)
1264 tpr
->pr_childcount
++;
1266 pr
->pr_parent
= ppr
;
1269 /* Set some default values, and inherit some from the parent. */
1274 root
= mypr
->pr_root
;
1277 strlcpy(pr
->pr_hostuuid
, DEFAULT_HOSTUUID
, HOSTUUIDLEN
);
1278 pr
->pr_flags
|= PR_HOST
;
1279 #if defined(INET) || defined(INET6)
1281 if (!(pr_flags
& PR_VNET
))
1285 if (!(ch_flags
& PR_IP4_USER
))
1286 pr
->pr_flags
|= PR_IP4
| PR_IP4_USER
;
1287 else if (!(pr_flags
& PR_IP4_USER
)) {
1288 pr
->pr_flags
|= ppr
->pr_flags
& PR_IP4
;
1289 if (ppr
->pr_ip4
!= NULL
) {
1290 pr
->pr_ip4s
= ppr
->pr_ip4s
;
1291 pr
->pr_ip4
= malloc(pr
->pr_ip4s
*
1292 sizeof(struct in_addr
), M_PRISON
,
1294 bcopy(ppr
->pr_ip4
, pr
->pr_ip4
,
1295 pr
->pr_ip4s
* sizeof(*pr
->pr_ip4
));
1300 if (!(ch_flags
& PR_IP6_USER
))
1301 pr
->pr_flags
|= PR_IP6
| PR_IP6_USER
;
1302 else if (!(pr_flags
& PR_IP6_USER
)) {
1303 pr
->pr_flags
|= ppr
->pr_flags
& PR_IP6
;
1304 if (ppr
->pr_ip6
!= NULL
) {
1305 pr
->pr_ip6s
= ppr
->pr_ip6s
;
1306 pr
->pr_ip6
= malloc(pr
->pr_ip6s
*
1307 sizeof(struct in6_addr
), M_PRISON
,
1309 bcopy(ppr
->pr_ip6
, pr
->pr_ip6
,
1310 pr
->pr_ip6s
* sizeof(*pr
->pr_ip6
));
1316 /* Source address selection is always on by default. */
1317 pr
->pr_flags
|= _PR_IP_SADDRSEL
;
1319 pr
->pr_securelevel
= ppr
->pr_securelevel
;
1320 pr
->pr_allow
= JAIL_DEFAULT_ALLOW
& ppr
->pr_allow
;
1321 pr
->pr_enforce_statfs
= jail_default_enforce_statfs
;
1322 pr
->pr_devfs_rsnum
= ppr
->pr_devfs_rsnum
;
1324 pr
->pr_osreldate
= osreldt
? osreldt
: ppr
->pr_osreldate
;
1325 if (osrelstr
== NULL
)
1326 strcpy(pr
->pr_osrelease
, ppr
->pr_osrelease
);
1328 strcpy(pr
->pr_osrelease
, osrelstr
);
1330 LIST_INIT(&pr
->pr_children
);
1331 mtx_init(&pr
->pr_mtx
, "jail mutex", NULL
, MTX_DEF
| MTX_DUPOK
);
1332 TASK_INIT(&pr
->pr_task
, 0, prison_complete
, pr
);
1335 /* Allocate a new vnet if specified. */
1336 pr
->pr_vnet
= (pr_flags
& PR_VNET
)
1337 ? vnet_alloc() : ppr
->pr_vnet
;
1340 * Allocate a dedicated cpuset for each jail.
1341 * Unlike other initial settings, this may return an erorr.
1343 error
= cpuset_create_root(ppr
, &pr
->pr_cpuset
);
1345 prison_deref(pr
, PD_LIST_XLOCKED
);
1349 mtx_lock(&pr
->pr_mtx
);
1351 * New prisons do not yet have a reference, because we do not
1352 * want others to see the incomplete prison once the
1353 * allprison_lock is downgraded.
1358 * Grab a reference for existing prisons, to ensure they
1359 * continue to exist for the duration of the call.
1362 #if defined(VIMAGE) && (defined(INET) || defined(INET6))
1363 if ((pr
->pr_flags
& PR_VNET
) &&
1364 (ch_flags
& (PR_IP4_USER
| PR_IP6_USER
))) {
1367 "vnet jails cannot have IP address restrictions");
1368 goto done_deref_locked
;
1372 if (PR_IP4_USER
& ch_flags
& (pr_flags
^ pr
->pr_flags
)) {
1375 "ip4 cannot be changed after creation");
1376 goto done_deref_locked
;
1380 if (PR_IP6_USER
& ch_flags
& (pr_flags
^ pr
->pr_flags
)) {
1383 "ip6 cannot be changed after creation");
1384 goto done_deref_locked
;
1389 /* Do final error checking before setting anything. */
1391 if (slevel
< ppr
->pr_securelevel
) {
1393 goto done_deref_locked
;
1397 if (childmax
>= ppr
->pr_childmax
) {
1399 goto done_deref_locked
;
1403 if (enforce
< ppr
->pr_enforce_statfs
) {
1405 goto done_deref_locked
;
1410 * devfs_rsnum is a uint16_t
1412 if (rsnum
< 0 || rsnum
> 65535) {
1414 goto done_deref_locked
;
1417 * Nested jails always inherit parent's devfs ruleset
1419 if (jailed(td
->td_ucred
)) {
1420 if (rsnum
> 0 && rsnum
!= ppr
->pr_devfs_rsnum
) {
1422 goto done_deref_locked
;
1424 rsnum
= ppr
->pr_devfs_rsnum
;
1429 if (ppr
->pr_flags
& PR_IP4
) {
1431 * Make sure the new set of IP addresses is a
1432 * subset of the parent's list. Don't worry
1433 * about the parent being unlocked, as any
1434 * setting is done with allprison_lock held.
1436 for (ij
= 0; ij
< ppr
->pr_ip4s
; ij
++)
1437 if (ip4
[0].s_addr
== ppr
->pr_ip4
[ij
].s_addr
)
1439 if (ij
== ppr
->pr_ip4s
) {
1441 goto done_deref_locked
;
1444 for (ii
= ij
= 1; ii
< ip4s
; ii
++) {
1445 if (ip4
[ii
].s_addr
==
1446 ppr
->pr_ip4
[0].s_addr
)
1448 for (; ij
< ppr
->pr_ip4s
; ij
++)
1449 if (ip4
[ii
].s_addr
==
1450 ppr
->pr_ip4
[ij
].s_addr
)
1452 if (ij
== ppr
->pr_ip4s
)
1455 if (ij
== ppr
->pr_ip4s
) {
1457 goto done_deref_locked
;
1462 * Check for conflicting IP addresses. We permit them
1463 * if there is no more than one IP on each jail. If
1464 * there is a duplicate on a jail with more than one
1465 * IP stop checking and return error.
1469 for (; tppr
!= &prison0
; tppr
= tppr
->pr_parent
)
1470 if (tppr
->pr_flags
& PR_VNET
)
1473 FOREACH_PRISON_DESCENDANT(tppr
, tpr
, descend
) {
1476 (tpr
!= tppr
&& (tpr
->pr_flags
& PR_VNET
)) ||
1478 tpr
->pr_uref
== 0) {
1482 if (!(tpr
->pr_flags
& PR_IP4_USER
))
1485 if (tpr
->pr_ip4
== NULL
||
1486 (ip4s
== 1 && tpr
->pr_ip4s
== 1))
1488 for (ii
= 0; ii
< ip4s
; ii
++) {
1489 if (_prison_check_ip4(tpr
, &ip4
[ii
]) == 0) {
1492 "IPv4 addresses clash");
1493 goto done_deref_locked
;
1501 if (ppr
->pr_flags
& PR_IP6
) {
1503 * Make sure the new set of IP addresses is a
1504 * subset of the parent's list.
1506 for (ij
= 0; ij
< ppr
->pr_ip6s
; ij
++)
1507 if (IN6_ARE_ADDR_EQUAL(&ip6
[0],
1510 if (ij
== ppr
->pr_ip6s
) {
1512 goto done_deref_locked
;
1515 for (ii
= ij
= 1; ii
< ip6s
; ii
++) {
1516 if (IN6_ARE_ADDR_EQUAL(&ip6
[ii
],
1519 for (; ij
< ppr
->pr_ip6s
; ij
++)
1520 if (IN6_ARE_ADDR_EQUAL(
1521 &ip6
[ii
], &ppr
->pr_ip6
[ij
]))
1523 if (ij
== ppr
->pr_ip6s
)
1526 if (ij
== ppr
->pr_ip6s
) {
1528 goto done_deref_locked
;
1532 /* Check for conflicting IP addresses. */
1535 for (; tppr
!= &prison0
; tppr
= tppr
->pr_parent
)
1536 if (tppr
->pr_flags
& PR_VNET
)
1539 FOREACH_PRISON_DESCENDANT(tppr
, tpr
, descend
) {
1542 (tpr
!= tppr
&& (tpr
->pr_flags
& PR_VNET
)) ||
1544 tpr
->pr_uref
== 0) {
1548 if (!(tpr
->pr_flags
& PR_IP6_USER
))
1551 if (tpr
->pr_ip6
== NULL
||
1552 (ip6s
== 1 && tpr
->pr_ip6s
== 1))
1554 for (ii
= 0; ii
< ip6s
; ii
++) {
1555 if (_prison_check_ip6(tpr
, &ip6
[ii
]) == 0) {
1558 "IPv6 addresses clash");
1559 goto done_deref_locked
;
1565 onamelen
= namelen
= 0;
1566 if (namelc
!= NULL
) {
1567 /* Give a default name of the jid. Also allow the name to be
1568 * explicitly the jid - but not any other number, and only in
1569 * normal form (no leading zero/etc).
1571 if (namelc
[0] == '\0')
1572 snprintf(namelc
= numbuf
, sizeof(numbuf
), "%d", jid
);
1573 else if ((strtoul(namelc
, &p
, 10) != jid
||
1574 namelc
[0] < '1' || namelc
[0] > '9') && *p
== '\0') {
1577 "name cannot be numeric (unless it is the jid)");
1578 goto done_deref_locked
;
1581 * Make sure the name isn't too long for the prison or its
1584 pnamelen
= (ppr
== &prison0
) ? 0 : strlen(ppr
->pr_name
) + 1;
1585 onamelen
= strlen(pr
->pr_name
+ pnamelen
);
1586 namelen
= strlen(namelc
);
1587 if (pnamelen
+ namelen
+ 1 > sizeof(pr
->pr_name
)) {
1588 error
= ENAMETOOLONG
;
1589 goto done_deref_locked
;
1591 FOREACH_PRISON_DESCENDANT(pr
, tpr
, descend
) {
1592 if (strlen(tpr
->pr_name
) + (namelen
- onamelen
) >=
1593 sizeof(pr
->pr_name
)) {
1594 error
= ENAMETOOLONG
;
1595 goto done_deref_locked
;
1599 if (pr_allow
& ~ppr
->pr_allow
) {
1601 goto done_deref_locked
;
1605 * Let modules check their parameters. This requires unlocking and
1606 * then re-locking the prison, but this is still a valid state as long
1607 * as allprison_lock remains xlocked.
1609 mtx_unlock(&pr
->pr_mtx
);
1610 error
= osd_jail_call(pr
, PR_METHOD_CHECK
, opts
);
1612 prison_deref(pr
, created
1614 : PD_DEREF
| PD_LIST_XLOCKED
);
1617 mtx_lock(&pr
->pr_mtx
);
1619 /* At this point, all valid parameters should have been noted. */
1620 TAILQ_FOREACH(opt
, opts
, link
) {
1621 if (!opt
->seen
&& strcmp(opt
->name
, "errmsg")) {
1623 vfs_opterror(opts
, "unknown parameter: %s", opt
->name
);
1624 goto done_deref_locked
;
1628 /* Set the parameters of the prison. */
1631 if (pr_flags
& PR_IP4_USER
) {
1632 pr
->pr_flags
|= PR_IP4
;
1633 free(pr
->pr_ip4
, M_PRISON
);
1637 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1639 if (tpr
->pr_flags
& PR_VNET
) {
1644 if (prison_restrict_ip4(tpr
, NULL
)) {
1653 if (pr_flags
& PR_IP6_USER
) {
1654 pr
->pr_flags
|= PR_IP6
;
1655 free(pr
->pr_ip6
, M_PRISON
);
1659 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1661 if (tpr
->pr_flags
& PR_VNET
) {
1666 if (prison_restrict_ip6(tpr
, NULL
)) {
1674 pr
->pr_securelevel
= slevel
;
1675 /* Set all child jails to be at least this level. */
1676 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
)
1677 if (tpr
->pr_securelevel
< slevel
)
1678 tpr
->pr_securelevel
= slevel
;
1681 pr
->pr_childmax
= childmax
;
1682 /* Set all child jails to under this limit. */
1683 FOREACH_PRISON_DESCENDANT_LOCKED_LEVEL(pr
, tpr
, descend
, level
)
1684 if (tpr
->pr_childmax
> childmax
- level
)
1685 tpr
->pr_childmax
= childmax
> level
1686 ? childmax
- level
: 0;
1689 pr
->pr_enforce_statfs
= enforce
;
1690 /* Pass this restriction on to the children. */
1691 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
)
1692 if (tpr
->pr_enforce_statfs
< enforce
)
1693 tpr
->pr_enforce_statfs
= enforce
;
1696 pr
->pr_devfs_rsnum
= rsnum
;
1697 /* Pass this restriction on to the children. */
1698 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
)
1699 tpr
->pr_devfs_rsnum
= rsnum
;
1701 if (namelc
!= NULL
) {
1702 if (ppr
== &prison0
)
1703 strlcpy(pr
->pr_name
, namelc
, sizeof(pr
->pr_name
));
1705 snprintf(pr
->pr_name
, sizeof(pr
->pr_name
), "%s.%s",
1706 ppr
->pr_name
, namelc
);
1707 /* Change this component of child names. */
1708 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1709 bcopy(tpr
->pr_name
+ onamelen
, tpr
->pr_name
+ namelen
,
1710 strlen(tpr
->pr_name
+ onamelen
) + 1);
1711 bcopy(pr
->pr_name
, tpr
->pr_name
, namelen
);
1715 /* Try to keep a real-rooted full pathname. */
1716 if (fullpath_disabled
&& path
[0] == '/' &&
1717 strcmp(mypr
->pr_path
, "/"))
1718 snprintf(pr
->pr_path
, sizeof(pr
->pr_path
), "%s%s",
1719 mypr
->pr_path
, path
);
1721 strlcpy(pr
->pr_path
, path
, sizeof(pr
->pr_path
));
1724 if (PR_HOST
& ch_flags
& ~pr_flags
) {
1725 if (pr
->pr_flags
& PR_HOST
) {
1727 * Copy the parent's host info. As with pr_ip4 above,
1728 * the lack of a lock on the parent is not a problem;
1729 * it is always set with allprison_lock at least
1730 * shared, and is held exclusively here.
1732 strlcpy(pr
->pr_hostname
, pr
->pr_parent
->pr_hostname
,
1733 sizeof(pr
->pr_hostname
));
1734 strlcpy(pr
->pr_domainname
, pr
->pr_parent
->pr_domainname
,
1735 sizeof(pr
->pr_domainname
));
1736 strlcpy(pr
->pr_hostuuid
, pr
->pr_parent
->pr_hostuuid
,
1737 sizeof(pr
->pr_hostuuid
));
1738 pr
->pr_hostid
= pr
->pr_parent
->pr_hostid
;
1740 } else if (host
!= NULL
|| domain
!= NULL
|| uuid
!= NULL
|| gothid
) {
1741 /* Set this prison, and any descendants without PR_HOST. */
1743 strlcpy(pr
->pr_hostname
, host
, sizeof(pr
->pr_hostname
));
1745 strlcpy(pr
->pr_domainname
, domain
,
1746 sizeof(pr
->pr_domainname
));
1748 strlcpy(pr
->pr_hostuuid
, uuid
, sizeof(pr
->pr_hostuuid
));
1750 pr
->pr_hostid
= hid
;
1751 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1752 if (tpr
->pr_flags
& PR_HOST
)
1756 strlcpy(tpr
->pr_hostname
,
1758 sizeof(tpr
->pr_hostname
));
1760 strlcpy(tpr
->pr_domainname
,
1762 sizeof(tpr
->pr_domainname
));
1764 strlcpy(tpr
->pr_hostuuid
,
1766 sizeof(tpr
->pr_hostuuid
));
1768 tpr
->pr_hostid
= hid
;
1772 if ((tallow
= ch_allow
& ~pr_allow
)) {
1773 /* Clear allow bits in all children. */
1774 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
)
1775 tpr
->pr_allow
&= ~tallow
;
1777 pr
->pr_allow
= (pr
->pr_allow
& ~ch_allow
) | pr_allow
;
1779 * Persistent prisons get an extra reference, and prisons losing their
1780 * persist flag lose that reference. Only do this for existing prisons
1781 * for now, so new ones will remain unseen until after the module
1782 * handlers have completed.
1784 born
= pr
->pr_uref
== 0;
1785 if (!created
&& (ch_flags
& PR_PERSIST
& (pr_flags
^ pr
->pr_flags
))) {
1786 if (pr_flags
& PR_PERSIST
) {
1794 pr
->pr_flags
= (pr
->pr_flags
& ~ch_flags
) | pr_flags
;
1795 mtx_unlock(&pr
->pr_mtx
);
1798 if (racct_enable
&& created
)
1799 prison_racct_attach(pr
);
1802 /* Locks may have prevented a complete restriction of child IP
1803 * addresses. If so, allocate some more memory and try again.
1808 ip4
= malloc(ip4s
* sizeof(*ip4
), M_PRISON
, M_WAITOK
);
1809 mtx_lock(&pr
->pr_mtx
);
1811 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1813 if (tpr
->pr_flags
& PR_VNET
) {
1818 if (prison_restrict_ip4(tpr
, ip4
)) {
1825 mtx_unlock(&pr
->pr_mtx
);
1831 ip6
= malloc(ip6s
* sizeof(*ip6
), M_PRISON
, M_WAITOK
);
1832 mtx_lock(&pr
->pr_mtx
);
1834 FOREACH_PRISON_DESCENDANT_LOCKED(pr
, tpr
, descend
) {
1836 if (tpr
->pr_flags
& PR_VNET
) {
1841 if (prison_restrict_ip6(tpr
, ip6
)) {
1848 mtx_unlock(&pr
->pr_mtx
);
1852 /* Let the modules do their work. */
1853 sx_downgrade(&allprison_lock
);
1855 error
= osd_jail_call(pr
, PR_METHOD_CREATE
, opts
);
1857 (void)osd_jail_call(pr
, PR_METHOD_REMOVE
, NULL
);
1858 prison_deref(pr
, created
1860 : PD_DEREF
| PD_LIST_SLOCKED
);
1864 error
= osd_jail_call(pr
, PR_METHOD_SET
, opts
);
1867 (void)osd_jail_call(pr
, PR_METHOD_REMOVE
, NULL
);
1868 prison_deref(pr
, created
1870 : PD_DEREF
| PD_LIST_SLOCKED
);
1874 /* Attach this process to the prison if requested. */
1875 if (flags
& JAIL_ATTACH
) {
1876 mtx_lock(&pr
->pr_mtx
);
1877 error
= do_jail_attach(td
, pr
);
1879 vfs_opterror(opts
, "attach failed");
1881 prison_deref(pr
, PD_DEREF
);
1887 if (racct_enable
&& !created
) {
1888 if (!(flags
& JAIL_ATTACH
))
1889 sx_sunlock(&allprison_lock
);
1890 prison_racct_modify(pr
);
1891 if (!(flags
& JAIL_ATTACH
))
1892 sx_slock(&allprison_lock
);
1896 td
->td_retval
[0] = pr
->pr_id
;
1899 * Now that it is all there, drop the temporary reference from existing
1900 * prisons. Or add a reference to newly created persistent prisons
1901 * (which was not done earlier so that the prison would not be publicly
1905 prison_deref(pr
, (flags
& JAIL_ATTACH
)
1907 : PD_DEREF
| PD_LIST_SLOCKED
);
1909 if (pr_flags
& PR_PERSIST
) {
1910 mtx_lock(&pr
->pr_mtx
);
1913 mtx_unlock(&pr
->pr_mtx
);
1915 if (!(flags
& JAIL_ATTACH
))
1916 sx_sunlock(&allprison_lock
);
1922 prison_deref(pr
, created
1923 ? PD_LOCKED
| PD_LIST_XLOCKED
1924 : PD_DEREF
| PD_LOCKED
| PD_LIST_XLOCKED
);
1927 sx_xunlock(&allprison_lock
);
1933 if (vfs_getopt(opts
, "errmsg", (void **)&errmsg
,
1934 &errmsg_len
) == 0 && errmsg_len
> 0) {
1935 errmsg_pos
= 2 * vfs_getopt_pos(opts
, "errmsg") + 1;
1936 if (optuio
->uio_segflg
== UIO_SYSSPACE
)
1938 optuio
->uio_iov
[errmsg_pos
].iov_base
,
1942 optuio
->uio_iov
[errmsg_pos
].iov_base
,
1948 free(ip4
, M_PRISON
);
1951 free(ip6
, M_PRISON
);
1954 free(g_path
, M_TEMP
);
1961 * struct jail_get_args {
1962 * struct iovec *iovp;
1963 * unsigned int iovcnt;
1968 sys_jail_get(struct thread
*td
, struct jail_get_args
*uap
)
1973 /* Check that we have an even number of iovecs. */
1974 if (uap
->iovcnt
& 1)
1977 error
= copyinuio(uap
->iovp
, uap
->iovcnt
, &auio
);
1980 error
= kern_jail_get(td
, auio
, uap
->flags
);
1982 error
= copyout(auio
->uio_iov
, uap
->iovp
,
1983 uap
->iovcnt
* sizeof (struct iovec
));
1989 kern_jail_get(struct thread
*td
, struct uio
*optuio
, int flags
)
1991 struct prison
*pr
, *mypr
;
1993 struct vfsoptlist
*opts
;
1994 char *errmsg
, *name
;
1995 int error
, errmsg_len
, errmsg_pos
, fi
, i
, jid
, len
, locked
, pos
;
1997 if (flags
& ~JAIL_GET_MASK
)
2000 /* Get the parameter list. */
2001 error
= vfs_buildopts(optuio
, &opts
);
2004 errmsg_pos
= vfs_getopt_pos(opts
, "errmsg");
2005 mypr
= td
->td_ucred
->cr_prison
;
2008 * Find the prison specified by one of: lastjid, jid, name.
2010 sx_slock(&allprison_lock
);
2011 error
= vfs_copyopt(opts
, "lastjid", &jid
, sizeof(jid
));
2013 TAILQ_FOREACH(pr
, &allprison
, pr_list
) {
2014 if (pr
->pr_id
> jid
&& prison_ischild(mypr
, pr
)) {
2015 mtx_lock(&pr
->pr_mtx
);
2016 if (pr
->pr_ref
> 0 &&
2017 (pr
->pr_uref
> 0 || (flags
& JAIL_DYING
)))
2019 mtx_unlock(&pr
->pr_mtx
);
2025 vfs_opterror(opts
, "no jail after %d", jid
);
2026 goto done_unlock_list
;
2027 } else if (error
!= ENOENT
)
2028 goto done_unlock_list
;
2030 error
= vfs_copyopt(opts
, "jid", &jid
, sizeof(jid
));
2033 pr
= prison_find_child(mypr
, jid
);
2035 if (pr
->pr_uref
== 0 && !(flags
& JAIL_DYING
)) {
2036 mtx_unlock(&pr
->pr_mtx
);
2038 vfs_opterror(opts
, "jail %d is dying",
2040 goto done_unlock_list
;
2045 vfs_opterror(opts
, "jail %d not found", jid
);
2046 goto done_unlock_list
;
2048 } else if (error
!= ENOENT
)
2049 goto done_unlock_list
;
2051 error
= vfs_getopt(opts
, "name", (void **)&name
, &len
);
2053 if (len
== 0 || name
[len
- 1] != '\0') {
2055 goto done_unlock_list
;
2057 pr
= prison_find_name(mypr
, name
);
2059 if (pr
->pr_uref
== 0 && !(flags
& JAIL_DYING
)) {
2060 mtx_unlock(&pr
->pr_mtx
);
2062 vfs_opterror(opts
, "jail \"%s\" is dying",
2064 goto done_unlock_list
;
2069 vfs_opterror(opts
, "jail \"%s\" not found", name
);
2070 goto done_unlock_list
;
2071 } else if (error
!= ENOENT
)
2072 goto done_unlock_list
;
2074 vfs_opterror(opts
, "no jail specified");
2076 goto done_unlock_list
;
2079 /* Get the parameters of the prison. */
2082 td
->td_retval
[0] = pr
->pr_id
;
2083 error
= vfs_setopt(opts
, "jid", &pr
->pr_id
, sizeof(pr
->pr_id
));
2084 if (error
!= 0 && error
!= ENOENT
)
2086 i
= (pr
->pr_parent
== mypr
) ? 0 : pr
->pr_parent
->pr_id
;
2087 error
= vfs_setopt(opts
, "parent", &i
, sizeof(i
));
2088 if (error
!= 0 && error
!= ENOENT
)
2090 error
= vfs_setopts(opts
, "name", prison_name(mypr
, pr
));
2091 if (error
!= 0 && error
!= ENOENT
)
2093 error
= vfs_setopt(opts
, "cpuset.id", &pr
->pr_cpuset
->cs_id
,
2094 sizeof(pr
->pr_cpuset
->cs_id
));
2095 if (error
!= 0 && error
!= ENOENT
)
2097 error
= vfs_setopts(opts
, "path", prison_path(mypr
, pr
));
2098 if (error
!= 0 && error
!= ENOENT
)
2101 error
= vfs_setopt_part(opts
, "ip4.addr", pr
->pr_ip4
,
2102 pr
->pr_ip4s
* sizeof(*pr
->pr_ip4
));
2103 if (error
!= 0 && error
!= ENOENT
)
2107 error
= vfs_setopt_part(opts
, "ip6.addr", pr
->pr_ip6
,
2108 pr
->pr_ip6s
* sizeof(*pr
->pr_ip6
));
2109 if (error
!= 0 && error
!= ENOENT
)
2112 error
= vfs_setopt(opts
, "securelevel", &pr
->pr_securelevel
,
2113 sizeof(pr
->pr_securelevel
));
2114 if (error
!= 0 && error
!= ENOENT
)
2116 error
= vfs_setopt(opts
, "children.cur", &pr
->pr_childcount
,
2117 sizeof(pr
->pr_childcount
));
2118 if (error
!= 0 && error
!= ENOENT
)
2120 error
= vfs_setopt(opts
, "children.max", &pr
->pr_childmax
,
2121 sizeof(pr
->pr_childmax
));
2122 if (error
!= 0 && error
!= ENOENT
)
2124 error
= vfs_setopts(opts
, "host.hostname", pr
->pr_hostname
);
2125 if (error
!= 0 && error
!= ENOENT
)
2127 error
= vfs_setopts(opts
, "host.domainname", pr
->pr_domainname
);
2128 if (error
!= 0 && error
!= ENOENT
)
2130 error
= vfs_setopts(opts
, "host.hostuuid", pr
->pr_hostuuid
);
2131 if (error
!= 0 && error
!= ENOENT
)
2133 #ifdef COMPAT_FREEBSD32
2134 if (SV_PROC_FLAG(td
->td_proc
, SV_ILP32
)) {
2135 uint32_t hid32
= pr
->pr_hostid
;
2137 error
= vfs_setopt(opts
, "host.hostid", &hid32
, sizeof(hid32
));
2140 error
= vfs_setopt(opts
, "host.hostid", &pr
->pr_hostid
,
2141 sizeof(pr
->pr_hostid
));
2142 if (error
!= 0 && error
!= ENOENT
)
2144 error
= vfs_setopt(opts
, "enforce_statfs", &pr
->pr_enforce_statfs
,
2145 sizeof(pr
->pr_enforce_statfs
));
2146 if (error
!= 0 && error
!= ENOENT
)
2148 error
= vfs_setopt(opts
, "devfs_ruleset", &pr
->pr_devfs_rsnum
,
2149 sizeof(pr
->pr_devfs_rsnum
));
2150 if (error
!= 0 && error
!= ENOENT
)
2152 for (fi
= 0; fi
< nitems(pr_flag_names
); fi
++) {
2153 if (pr_flag_names
[fi
] == NULL
)
2155 i
= (pr
->pr_flags
& (1 << fi
)) ? 1 : 0;
2156 error
= vfs_setopt(opts
, pr_flag_names
[fi
], &i
, sizeof(i
));
2157 if (error
!= 0 && error
!= ENOENT
)
2160 error
= vfs_setopt(opts
, pr_flag_nonames
[fi
], &i
, sizeof(i
));
2161 if (error
!= 0 && error
!= ENOENT
)
2164 for (fi
= 0; fi
< nitems(pr_flag_jailsys
); fi
++) {
2166 (pr_flag_jailsys
[fi
].disable
| pr_flag_jailsys
[fi
].new);
2167 i
= pr_flag_jailsys
[fi
].disable
&&
2168 (i
== pr_flag_jailsys
[fi
].disable
) ? JAIL_SYS_DISABLE
2169 : (i
== pr_flag_jailsys
[fi
].new) ? JAIL_SYS_NEW
2172 vfs_setopt(opts
, pr_flag_jailsys
[fi
].name
, &i
, sizeof(i
));
2173 if (error
!= 0 && error
!= ENOENT
)
2176 for (fi
= 0; fi
< nitems(pr_allow_names
); fi
++) {
2177 if (pr_allow_names
[fi
] == NULL
)
2179 i
= (pr
->pr_allow
& (1 << fi
)) ? 1 : 0;
2180 error
= vfs_setopt(opts
, pr_allow_names
[fi
], &i
, sizeof(i
));
2181 if (error
!= 0 && error
!= ENOENT
)
2184 error
= vfs_setopt(opts
, pr_allow_nonames
[fi
], &i
, sizeof(i
));
2185 if (error
!= 0 && error
!= ENOENT
)
2188 i
= (pr
->pr_uref
== 0);
2189 error
= vfs_setopt(opts
, "dying", &i
, sizeof(i
));
2190 if (error
!= 0 && error
!= ENOENT
)
2193 error
= vfs_setopt(opts
, "nodying", &i
, sizeof(i
));
2194 if (error
!= 0 && error
!= ENOENT
)
2196 error
= vfs_setopt(opts
, "osreldate", &pr
->pr_osreldate
,
2197 sizeof(pr
->pr_osreldate
));
2198 if (error
!= 0 && error
!= ENOENT
)
2200 error
= vfs_setopts(opts
, "osrelease", pr
->pr_osrelease
);
2201 if (error
!= 0 && error
!= ENOENT
)
2204 /* Get the module parameters. */
2205 mtx_unlock(&pr
->pr_mtx
);
2207 error
= osd_jail_call(pr
, PR_METHOD_GET
, opts
);
2210 prison_deref(pr
, PD_DEREF
| PD_LIST_SLOCKED
);
2212 /* By now, all parameters should have been noted. */
2213 TAILQ_FOREACH(opt
, opts
, link
) {
2214 if (!opt
->seen
&& strcmp(opt
->name
, "errmsg")) {
2216 vfs_opterror(opts
, "unknown parameter: %s", opt
->name
);
2221 /* Write the fetched parameters back to userspace. */
2223 TAILQ_FOREACH(opt
, opts
, link
) {
2224 if (opt
->pos
>= 0 && opt
->pos
!= errmsg_pos
) {
2225 pos
= 2 * opt
->pos
+ 1;
2226 optuio
->uio_iov
[pos
].iov_len
= opt
->len
;
2227 if (opt
->value
!= NULL
) {
2228 if (optuio
->uio_segflg
== UIO_SYSSPACE
) {
2230 optuio
->uio_iov
[pos
].iov_base
,
2233 error
= copyout(opt
->value
,
2234 optuio
->uio_iov
[pos
].iov_base
,
2245 prison_deref(pr
, locked
| PD_DEREF
| PD_LIST_SLOCKED
);
2249 sx_sunlock(&allprison_lock
);
2251 if (error
&& errmsg_pos
>= 0) {
2252 vfs_getopt(opts
, "errmsg", (void **)&errmsg
, &errmsg_len
);
2253 errmsg_pos
= 2 * errmsg_pos
+ 1;
2254 if (errmsg_len
> 0) {
2255 if (optuio
->uio_segflg
== UIO_SYSSPACE
)
2257 optuio
->uio_iov
[errmsg_pos
].iov_base
,
2261 optuio
->uio_iov
[errmsg_pos
].iov_base
,
2271 * struct jail_remove_args {
2276 sys_jail_remove(struct thread
*td
, struct jail_remove_args
*uap
)
2278 struct prison
*pr
, *cpr
, *lpr
, *tpr
;
2281 error
= priv_check(td
, PRIV_JAIL_REMOVE
);
2285 sx_xlock(&allprison_lock
);
2286 pr
= prison_find_child(td
->td_ucred
->cr_prison
, uap
->jid
);
2288 sx_xunlock(&allprison_lock
);
2292 /* Remove all descendants of this prison, then remove this prison. */
2294 if (!LIST_EMPTY(&pr
->pr_children
)) {
2295 mtx_unlock(&pr
->pr_mtx
);
2297 FOREACH_PRISON_DESCENDANT(pr
, cpr
, descend
) {
2298 mtx_lock(&cpr
->pr_mtx
);
2299 if (cpr
->pr_ref
> 0) {
2303 /* Already removed - do not do it again. */
2306 mtx_unlock(&cpr
->pr_mtx
);
2308 mtx_lock(&lpr
->pr_mtx
);
2309 prison_remove_one(lpr
);
2310 sx_xlock(&allprison_lock
);
2315 mtx_lock(&lpr
->pr_mtx
);
2316 prison_remove_one(lpr
);
2317 sx_xlock(&allprison_lock
);
2319 mtx_lock(&pr
->pr_mtx
);
2321 prison_remove_one(pr
);
2326 prison_remove_one(struct prison
*pr
)
2331 /* If the prison was persistent, it is not anymore. */
2333 if (pr
->pr_flags
& PR_PERSIST
) {
2336 pr
->pr_flags
&= ~PR_PERSIST
;
2340 * jail_remove added a reference. If that's the only one, remove
2343 KASSERT(pr
->pr_ref
> 0,
2344 ("prison_remove_one removing a dead prison (jid=%d)", pr
->pr_id
));
2345 if (pr
->pr_ref
== 1) {
2347 deuref
| PD_DEREF
| PD_LOCKED
| PD_LIST_XLOCKED
);
2351 mtx_unlock(&pr
->pr_mtx
);
2352 sx_xunlock(&allprison_lock
);
2354 * Kill all processes unfortunate enough to be attached to this prison.
2356 sx_slock(&allproc_lock
);
2357 LIST_FOREACH(p
, &allproc
, p_list
) {
2359 if (p
->p_state
!= PRS_NEW
&& p
->p_ucred
&&
2360 p
->p_ucred
->cr_prison
== pr
)
2361 kern_psignal(p
, SIGKILL
);
2364 sx_sunlock(&allproc_lock
);
2365 /* Remove the temporary reference added by jail_remove. */
2366 prison_deref(pr
, deuref
| PD_DEREF
);
2371 * struct jail_attach_args {
2376 sys_jail_attach(struct thread
*td
, struct jail_attach_args
*uap
)
2381 error
= priv_check(td
, PRIV_JAIL_ATTACH
);
2386 * Start with exclusive hold on allprison_lock to ensure that a possible
2387 * PR_METHOD_REMOVE call isn't concurrent with jail_set or jail_remove.
2388 * But then immediately downgrade it since we don't need to stop
2391 sx_xlock(&allprison_lock
);
2392 sx_downgrade(&allprison_lock
);
2393 pr
= prison_find_child(td
->td_ucred
->cr_prison
, uap
->jid
);
2395 sx_sunlock(&allprison_lock
);
2400 * Do not allow a process to attach to a prison that is not
2401 * considered to be "alive".
2403 if (pr
->pr_uref
== 0) {
2404 mtx_unlock(&pr
->pr_mtx
);
2405 sx_sunlock(&allprison_lock
);
2409 return (do_jail_attach(td
, pr
));
2413 do_jail_attach(struct thread
*td
, struct prison
*pr
)
2416 struct ucred
*newcred
, *oldcred
;
2420 * XXX: Note that there is a slight race here if two threads
2421 * in the same privileged process attempt to attach to two
2422 * different jails at the same time. It is important for
2423 * user processes not to do this, or they might end up with
2424 * a process root from one prison, but attached to the jail
2429 mtx_unlock(&pr
->pr_mtx
);
2431 /* Let modules do whatever they need to prepare for attaching. */
2432 error
= osd_jail_call(pr
, PR_METHOD_ATTACH
, td
);
2434 prison_deref(pr
, PD_DEREF
| PD_DEUREF
| PD_LIST_SLOCKED
);
2437 sx_sunlock(&allprison_lock
);
2440 * Reparent the newly attached process to this jail.
2443 error
= cpuset_setproc_update_set(p
, pr
->pr_cpuset
);
2447 vn_lock(pr
->pr_root
, LK_EXCLUSIVE
| LK_RETRY
);
2448 if ((error
= change_dir(pr
->pr_root
, td
)) != 0)
2451 if ((error
= mac_vnode_check_chroot(td
->td_ucred
, pr
->pr_root
)))
2454 VOP_UNLOCK(pr
->pr_root
, 0);
2455 if ((error
= pwd_chroot(td
, pr
->pr_root
)))
2460 oldcred
= crcopysafe(p
, newcred
);
2461 newcred
->cr_prison
= pr
;
2462 proc_set_cred(p
, newcred
);
2466 racct_proc_ucred_changed(p
, oldcred
, newcred
);
2468 prison_deref(oldcred
->cr_prison
, PD_DEREF
| PD_DEUREF
);
2473 VOP_UNLOCK(pr
->pr_root
, 0);
2475 /* Tell modules this thread is still in its old jail after all. */
2476 (void)osd_jail_call(td
->td_ucred
->cr_prison
, PR_METHOD_ATTACH
, td
);
2477 prison_deref(pr
, PD_DEREF
| PD_DEUREF
);
2483 * Returns a locked prison instance, or NULL on failure.
2486 prison_find(int prid
)
2490 sx_assert(&allprison_lock
, SX_LOCKED
);
2491 TAILQ_FOREACH(pr
, &allprison
, pr_list
) {
2492 if (pr
->pr_id
== prid
) {
2493 mtx_lock(&pr
->pr_mtx
);
2496 mtx_unlock(&pr
->pr_mtx
);
2503 * Find a prison that is a descendant of mypr. Returns a locked prison or NULL.
2506 prison_find_child(struct prison
*mypr
, int prid
)
2511 sx_assert(&allprison_lock
, SX_LOCKED
);
2512 FOREACH_PRISON_DESCENDANT(mypr
, pr
, descend
) {
2513 if (pr
->pr_id
== prid
) {
2514 mtx_lock(&pr
->pr_mtx
);
2517 mtx_unlock(&pr
->pr_mtx
);
2524 * Look for the name relative to mypr. Returns a locked prison or NULL.
2527 prison_find_name(struct prison
*mypr
, const char *name
)
2529 struct prison
*pr
, *deadpr
;
2533 sx_assert(&allprison_lock
, SX_LOCKED
);
2534 mylen
= (mypr
== &prison0
) ? 0 : strlen(mypr
->pr_name
) + 1;
2537 FOREACH_PRISON_DESCENDANT(mypr
, pr
, descend
) {
2538 if (!strcmp(pr
->pr_name
+ mylen
, name
)) {
2539 mtx_lock(&pr
->pr_mtx
);
2540 if (pr
->pr_ref
> 0) {
2541 if (pr
->pr_uref
> 0)
2545 mtx_unlock(&pr
->pr_mtx
);
2548 /* There was no valid prison - perhaps there was a dying one. */
2549 if (deadpr
!= NULL
) {
2550 mtx_lock(&deadpr
->pr_mtx
);
2551 if (deadpr
->pr_ref
== 0) {
2552 mtx_unlock(&deadpr
->pr_mtx
);
2560 * See if a prison has the specific flag set.
2563 prison_flag(struct ucred
*cred
, unsigned flag
)
2566 /* This is an atomic read, so no locking is necessary. */
2567 return (cred
->cr_prison
->pr_flags
& flag
);
2571 prison_allow(struct ucred
*cred
, unsigned flag
)
2574 /* This is an atomic read, so no locking is necessary. */
2575 return (cred
->cr_prison
->pr_allow
& flag
);
2579 * Remove a prison reference. If that was the last reference, remove the
2580 * prison itself - but not in this context in case there are locks held.
2583 prison_free_locked(struct prison
*pr
)
2587 mtx_assert(&pr
->pr_mtx
, MA_OWNED
);
2589 mtx_unlock(&pr
->pr_mtx
);
2591 taskqueue_enqueue(taskqueue_thread
, &pr
->pr_task
);
2595 prison_free(struct prison
*pr
)
2598 mtx_lock(&pr
->pr_mtx
);
2599 prison_free_locked(pr
);
2603 * Complete a call to either prison_free or prison_proc_free.
2606 prison_complete(void *context
, int pending
)
2608 struct prison
*pr
= context
;
2610 sx_xlock(&allprison_lock
);
2611 mtx_lock(&pr
->pr_mtx
);
2612 prison_deref(pr
, pr
->pr_uref
2613 ? PD_DEREF
| PD_DEUREF
| PD_LOCKED
| PD_LIST_XLOCKED
2614 : PD_LOCKED
| PD_LIST_XLOCKED
);
2618 * Remove a prison reference (usually). This internal version assumes no
2619 * mutexes are held, except perhaps the prison itself. If there are no more
2620 * references, release and delist the prison. On completion, the prison lock
2621 * and the allprison lock are both unlocked.
2624 prison_deref(struct prison
*pr
, int flags
)
2626 struct prison
*ppr
, *tpr
;
2629 if (!(flags
& PD_LOCKED
))
2630 mtx_lock(&pr
->pr_mtx
);
2632 if (flags
& PD_DEUREF
) {
2633 KASSERT(pr
->pr_uref
> 0,
2634 ("prison_deref PD_DEUREF on a dead prison (jid=%d)",
2637 lasturef
= pr
->pr_uref
== 0;
2640 KASSERT(prison0
.pr_uref
!= 0, ("prison0 pr_uref=0"));
2643 if (flags
& PD_DEREF
) {
2644 KASSERT(pr
->pr_ref
> 0,
2645 ("prison_deref PD_DEREF on a dead prison (jid=%d)",
2650 mtx_unlock(&pr
->pr_mtx
);
2653 * Tell the modules if the last user reference was removed
2654 * (even it sticks around in dying state).
2657 if (!(flags
& (PD_LIST_SLOCKED
| PD_LIST_XLOCKED
))) {
2658 sx_xlock(&allprison_lock
);
2659 flags
|= PD_LIST_XLOCKED
;
2661 (void)osd_jail_call(pr
, PR_METHOD_REMOVE
, NULL
);
2662 mtx_lock(&pr
->pr_mtx
);
2664 mtx_unlock(&pr
->pr_mtx
);
2667 /* If the prison still has references, nothing else to do. */
2669 if (flags
& PD_LIST_SLOCKED
)
2670 sx_sunlock(&allprison_lock
);
2671 else if (flags
& PD_LIST_XLOCKED
)
2672 sx_xunlock(&allprison_lock
);
2676 if (flags
& PD_LIST_SLOCKED
) {
2677 if (!sx_try_upgrade(&allprison_lock
)) {
2678 sx_sunlock(&allprison_lock
);
2679 sx_xlock(&allprison_lock
);
2681 } else if (!(flags
& PD_LIST_XLOCKED
))
2682 sx_xlock(&allprison_lock
);
2684 TAILQ_REMOVE(&allprison
, pr
, pr_list
);
2685 LIST_REMOVE(pr
, pr_sibling
);
2686 ppr
= pr
->pr_parent
;
2687 for (tpr
= ppr
; tpr
!= NULL
; tpr
= tpr
->pr_parent
)
2688 tpr
->pr_childcount
--;
2689 sx_xunlock(&allprison_lock
);
2692 if (pr
->pr_vnet
!= ppr
->pr_vnet
)
2693 vnet_destroy(pr
->pr_vnet
);
2695 if (pr
->pr_root
!= NULL
)
2697 mtx_destroy(&pr
->pr_mtx
);
2699 free(pr
->pr_ip4
, M_PRISON
);
2702 free(pr
->pr_ip6
, M_PRISON
);
2704 if (pr
->pr_cpuset
!= NULL
)
2705 cpuset_rel(pr
->pr_cpuset
);
2709 prison_racct_detach(pr
);
2713 /* Removing a prison frees a reference on its parent. */
2715 mtx_lock(&pr
->pr_mtx
);
2716 flags
= PD_DEREF
| PD_DEUREF
;
2721 prison_hold_locked(struct prison
*pr
)
2724 mtx_assert(&pr
->pr_mtx
, MA_OWNED
);
2725 KASSERT(pr
->pr_ref
> 0,
2726 ("Trying to hold dead prison (jid=%d).", pr
->pr_id
));
2731 prison_hold(struct prison
*pr
)
2734 mtx_lock(&pr
->pr_mtx
);
2735 prison_hold_locked(pr
);
2736 mtx_unlock(&pr
->pr_mtx
);
2740 prison_proc_hold(struct prison
*pr
)
2743 mtx_lock(&pr
->pr_mtx
);
2744 KASSERT(pr
->pr_uref
> 0,
2745 ("Cannot add a process to a non-alive prison (jid=%d)", pr
->pr_id
));
2747 mtx_unlock(&pr
->pr_mtx
);
2751 prison_proc_free(struct prison
*pr
)
2754 mtx_lock(&pr
->pr_mtx
);
2755 KASSERT(pr
->pr_uref
> 0,
2756 ("Trying to kill a process in a dead prison (jid=%d)", pr
->pr_id
));
2757 if (pr
->pr_uref
> 1)
2761 * Don't remove the last user reference in this context, which
2762 * is expected to be a process that is not only locked, but
2766 mtx_unlock(&pr
->pr_mtx
);
2767 taskqueue_enqueue(taskqueue_thread
, &pr
->pr_task
);
2770 mtx_unlock(&pr
->pr_mtx
);
2776 * Restrict a prison's IP address list with its parent's, possibly replacing
2777 * it. Return true if the replacement buffer was used (or would have been).
2780 prison_restrict_ip4(struct prison
*pr
, struct in_addr
*newip4
)
2785 ppr
= pr
->pr_parent
;
2786 if (!(pr
->pr_flags
& PR_IP4_USER
)) {
2787 /* This has no user settings, so just copy the parent's list. */
2788 if (pr
->pr_ip4s
< ppr
->pr_ip4s
) {
2790 * There's no room for the parent's list. Use the
2791 * new list buffer, which is assumed to be big enough
2792 * (if it was passed). If there's no buffer, try to
2796 if (newip4
== NULL
) {
2797 newip4
= malloc(ppr
->pr_ip4s
* sizeof(*newip4
),
2798 M_PRISON
, M_NOWAIT
);
2802 if (newip4
!= NULL
) {
2803 bcopy(ppr
->pr_ip4
, newip4
,
2804 ppr
->pr_ip4s
* sizeof(*newip4
));
2805 free(pr
->pr_ip4
, M_PRISON
);
2806 pr
->pr_ip4
= newip4
;
2807 pr
->pr_ip4s
= ppr
->pr_ip4s
;
2811 pr
->pr_ip4s
= ppr
->pr_ip4s
;
2812 if (pr
->pr_ip4s
> 0)
2813 bcopy(ppr
->pr_ip4
, pr
->pr_ip4
,
2814 pr
->pr_ip4s
* sizeof(*newip4
));
2815 else if (pr
->pr_ip4
!= NULL
) {
2816 free(pr
->pr_ip4
, M_PRISON
);
2819 } else if (pr
->pr_ip4s
> 0) {
2820 /* Remove addresses that aren't in the parent. */
2821 for (ij
= 0; ij
< ppr
->pr_ip4s
; ij
++)
2822 if (pr
->pr_ip4
[0].s_addr
== ppr
->pr_ip4
[ij
].s_addr
)
2824 if (ij
< ppr
->pr_ip4s
)
2827 bcopy(pr
->pr_ip4
+ 1, pr
->pr_ip4
,
2828 --pr
->pr_ip4s
* sizeof(*pr
->pr_ip4
));
2831 for (ij
= 1; ii
< pr
->pr_ip4s
; ) {
2832 if (pr
->pr_ip4
[ii
].s_addr
== ppr
->pr_ip4
[0].s_addr
) {
2836 switch (ij
>= ppr
->pr_ip4s
? -1 :
2837 qcmp_v4(&pr
->pr_ip4
[ii
], &ppr
->pr_ip4
[ij
])) {
2839 bcopy(pr
->pr_ip4
+ ii
+ 1, pr
->pr_ip4
+ ii
,
2840 (--pr
->pr_ip4s
- ii
) * sizeof(*pr
->pr_ip4
));
2851 if (pr
->pr_ip4s
== 0) {
2852 free(pr
->pr_ip4
, M_PRISON
);
2860 * Pass back primary IPv4 address of this jail.
2862 * If not restricted return success but do not alter the address. Caller has
2863 * to make sure to initialize it correctly (e.g. INADDR_ANY).
2865 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
2866 * Address returned in NBO.
2869 prison_get_ip4(struct ucred
*cred
, struct in_addr
*ia
)
2873 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
2874 KASSERT(ia
!= NULL
, ("%s: ia is NULL", __func__
));
2876 pr
= cred
->cr_prison
;
2877 if (!(pr
->pr_flags
& PR_IP4
))
2879 mtx_lock(&pr
->pr_mtx
);
2880 if (!(pr
->pr_flags
& PR_IP4
)) {
2881 mtx_unlock(&pr
->pr_mtx
);
2884 if (pr
->pr_ip4
== NULL
) {
2885 mtx_unlock(&pr
->pr_mtx
);
2886 return (EAFNOSUPPORT
);
2889 ia
->s_addr
= pr
->pr_ip4
[0].s_addr
;
2890 mtx_unlock(&pr
->pr_mtx
);
2895 * Return 1 if we should do proper source address selection or are not jailed.
2896 * We will return 0 if we should bypass source address selection in favour
2897 * of the primary jail IPv4 address. Only in this case *ia will be updated and
2899 * Return EAFNOSUPPORT, in case this jail does not allow IPv4.
2902 prison_saddrsel_ip4(struct ucred
*cred
, struct in_addr
*ia
)
2908 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
2909 KASSERT(ia
!= NULL
, ("%s: ia is NULL", __func__
));
2914 pr
= cred
->cr_prison
;
2915 if (pr
->pr_flags
& PR_IP4_SADDRSEL
)
2918 lia
.s_addr
= INADDR_ANY
;
2919 error
= prison_get_ip4(cred
, &lia
);
2922 if (lia
.s_addr
== INADDR_ANY
)
2925 ia
->s_addr
= lia
.s_addr
;
2930 * Return true if pr1 and pr2 have the same IPv4 address restrictions.
2933 prison_equal_ip4(struct prison
*pr1
, struct prison
*pr2
)
2940 * No need to lock since the PR_IP4_USER flag can't be altered for
2943 while (pr1
!= &prison0
&&
2945 !(pr1
->pr_flags
& PR_VNET
) &&
2947 !(pr1
->pr_flags
& PR_IP4_USER
))
2948 pr1
= pr1
->pr_parent
;
2949 while (pr2
!= &prison0
&&
2951 !(pr2
->pr_flags
& PR_VNET
) &&
2953 !(pr2
->pr_flags
& PR_IP4_USER
))
2954 pr2
= pr2
->pr_parent
;
2955 return (pr1
== pr2
);
2959 * Make sure our (source) address is set to something meaningful to this
2962 * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
2963 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
2964 * doesn't allow IPv4. Address passed in in NBO and returned in NBO.
2967 prison_local_ip4(struct ucred
*cred
, struct in_addr
*ia
)
2973 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
2974 KASSERT(ia
!= NULL
, ("%s: ia is NULL", __func__
));
2976 pr
= cred
->cr_prison
;
2977 if (!(pr
->pr_flags
& PR_IP4
))
2979 mtx_lock(&pr
->pr_mtx
);
2980 if (!(pr
->pr_flags
& PR_IP4
)) {
2981 mtx_unlock(&pr
->pr_mtx
);
2984 if (pr
->pr_ip4
== NULL
) {
2985 mtx_unlock(&pr
->pr_mtx
);
2986 return (EAFNOSUPPORT
);
2989 ia0
.s_addr
= ntohl(ia
->s_addr
);
2990 if (ia0
.s_addr
== INADDR_LOOPBACK
) {
2991 ia
->s_addr
= pr
->pr_ip4
[0].s_addr
;
2992 mtx_unlock(&pr
->pr_mtx
);
2996 if (ia0
.s_addr
== INADDR_ANY
) {
2998 * In case there is only 1 IPv4 address, bind directly.
3000 if (pr
->pr_ip4s
== 1)
3001 ia
->s_addr
= pr
->pr_ip4
[0].s_addr
;
3002 mtx_unlock(&pr
->pr_mtx
);
3006 error
= _prison_check_ip4(pr
, ia
);
3007 mtx_unlock(&pr
->pr_mtx
);
3012 * Rewrite destination address in case we will connect to loopback address.
3014 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
3015 * Address passed in in NBO and returned in NBO.
3018 prison_remote_ip4(struct ucred
*cred
, struct in_addr
*ia
)
3022 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3023 KASSERT(ia
!= NULL
, ("%s: ia is NULL", __func__
));
3025 pr
= cred
->cr_prison
;
3026 if (!(pr
->pr_flags
& PR_IP4
))
3028 mtx_lock(&pr
->pr_mtx
);
3029 if (!(pr
->pr_flags
& PR_IP4
)) {
3030 mtx_unlock(&pr
->pr_mtx
);
3033 if (pr
->pr_ip4
== NULL
) {
3034 mtx_unlock(&pr
->pr_mtx
);
3035 return (EAFNOSUPPORT
);
3038 if (ntohl(ia
->s_addr
) == INADDR_LOOPBACK
) {
3039 ia
->s_addr
= pr
->pr_ip4
[0].s_addr
;
3040 mtx_unlock(&pr
->pr_mtx
);
3045 * Return success because nothing had to be changed.
3047 mtx_unlock(&pr
->pr_mtx
);
3052 * Check if given address belongs to the jail referenced by cred/prison.
3054 * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
3055 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
3056 * doesn't allow IPv4. Address passed in in NBO.
3059 _prison_check_ip4(const struct prison
*pr
, const struct in_addr
*ia
)
3064 * Check the primary IP.
3066 if (pr
->pr_ip4
[0].s_addr
== ia
->s_addr
)
3070 * All the other IPs are sorted so we can do a binary search.
3073 z
= pr
->pr_ip4s
- 2;
3076 d
= qcmp_v4(&pr
->pr_ip4
[i
+1], ia
);
3085 return (EADDRNOTAVAIL
);
3089 prison_check_ip4(const struct ucred
*cred
, const struct in_addr
*ia
)
3094 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3095 KASSERT(ia
!= NULL
, ("%s: ia is NULL", __func__
));
3097 pr
= cred
->cr_prison
;
3098 if (!(pr
->pr_flags
& PR_IP4
))
3100 mtx_lock(&pr
->pr_mtx
);
3101 if (!(pr
->pr_flags
& PR_IP4
)) {
3102 mtx_unlock(&pr
->pr_mtx
);
3105 if (pr
->pr_ip4
== NULL
) {
3106 mtx_unlock(&pr
->pr_mtx
);
3107 return (EAFNOSUPPORT
);
3110 error
= _prison_check_ip4(pr
, ia
);
3111 mtx_unlock(&pr
->pr_mtx
);
3118 prison_restrict_ip6(struct prison
*pr
, struct in6_addr
*newip6
)
3123 ppr
= pr
->pr_parent
;
3124 if (!(pr
->pr_flags
& PR_IP6_USER
)) {
3125 /* This has no user settings, so just copy the parent's list. */
3126 if (pr
->pr_ip6s
< ppr
->pr_ip6s
) {
3128 * There's no room for the parent's list. Use the
3129 * new list buffer, which is assumed to be big enough
3130 * (if it was passed). If there's no buffer, try to
3134 if (newip6
== NULL
) {
3135 newip6
= malloc(ppr
->pr_ip6s
* sizeof(*newip6
),
3136 M_PRISON
, M_NOWAIT
);
3140 if (newip6
!= NULL
) {
3141 bcopy(ppr
->pr_ip6
, newip6
,
3142 ppr
->pr_ip6s
* sizeof(*newip6
));
3143 free(pr
->pr_ip6
, M_PRISON
);
3144 pr
->pr_ip6
= newip6
;
3145 pr
->pr_ip6s
= ppr
->pr_ip6s
;
3149 pr
->pr_ip6s
= ppr
->pr_ip6s
;
3150 if (pr
->pr_ip6s
> 0)
3151 bcopy(ppr
->pr_ip6
, pr
->pr_ip6
,
3152 pr
->pr_ip6s
* sizeof(*newip6
));
3153 else if (pr
->pr_ip6
!= NULL
) {
3154 free(pr
->pr_ip6
, M_PRISON
);
3157 } else if (pr
->pr_ip6s
> 0) {
3158 /* Remove addresses that aren't in the parent. */
3159 for (ij
= 0; ij
< ppr
->pr_ip6s
; ij
++)
3160 if (IN6_ARE_ADDR_EQUAL(&pr
->pr_ip6
[0],
3163 if (ij
< ppr
->pr_ip6s
)
3166 bcopy(pr
->pr_ip6
+ 1, pr
->pr_ip6
,
3167 --pr
->pr_ip6s
* sizeof(*pr
->pr_ip6
));
3170 for (ij
= 1; ii
< pr
->pr_ip6s
; ) {
3171 if (IN6_ARE_ADDR_EQUAL(&pr
->pr_ip6
[ii
],
3176 switch (ij
>= ppr
->pr_ip6s
? -1 :
3177 qcmp_v6(&pr
->pr_ip6
[ii
], &ppr
->pr_ip6
[ij
])) {
3179 bcopy(pr
->pr_ip6
+ ii
+ 1, pr
->pr_ip6
+ ii
,
3180 (--pr
->pr_ip6s
- ii
) * sizeof(*pr
->pr_ip6
));
3191 if (pr
->pr_ip6s
== 0) {
3192 free(pr
->pr_ip6
, M_PRISON
);
3200 * Pass back primary IPv6 address for this jail.
3202 * If not restricted return success but do not alter the address. Caller has
3203 * to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT).
3205 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
3208 prison_get_ip6(struct ucred
*cred
, struct in6_addr
*ia6
)
3212 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3213 KASSERT(ia6
!= NULL
, ("%s: ia6 is NULL", __func__
));
3215 pr
= cred
->cr_prison
;
3216 if (!(pr
->pr_flags
& PR_IP6
))
3218 mtx_lock(&pr
->pr_mtx
);
3219 if (!(pr
->pr_flags
& PR_IP6
)) {
3220 mtx_unlock(&pr
->pr_mtx
);
3223 if (pr
->pr_ip6
== NULL
) {
3224 mtx_unlock(&pr
->pr_mtx
);
3225 return (EAFNOSUPPORT
);
3228 bcopy(&pr
->pr_ip6
[0], ia6
, sizeof(struct in6_addr
));
3229 mtx_unlock(&pr
->pr_mtx
);
3234 * Return 1 if we should do proper source address selection or are not jailed.
3235 * We will return 0 if we should bypass source address selection in favour
3236 * of the primary jail IPv6 address. Only in this case *ia will be updated and
3238 * Return EAFNOSUPPORT, in case this jail does not allow IPv6.
3241 prison_saddrsel_ip6(struct ucred
*cred
, struct in6_addr
*ia6
)
3244 struct in6_addr lia6
;
3247 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3248 KASSERT(ia6
!= NULL
, ("%s: ia6 is NULL", __func__
));
3253 pr
= cred
->cr_prison
;
3254 if (pr
->pr_flags
& PR_IP6_SADDRSEL
)
3258 error
= prison_get_ip6(cred
, &lia6
);
3261 if (IN6_IS_ADDR_UNSPECIFIED(&lia6
))
3264 bcopy(&lia6
, ia6
, sizeof(struct in6_addr
));
3269 * Return true if pr1 and pr2 have the same IPv6 address restrictions.
3272 prison_equal_ip6(struct prison
*pr1
, struct prison
*pr2
)
3278 while (pr1
!= &prison0
&&
3280 !(pr1
->pr_flags
& PR_VNET
) &&
3282 !(pr1
->pr_flags
& PR_IP6_USER
))
3283 pr1
= pr1
->pr_parent
;
3284 while (pr2
!= &prison0
&&
3286 !(pr2
->pr_flags
& PR_VNET
) &&
3288 !(pr2
->pr_flags
& PR_IP6_USER
))
3289 pr2
= pr2
->pr_parent
;
3290 return (pr1
== pr2
);
3294 * Make sure our (source) address is set to something meaningful to this jail.
3296 * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
3297 * when needed while binding.
3299 * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
3300 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
3301 * doesn't allow IPv6.
3304 prison_local_ip6(struct ucred
*cred
, struct in6_addr
*ia6
, int v6only
)
3309 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3310 KASSERT(ia6
!= NULL
, ("%s: ia6 is NULL", __func__
));
3312 pr
= cred
->cr_prison
;
3313 if (!(pr
->pr_flags
& PR_IP6
))
3315 mtx_lock(&pr
->pr_mtx
);
3316 if (!(pr
->pr_flags
& PR_IP6
)) {
3317 mtx_unlock(&pr
->pr_mtx
);
3320 if (pr
->pr_ip6
== NULL
) {
3321 mtx_unlock(&pr
->pr_mtx
);
3322 return (EAFNOSUPPORT
);
3325 if (IN6_IS_ADDR_LOOPBACK(ia6
)) {
3326 bcopy(&pr
->pr_ip6
[0], ia6
, sizeof(struct in6_addr
));
3327 mtx_unlock(&pr
->pr_mtx
);
3331 if (IN6_IS_ADDR_UNSPECIFIED(ia6
)) {
3333 * In case there is only 1 IPv6 address, and v6only is true,
3334 * then bind directly.
3336 if (v6only
!= 0 && pr
->pr_ip6s
== 1)
3337 bcopy(&pr
->pr_ip6
[0], ia6
, sizeof(struct in6_addr
));
3338 mtx_unlock(&pr
->pr_mtx
);
3342 error
= _prison_check_ip6(pr
, ia6
);
3343 mtx_unlock(&pr
->pr_mtx
);
3348 * Rewrite destination address in case we will connect to loopback address.
3350 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
3353 prison_remote_ip6(struct ucred
*cred
, struct in6_addr
*ia6
)
3357 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3358 KASSERT(ia6
!= NULL
, ("%s: ia6 is NULL", __func__
));
3360 pr
= cred
->cr_prison
;
3361 if (!(pr
->pr_flags
& PR_IP6
))
3363 mtx_lock(&pr
->pr_mtx
);
3364 if (!(pr
->pr_flags
& PR_IP6
)) {
3365 mtx_unlock(&pr
->pr_mtx
);
3368 if (pr
->pr_ip6
== NULL
) {
3369 mtx_unlock(&pr
->pr_mtx
);
3370 return (EAFNOSUPPORT
);
3373 if (IN6_IS_ADDR_LOOPBACK(ia6
)) {
3374 bcopy(&pr
->pr_ip6
[0], ia6
, sizeof(struct in6_addr
));
3375 mtx_unlock(&pr
->pr_mtx
);
3380 * Return success because nothing had to be changed.
3382 mtx_unlock(&pr
->pr_mtx
);
3387 * Check if given address belongs to the jail referenced by cred/prison.
3389 * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
3390 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
3391 * doesn't allow IPv6.
3394 _prison_check_ip6(struct prison
*pr
, struct in6_addr
*ia6
)
3399 * Check the primary IP.
3401 if (IN6_ARE_ADDR_EQUAL(&pr
->pr_ip6
[0], ia6
))
3405 * All the other IPs are sorted so we can do a binary search.
3408 z
= pr
->pr_ip6s
- 2;
3411 d
= qcmp_v6(&pr
->pr_ip6
[i
+1], ia6
);
3420 return (EADDRNOTAVAIL
);
3424 prison_check_ip6(struct ucred
*cred
, struct in6_addr
*ia6
)
3429 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3430 KASSERT(ia6
!= NULL
, ("%s: ia6 is NULL", __func__
));
3432 pr
= cred
->cr_prison
;
3433 if (!(pr
->pr_flags
& PR_IP6
))
3435 mtx_lock(&pr
->pr_mtx
);
3436 if (!(pr
->pr_flags
& PR_IP6
)) {
3437 mtx_unlock(&pr
->pr_mtx
);
3440 if (pr
->pr_ip6
== NULL
) {
3441 mtx_unlock(&pr
->pr_mtx
);
3442 return (EAFNOSUPPORT
);
3445 error
= _prison_check_ip6(pr
, ia6
);
3446 mtx_unlock(&pr
->pr_mtx
);
3452 * Check if a jail supports the given address family.
3454 * Returns 0 if not jailed or the address family is supported, EAFNOSUPPORT
3458 prison_check_af(struct ucred
*cred
, int af
)
3463 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3465 pr
= cred
->cr_prison
;
3467 /* Prisons with their own network stack are not limited. */
3468 if (prison_owns_vnet(cred
))
3477 if (pr
->pr_flags
& PR_IP4
)
3479 mtx_lock(&pr
->pr_mtx
);
3480 if ((pr
->pr_flags
& PR_IP4
) && pr
->pr_ip4
== NULL
)
3481 error
= EAFNOSUPPORT
;
3482 mtx_unlock(&pr
->pr_mtx
);
3488 if (pr
->pr_flags
& PR_IP6
)
3490 mtx_lock(&pr
->pr_mtx
);
3491 if ((pr
->pr_flags
& PR_IP6
) && pr
->pr_ip6
== NULL
)
3492 error
= EAFNOSUPPORT
;
3493 mtx_unlock(&pr
->pr_mtx
);
3501 if (!(pr
->pr_allow
& PR_ALLOW_SOCKET_AF
))
3502 error
= EAFNOSUPPORT
;
3508 * Check if given address belongs to the jail referenced by cred (wrapper to
3509 * prison_check_ip[46]).
3511 * Returns 0 if jail doesn't restrict the address family or if address belongs
3512 * to jail, EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if
3513 * the jail doesn't allow the address family. IPv4 Address passed in in NBO.
3516 prison_if(struct ucred
*cred
, struct sockaddr
*sa
)
3519 struct sockaddr_in
*sai
;
3522 struct sockaddr_in6
*sai6
;
3526 KASSERT(cred
!= NULL
, ("%s: cred is NULL", __func__
));
3527 KASSERT(sa
!= NULL
, ("%s: sa is NULL", __func__
));
3530 if (prison_owns_vnet(cred
))
3535 switch (sa
->sa_family
)
3539 sai
= (struct sockaddr_in
*)sa
;
3540 error
= prison_check_ip4(cred
, &sai
->sin_addr
);
3545 sai6
= (struct sockaddr_in6
*)sa
;
3546 error
= prison_check_ip6(cred
, &sai6
->sin6_addr
);
3550 if (!(cred
->cr_prison
->pr_allow
& PR_ALLOW_SOCKET_AF
))
3551 error
= EAFNOSUPPORT
;
3557 * Return 0 if jails permit p1 to frob p2, otherwise ESRCH.
3560 prison_check(struct ucred
*cred1
, struct ucred
*cred2
)
3563 return ((cred1
->cr_prison
== cred2
->cr_prison
||
3564 prison_ischild(cred1
->cr_prison
, cred2
->cr_prison
)) ? 0 : ESRCH
);
3568 * Return 1 if p2 is a child of p1, otherwise 0.
3571 prison_ischild(struct prison
*pr1
, struct prison
*pr2
)
3574 for (pr2
= pr2
->pr_parent
; pr2
!= NULL
; pr2
= pr2
->pr_parent
)
3581 * Return 1 if the passed credential is in a jail, otherwise 0.
3584 jailed(struct ucred
*cred
)
3587 return (cred
->cr_prison
!= &prison0
);
3591 * Return 1 if the passed credential is in a jail and that jail does not
3592 * have its own virtual network stack, otherwise 0.
3595 jailed_without_vnet(struct ucred
*cred
)
3601 if (prison_owns_vnet(cred
))
3609 * Return the correct hostname (domainname, et al) for the passed credential.
3612 getcredhostname(struct ucred
*cred
, char *buf
, size_t size
)
3617 * A NULL credential can be used to shortcut to the physical
3618 * system's hostname.
3620 pr
= (cred
!= NULL
) ? cred
->cr_prison
: &prison0
;
3621 mtx_lock(&pr
->pr_mtx
);
3622 strlcpy(buf
, pr
->pr_hostname
, size
);
3623 mtx_unlock(&pr
->pr_mtx
);
3627 getcreddomainname(struct ucred
*cred
, char *buf
, size_t size
)
3630 mtx_lock(&cred
->cr_prison
->pr_mtx
);
3631 strlcpy(buf
, cred
->cr_prison
->pr_domainname
, size
);
3632 mtx_unlock(&cred
->cr_prison
->pr_mtx
);
3636 getcredhostuuid(struct ucred
*cred
, char *buf
, size_t size
)
3639 mtx_lock(&cred
->cr_prison
->pr_mtx
);
3640 strlcpy(buf
, cred
->cr_prison
->pr_hostuuid
, size
);
3641 mtx_unlock(&cred
->cr_prison
->pr_mtx
);
3645 getcredhostid(struct ucred
*cred
, unsigned long *hostid
)
3648 mtx_lock(&cred
->cr_prison
->pr_mtx
);
3649 *hostid
= cred
->cr_prison
->pr_hostid
;
3650 mtx_unlock(&cred
->cr_prison
->pr_mtx
);
3655 * Determine whether the prison represented by cred owns
3656 * its vnet rather than having it inherited.
3658 * Returns 1 in case the prison owns the vnet, 0 otherwise.
3661 prison_owns_vnet(struct ucred
*cred
)
3665 * vnets cannot be added/removed after jail creation,
3666 * so no need to lock here.
3668 return (cred
->cr_prison
->pr_flags
& PR_VNET
? 1 : 0);
3673 * Determine whether the subject represented by cred can "see"
3674 * status of a mount point.
3675 * Returns: 0 for permitted, ENOENT otherwise.
3676 * XXX: This function should be called cr_canseemount() and should be
3677 * placed in kern_prot.c.
3680 prison_canseemount(struct ucred
*cred
, struct mount
*mp
)
3686 pr
= cred
->cr_prison
;
3687 if (pr
->pr_enforce_statfs
== 0)
3689 if (pr
->pr_root
->v_mount
== mp
)
3691 if (pr
->pr_enforce_statfs
== 2)
3694 * If jail's chroot directory is set to "/" we should be able to see
3695 * all mount-points from inside a jail.
3696 * This is ugly check, but this is the only situation when jail's
3697 * directory ends with '/'.
3699 if (strcmp(pr
->pr_path
, "/") == 0)
3701 len
= strlen(pr
->pr_path
);
3703 if (strncmp(pr
->pr_path
, sp
->f_mntonname
, len
) != 0)
3706 * Be sure that we don't have situation where jail's root directory
3707 * is "/some/path" and mount point is "/some/pathpath".
3709 if (sp
->f_mntonname
[len
] != '\0' && sp
->f_mntonname
[len
] != '/')
3715 prison_enforce_statfs(struct ucred
*cred
, struct mount
*mp
, struct statfs
*sp
)
3717 char jpath
[MAXPATHLEN
];
3721 pr
= cred
->cr_prison
;
3722 if (pr
->pr_enforce_statfs
== 0)
3724 if (prison_canseemount(cred
, mp
) != 0) {
3725 bzero(sp
->f_mntonname
, sizeof(sp
->f_mntonname
));
3726 strlcpy(sp
->f_mntonname
, "[restricted]",
3727 sizeof(sp
->f_mntonname
));
3730 if (pr
->pr_root
->v_mount
== mp
) {
3732 * Clear current buffer data, so we are sure nothing from
3733 * the valid path left there.
3735 bzero(sp
->f_mntonname
, sizeof(sp
->f_mntonname
));
3736 *sp
->f_mntonname
= '/';
3740 * If jail's chroot directory is set to "/" we should be able to see
3741 * all mount-points from inside a jail.
3743 if (strcmp(pr
->pr_path
, "/") == 0)
3745 len
= strlen(pr
->pr_path
);
3746 strlcpy(jpath
, sp
->f_mntonname
+ len
, sizeof(jpath
));
3748 * Clear current buffer data, so we are sure nothing from
3749 * the valid path left there.
3751 bzero(sp
->f_mntonname
, sizeof(sp
->f_mntonname
));
3752 if (*jpath
== '\0') {
3753 /* Should never happen. */
3754 *sp
->f_mntonname
= '/';
3756 strlcpy(sp
->f_mntonname
, jpath
, sizeof(sp
->f_mntonname
));
3761 * Check with permission for a specific privilege is granted within jail. We
3762 * have a specific list of accepted privileges; the rest are denied.
3765 prison_priv_check(struct ucred
*cred
, int priv
)
3773 * Privileges specific to prisons with a virtual network stack.
3774 * There might be a duplicate entry here in case the privilege
3775 * is only granted conditionally in the legacy jail case.
3780 * NFS-specific privileges.
3782 case PRIV_NFS_DAEMON
:
3783 case PRIV_NFS_LOCKD
:
3786 * Network stack privileges.
3788 case PRIV_NET_BRIDGE
:
3791 case PRIV_NET_RAW
: /* Dup, cond. in legacy jail case. */
3792 case PRIV_NET_ROUTE
:
3794 case PRIV_NET_SETIFMTU
:
3795 case PRIV_NET_SETIFFLAGS
:
3796 case PRIV_NET_SETIFCAP
:
3797 case PRIV_NET_SETIFDESCR
:
3798 case PRIV_NET_SETIFNAME
:
3799 case PRIV_NET_SETIFMETRIC
:
3800 case PRIV_NET_SETIFPHYS
:
3801 case PRIV_NET_SETIFMAC
:
3802 case PRIV_NET_ADDMULTI
:
3803 case PRIV_NET_DELMULTI
:
3804 case PRIV_NET_HWIOCTL
:
3805 case PRIV_NET_SETLLADDR
:
3806 case PRIV_NET_ADDIFGROUP
:
3807 case PRIV_NET_DELIFGROUP
:
3808 case PRIV_NET_IFCREATE
:
3809 case PRIV_NET_IFDESTROY
:
3810 case PRIV_NET_ADDIFADDR
:
3811 case PRIV_NET_DELIFADDR
:
3814 case PRIV_NET_SETIFVNET
:
3815 case PRIV_NET_SETIFFIB
:
3818 * 802.11-related privileges.
3820 case PRIV_NET80211_GETKEY
:
3822 case PRIV_NET80211_MANAGE
: /* XXX-BZ discuss with sam@ */
3829 case PRIV_NETATM_CFG
:
3830 case PRIV_NETATM_ADD
:
3831 case PRIV_NETATM_DEL
:
3832 case PRIV_NETATM_SET
:
3835 * Bluetooth privileges.
3837 case PRIV_NETBLUETOOTH_RAW
:
3841 * Netgraph and netgraph module privileges.
3843 case PRIV_NETGRAPH_CONTROL
:
3845 case PRIV_NETGRAPH_TTY
:
3849 * IPv4 and IPv6 privileges.
3851 case PRIV_NETINET_IPFW
:
3852 case PRIV_NETINET_DIVERT
:
3853 case PRIV_NETINET_PF
:
3854 case PRIV_NETINET_DUMMYNET
:
3855 case PRIV_NETINET_CARP
:
3856 case PRIV_NETINET_MROUTE
:
3857 case PRIV_NETINET_RAW
:
3858 case PRIV_NETINET_ADDRCTRL6
:
3859 case PRIV_NETINET_ND6
:
3860 case PRIV_NETINET_SCOPE6
:
3861 case PRIV_NETINET_ALIFETIME6
:
3862 case PRIV_NETINET_IPSEC
:
3863 case PRIV_NETINET_BINDANY
:
3878 * No default: or deny here.
3879 * In case of no permit fall through to next switch().
3881 if (cred
->cr_prison
->pr_flags
& PR_VNET
)
3889 * Allow ktrace privileges for root in jail.
3895 * Allow jailed processes to configure audit identity and
3896 * submit audit records (login, etc). In the future we may
3897 * want to further refine the relationship between audit and
3900 case PRIV_AUDIT_GETAUDIT
:
3901 case PRIV_AUDIT_SETAUDIT
:
3902 case PRIV_AUDIT_SUBMIT
:
3906 * Allow jailed processes to manipulate process UNIX
3907 * credentials in any way they see fit.
3909 case PRIV_CRED_SETUID
:
3910 case PRIV_CRED_SETEUID
:
3911 case PRIV_CRED_SETGID
:
3912 case PRIV_CRED_SETEGID
:
3913 case PRIV_CRED_SETGROUPS
:
3914 case PRIV_CRED_SETREUID
:
3915 case PRIV_CRED_SETREGID
:
3916 case PRIV_CRED_SETRESUID
:
3917 case PRIV_CRED_SETRESGID
:
3920 * Jail implements visibility constraints already, so allow
3921 * jailed root to override uid/gid-based constraints.
3923 case PRIV_SEEOTHERGIDS
:
3924 case PRIV_SEEOTHERUIDS
:
3927 * Jail implements inter-process debugging limits already, so
3928 * allow jailed root various debugging privileges.
3930 case PRIV_DEBUG_DIFFCRED
:
3931 case PRIV_DEBUG_SUGID
:
3932 case PRIV_DEBUG_UNPRIV
:
3935 * Allow jail to set various resource limits and login
3936 * properties, and for now, exceed process resource limits.
3938 case PRIV_PROC_LIMIT
:
3939 case PRIV_PROC_SETLOGIN
:
3940 case PRIV_PROC_SETRLIMIT
:
3943 * System V and POSIX IPC privileges are granted in jail.
3946 case PRIV_IPC_WRITE
:
3947 case PRIV_IPC_ADMIN
:
3948 case PRIV_IPC_MSGSIZE
:
3952 * Jail operations within a jail work on child jails.
3954 case PRIV_JAIL_ATTACH
:
3956 case PRIV_JAIL_REMOVE
:
3959 * Jail implements its own inter-process limits, so allow
3960 * root processes in jail to change scheduling on other
3961 * processes in the same jail. Likewise for signalling.
3963 case PRIV_SCHED_DIFFCRED
:
3964 case PRIV_SCHED_CPUSET
:
3965 case PRIV_SIGNAL_DIFFCRED
:
3966 case PRIV_SIGNAL_SUGID
:
3969 * Allow jailed processes to write to sysctls marked as jail
3972 case PRIV_SYSCTL_WRITEJAIL
:
3975 * Allow root in jail to manage a variety of quota
3976 * properties. These should likely be conditional on a
3977 * configuration option.
3979 case PRIV_VFS_GETQUOTA
:
3980 case PRIV_VFS_SETQUOTA
:
3983 * Since Jail relies on chroot() to implement file system
3984 * protections, grant many VFS privileges to root in jail.
3985 * Be careful to exclude mount-related and NFS-related
3989 case PRIV_VFS_WRITE
:
3990 case PRIV_VFS_ADMIN
:
3992 case PRIV_VFS_LOOKUP
:
3993 case PRIV_VFS_BLOCKRESERVE
: /* XXXRW: Slightly surprising. */
3994 case PRIV_VFS_CHFLAGS_DEV
:
3995 case PRIV_VFS_CHOWN
:
3996 case PRIV_VFS_CHROOT
:
3997 case PRIV_VFS_RETAINSUGID
:
3998 case PRIV_VFS_FCHROOT
:
4000 case PRIV_VFS_SETGID
:
4002 case PRIV_VFS_STICKYFILE
:
4005 * As in the non-jail case, non-root users are expected to be
4006 * able to read kernel/phyiscal memory (provided /dev/[k]mem
4007 * exists in the jail and they have permission to access it).
4009 case PRIV_KMEM_READ
:
4013 * Depending on the global setting, allow privilege of
4014 * setting system flags.
4016 case PRIV_VFS_SYSFLAGS
:
4017 if (cred
->cr_prison
->pr_allow
& PR_ALLOW_CHFLAGS
)
4023 * Depending on the global setting, allow privilege of
4024 * mounting/unmounting file systems.
4026 case PRIV_VFS_MOUNT
:
4027 case PRIV_VFS_UNMOUNT
:
4028 case PRIV_VFS_MOUNT_NONUSER
:
4029 case PRIV_VFS_MOUNT_OWNER
:
4030 if (cred
->cr_prison
->pr_allow
& PR_ALLOW_MOUNT
&&
4031 cred
->cr_prison
->pr_enforce_statfs
< 2)
4037 * Allow jailed root to bind reserved ports and reuse in-use
4040 case PRIV_NETINET_RESERVEDPORT
:
4041 case PRIV_NETINET_REUSEPORT
:
4045 * Allow jailed root to set certain IPv4/6 (option) headers.
4047 case PRIV_NETINET_SETHDROPTS
:
4051 * Conditionally allow creating raw sockets in jail.
4053 case PRIV_NETINET_RAW
:
4054 if (cred
->cr_prison
->pr_allow
& PR_ALLOW_RAW_SOCKETS
)
4060 * Since jail implements its own visibility limits on netstat
4061 * sysctls, allow getcred. This allows identd to work in
4064 case PRIV_NETINET_GETCRED
:
4068 * Allow jailed root to set loginclass.
4070 case PRIV_PROC_SETLOGINCLASS
:
4075 * In all remaining cases, deny the privilege request. This
4076 * includes almost all network privileges, many system
4077 * configuration privileges.
4084 * Return the part of pr2's name that is relative to pr1, or the whole name
4085 * if it does not directly follow.
4089 prison_name(struct prison
*pr1
, struct prison
*pr2
)
4093 /* Jails see themselves as "0" (if they see themselves at all). */
4096 name
= pr2
->pr_name
;
4097 if (prison_ischild(pr1
, pr2
)) {
4099 * pr1 isn't locked (and allprison_lock may not be either)
4100 * so its length can't be counted on. But the number of dots
4101 * can be counted on - and counted.
4103 for (; pr1
!= &prison0
; pr1
= pr1
->pr_parent
)
4104 name
= strchr(name
, '.') + 1;
4110 * Return the part of pr2's path that is relative to pr1, or the whole path
4111 * if it does not directly follow.
4114 prison_path(struct prison
*pr1
, struct prison
*pr2
)
4116 char *path1
, *path2
;
4119 path1
= pr1
->pr_path
;
4120 path2
= pr2
->pr_path
;
4121 if (!strcmp(path1
, "/"))
4123 len1
= strlen(path1
);
4124 if (strncmp(path1
, path2
, len1
))
4126 if (path2
[len1
] == '\0')
4128 if (path2
[len1
] == '/')
4129 return (path2
+ len1
);
4135 * Jail-related sysctls.
4137 static SYSCTL_NODE(_security
, OID_AUTO
, jail
, CTLFLAG_RW
, 0,
4141 sysctl_jail_list(SYSCTL_HANDLER_ARGS
)
4144 struct prison
*pr
, *cpr
;
4146 struct in_addr
*ip4
= NULL
;
4150 struct in6_addr
*ip6
= NULL
;
4155 xp
= malloc(sizeof(*xp
), M_TEMP
, M_WAITOK
);
4156 pr
= req
->td
->td_ucred
->cr_prison
;
4158 sx_slock(&allprison_lock
);
4159 FOREACH_PRISON_DESCENDANT(pr
, cpr
, descend
) {
4160 #if defined(INET) || defined(INET6)
4163 mtx_lock(&cpr
->pr_mtx
);
4165 if (cpr
->pr_ip4s
> 0) {
4166 if (ip4s
< cpr
->pr_ip4s
) {
4167 ip4s
= cpr
->pr_ip4s
;
4168 mtx_unlock(&cpr
->pr_mtx
);
4169 ip4
= realloc(ip4
, ip4s
*
4170 sizeof(struct in_addr
), M_TEMP
, M_WAITOK
);
4173 bcopy(cpr
->pr_ip4
, ip4
,
4174 cpr
->pr_ip4s
* sizeof(struct in_addr
));
4178 if (cpr
->pr_ip6s
> 0) {
4179 if (ip6s
< cpr
->pr_ip6s
) {
4180 ip6s
= cpr
->pr_ip6s
;
4181 mtx_unlock(&cpr
->pr_mtx
);
4182 ip6
= realloc(ip6
, ip6s
*
4183 sizeof(struct in6_addr
), M_TEMP
, M_WAITOK
);
4186 bcopy(cpr
->pr_ip6
, ip6
,
4187 cpr
->pr_ip6s
* sizeof(struct in6_addr
));
4190 if (cpr
->pr_ref
== 0) {
4191 mtx_unlock(&cpr
->pr_mtx
);
4194 bzero(xp
, sizeof(*xp
));
4195 xp
->pr_version
= XPRISON_VERSION
;
4196 xp
->pr_id
= cpr
->pr_id
;
4197 xp
->pr_state
= cpr
->pr_uref
> 0
4198 ? PRISON_STATE_ALIVE
: PRISON_STATE_DYING
;
4199 strlcpy(xp
->pr_path
, prison_path(pr
, cpr
), sizeof(xp
->pr_path
));
4200 strlcpy(xp
->pr_host
, cpr
->pr_hostname
, sizeof(xp
->pr_host
));
4201 strlcpy(xp
->pr_name
, prison_name(pr
, cpr
), sizeof(xp
->pr_name
));
4203 xp
->pr_ip4s
= cpr
->pr_ip4s
;
4206 xp
->pr_ip6s
= cpr
->pr_ip6s
;
4208 mtx_unlock(&cpr
->pr_mtx
);
4209 error
= SYSCTL_OUT(req
, xp
, sizeof(*xp
));
4213 if (xp
->pr_ip4s
> 0) {
4214 error
= SYSCTL_OUT(req
, ip4
,
4215 xp
->pr_ip4s
* sizeof(struct in_addr
));
4221 if (xp
->pr_ip6s
> 0) {
4222 error
= SYSCTL_OUT(req
, ip6
,
4223 xp
->pr_ip6s
* sizeof(struct in6_addr
));
4229 sx_sunlock(&allprison_lock
);
4240 SYSCTL_OID(_security_jail
, OID_AUTO
, list
,
4241 CTLTYPE_STRUCT
| CTLFLAG_RD
| CTLFLAG_MPSAFE
, NULL
, 0,
4242 sysctl_jail_list
, "S", "List of active jails");
4245 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS
)
4249 injail
= jailed(req
->td
->td_ucred
);
4250 error
= SYSCTL_OUT(req
, &injail
, sizeof(injail
));
4255 SYSCTL_PROC(_security_jail
, OID_AUTO
, jailed
,
4256 CTLTYPE_INT
| CTLFLAG_RD
| CTLFLAG_MPSAFE
, NULL
, 0,
4257 sysctl_jail_jailed
, "I", "Process in jail?");
4260 sysctl_jail_vnet(SYSCTL_HANDLER_ARGS
)
4262 int error
, havevnet
;
4264 struct ucred
*cred
= req
->td
->td_ucred
;
4266 havevnet
= jailed(cred
) && prison_owns_vnet(cred
);
4270 error
= SYSCTL_OUT(req
, &havevnet
, sizeof(havevnet
));
4275 SYSCTL_PROC(_security_jail
, OID_AUTO
, vnet
,
4276 CTLTYPE_INT
| CTLFLAG_RD
| CTLFLAG_MPSAFE
, NULL
, 0,
4277 sysctl_jail_vnet
, "I", "Jail owns VNET?");
4279 #if defined(INET) || defined(INET6)
4280 SYSCTL_UINT(_security_jail
, OID_AUTO
, jail_max_af_ips
, CTLFLAG_RW
,
4281 &jail_max_af_ips
, 0,
4282 "Number of IP addresses a jail may have at most per address family (deprecated)");
4286 * Default parameters for jail(2) compatibility. For historical reasons,
4287 * the sysctl names have varying similarity to the parameter names. Prisons
4288 * just see their own parameters, and can't change them.
4291 sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS
)
4294 int allow
, error
, i
;
4296 pr
= req
->td
->td_ucred
->cr_prison
;
4297 allow
= (pr
== &prison0
) ? jail_default_allow
: pr
->pr_allow
;
4299 /* Get the current flag value, and convert it to a boolean. */
4300 i
= (allow
& arg2
) ? 1 : 0;
4303 error
= sysctl_handle_int(oidp
, &i
, 0, req
);
4304 if (error
|| !req
->newptr
)
4310 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
4313 mtx_lock(&prison0
.pr_mtx
);
4314 jail_default_allow
= (jail_default_allow
& ~arg2
) | i
;
4315 mtx_unlock(&prison0
.pr_mtx
);
4319 SYSCTL_PROC(_security_jail
, OID_AUTO
, set_hostname_allowed
,
4320 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4321 NULL
, PR_ALLOW_SET_HOSTNAME
, sysctl_jail_default_allow
, "I",
4322 "Processes in jail can set their hostnames (deprecated)");
4323 SYSCTL_PROC(_security_jail
, OID_AUTO
, socket_unixiproute_only
,
4324 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4325 (void *)1, PR_ALLOW_SOCKET_AF
, sysctl_jail_default_allow
, "I",
4326 "Processes in jail are limited to creating UNIX/IP/route sockets only (deprecated)");
4327 SYSCTL_PROC(_security_jail
, OID_AUTO
, sysvipc_allowed
,
4328 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4329 NULL
, PR_ALLOW_SYSVIPC
, sysctl_jail_default_allow
, "I",
4330 "Processes in jail can use System V IPC primitives (deprecated)");
4331 SYSCTL_PROC(_security_jail
, OID_AUTO
, allow_raw_sockets
,
4332 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4333 NULL
, PR_ALLOW_RAW_SOCKETS
, sysctl_jail_default_allow
, "I",
4334 "Prison root can create raw sockets (deprecated)");
4335 SYSCTL_PROC(_security_jail
, OID_AUTO
, chflags_allowed
,
4336 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4337 NULL
, PR_ALLOW_CHFLAGS
, sysctl_jail_default_allow
, "I",
4338 "Processes in jail can alter system file flags (deprecated)");
4339 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_allowed
,
4340 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4341 NULL
, PR_ALLOW_MOUNT
, sysctl_jail_default_allow
, "I",
4342 "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
4343 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_devfs_allowed
,
4344 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4345 NULL
, PR_ALLOW_MOUNT_DEVFS
, sysctl_jail_default_allow
, "I",
4346 "Processes in jail can mount the devfs file system (deprecated)");
4347 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_fdescfs_allowed
,
4348 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4349 NULL
, PR_ALLOW_MOUNT_FDESCFS
, sysctl_jail_default_allow
, "I",
4350 "Processes in jail can mount the fdescfs file system (deprecated)");
4351 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_nullfs_allowed
,
4352 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4353 NULL
, PR_ALLOW_MOUNT_NULLFS
, sysctl_jail_default_allow
, "I",
4354 "Processes in jail can mount the nullfs file system (deprecated)");
4355 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_procfs_allowed
,
4356 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4357 NULL
, PR_ALLOW_MOUNT_PROCFS
, sysctl_jail_default_allow
, "I",
4358 "Processes in jail can mount the procfs file system (deprecated)");
4359 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_linprocfs_allowed
,
4360 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4361 NULL
, PR_ALLOW_MOUNT_LINPROCFS
, sysctl_jail_default_allow
, "I",
4362 "Processes in jail can mount the linprocfs file system (deprecated)");
4363 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_linsysfs_allowed
,
4364 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4365 NULL
, PR_ALLOW_MOUNT_LINSYSFS
, sysctl_jail_default_allow
, "I",
4366 "Processes in jail can mount the linsysfs file system (deprecated)");
4367 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_tmpfs_allowed
,
4368 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4369 NULL
, PR_ALLOW_MOUNT_TMPFS
, sysctl_jail_default_allow
, "I",
4370 "Processes in jail can mount the tmpfs file system (deprecated)");
4371 SYSCTL_PROC(_security_jail
, OID_AUTO
, mount_zfs_allowed
,
4372 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4373 NULL
, PR_ALLOW_MOUNT_ZFS
, sysctl_jail_default_allow
, "I",
4374 "Processes in jail can mount the zfs file system (deprecated)");
4377 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS
)
4382 pr
= req
->td
->td_ucred
->cr_prison
;
4383 level
= (pr
== &prison0
) ? *(int *)arg1
: *(int *)((char *)pr
+ arg2
);
4384 error
= sysctl_handle_int(oidp
, &level
, 0, req
);
4385 if (error
|| !req
->newptr
)
4387 *(int *)arg1
= level
;
4391 SYSCTL_PROC(_security_jail
, OID_AUTO
, enforce_statfs
,
4392 CTLTYPE_INT
| CTLFLAG_RW
| CTLFLAG_MPSAFE
,
4393 &jail_default_enforce_statfs
, offsetof(struct prison
, pr_enforce_statfs
),
4394 sysctl_jail_default_level
, "I",
4395 "Processes in jail cannot see all mounted file systems (deprecated)");
4397 SYSCTL_PROC(_security_jail
, OID_AUTO
, devfs_ruleset
,
4398 CTLTYPE_INT
| CTLFLAG_RD
| CTLFLAG_MPSAFE
,
4399 &jail_default_devfs_rsnum
, offsetof(struct prison
, pr_devfs_rsnum
),
4400 sysctl_jail_default_level
, "I",
4401 "Ruleset for the devfs filesystem in jail (deprecated)");
4404 * Nodes to describe jail parameters. Maximum length of string parameters
4405 * is returned in the string itself, and the other parameters exist merely
4406 * to make themselves and their types known.
4408 SYSCTL_NODE(_security_jail
, OID_AUTO
, param
, CTLFLAG_RW
, 0,
4412 sysctl_jail_param(SYSCTL_HANDLER_ARGS
)
4419 switch (oidp
->oid_kind
& CTLTYPE
)
4425 if (!(req
->flags
& SCTL_MASK32
))
4427 return (SYSCTL_OUT(req
, &l
, sizeof(l
)));
4431 return (SYSCTL_OUT(req
, &i
, sizeof(i
)));
4432 case CTLTYPE_STRING
:
4433 snprintf(numbuf
, sizeof(numbuf
), "%jd", (intmax_t)arg2
);
4435 (sysctl_handle_string(oidp
, numbuf
, sizeof(numbuf
), req
));
4436 case CTLTYPE_STRUCT
:
4438 return (SYSCTL_OUT(req
, &s
, sizeof(s
)));
4444 * CTLFLAG_RDTUN in the following indicates jail parameters that can be set at
4445 * jail creation time but cannot be changed in an existing jail.
4447 SYSCTL_JAIL_PARAM(, jid
, CTLTYPE_INT
| CTLFLAG_RDTUN
, "I", "Jail ID");
4448 SYSCTL_JAIL_PARAM(, parent
, CTLTYPE_INT
| CTLFLAG_RD
, "I", "Jail parent ID");
4449 SYSCTL_JAIL_PARAM_STRING(, name
, CTLFLAG_RW
, MAXHOSTNAMELEN
, "Jail name");
4450 SYSCTL_JAIL_PARAM_STRING(, path
, CTLFLAG_RDTUN
, MAXPATHLEN
, "Jail root path");
4451 SYSCTL_JAIL_PARAM(, securelevel
, CTLTYPE_INT
| CTLFLAG_RW
,
4452 "I", "Jail secure level");
4453 SYSCTL_JAIL_PARAM(, osreldate
, CTLTYPE_INT
| CTLFLAG_RDTUN
, "I",
4454 "Jail value for kern.osreldate and uname -K");
4455 SYSCTL_JAIL_PARAM_STRING(, osrelease
, CTLFLAG_RDTUN
, OSRELEASELEN
,
4456 "Jail value for kern.osrelease and uname -r");
4457 SYSCTL_JAIL_PARAM(, enforce_statfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4458 "I", "Jail cannot see all mounted file systems");
4459 SYSCTL_JAIL_PARAM(, devfs_ruleset
, CTLTYPE_INT
| CTLFLAG_RW
,
4460 "I", "Ruleset for in-jail devfs mounts");
4461 SYSCTL_JAIL_PARAM(, persist
, CTLTYPE_INT
| CTLFLAG_RW
,
4462 "B", "Jail persistence");
4464 SYSCTL_JAIL_PARAM(, vnet
, CTLTYPE_INT
| CTLFLAG_RDTUN
,
4465 "E,jailsys", "Virtual network stack");
4467 SYSCTL_JAIL_PARAM(, dying
, CTLTYPE_INT
| CTLFLAG_RD
,
4468 "B", "Jail is in the process of shutting down");
4470 SYSCTL_JAIL_PARAM_NODE(children
, "Number of child jails");
4471 SYSCTL_JAIL_PARAM(_children
, cur
, CTLTYPE_INT
| CTLFLAG_RD
,
4472 "I", "Current number of child jails");
4473 SYSCTL_JAIL_PARAM(_children
, max
, CTLTYPE_INT
| CTLFLAG_RW
,
4474 "I", "Maximum number of child jails");
4476 SYSCTL_JAIL_PARAM_SYS_NODE(host
, CTLFLAG_RW
, "Jail host info");
4477 SYSCTL_JAIL_PARAM_STRING(_host
, hostname
, CTLFLAG_RW
, MAXHOSTNAMELEN
,
4479 SYSCTL_JAIL_PARAM_STRING(_host
, domainname
, CTLFLAG_RW
, MAXHOSTNAMELEN
,
4480 "Jail NIS domainname");
4481 SYSCTL_JAIL_PARAM_STRING(_host
, hostuuid
, CTLFLAG_RW
, HOSTUUIDLEN
,
4483 SYSCTL_JAIL_PARAM(_host
, hostid
, CTLTYPE_ULONG
| CTLFLAG_RW
,
4484 "LU", "Jail host ID");
4486 SYSCTL_JAIL_PARAM_NODE(cpuset
, "Jail cpuset");
4487 SYSCTL_JAIL_PARAM(_cpuset
, id
, CTLTYPE_INT
| CTLFLAG_RD
, "I", "Jail cpuset ID");
4490 SYSCTL_JAIL_PARAM_SYS_NODE(ip4
, CTLFLAG_RDTUN
,
4491 "Jail IPv4 address virtualization");
4492 SYSCTL_JAIL_PARAM_STRUCT(_ip4
, addr
, CTLFLAG_RW
, sizeof(struct in_addr
),
4493 "S,in_addr,a", "Jail IPv4 addresses");
4494 SYSCTL_JAIL_PARAM(_ip4
, saddrsel
, CTLTYPE_INT
| CTLFLAG_RW
,
4495 "B", "Do (not) use IPv4 source address selection rather than the "
4496 "primary jail IPv4 address.");
4499 SYSCTL_JAIL_PARAM_SYS_NODE(ip6
, CTLFLAG_RDTUN
,
4500 "Jail IPv6 address virtualization");
4501 SYSCTL_JAIL_PARAM_STRUCT(_ip6
, addr
, CTLFLAG_RW
, sizeof(struct in6_addr
),
4502 "S,in6_addr,a", "Jail IPv6 addresses");
4503 SYSCTL_JAIL_PARAM(_ip6
, saddrsel
, CTLTYPE_INT
| CTLFLAG_RW
,
4504 "B", "Do (not) use IPv6 source address selection rather than the "
4505 "primary jail IPv6 address.");
4508 SYSCTL_JAIL_PARAM_NODE(allow
, "Jail permission flags");
4509 SYSCTL_JAIL_PARAM(_allow
, set_hostname
, CTLTYPE_INT
| CTLFLAG_RW
,
4510 "B", "Jail may set hostname");
4511 SYSCTL_JAIL_PARAM(_allow
, sysvipc
, CTLTYPE_INT
| CTLFLAG_RW
,
4512 "B", "Jail may use SYSV IPC");
4513 SYSCTL_JAIL_PARAM(_allow
, raw_sockets
, CTLTYPE_INT
| CTLFLAG_RW
,
4514 "B", "Jail may create raw sockets");
4515 SYSCTL_JAIL_PARAM(_allow
, chflags
, CTLTYPE_INT
| CTLFLAG_RW
,
4516 "B", "Jail may alter system file flags");
4517 SYSCTL_JAIL_PARAM(_allow
, quotas
, CTLTYPE_INT
| CTLFLAG_RW
,
4518 "B", "Jail may set file quotas");
4519 SYSCTL_JAIL_PARAM(_allow
, socket_af
, CTLTYPE_INT
| CTLFLAG_RW
,
4520 "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
4522 SYSCTL_JAIL_PARAM_SUBNODE(allow
, mount
, "Jail mount/unmount permission flags");
4523 SYSCTL_JAIL_PARAM(_allow_mount
, , CTLTYPE_INT
| CTLFLAG_RW
,
4524 "B", "Jail may mount/unmount jail-friendly file systems in general");
4525 SYSCTL_JAIL_PARAM(_allow_mount
, devfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4526 "B", "Jail may mount the devfs file system");
4527 SYSCTL_JAIL_PARAM(_allow_mount
, fdescfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4528 "B", "Jail may mount the fdescfs file system");
4529 SYSCTL_JAIL_PARAM(_allow_mount
, nullfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4530 "B", "Jail may mount the nullfs file system");
4531 SYSCTL_JAIL_PARAM(_allow_mount
, procfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4532 "B", "Jail may mount the procfs file system");
4533 SYSCTL_JAIL_PARAM(_allow_mount
, linprocfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4534 "B", "Jail may mount the linprocfs file system");
4535 SYSCTL_JAIL_PARAM(_allow_mount
, linsysfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4536 "B", "Jail may mount the linsysfs file system");
4537 SYSCTL_JAIL_PARAM(_allow_mount
, tmpfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4538 "B", "Jail may mount the tmpfs file system");
4539 SYSCTL_JAIL_PARAM(_allow_mount
, zfs
, CTLTYPE_INT
| CTLFLAG_RW
,
4540 "B", "Jail may mount the zfs file system");
4544 prison_racct_foreach(void (*callback
)(struct racct
*racct
,
4545 void *arg2
, void *arg3
), void (*pre
)(void), void (*post
)(void),
4546 void *arg2
, void *arg3
)
4548 struct prison_racct
*prr
;
4550 ASSERT_RACCT_ENABLED();
4552 sx_slock(&allprison_lock
);
4555 LIST_FOREACH(prr
, &allprison_racct
, prr_next
)
4556 (callback
)(prr
->prr_racct
, arg2
, arg3
);
4559 sx_sunlock(&allprison_lock
);
4562 static struct prison_racct
*
4563 prison_racct_find_locked(const char *name
)
4565 struct prison_racct
*prr
;
4567 ASSERT_RACCT_ENABLED();
4568 sx_assert(&allprison_lock
, SA_XLOCKED
);
4570 if (name
[0] == '\0' || strlen(name
) >= MAXHOSTNAMELEN
)
4573 LIST_FOREACH(prr
, &allprison_racct
, prr_next
) {
4574 if (strcmp(name
, prr
->prr_name
) != 0)
4577 /* Found prison_racct with a matching name? */
4578 prison_racct_hold(prr
);
4582 /* Add new prison_racct. */
4583 prr
= malloc(sizeof(*prr
), M_PRISON_RACCT
, M_ZERO
| M_WAITOK
);
4584 racct_create(&prr
->prr_racct
);
4586 strcpy(prr
->prr_name
, name
);
4587 refcount_init(&prr
->prr_refcount
, 1);
4588 LIST_INSERT_HEAD(&allprison_racct
, prr
, prr_next
);
4593 struct prison_racct
*
4594 prison_racct_find(const char *name
)
4596 struct prison_racct
*prr
;
4598 ASSERT_RACCT_ENABLED();
4600 sx_xlock(&allprison_lock
);
4601 prr
= prison_racct_find_locked(name
);
4602 sx_xunlock(&allprison_lock
);
4607 prison_racct_hold(struct prison_racct
*prr
)
4610 ASSERT_RACCT_ENABLED();
4612 refcount_acquire(&prr
->prr_refcount
);
4616 prison_racct_free_locked(struct prison_racct
*prr
)
4619 ASSERT_RACCT_ENABLED();
4620 sx_assert(&allprison_lock
, SA_XLOCKED
);
4622 if (refcount_release(&prr
->prr_refcount
)) {
4623 racct_destroy(&prr
->prr_racct
);
4624 LIST_REMOVE(prr
, prr_next
);
4625 free(prr
, M_PRISON_RACCT
);
4630 prison_racct_free(struct prison_racct
*prr
)
4634 ASSERT_RACCT_ENABLED();
4635 sx_assert(&allprison_lock
, SA_UNLOCKED
);
4637 old
= prr
->prr_refcount
;
4638 if (old
> 1 && atomic_cmpset_int(&prr
->prr_refcount
, old
, old
- 1))
4641 sx_xlock(&allprison_lock
);
4642 prison_racct_free_locked(prr
);
4643 sx_xunlock(&allprison_lock
);
4647 prison_racct_attach(struct prison
*pr
)
4649 struct prison_racct
*prr
;
4651 ASSERT_RACCT_ENABLED();
4652 sx_assert(&allprison_lock
, SA_XLOCKED
);
4654 prr
= prison_racct_find_locked(pr
->pr_name
);
4655 KASSERT(prr
!= NULL
, ("cannot find prison_racct"));
4657 pr
->pr_prison_racct
= prr
;
4661 * Handle jail renaming. From the racct point of view, renaming means
4662 * moving from one prison_racct to another.
4665 prison_racct_modify(struct prison
*pr
)
4669 struct prison_racct
*oldprr
;
4671 ASSERT_RACCT_ENABLED();
4673 sx_slock(&allproc_lock
);
4674 sx_xlock(&allprison_lock
);
4676 if (strcmp(pr
->pr_name
, pr
->pr_prison_racct
->prr_name
) == 0) {
4677 sx_xunlock(&allprison_lock
);
4678 sx_sunlock(&allproc_lock
);
4682 oldprr
= pr
->pr_prison_racct
;
4683 pr
->pr_prison_racct
= NULL
;
4685 prison_racct_attach(pr
);
4688 * Move resource utilisation records.
4690 racct_move(pr
->pr_prison_racct
->prr_racct
, oldprr
->prr_racct
);
4693 * Force rctl to reattach rules to processes.
4695 FOREACH_PROC_IN_SYSTEM(p
) {
4697 cred
= crhold(p
->p_ucred
);
4699 racct_proc_ucred_changed(p
, cred
, cred
);
4703 sx_sunlock(&allproc_lock
);
4704 prison_racct_free_locked(oldprr
);
4705 sx_xunlock(&allprison_lock
);
4709 prison_racct_detach(struct prison
*pr
)
4712 ASSERT_RACCT_ENABLED();
4713 sx_assert(&allprison_lock
, SA_UNLOCKED
);
4715 if (pr
->pr_prison_racct
== NULL
)
4717 prison_racct_free(pr
->pr_prison_racct
);
4718 pr
->pr_prison_racct
= NULL
;
4725 db_show_prison(struct prison
*pr
)
4728 #if defined(INET) || defined(INET6)
4733 char ip6buf
[INET6_ADDRSTRLEN
];
4736 db_printf("prison %p:\n", pr
);
4737 db_printf(" jid = %d\n", pr
->pr_id
);
4738 db_printf(" name = %s\n", pr
->pr_name
);
4739 db_printf(" parent = %p\n", pr
->pr_parent
);
4740 db_printf(" ref = %d\n", pr
->pr_ref
);
4741 db_printf(" uref = %d\n", pr
->pr_uref
);
4742 db_printf(" path = %s\n", pr
->pr_path
);
4743 db_printf(" cpuset = %d\n", pr
->pr_cpuset
4744 ? pr
->pr_cpuset
->cs_id
: -1);
4746 db_printf(" vnet = %p\n", pr
->pr_vnet
);
4748 db_printf(" root = %p\n", pr
->pr_root
);
4749 db_printf(" securelevel = %d\n", pr
->pr_securelevel
);
4750 db_printf(" devfs_rsnum = %d\n", pr
->pr_devfs_rsnum
);
4751 db_printf(" children.max = %d\n", pr
->pr_childmax
);
4752 db_printf(" children.cur = %d\n", pr
->pr_childcount
);
4753 db_printf(" child = %p\n", LIST_FIRST(&pr
->pr_children
));
4754 db_printf(" sibling = %p\n", LIST_NEXT(pr
, pr_sibling
));
4755 db_printf(" flags = 0x%x", pr
->pr_flags
);
4756 for (fi
= 0; fi
< nitems(pr_flag_names
); fi
++)
4757 if (pr_flag_names
[fi
] != NULL
&& (pr
->pr_flags
& (1 << fi
)))
4758 db_printf(" %s", pr_flag_names
[fi
]);
4759 for (fi
= 0; fi
< nitems(pr_flag_jailsys
); fi
++) {
4760 jsf
= pr
->pr_flags
&
4761 (pr_flag_jailsys
[fi
].disable
| pr_flag_jailsys
[fi
].new);
4762 db_printf(" %-16s= %s\n", pr_flag_jailsys
[fi
].name
,
4763 pr_flag_jailsys
[fi
].disable
&&
4764 (jsf
== pr_flag_jailsys
[fi
].disable
) ? "disable"
4765 : (jsf
== pr_flag_jailsys
[fi
].new) ? "new"
4768 db_printf(" allow = 0x%x", pr
->pr_allow
);
4769 for (fi
= 0; fi
< nitems(pr_allow_names
); fi
++)
4770 if (pr_allow_names
[fi
] != NULL
&& (pr
->pr_allow
& (1 << fi
)))
4771 db_printf(" %s", pr_allow_names
[fi
]);
4773 db_printf(" enforce_statfs = %d\n", pr
->pr_enforce_statfs
);
4774 db_printf(" host.hostname = %s\n", pr
->pr_hostname
);
4775 db_printf(" host.domainname = %s\n", pr
->pr_domainname
);
4776 db_printf(" host.hostuuid = %s\n", pr
->pr_hostuuid
);
4777 db_printf(" host.hostid = %lu\n", pr
->pr_hostid
);
4779 db_printf(" ip4s = %d\n", pr
->pr_ip4s
);
4780 for (ii
= 0; ii
< pr
->pr_ip4s
; ii
++)
4781 db_printf(" %s %s\n",
4782 ii
== 0 ? "ip4.addr =" : " ",
4783 inet_ntoa(pr
->pr_ip4
[ii
]));
4786 db_printf(" ip6s = %d\n", pr
->pr_ip6s
);
4787 for (ii
= 0; ii
< pr
->pr_ip6s
; ii
++)
4788 db_printf(" %s %s\n",
4789 ii
== 0 ? "ip6.addr =" : " ",
4790 ip6_sprintf(ip6buf
, &pr
->pr_ip6
[ii
]));
4794 DB_SHOW_COMMAND(prison
, db_show_prison_command
)
4800 * Show all prisons in the list, and prison0 which is not
4803 db_show_prison(&prison0
);
4804 if (!db_pager_quit
) {
4805 TAILQ_FOREACH(pr
, &allprison
, pr_list
) {
4817 /* Look for a prison with the ID and with references. */
4818 TAILQ_FOREACH(pr
, &allprison
, pr_list
)
4819 if (pr
->pr_id
== addr
&& pr
->pr_ref
> 0)
4822 /* Look again, without requiring a reference. */
4823 TAILQ_FOREACH(pr
, &allprison
, pr_list
)
4824 if (pr
->pr_id
== addr
)
4827 /* Assume address points to a valid prison. */
4828 pr
= (struct prison
*)addr
;