[a9153ec] | 1 | /*- |
---|
[bb80d9d] | 2 | * SPDX-License-Identifier: BSD-2-Clause-FreeBSD |
---|
| 3 | * |
---|
[a9153ec] | 4 | * Copyright (c) 1999 Poul-Henning Kamp. |
---|
| 5 | * Copyright (c) 2009 James Gritton. |
---|
| 6 | * All rights reserved. |
---|
| 7 | * |
---|
| 8 | * Redistribution and use in source and binary forms, with or without |
---|
| 9 | * modification, are permitted provided that the following conditions |
---|
| 10 | * are met: |
---|
| 11 | * 1. Redistributions of source code must retain the above copyright |
---|
| 12 | * notice, this list of conditions and the following disclaimer. |
---|
| 13 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
| 14 | * notice, this list of conditions and the following disclaimer in the |
---|
| 15 | * documentation and/or other materials provided with the distribution. |
---|
| 16 | * |
---|
| 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
---|
| 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
| 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
| 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
---|
| 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
| 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
| 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
| 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
| 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
| 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
| 27 | * SUCH DAMAGE. |
---|
| 28 | * |
---|
| 29 | * $FreeBSD$ |
---|
| 30 | */ |
---|
| 31 | |
---|
[e599318] | 32 | #ifndef _SYS_JAIL_H_ |
---|
| 33 | #define _SYS_JAIL_H_ |
---|
[a9153ec] | 34 | |
---|
| 35 | #ifdef _KERNEL |
---|
| 36 | struct jail_v0 { |
---|
| 37 | u_int32_t version; |
---|
| 38 | char *path; |
---|
| 39 | char *hostname; |
---|
| 40 | u_int32_t ip_number; |
---|
| 41 | }; |
---|
| 42 | #endif |
---|
| 43 | |
---|
| 44 | struct jail { |
---|
| 45 | uint32_t version; |
---|
| 46 | char *path; |
---|
| 47 | char *hostname; |
---|
| 48 | char *jailname; |
---|
| 49 | uint32_t ip4s; |
---|
| 50 | uint32_t ip6s; |
---|
| 51 | struct in_addr *ip4; |
---|
| 52 | struct in6_addr *ip6; |
---|
| 53 | }; |
---|
| 54 | #define JAIL_API_VERSION 2 |
---|
| 55 | |
---|
| 56 | /* |
---|
| 57 | * For all xprison structs, always keep the pr_version an int and |
---|
| 58 | * the first variable so userspace can easily distinguish them. |
---|
| 59 | */ |
---|
| 60 | #ifndef _KERNEL |
---|
| 61 | struct xprison_v1 { |
---|
| 62 | int pr_version; |
---|
| 63 | int pr_id; |
---|
| 64 | char pr_path[MAXPATHLEN]; |
---|
| 65 | char pr_host[MAXHOSTNAMELEN]; |
---|
| 66 | u_int32_t pr_ip; |
---|
| 67 | }; |
---|
| 68 | #endif |
---|
| 69 | |
---|
| 70 | struct xprison { |
---|
| 71 | int pr_version; |
---|
| 72 | int pr_id; |
---|
| 73 | int pr_state; |
---|
| 74 | cpusetid_t pr_cpusetid; |
---|
| 75 | char pr_path[MAXPATHLEN]; |
---|
| 76 | char pr_host[MAXHOSTNAMELEN]; |
---|
| 77 | char pr_name[MAXHOSTNAMELEN]; |
---|
| 78 | uint32_t pr_ip4s; |
---|
| 79 | uint32_t pr_ip6s; |
---|
| 80 | #if 0 |
---|
| 81 | /* |
---|
| 82 | * sizeof(xprison) will be malloced + size needed for all |
---|
| 83 | * IPv4 and IPv6 addesses. Offsets are based numbers of addresses. |
---|
| 84 | */ |
---|
| 85 | struct in_addr pr_ip4[]; |
---|
| 86 | struct in6_addr pr_ip6[]; |
---|
| 87 | #endif |
---|
| 88 | }; |
---|
| 89 | #define XPRISON_VERSION 3 |
---|
| 90 | |
---|
| 91 | #define PRISON_STATE_INVALID 0 |
---|
| 92 | #define PRISON_STATE_ALIVE 1 |
---|
| 93 | #define PRISON_STATE_DYING 2 |
---|
| 94 | |
---|
| 95 | /* |
---|
| 96 | * Flags for jail_set and jail_get. |
---|
| 97 | */ |
---|
| 98 | #define JAIL_CREATE 0x01 /* Create jail if it doesn't exist */ |
---|
| 99 | #define JAIL_UPDATE 0x02 /* Update parameters of existing jail */ |
---|
| 100 | #define JAIL_ATTACH 0x04 /* Attach to jail upon creation */ |
---|
| 101 | #define JAIL_DYING 0x08 /* Allow getting a dying jail */ |
---|
| 102 | #define JAIL_SET_MASK 0x0f |
---|
| 103 | #define JAIL_GET_MASK 0x08 |
---|
| 104 | |
---|
| 105 | #define JAIL_SYS_DISABLE 0 |
---|
| 106 | #define JAIL_SYS_NEW 1 |
---|
| 107 | #define JAIL_SYS_INHERIT 2 |
---|
| 108 | |
---|
| 109 | #ifndef _KERNEL |
---|
| 110 | |
---|
| 111 | struct iovec; |
---|
| 112 | |
---|
| 113 | int jail(struct jail *); |
---|
| 114 | int jail_set(struct iovec *, unsigned int, int); |
---|
| 115 | int jail_get(struct iovec *, unsigned int, int); |
---|
| 116 | int jail_attach(int); |
---|
| 117 | int jail_remove(int); |
---|
| 118 | |
---|
| 119 | #else /* _KERNEL */ |
---|
| 120 | |
---|
[e599318] | 121 | #include <sys/queue.h> |
---|
| 122 | #include <sys/sysctl.h> |
---|
[3c967ca] | 123 | #include <sys/lock.h> |
---|
[e599318] | 124 | #include <sys/mutex.h> |
---|
| 125 | #include <sys/_task.h> |
---|
[a9153ec] | 126 | |
---|
| 127 | #define JAIL_MAX 999999 |
---|
| 128 | |
---|
| 129 | #ifdef MALLOC_DECLARE |
---|
| 130 | MALLOC_DECLARE(M_PRISON); |
---|
| 131 | #endif |
---|
| 132 | #endif /* _KERNEL */ |
---|
| 133 | |
---|
| 134 | #if defined(_KERNEL) || defined(_WANT_PRISON) |
---|
| 135 | |
---|
[e599318] | 136 | #include <sys/osd.h> |
---|
[a9153ec] | 137 | |
---|
| 138 | #define HOSTUUIDLEN 64 |
---|
[c40e45b] | 139 | #define OSRELEASELEN 32 |
---|
[a9153ec] | 140 | |
---|
[66659ff] | 141 | struct racct; |
---|
| 142 | struct prison_racct; |
---|
| 143 | |
---|
[a9153ec] | 144 | /* |
---|
| 145 | * This structure describes a prison. It is pointed to by all struct |
---|
| 146 | * ucreds's of the inmates. pr_ref keeps track of them and is used to |
---|
| 147 | * delete the struture when the last inmate is dead. |
---|
| 148 | * |
---|
| 149 | * Lock key: |
---|
| 150 | * (a) allprison_lock |
---|
| 151 | * (p) locked by pr_mtx |
---|
| 152 | * (c) set only during creation before the structure is shared, no mutex |
---|
| 153 | * required to read |
---|
| 154 | */ |
---|
| 155 | struct prison { |
---|
| 156 | TAILQ_ENTRY(prison) pr_list; /* (a) all prisons */ |
---|
| 157 | int pr_id; /* (c) prison id */ |
---|
| 158 | int pr_ref; /* (p) refcount */ |
---|
| 159 | int pr_uref; /* (p) user (alive) refcount */ |
---|
| 160 | unsigned pr_flags; /* (p) PR_* flags */ |
---|
| 161 | LIST_HEAD(, prison) pr_children; /* (a) list of child jails */ |
---|
| 162 | LIST_ENTRY(prison) pr_sibling; /* (a) next in parent's list */ |
---|
| 163 | struct prison *pr_parent; /* (c) containing jail */ |
---|
| 164 | struct mtx pr_mtx; |
---|
[c40e45b] | 165 | struct task pr_task; /* (c) destroy task */ |
---|
[a9153ec] | 166 | struct osd pr_osd; /* (p) additional data */ |
---|
| 167 | struct cpuset *pr_cpuset; /* (p) cpuset */ |
---|
| 168 | struct vnet *pr_vnet; /* (c) network stack */ |
---|
| 169 | struct vnode *pr_root; /* (c) vnode to rdir */ |
---|
| 170 | int pr_ip4s; /* (p) number of v4 IPs */ |
---|
| 171 | int pr_ip6s; /* (p) number of v6 IPs */ |
---|
| 172 | struct in_addr *pr_ip4; /* (p) v4 IPs of jail */ |
---|
| 173 | struct in6_addr *pr_ip6; /* (p) v6 IPs of jail */ |
---|
[66659ff] | 174 | struct prison_racct *pr_prison_racct; /* (c) racct jail proxy */ |
---|
| 175 | void *pr_sparep[3]; |
---|
[a9153ec] | 176 | int pr_childcount; /* (a) number of child jails */ |
---|
| 177 | int pr_childmax; /* (p) maximum child jails */ |
---|
| 178 | unsigned pr_allow; /* (p) PR_ALLOW_* flags */ |
---|
| 179 | int pr_securelevel; /* (p) securelevel */ |
---|
| 180 | int pr_enforce_statfs; /* (p) statfs permission */ |
---|
[66659ff] | 181 | int pr_devfs_rsnum; /* (p) devfs ruleset */ |
---|
[c40e45b] | 182 | int pr_spare[3]; |
---|
| 183 | int pr_osreldate; /* (c) kern.osreldate value */ |
---|
[a9153ec] | 184 | unsigned long pr_hostid; /* (p) jail hostid */ |
---|
| 185 | char pr_name[MAXHOSTNAMELEN]; /* (p) admin jail name */ |
---|
| 186 | char pr_path[MAXPATHLEN]; /* (c) chroot path */ |
---|
| 187 | char pr_hostname[MAXHOSTNAMELEN]; /* (p) jail hostname */ |
---|
| 188 | char pr_domainname[MAXHOSTNAMELEN]; /* (p) jail domainname */ |
---|
| 189 | char pr_hostuuid[HOSTUUIDLEN]; /* (p) jail hostuuid */ |
---|
[c40e45b] | 190 | char pr_osrelease[OSRELEASELEN]; /* (c) kern.osrelease value */ |
---|
[a9153ec] | 191 | }; |
---|
[66659ff] | 192 | |
---|
| 193 | struct prison_racct { |
---|
| 194 | LIST_ENTRY(prison_racct) prr_next; |
---|
| 195 | char prr_name[MAXHOSTNAMELEN]; |
---|
| 196 | u_int prr_refcount; |
---|
| 197 | struct racct *prr_racct; |
---|
| 198 | }; |
---|
[a9153ec] | 199 | #endif /* _KERNEL || _WANT_PRISON */ |
---|
| 200 | |
---|
| 201 | #ifdef _KERNEL |
---|
| 202 | /* Flag bits set via options */ |
---|
| 203 | #define PR_PERSIST 0x00000001 /* Can exist without processes */ |
---|
| 204 | #define PR_HOST 0x00000002 /* Virtualize hostname et al */ |
---|
| 205 | #define PR_IP4_USER 0x00000004 /* Restrict IPv4 addresses */ |
---|
| 206 | #define PR_IP6_USER 0x00000008 /* Restrict IPv6 addresses */ |
---|
| 207 | #define PR_VNET 0x00000010 /* Virtual network stack */ |
---|
| 208 | #define PR_IP4_SADDRSEL 0x00000080 /* Do IPv4 src addr sel. or use the */ |
---|
| 209 | /* primary jail address. */ |
---|
| 210 | #define PR_IP6_SADDRSEL 0x00000100 /* Do IPv6 src addr sel. or use the */ |
---|
| 211 | /* primary jail address. */ |
---|
| 212 | |
---|
| 213 | /* Internal flag bits */ |
---|
| 214 | #define PR_IP4 0x02000000 /* IPv4 restricted or disabled */ |
---|
| 215 | /* by this jail or an ancestor */ |
---|
| 216 | #define PR_IP6 0x04000000 /* IPv6 restricted or disabled */ |
---|
| 217 | /* by this jail or an ancestor */ |
---|
| 218 | |
---|
[bcdce02] | 219 | /* |
---|
| 220 | * Flags for pr_allow |
---|
| 221 | * Bits not noted here may be used for dynamic allow.mount.xxxfs. |
---|
| 222 | */ |
---|
[c37f9fb] | 223 | #define PR_ALLOW_SET_HOSTNAME 0x00000001 |
---|
| 224 | #define PR_ALLOW_SYSVIPC 0x00000002 |
---|
| 225 | #define PR_ALLOW_RAW_SOCKETS 0x00000004 |
---|
| 226 | #define PR_ALLOW_CHFLAGS 0x00000008 |
---|
| 227 | #define PR_ALLOW_MOUNT 0x00000010 |
---|
| 228 | #define PR_ALLOW_QUOTAS 0x00000020 |
---|
| 229 | #define PR_ALLOW_SOCKET_AF 0x00000040 |
---|
[3489e3b] | 230 | #define PR_ALLOW_MLOCK 0x00000080 |
---|
[b3169c2] | 231 | #define PR_ALLOW_READ_MSGBUF 0x00000100 |
---|
[2b2563d] | 232 | #define PR_ALLOW_UNPRIV_DEBUG 0x00000200 |
---|
[c37f9fb] | 233 | #define PR_ALLOW_RESERVED_PORTS 0x00008000 |
---|
| 234 | #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ |
---|
[2b2563d] | 235 | #define PR_ALLOW_ALL_STATIC 0x000183ff |
---|
| 236 | |
---|
| 237 | /* |
---|
| 238 | * PR_ALLOW_DIFFERENCES determines which flags are able to be |
---|
| 239 | * different between the parent and child jail upon creation. |
---|
| 240 | */ |
---|
| 241 | #define PR_ALLOW_DIFFERENCES (PR_ALLOW_UNPRIV_DEBUG) |
---|
[a9153ec] | 242 | |
---|
| 243 | /* |
---|
| 244 | * OSD methods |
---|
| 245 | */ |
---|
| 246 | #define PR_METHOD_CREATE 0 |
---|
| 247 | #define PR_METHOD_GET 1 |
---|
| 248 | #define PR_METHOD_SET 2 |
---|
| 249 | #define PR_METHOD_CHECK 3 |
---|
| 250 | #define PR_METHOD_ATTACH 4 |
---|
[c40e45b] | 251 | #define PR_METHOD_REMOVE 5 |
---|
| 252 | #define PR_MAXMETHOD 6 |
---|
[a9153ec] | 253 | |
---|
| 254 | /* |
---|
| 255 | * Lock/unlock a prison. |
---|
| 256 | * XXX These exist not so much for general convenience, but to be useable in |
---|
| 257 | * the FOREACH_PRISON_DESCENDANT_LOCKED macro which can't handle them in |
---|
| 258 | * non-function form as currently defined. |
---|
| 259 | */ |
---|
| 260 | static __inline void |
---|
| 261 | prison_lock(struct prison *pr) |
---|
| 262 | { |
---|
| 263 | |
---|
| 264 | mtx_lock(&pr->pr_mtx); |
---|
| 265 | } |
---|
| 266 | |
---|
| 267 | static __inline void |
---|
| 268 | prison_unlock(struct prison *pr) |
---|
| 269 | { |
---|
| 270 | |
---|
| 271 | mtx_unlock(&pr->pr_mtx); |
---|
| 272 | } |
---|
| 273 | |
---|
| 274 | /* Traverse a prison's immediate children. */ |
---|
| 275 | #define FOREACH_PRISON_CHILD(ppr, cpr) \ |
---|
| 276 | LIST_FOREACH(cpr, &(ppr)->pr_children, pr_sibling) |
---|
| 277 | |
---|
| 278 | /* |
---|
| 279 | * Preorder traversal of all of a prison's descendants. |
---|
| 280 | * This ugly loop allows the macro to be followed by a single block |
---|
| 281 | * as expected in a looping primitive. |
---|
| 282 | */ |
---|
| 283 | #define FOREACH_PRISON_DESCENDANT(ppr, cpr, descend) \ |
---|
| 284 | for ((cpr) = (ppr), (descend) = 1; \ |
---|
| 285 | ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children)) \ |
---|
| 286 | ? LIST_FIRST(&(cpr)->pr_children) \ |
---|
| 287 | : ((cpr) == (ppr) \ |
---|
| 288 | ? NULL \ |
---|
| 289 | : (((descend) = LIST_NEXT(cpr, pr_sibling) != NULL) \ |
---|
| 290 | ? LIST_NEXT(cpr, pr_sibling) \ |
---|
| 291 | : (cpr)->pr_parent))));) \ |
---|
| 292 | if (!(descend)) \ |
---|
| 293 | ; \ |
---|
| 294 | else |
---|
| 295 | |
---|
| 296 | /* |
---|
| 297 | * As above, but lock descendants on the way down and unlock on the way up. |
---|
| 298 | */ |
---|
| 299 | #define FOREACH_PRISON_DESCENDANT_LOCKED(ppr, cpr, descend) \ |
---|
| 300 | for ((cpr) = (ppr), (descend) = 1; \ |
---|
| 301 | ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children)) \ |
---|
| 302 | ? LIST_FIRST(&(cpr)->pr_children) \ |
---|
| 303 | : ((cpr) == (ppr) \ |
---|
| 304 | ? NULL \ |
---|
| 305 | : ((prison_unlock(cpr), \ |
---|
| 306 | (descend) = LIST_NEXT(cpr, pr_sibling) != NULL) \ |
---|
| 307 | ? LIST_NEXT(cpr, pr_sibling) \ |
---|
| 308 | : (cpr)->pr_parent))));) \ |
---|
| 309 | if ((descend) ? (prison_lock(cpr), 0) : 1) \ |
---|
| 310 | ; \ |
---|
| 311 | else |
---|
| 312 | |
---|
| 313 | /* |
---|
| 314 | * As above, but also keep track of the level descended to. |
---|
| 315 | */ |
---|
| 316 | #define FOREACH_PRISON_DESCENDANT_LOCKED_LEVEL(ppr, cpr, descend, level)\ |
---|
| 317 | for ((cpr) = (ppr), (descend) = 1, (level) = 0; \ |
---|
| 318 | ((cpr) = (((descend) && !LIST_EMPTY(&(cpr)->pr_children)) \ |
---|
| 319 | ? (level++, LIST_FIRST(&(cpr)->pr_children)) \ |
---|
| 320 | : ((cpr) == (ppr) \ |
---|
| 321 | ? NULL \ |
---|
| 322 | : ((prison_unlock(cpr), \ |
---|
| 323 | (descend) = LIST_NEXT(cpr, pr_sibling) != NULL) \ |
---|
| 324 | ? LIST_NEXT(cpr, pr_sibling) \ |
---|
| 325 | : (level--, (cpr)->pr_parent)))));) \ |
---|
| 326 | if ((descend) ? (prison_lock(cpr), 0) : 1) \ |
---|
| 327 | ; \ |
---|
| 328 | else |
---|
| 329 | |
---|
| 330 | /* |
---|
| 331 | * Attributes of the physical system, and the root of the jail tree. |
---|
| 332 | */ |
---|
| 333 | extern struct prison prison0; |
---|
| 334 | |
---|
| 335 | TAILQ_HEAD(prisonlist, prison); |
---|
| 336 | extern struct prisonlist allprison; |
---|
| 337 | extern struct sx allprison_lock; |
---|
| 338 | |
---|
| 339 | /* |
---|
| 340 | * Sysctls to describe jail parameters. |
---|
| 341 | */ |
---|
| 342 | SYSCTL_DECL(_security_jail_param); |
---|
| 343 | |
---|
| 344 | #define SYSCTL_JAIL_PARAM(module, param, type, fmt, descr) \ |
---|
| 345 | SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param, \ |
---|
| 346 | (type) | CTLFLAG_MPSAFE, NULL, 0, sysctl_jail_param, fmt, descr) |
---|
| 347 | #define SYSCTL_JAIL_PARAM_STRING(module, param, access, len, descr) \ |
---|
| 348 | SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param, \ |
---|
| 349 | CTLTYPE_STRING | CTLFLAG_MPSAFE | (access), NULL, len, \ |
---|
| 350 | sysctl_jail_param, "A", descr) |
---|
| 351 | #define SYSCTL_JAIL_PARAM_STRUCT(module, param, access, len, fmt, descr)\ |
---|
| 352 | SYSCTL_PROC(_security_jail_param ## module, OID_AUTO, param, \ |
---|
| 353 | CTLTYPE_STRUCT | CTLFLAG_MPSAFE | (access), NULL, len, \ |
---|
| 354 | sysctl_jail_param, fmt, descr) |
---|
| 355 | #define SYSCTL_JAIL_PARAM_NODE(module, descr) \ |
---|
| 356 | SYSCTL_NODE(_security_jail_param, OID_AUTO, module, 0, 0, descr) |
---|
[66659ff] | 357 | #define SYSCTL_JAIL_PARAM_SUBNODE(parent, module, descr) \ |
---|
| 358 | SYSCTL_NODE(_security_jail_param_##parent, OID_AUTO, module, 0, 0, descr) |
---|
[a9153ec] | 359 | #define SYSCTL_JAIL_PARAM_SYS_NODE(module, access, descr) \ |
---|
| 360 | SYSCTL_JAIL_PARAM_NODE(module, descr); \ |
---|
| 361 | SYSCTL_JAIL_PARAM(_##module, , CTLTYPE_INT | (access), "E,jailsys", \ |
---|
| 362 | descr) |
---|
| 363 | |
---|
| 364 | /* |
---|
| 365 | * Kernel support functions for jail(). |
---|
| 366 | */ |
---|
| 367 | struct ucred; |
---|
| 368 | struct mount; |
---|
| 369 | struct sockaddr; |
---|
| 370 | struct statfs; |
---|
[bcdce02] | 371 | struct vfsconf; |
---|
[36e8ad4] | 372 | #ifndef __rtems__ |
---|
[a9153ec] | 373 | int jailed(struct ucred *cred); |
---|
[36e8ad4] | 374 | #else /* __rtems__ */ |
---|
| 375 | static inline int |
---|
| 376 | jailed(struct ucred *cred) |
---|
| 377 | { |
---|
| 378 | |
---|
| 379 | (void)cred; |
---|
| 380 | return (0); |
---|
| 381 | } |
---|
| 382 | #endif /* __rtems__ */ |
---|
| 383 | #ifndef __rtems__ |
---|
[a9153ec] | 384 | int jailed_without_vnet(struct ucred *); |
---|
[36e8ad4] | 385 | #else /* __rtems__ */ |
---|
| 386 | static inline int |
---|
| 387 | jailed_without_vnet(struct ucred *cred) |
---|
| 388 | { |
---|
| 389 | |
---|
| 390 | (void)cred; |
---|
| 391 | return (0); |
---|
| 392 | } |
---|
| 393 | #endif /* __rtems__ */ |
---|
[a9153ec] | 394 | void getcredhostname(struct ucred *, char *, size_t); |
---|
| 395 | void getcreddomainname(struct ucred *, char *, size_t); |
---|
| 396 | void getcredhostuuid(struct ucred *, char *, size_t); |
---|
[36e8ad4] | 397 | #ifndef __rtems__ |
---|
[a9153ec] | 398 | void getcredhostid(struct ucred *, unsigned long *); |
---|
[36e8ad4] | 399 | #else /* __rtems__ */ |
---|
| 400 | static inline void |
---|
| 401 | getcredhostid(struct ucred *cred, unsigned long *hostid) |
---|
| 402 | { |
---|
| 403 | |
---|
| 404 | (void)cred; |
---|
| 405 | *hostid = 0; |
---|
| 406 | } |
---|
| 407 | #endif /* __rtems__ */ |
---|
[c40e45b] | 408 | void prison0_init(void); |
---|
[a9153ec] | 409 | int prison_allow(struct ucred *, unsigned); |
---|
[36e8ad4] | 410 | #ifndef __rtems__ |
---|
[a9153ec] | 411 | int prison_check(struct ucred *cred1, struct ucred *cred2); |
---|
[36e8ad4] | 412 | #else /* __rtems__ */ |
---|
| 413 | static inline int |
---|
| 414 | prison_check(struct ucred *cred1, struct ucred *cred2) |
---|
| 415 | { |
---|
| 416 | |
---|
| 417 | (void)cred1; |
---|
| 418 | (void)cred2; |
---|
| 419 | return (0); |
---|
| 420 | } |
---|
| 421 | #endif /* __rtems__ */ |
---|
[a9153ec] | 422 | int prison_owns_vnet(struct ucred *); |
---|
| 423 | int prison_canseemount(struct ucred *cred, struct mount *mp); |
---|
| 424 | void prison_enforce_statfs(struct ucred *cred, struct mount *mp, |
---|
| 425 | struct statfs *sp); |
---|
| 426 | struct prison *prison_find(int prid); |
---|
| 427 | struct prison *prison_find_child(struct prison *, int); |
---|
| 428 | struct prison *prison_find_name(struct prison *, const char *); |
---|
[36e8ad4] | 429 | #ifndef __rtems__ |
---|
[a9153ec] | 430 | int prison_flag(struct ucred *, unsigned); |
---|
[36e8ad4] | 431 | #else /* __rtems__ */ |
---|
| 432 | static inline int |
---|
| 433 | prison_flag(struct ucred *cred, unsigned flag) |
---|
| 434 | { |
---|
| 435 | |
---|
| 436 | (void)cred; |
---|
| 437 | return (prison0.pr_flags & flag); |
---|
| 438 | } |
---|
| 439 | #endif /* __rtems__ */ |
---|
| 440 | #ifndef __rtems__ |
---|
[a9153ec] | 441 | void prison_free(struct prison *pr); |
---|
[36e8ad4] | 442 | #else /* __rtems__ */ |
---|
| 443 | static inline void |
---|
| 444 | prison_free(struct prison *pr) |
---|
| 445 | { |
---|
| 446 | |
---|
| 447 | (void)pr; |
---|
| 448 | } |
---|
| 449 | #endif /* __rtems__ */ |
---|
[a9153ec] | 450 | void prison_free_locked(struct prison *pr); |
---|
[36e8ad4] | 451 | #ifndef __rtems__ |
---|
[a9153ec] | 452 | void prison_hold(struct prison *pr); |
---|
[36e8ad4] | 453 | #else /* __rtems__ */ |
---|
| 454 | static inline void |
---|
| 455 | prison_hold(struct prison *pr) |
---|
| 456 | { |
---|
| 457 | |
---|
| 458 | (void)pr; |
---|
| 459 | } |
---|
| 460 | #endif /* __rtems__ */ |
---|
[a9153ec] | 461 | void prison_hold_locked(struct prison *pr); |
---|
| 462 | void prison_proc_hold(struct prison *); |
---|
| 463 | void prison_proc_free(struct prison *); |
---|
| 464 | int prison_ischild(struct prison *, struct prison *); |
---|
[69b29a0] | 465 | #ifndef __rtems__ |
---|
[a9153ec] | 466 | int prison_equal_ip4(struct prison *, struct prison *); |
---|
[69b29a0] | 467 | #else /* __rtems__ */ |
---|
| 468 | #define prison_equal_ip4(p1, p2) 1 |
---|
| 469 | #endif /* __rtems__ */ |
---|
[36e8ad4] | 470 | #ifndef __rtems__ |
---|
[a9153ec] | 471 | int prison_get_ip4(struct ucred *cred, struct in_addr *ia); |
---|
[36e8ad4] | 472 | #else /* __rtems__ */ |
---|
| 473 | static inline int |
---|
| 474 | prison_get_ip4(struct ucred *cred, struct in_addr *ia) |
---|
| 475 | { |
---|
| 476 | |
---|
| 477 | (void)cred; |
---|
| 478 | (void)ia; |
---|
| 479 | return (EAFNOSUPPORT); |
---|
| 480 | } |
---|
| 481 | #endif /* __rtems__ */ |
---|
| 482 | #ifndef __rtems__ |
---|
[a9153ec] | 483 | int prison_local_ip4(struct ucred *cred, struct in_addr *ia); |
---|
[36e8ad4] | 484 | #else /* __rtems__ */ |
---|
| 485 | static inline int |
---|
| 486 | prison_local_ip4(struct ucred *cred, struct in_addr *ia) |
---|
| 487 | { |
---|
| 488 | |
---|
| 489 | (void)cred; |
---|
| 490 | (void)ia; |
---|
| 491 | return (0); |
---|
| 492 | } |
---|
| 493 | #endif /* __rtems__ */ |
---|
| 494 | #ifndef __rtems__ |
---|
[a9153ec] | 495 | int prison_remote_ip4(struct ucred *cred, struct in_addr *ia); |
---|
[36e8ad4] | 496 | #else /* __rtems__ */ |
---|
| 497 | static inline int |
---|
| 498 | prison_remote_ip4(struct ucred *cred, struct in_addr *ia) |
---|
| 499 | { |
---|
| 500 | |
---|
| 501 | (void)cred; |
---|
| 502 | (void)ia; |
---|
| 503 | return (0); |
---|
| 504 | } |
---|
| 505 | #endif /* __rtems__ */ |
---|
| 506 | #ifndef __rtems__ |
---|
[c40e45b] | 507 | int prison_check_ip4(const struct ucred *, const struct in_addr *); |
---|
[36e8ad4] | 508 | #else /* __rtems__ */ |
---|
| 509 | static inline int |
---|
| 510 | prison_check_ip4(const struct ucred *cred, const struct in_addr *ia) |
---|
| 511 | { |
---|
| 512 | |
---|
| 513 | (void)cred; |
---|
| 514 | (void)ia; |
---|
| 515 | return (0); |
---|
| 516 | } |
---|
| 517 | #endif /* __rtems__ */ |
---|
[c40e45b] | 518 | int prison_check_ip4_locked(const struct prison *, const struct in_addr *); |
---|
[36e8ad4] | 519 | #ifndef __rtems__ |
---|
[a9153ec] | 520 | int prison_saddrsel_ip4(struct ucred *, struct in_addr *); |
---|
[36e8ad4] | 521 | #else /* __rtems__ */ |
---|
| 522 | static inline int |
---|
| 523 | prison_saddrsel_ip4(struct ucred *cred, struct in_addr *ia) |
---|
| 524 | { |
---|
| 525 | |
---|
| 526 | (void)cred; |
---|
| 527 | (void)ia; |
---|
| 528 | return (1); |
---|
| 529 | } |
---|
| 530 | #endif /* __rtems__ */ |
---|
[c40e45b] | 531 | int prison_restrict_ip4(struct prison *, struct in_addr *); |
---|
| 532 | int prison_qcmp_v4(const void *, const void *); |
---|
[a9153ec] | 533 | #ifdef INET6 |
---|
[69b29a0] | 534 | #ifndef __rtems__ |
---|
[a9153ec] | 535 | int prison_equal_ip6(struct prison *, struct prison *); |
---|
[69b29a0] | 536 | #else /* __rtems__ */ |
---|
| 537 | #define prison_equal_ip6(p1, p2) 1 |
---|
| 538 | #endif /* __rtems__ */ |
---|
[36e8ad4] | 539 | #ifndef __rtems__ |
---|
[a9153ec] | 540 | int prison_get_ip6(struct ucred *, struct in6_addr *); |
---|
[36e8ad4] | 541 | #else /* __rtems__ */ |
---|
| 542 | static inline int |
---|
| 543 | prison_get_ip6(struct ucred *cred, struct in6_addr *ia6) |
---|
| 544 | { |
---|
| 545 | |
---|
| 546 | (void)cred; |
---|
| 547 | (void)ia6; |
---|
| 548 | return (EAFNOSUPPORT); |
---|
| 549 | } |
---|
| 550 | #endif /* __rtems__ */ |
---|
| 551 | #ifndef __rtems__ |
---|
[a9153ec] | 552 | int prison_local_ip6(struct ucred *, struct in6_addr *, int); |
---|
[36e8ad4] | 553 | #else /* __rtems__ */ |
---|
| 554 | static inline int |
---|
| 555 | prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only) |
---|
| 556 | { |
---|
| 557 | |
---|
| 558 | (void)cred; |
---|
| 559 | (void)ia6; |
---|
| 560 | (void)v6only; |
---|
| 561 | return (0); |
---|
| 562 | } |
---|
| 563 | #endif /* __rtems__ */ |
---|
| 564 | #ifndef __rtems__ |
---|
[a9153ec] | 565 | int prison_remote_ip6(struct ucred *, struct in6_addr *); |
---|
[36e8ad4] | 566 | #else /* __rtems__ */ |
---|
| 567 | static inline int |
---|
| 568 | prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6) |
---|
| 569 | { |
---|
| 570 | |
---|
| 571 | (void)cred; |
---|
| 572 | (void)ia6; |
---|
| 573 | return (0); |
---|
| 574 | } |
---|
| 575 | #endif /* __rtems__ */ |
---|
| 576 | #ifndef __rtems__ |
---|
[c40e45b] | 577 | int prison_check_ip6(const struct ucred *, const struct in6_addr *); |
---|
[36e8ad4] | 578 | #else /* __rtems__ */ |
---|
| 579 | static inline int |
---|
| 580 | prison_check_ip6(const struct ucred *cred, const struct in6_addr *ia6) |
---|
| 581 | { |
---|
| 582 | |
---|
| 583 | (void)cred; |
---|
| 584 | (void)ia6; |
---|
| 585 | return (0); |
---|
| 586 | } |
---|
| 587 | #endif /* __rtems__ */ |
---|
[c40e45b] | 588 | int prison_check_ip6_locked(const struct prison *, const struct in6_addr *); |
---|
[36e8ad4] | 589 | #ifndef __rtems__ |
---|
[a9153ec] | 590 | int prison_saddrsel_ip6(struct ucred *, struct in6_addr *); |
---|
[36e8ad4] | 591 | #else /* __rtems__ */ |
---|
| 592 | static inline int |
---|
| 593 | prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6) |
---|
| 594 | { |
---|
| 595 | |
---|
| 596 | (void)cred; |
---|
| 597 | (void)ia6; |
---|
| 598 | return (EAFNOSUPPORT); |
---|
| 599 | } |
---|
| 600 | #endif /* __rtems__ */ |
---|
[c40e45b] | 601 | int prison_restrict_ip6(struct prison *, struct in6_addr *); |
---|
| 602 | int prison_qcmp_v6(const void *, const void *); |
---|
[a9153ec] | 603 | #endif |
---|
[36e8ad4] | 604 | #ifndef __rtems__ |
---|
[a9153ec] | 605 | int prison_check_af(struct ucred *cred, int af); |
---|
[36e8ad4] | 606 | #else /* __rtems__ */ |
---|
| 607 | static inline int |
---|
| 608 | prison_check_af(struct ucred *cred, int af) |
---|
| 609 | { |
---|
| 610 | |
---|
| 611 | (void)cred; |
---|
| 612 | (void)af; |
---|
| 613 | return (0); |
---|
| 614 | } |
---|
| 615 | #endif /* __rtems__ */ |
---|
| 616 | #ifndef __rtems__ |
---|
[a9153ec] | 617 | int prison_if(struct ucred *cred, struct sockaddr *sa); |
---|
[36e8ad4] | 618 | #else /* __rtems__ */ |
---|
| 619 | static inline int |
---|
| 620 | prison_if(struct ucred *cred, struct sockaddr *sa) |
---|
| 621 | { |
---|
| 622 | |
---|
| 623 | (void)cred; |
---|
| 624 | (void)sa; |
---|
| 625 | return (0); |
---|
| 626 | } |
---|
| 627 | #endif /* __rtems__ */ |
---|
[a9153ec] | 628 | char *prison_name(struct prison *, struct prison *); |
---|
| 629 | int prison_priv_check(struct ucred *cred, int priv); |
---|
[66659ff] | 630 | int sysctl_jail_param(SYSCTL_HANDLER_ARGS); |
---|
[3489e3b] | 631 | unsigned prison_add_allow(const char *prefix, const char *name, |
---|
| 632 | const char *prefix_descr, const char *descr); |
---|
[bcdce02] | 633 | void prison_add_vfs(struct vfsconf *vfsp); |
---|
[66659ff] | 634 | void prison_racct_foreach(void (*callback)(struct racct *racct, |
---|
[c40e45b] | 635 | void *arg2, void *arg3), void (*pre)(void), void (*post)(void), |
---|
| 636 | void *arg2, void *arg3); |
---|
[66659ff] | 637 | struct prison_racct *prison_racct_find(const char *name); |
---|
| 638 | void prison_racct_hold(struct prison_racct *prr); |
---|
| 639 | void prison_racct_free(struct prison_racct *prr); |
---|
[a9153ec] | 640 | |
---|
| 641 | #endif /* _KERNEL */ |
---|
[e599318] | 642 | #endif /* !_SYS_JAIL_H_ */ |
---|