upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

This Implements the mumbled about "Jail" feature.

Browse source 
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
This commit is contained in:
Poul-Henning Kamp 1999-04-28 11:38:52 +00:00
parent 02daf150a4
commit 75c1354190
64 changed files with 710 additions and 157 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bin/ps/print.c
View file

@ -36,7 +36,7 @@
static char sccsid[] = "@(#)print.c 8.6 (Berkeley) 4/16/94";
#endif
static const char rcsid[] =
"$Id: print.c,v 1.33 1998/11/25 09:34:00 dfr Exp $";
"$Id: print.c,v 1.34 1999/04/06 03:17:57 peter Exp $";
#endif /* not lint */
#include <sys/param.h>
@ -222,6 +222,8 @@ state(k, ve)
*cp++ = 's';
if ((flag & P_CONTROLT) && KI_EPROC(k)->e_pgid == KI_EPROC(k)->e_tpgid)
*cp++ = '+';
if (flag & P_JAILED)
*cp++ = 'J';
*cp = '\0';
(void)printf("%-*s", v->width, buf);
}

7
bin/ps/ps.1
View file

@ -30,7 +30,7 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)ps.1 8.3 (Berkeley) 4/18/94
.\" $Id: ps.1,v 1.19 1998/06/04 07:02:59 jkoshy Exp $
.\" $Id: ps.1,v 1.20 1999/04/06 03:18:57 peter Exp $
.\"
.Dd April 18, 1994
.Dt PS 1
@ -243,6 +243,11 @@ The first letter indicates the run state of the process:
Marks a process in disk (or other short term, uninterruptible) wait.
.It I
Marks a process that is idle (sleeping for longer than about 20 seconds).
.It J
Marks a process which is in
.Xr jail 2 .
The hostname of the prison can be found in
.Ql Li /proc/<pid>/status .
.It R
Marks a runnable process.
.It S

4
lib/libc/sys/Makefile.inc
View file

@ -1,5 +1,5 @@
# @(#)Makefile.inc 8.3 (Berkeley) 10/24/94
# $Id: Makefile.inc,v 1.60 1999/04/05 07:38:07 bde Exp $
# $Id: Makefile.inc,v 1.61 1999/04/11 21:14:40 dt Exp $
# sys sources
.PATH: ${.CURDIR}/../libc/${MACHINE_ARCH}/sys ${.CURDIR}/../libc/sys
@ -82,7 +82,7 @@ MAN2+= _exit.2 accept.2 access.2 acct.2 adjtime.2 aio_read.2 \
getpeername.2 getpgrp.2 getpid.2 getpriority.2 getrlimit.2 \
getrusage.2 getsid.2 getsockname.2 \
getsockopt.2 gettimeofday.2 getuid.2 \
intro.2 ioctl.2 issetugid.2 kill.2 \
intro.2 ioctl.2 issetugid.2 jail.2 kill.2 \
kldfind.2 kldfirstmod.2 kldload.2 kldnext.2 kldstat.2 kldunload.2 \
ktrace.2 link.2 listen.2 lseek.2 \
madvise.2 mincore.2 minherit.2 mkdir.2 mkfifo.2 mknod.2 mlock.2 mmap.2 \

87
lib/libc/sys/jail.2 Normal file
View file

@ -0,0 +1,87 @@
.\"
.\"----------------------------------------------------------------------------
.\""THE BEER-WARE LICENSE" (Revision 42):
.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
.\"can do whatever you want with this stuff. If we meet some day, and you think
.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
.\"----------------------------------------------------------------------------
.\"
.\"$Id: malloc.c,v 1.44 1999/03/28 14:16:05 phk Exp $
.\"
.\"
.Dd April 28, 1999
.Dt JAIL 2
.Os FreeBSD 4.0
.Sh NAME
.Nm jail
.Nd Imprison current process and future decendants.
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <sys/jail.h>
.Ft int
.Fn jail "struct *jail"
.Sh DESCRIPTION
The
.Nm
system call sets up a jail and locks the current process in it.
.Pp
The argument is a pointer to a structure describing the prison:
.Bd -literal -offset indent
struct jail {
char *path;
char *hostname;
u_int32_t ip_number;
};
.Ed
.Pp
The
.Dq Li path
pointer should be set to the directory which is to be the root of the
prison.
.Pp
The
.Dq Li hostname
pointer can be set the hostname of the prison. This can be changed
from the inside of the prison.
.Pp
The
.Dq Li ip_number
can be set to the IP number assigned to the prison.
.Sh PRISON ?
Once a process has been put in a prison, it and its decendants cannot escape
the prison. It is not possible to add a process to a preexisting prison.
.Pp
Inside the prison, the concept of "superuser" is very diluted, in general
it can be assumed that nothing can be mangled from inside a prison, that
doesn't exist inside that prison (ie: the directory tree below
.Dq Li path .
.Pp
All IP activity will be forced to happen to/from the IP number specified,
which should be an alias on one of the systems interfaces.
.Pp
It is possible to identify a process as jailed by examining
.Dq Li /proc/<pid>/status :
it will show a field near the end of the line, either as
a single hyphen for a process at large, or the hostname currently
set for the prison for jailed processes.
.Sh ERRORS
.Fn Jail
calls
.Xr chroot 2
internally, so the it can fail for all the same reasons.
Please consult the
.Xr chroot 2
manual page for details.
.Sh SEE ALSO
.Xr chroot 2
.Xr chdir 2
.Sh HISTORY
The
.Fn jail
function call appeared in
.Fx 4.0 .
.Pp
The jail feature was written by Poul-Henning Kamp for
R&D Associates
.Dq Li http://www.rndassociates.com/
who contributed it to FreeBSD.

55
share/man/man9/suser.9
View file

@ -31,7 +31,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: suser.9,v 1.4 1997/03/07 02:53:37 jmg Exp $
.\" $Id: suser.9,v 1.5 1998/01/16 18:06:23 bde Exp $
.\"
.Dd Oct 15, 1996
.Dt SUSER 9
@ -43,25 +43,60 @@
.Fd #include <sys/param.h>
.Fd #include <sys/ucred.h>
.Ft int
.Fn suser "struct ucred *cred, u_short *acflag"
.Fn suser "struct proc *proc"
.Ft int
.Fn suser_xxx "struct ucred *cred, struct proc *proc, int flags"
.Sh DESCRIPTION
The
.Nm
function checks if the credentials given include superuser powers.
and
.Nm suser_xxx
functions checks if the credentials given include superuser powers.
.Pp
The
.Nm
routine notes the fact that superuser powers have been used in the
word pointed to by the second argument which should be a pointer to
the p_acflags word of the proc structure. If the second argument is NULL
then the usage is not noted. Because part of it's function is to notice
function is the most common, and should be used unless special
circumstances dictate otherwise.
.Pp
The
.Nm suser_xxx
function should be used when the credentials to be checked are
not the process' own, when there is no process or when superuser
powers should be extended to prisoned roots.
.Pp
By default a process does not command superuser powers if it has
been imprisoned by the
.Xr jail 2
system call.
There are cases however where this is appropriate, and this can
be done by setting the
.Ql PRISON_ROOT
bit in the flags argument to the
.Nm suser_xxx
function. It is important to review carefully in each case that
this does not weaken the prison. Generally only where the action
is protected by the
.Xr chroot 2
implicit in
.Xr jail 2
call should such powers be granted.
.Pp
The
.Nm
and
.Nm suser_xxx
functions notes the fact that superuser powers have been used in the
process structure of the process specified.
Because part of its function is to notice
whether super powers have been used,
.Nm
should be called after other permission possibilities have been exhausted.
the functions should only be called after other permission
possibilities have been exhausted.
.Sh RETURN VALUES
The
.Nm
function returns 0 if the user has super powers and EPERM otherwise.
and
.Nm suser_xxx
functions returns 0 if the user has super powers and EPERM otherwise.
This is the
.Em reverse logic
of some other implementations of

1
sys/conf/files
View file

@ -275,6 +275,7 @@ kern/kern_environment.c standard
kern/kern_exec.c standard
kern/kern_exit.c standard
kern/kern_fork.c standard
kern/kern_jail.c standard
kern/kern_ktrace.c standard
kern/kern_lock.c standard
kern/kern_lockf.c standard

10
sys/fs/msdosfs/msdosfs_vnops.c
View file

@ -1,4 +1,4 @@
/* $Id: msdosfs_vnops.c,v 1.81 1999/01/27 22:42:09 dillon Exp $ */
/* $Id: msdosfs_vnops.c,v 1.82 1999/04/27 11:16:51 phk Exp $ */
/* $NetBSD: msdosfs_vnops.c,v 1.68 1998/02/10 14:10:04 mrg Exp $ */
/*-
@ -431,7 +431,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return (error);
/*
* We are very inconsistent about handling unsupported
@ -472,7 +472,7 @@ msdosfs_setattr(ap)
gid = pmp->pm_gid;
if ((cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
(gid != pmp->pm_gid && !groupmember(gid, cred))) &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return error;
if (uid != pmp->pm_uid || gid != pmp->pm_gid)
return EINVAL;
@ -504,7 +504,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)) &&
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)) &&
((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
(error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_p))))
return (error);
@ -527,7 +527,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return (error);
if (vp->v_type != VDIR) {
/* We ignore the read and execute bits. */

5
sys/fs/procfs/procfs.h
View file

@ -37,7 +37,7 @@
* @(#)procfs.h 8.9 (Berkeley) 5/14/95
*
* From:
* $Id: procfs.h,v 1.21 1999/01/05 03:53:06 peter Exp $
* $Id: procfs.h,v 1.22 1999/04/27 11:16:35 phk Exp $
*/
/*
@ -92,7 +92,8 @@ struct pfsnode {
* Evaluates to 1 if access is allowed.
*/
#define CHECKIO(p1, p2) \
((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
(PRISON_CHECK(p1, p2) && \
(((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
((p2)->p_flag & P_SUGID) == 0) || (suser((p1)) == 0))

8
sys/fs/procfs/procfs_status.c
View file

@ -37,12 +37,13 @@
* @(#)procfs_status.c 8.4 (Berkeley) 6/15/94
*
* From:
* $Id: procfs_status.c,v 1.11 1998/07/11 07:45:45 bde Exp $
* $Id: procfs_status.c,v 1.12 1999/01/05 03:53:06 peter Exp $
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc.h>
#include <sys/jail.h>
#include <sys/vnode.h>
#include <sys/tty.h>
#include <sys/resourcevar.h>
@ -134,6 +135,11 @@ procfs_dostatus(curp, p, pfs, uio)
for (i = 0; i < cr->cr_ngroups; i++)
ps += sprintf(ps, ",%lu", (u_long)cr->cr_groups[i]);
if (p->p_prison)
ps += sprintf(ps, " %s", p->p_prison->pr_host);
else
ps += sprintf(ps, " -");
ps += sprintf(ps, "\n");
xlen = ps - psbuf;

13
sys/fs/procfs/procfs_vnops.c
View file

@ -36,7 +36,7 @@
*
* @(#)procfs_vnops.c 8.18 (Berkeley) 5/21/95
*
* $Id: procfs_vnops.c,v 1.64 1999/01/27 22:42:07 dillon Exp $
* $Id: procfs_vnops.c,v 1.65 1999/04/27 11:16:39 phk Exp $
*/
/*
@ -134,6 +134,8 @@ procfs_open(ap)
p2 = PFIND(pfs->pfs_pid);
if (p2 == NULL)
return (ENOENT);
if (!PRISON_CHECK(ap->a_p, p2))
return (ENOENT);
switch (pfs->pfs_type) {
case Pmem:
@ -835,6 +837,8 @@ procfs_readdir(ap)
p = PFIND(pfs->pfs_pid);
if (p == NULL)
break;
if (!PRISON_CHECK(curproc, p))
break;
for (pt = &proc_targets[i];
uio->uio_resid >= UIO_MX && i < nproc_targets; pt++, i++) {
@ -893,7 +897,14 @@ procfs_readdir(ap)
default:
while (pcnt < i) {
p = p->p_list.le_next;
if (!p)
goto done;
if (!PRISON_CHECK(curproc, p))
continue;
pcnt++;
}
while (!PRISON_CHECK(curproc, p)) {
p = p->p_list.le_next;
if (!p)
goto done;

2
sys/gnu/ext2fs/ext2_vnops.c
View file

@ -1157,7 +1157,7 @@ ext2_makeinode(mode, dvp, vpp, cnp)
tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */
ip->i_nlink = 1;
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
suser_xxx(cnp->cn_cred, NULL))
suser_xxx(cnp->cn_cred, 0, PRISON_ROOT))
ip->i_mode &= ~ISGID;
if (cnp->cn_flags & ISWHITEOUT)

2
sys/gnu/fs/ext2fs/ext2_vnops.c
View file

@ -1157,7 +1157,7 @@ ext2_makeinode(mode, dvp, vpp, cnp)
tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */
ip->i_nlink = 1;
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
suser_xxx(cnp->cn_cred, NULL))
suser_xxx(cnp->cn_cred, 0, PRISON_ROOT))
ip->i_mode &= ~ISGID;
if (cnp->cn_flags & ISWHITEOUT)

5
sys/kern/init_main.c
View file

@ -39,7 +39,7 @@
* SUCH DAMAGE.
*
* @(#)init_main.c 8.9 (Berkeley) 1/21/94
* $Id: init_main.c,v 1.113 1999/04/24 18:50:48 dt Exp $
* $Id: init_main.c,v 1.114 1999/04/28 01:04:25 luoqi Exp $
*/
#include "opt_devfs.h"
@ -409,6 +409,9 @@ proc0_init(dummy)
p->p_ucred = crget();
p->p_ucred->cr_ngroups = 1; /* group 0 */
/* Don't jail it */
p->p_prison = 0;
/* Create procsig. */
p->p_procsig = &procsig0;
p->p_procsig->ps_refcnt = 1;

3
sys/kern/init_sysent.c
View file

@ -2,7 +2,7 @@
* System call switch table.
*
* DO NOT EDIT-- this file is automatically generated.
* created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
* created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
*/
#include "opt_compat.h"
@ -357,4 +357,5 @@ struct sysent sysent[] = {
{ 2, (sy_call_t *)utrace }, /* 335 = utrace */
{ 8, (sy_call_t *)sendfile }, /* 336 = sendfile */
{ 3, (sy_call_t *)kldsym }, /* 337 = kldsym */
{ 1, (sy_call_t *)jail }, /* 338 = jail */
};

9
sys/kern/kern_exit.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_exit.c 8.7 (Berkeley) 2/12/94
* $Id: kern_exit.c,v 1.78 1999/04/17 08:36:04 peter Exp $
* $Id: kern_exit.c,v 1.79 1999/04/28 01:04:26 luoqi Exp $
*/
#include "opt_compat.h"
@ -60,6 +60,7 @@
#include <sys/shm.h>
#include <sys/sem.h>
#include <sys/aio.h>
#include <sys/jail.h>
#ifdef COMPAT_43
#include <machine/reg.h>
@ -507,6 +508,12 @@ loop:
p->p_cred = NULL;
}
/*
* Destroy empty prisons
*/
if (p->p_prison && !--p->p_prison->pr_ref)
FREE(p->p_prison, M_PRISON);
/*
* Finally finished with old proc entry.
* Unlink it from its process group and free it.

8
sys/kern/kern_fork.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_fork.c 8.6 (Berkeley) 4/8/94
* $Id: kern_fork.c,v 1.59 1999/04/24 11:25:01 dt Exp $
* $Id: kern_fork.c,v 1.60 1999/04/28 01:04:27 luoqi Exp $
*/
#include "opt_ktrace.h"
@ -54,6 +54,7 @@
#include <sys/acct.h>
#include <sys/ktrace.h>
#include <sys/unistd.h>
#include <sys/jail.h>
#include <vm/vm.h>
#include <sys/lock.h>
@ -308,6 +309,11 @@ again:
p2->p_cred->p_refcnt = 1;
crhold(p1->p_ucred);
if (p2->p_prison) {
p2->p_prison->pr_ref++;
p2->p_flag |= P_JAILED;
}
if (flags & RFSIGSHARE) {
p2->p_procsig = p1->p_procsig;
p2->p_procsig->ps_refcnt++;

114
sys/kern/kern_jail.c Normal file
View file

@ -0,0 +1,114 @@
#include <sys/param.h>
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/sysproto.h>
#include <sys/malloc.h>
#include <sys/proc.h>
#include <sys/jail.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
int
jail(p, uap)
struct proc *p;
struct jail_args /* {
syscallarg(struct jail *) jail;
} */ *uap;
{
int error;
struct prison *pr;
struct jail j;
struct chroot_args ca;
error = suser(p);
if (error)
return (error);
error = copyin(uap->jail, &j, sizeof j);
if (error)
return (error);
MALLOC(pr, struct prison *, sizeof *pr , M_PRISON, M_WAITOK);
bzero((caddr_t)pr, sizeof *pr);
error = copyinstr(j.hostname, &pr->pr_host, sizeof pr->pr_host, 0);
if (error)
goto bail;
pr->pr_ip = j.ip_number;
ca.path = j.path;
error = chroot(p, &ca);
if (error)
goto bail;
pr->pr_ref++;
p->p_prison = pr;
p->p_flag |= P_JAILED;
return (0);
bail:
FREE(pr, M_PRISON);
return (error);
}
int
prison_ip(struct proc *p, int flag, u_int32_t *ip)
{
u_int32_t tmp;
if (!p->p_prison)
return (0);
if (flag)
tmp = *ip;
else
tmp = ntohl(*ip);
if (tmp == INADDR_ANY) {
if (flag)
*ip = p->p_prison->pr_ip;
else
*ip = htonl(p->p_prison->pr_ip);
return (0);
}
if (p->p_prison->pr_ip != tmp)
return (1);
return (0);
}
void
prison_remote_ip(struct proc *p, int flag, u_int32_t *ip)
{
u_int32_t tmp;
if (!p->p_prison)
return;
if (flag)
tmp = *ip;
else
tmp = ntohl(*ip);
if (tmp == 0x7f000001) {
if (flag)
*ip = p->p_prison->pr_ip;
else
*ip = htonl(p->p_prison->pr_ip);
return;
}
return;
}
int
prison_if(struct proc *p, struct sockaddr *sa)
{
struct sockaddr_in *sai = (struct sockaddr_in*) sa;
int ok;
if (sai->sin_family != AF_INET)
ok = 0;
else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
ok = 1;
else
ok = 0;
return (ok);
}

4
sys/kern/kern_ktrace.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)kern_ktrace.c 8.2 (Berkeley) 9/23/93
* $Id: kern_ktrace.c,v 1.24 1998/11/10 09:16:29 peter Exp $
* $Id: kern_ktrace.c,v 1.25 1998/12/10 01:47:41 rvb Exp $
*/
#include "opt_ktrace.h"
@ -515,6 +515,8 @@ ktrcanset(callp, targetp)
register struct pcred *caller = callp->p_cred;
register struct pcred *target = targetp->p_cred;
if (!PRISON_CHECK(callp, targetp))
return (0);
if ((caller->pc_ucred->cr_uid == target->p_ruid &&
target->p_ruid == target->p_svuid &&
caller->p_rgid == target->p_rgid && /* XXX */

26
sys/kern/kern_mib.c
View file

@ -37,7 +37,7 @@
* SUCH DAMAGE.
*
* @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94
* $Id: kern_mib.c,v 1.17 1999/01/25 18:26:09 dillon Exp $
* $Id: kern_mib.c,v 1.18 1999/01/26 07:37:11 dillon Exp $
*/
#include <sys/param.h>
@ -45,6 +45,7 @@
#include <sys/systm.h>
#include <sys/sysctl.h>
#include <sys/proc.h>
#include <sys/jail.h>
#include <sys/unistd.h>
#if defined(SMP)
@ -73,6 +74,9 @@ SYSCTL_NODE(, CTL_USER, user, CTLFLAG_RW, 0,
SYSCTL_NODE(, CTL_P1003_1B, p1003_1b, CTLFLAG_RW, 0,
"p1003_1b, (see p1003_1b.h)");
SYSCTL_NODE(_kern, OID_AUTO, prison, CTLFLAG_RW, 0,
"Prison rules");
SYSCTL_STRING(_kern, KERN_OSRELEASE, osrelease, CTLFLAG_RD, osrelease, 0, "");
SYSCTL_INT(_kern, KERN_OSREV, osrevision, CTLFLAG_RD, 0, BSD, "");
@ -124,8 +128,24 @@ SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD,
char hostname[MAXHOSTNAMELEN];
SYSCTL_STRING(_kern, KERN_HOSTNAME, hostname, CTLFLAG_RW,
hostname, sizeof(hostname), "");
static int
sysctl_hostname SYSCTL_HANDLER_ARGS
{
int error;
if (req->p->p_prison)
error = sysctl_handle_string(oidp,
req->p->p_prison->pr_host,
sizeof req->p->p_prison->pr_host, req);
else
error = sysctl_handle_string(oidp,
hostname, sizeof hostname, req);
return (error);
}
SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname,
CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON,
0, 0, sysctl_hostname, "A", "");
int securelevel = -1;

7
sys/kern/kern_proc.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)kern_proc.c 8.7 (Berkeley) 2/14/95
* $Id: kern_proc.c,v 1.45 1999/01/28 00:57:47 dillon Exp $
* $Id: kern_proc.c,v 1.46 1999/02/19 14:25:34 luoqi Exp $
*/
#include <sys/param.h>
@ -500,6 +500,8 @@ sysctl_kern_proc SYSCTL_HANDLER_ARGS
p = pfind((pid_t)name[0]);
if (!p)
return (0);
if (!PRISON_CHECK(curproc, p))
return (0);
error = sysctl_out_proc(p, req, 0);
return (error);
}
@ -561,6 +563,9 @@ sysctl_kern_proc SYSCTL_HANDLER_ARGS
break;
}
if (!PRISON_CHECK(curproc, p))
continue;
error = sysctl_out_proc(p, req, doingzomb);
if (error)
return (error);

46
sys/kern/kern_prot.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
* $Id: kern_prot.c,v 1.45 1999/04/27 11:16:01 phk Exp $
* $Id: kern_prot.c,v 1.46 1999/04/27 12:21:06 phk Exp $
*/
/*
@ -395,7 +395,7 @@ setuid(p, uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
uid != pc->pc_ucred->cr_uid && /* allow setuid(geteuid()) */
#endif
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
#ifdef _POSIX_SAVED_IDS
@ -407,7 +407,7 @@ setuid(p, uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */
uid == pc->pc_ucred->cr_uid ||
#endif
suser(p) == 0) /* we are using privs */
suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */
#endif
{
/*
@ -467,7 +467,7 @@ seteuid(p, uap)
euid = uap->euid;
if (euid != pc->p_ruid && /* allow seteuid(getuid()) */
euid != pc->p_svuid && /* allow seteuid(saved uid) */
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
/*
* Everything's okay, do it. Copy credentials so other references do
@ -515,7 +515,7 @@ setgid(p, uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
gid != pc->pc_ucred->cr_groups[0] && /* allow setgid(getegid()) */
#endif
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
#ifdef _POSIX_SAVED_IDS
@ -527,7 +527,7 @@ setgid(p, uap)
#ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */
gid == pc->pc_ucred->cr_groups[0] ||
#endif
suser(p) == 0) /* we are using privs */
suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */
#endif
{
/*
@ -579,7 +579,7 @@ setegid(p, uap)
egid = uap->egid;
if (egid != pc->p_rgid && /* allow setegid(getgid()) */
egid != pc->p_svgid && /* allow setegid(saved gid) */
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
if (pc->pc_ucred->cr_groups[0] != egid) {
pc->pc_ucred = crcopy(pc->pc_ucred);
@ -605,7 +605,7 @@ setgroups(p, uap)
register u_int ngrp;
int error;
if ((error = suser(p)))
if ((error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
ngrp = uap->gidsetsize;
if (ngrp > NGROUPS)
@ -654,7 +654,7 @@ setreuid(p, uap)
if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) ||
(euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid &&
euid != pc->p_ruid && euid != pc->p_svuid)) &&
(error = suser(p)) != 0)
(error = suser_xxx(0, p, PRISON_ROOT)) != 0)
return (error);
if (euid != (uid_t)-1 && pc->pc_ucred->cr_uid != euid) {
@ -697,7 +697,7 @@ setregid(p, uap)
if (((rgid != (gid_t)-1 && rgid != pc->p_rgid && rgid != pc->p_svgid) ||
(egid != (gid_t)-1 && egid != pc->pc_ucred->cr_groups[0] &&
egid != pc->p_rgid && egid != pc->p_svgid)) &&
(error = suser(p)) != 0)
(error = suser_xxx(0, p, PRISON_ROOT)) != 0)
return (error);
if (egid != (gid_t)-1 && pc->pc_ucred->cr_groups[0] != egid) {
@ -769,20 +769,28 @@ int
suser(p)
struct proc *p;
{
return suser_xxx(p->p_ucred, &p->p_acflag);
return suser_xxx(0, p, 0);
}
int
suser_xxx(cred, acflag)
suser_xxx(cred, proc, flag)
struct ucred *cred;
u_short *acflag;
struct proc *proc;
int flag;
{
if (cred->cr_uid == 0) {
if (acflag)
*acflag |= ASU;
return (0);
if (!cred && !proc) {
printf("suser_xxx(): THINK!\n");
return (EPERM);
}
return (EPERM);
if (!cred)
cred = proc->p_ucred;
if (cred->cr_uid != 0)
return (EPERM);
if (proc && proc->p_prison && !(flag & PRISON_ROOT))
return (EPERM);
if (proc)
proc->p_acflag |= ASU;
return (0);
}
/*
@ -883,7 +891,7 @@ setlogin(p, uap)
int error;
char logintmp[MAXLOGNAME];
if ((error = suser(p)))
if ((error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
sizeof(logintmp), (size_t *)0);

4
sys/kern/kern_resource.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_resource.c 8.5 (Berkeley) 1/21/94
* $Id: kern_resource.c,v 1.46 1999/04/27 11:16:02 phk Exp $
* $Id: kern_resource.c,v 1.47 1999/04/27 12:21:07 phk Exp $
*/
#include "opt_compat.h"
@ -387,7 +387,7 @@ dosetrlimit(p, which, limp)
if (limp->rlim_cur > alimp->rlim_max ||
limp->rlim_max > alimp->rlim_max)
if ((error = suser(p)))
if ((error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
if (limp->rlim_cur > limp->rlim_max)
limp->rlim_cur = limp->rlim_max;

6
sys/kern/kern_sig.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_sig.c 8.7 (Berkeley) 4/18/94
* $Id: kern_sig.c,v 1.53 1999/01/10 01:58:24 eivind Exp $
* $Id: kern_sig.c,v 1.54 1999/01/26 02:38:10 julian Exp $
*/
#include "opt_compat.h"
@ -79,12 +79,12 @@ SYSCTL_INT(_kern, KERN_LOGSIGEXIT, logsigexit, CTLFLAG_RW, &kern_logsigexit, 0,
* Can process p, with pcred pc, send the signal signum to process q?
*/
#define CANSIGNAL(p, pc, q, signum) \
((pc)->pc_ucred->cr_uid == 0 || \
(PRISON_CHECK(p, q) && ((pc)->pc_ucred->cr_uid == 0 || \
(pc)->p_ruid == (q)->p_cred->p_ruid || \
(pc)->pc_ucred->cr_uid == (q)->p_cred->p_ruid || \
(pc)->p_ruid == (q)->p_ucred->cr_uid || \
(pc)->pc_ucred->cr_uid == (q)->p_ucred->cr_uid || \
((signum) == SIGCONT && (q)->p_session == (p)->p_session))
((signum) == SIGCONT && (q)->p_session == (p)->p_session)))
/*
* Policy -- Can real uid ruid with ucred uc send a signal to process q?

5
sys/kern/kern_sysctl.c
View file

@ -37,7 +37,7 @@
* SUCH DAMAGE.
*
* @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94
* $Id: kern_sysctl.c,v 1.86 1999/03/30 09:00:45 phk Exp $
* $Id: kern_sysctl.c,v 1.87 1999/04/27 11:16:05 phk Exp $
*/
#include "opt_compat.h"
@ -764,7 +764,8 @@ found:
/* Most likely only root can write */
if (!(oid->oid_kind & CTLFLAG_ANYBODY) &&
req->newptr && req->p &&
(i = suser(req->p)))
(i = suser_xxx(0, req->p,
(oid->oid_kind & CTLFLAG_PRISON) ? PRISON_ROOT : 0)))
return (i);
if (!oid->oid_handler)

4
sys/kern/kern_xxx.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)kern_xxx.c 8.2 (Berkeley) 11/14/93
* $Id: kern_xxx.c,v 1.28 1998/08/24 08:39:38 dfr Exp $
* $Id: kern_xxx.c,v 1.29 1999/04/27 11:16:09 phk Exp $
*/
#include "opt_compat.h"
@ -85,7 +85,7 @@ osethostname(p, uap)
name[0] = CTL_KERN;
name[1] = KERN_HOSTNAME;
if ((error = suser(p)))
if ((error = suser_xxx(0, p, PRISON_ROOT)))
return (error);
return (userland_sysctl(p, name, 2, 0, 0, 0,
uap->hostname, uap->len, 0));

4
sys/kern/sys_process.c
View file

@ -28,7 +28,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: sys_process.c,v 1.43 1999/03/29 08:29:22 dfr Exp $
* $Id: sys_process.c,v 1.44 1999/04/27 11:16:13 phk Exp $
*/
#include <sys/param.h>
@ -218,6 +218,8 @@ ptrace(curp, uap)
if ((p = pfind(uap->pid)) == NULL)
return ESRCH;
}
if (!PRISON_CHECK(curp, p))
return (ESRCH);
/*
* Permissions check

3
sys/kern/syscalls.c
View file

@ -2,7 +2,7 @@
* System call names.
*
* DO NOT EDIT-- this file is automatically generated.
* created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
* created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
*/
char *syscallnames[] = {
@ -344,4 +344,5 @@ char *syscallnames[] = {
"utrace", /* 335 = utrace */
"sendfile", /* 336 = sendfile */
"kldsym", /* 337 = kldsym */
"jail", /* 338 = jail */
};

15
sys/kern/uipc_usrreq.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94
* $Id: uipc_usrreq.c,v 1.41 1999/04/11 02:17:47 eivind Exp $
* $Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $
*/
#include <sys/param.h>
@ -490,6 +490,7 @@ unp_attach(so)
unp_count++;
LIST_INIT(&unp->unp_refs);
unp->unp_socket = so;
unp->unp_rvnode = curproc->p_fd->fd_rdir;
LIST_INSERT_HEAD(so->so_type == SOCK_DGRAM ? &unp_dhead
: &unp_shead, unp, unp_link);
so->so_pcb = (caddr_t)unp;
@ -709,6 +710,16 @@ unp_abort(unp)
}
#endif
static int
prison_unpcb(struct proc *p, struct unpcb *unp)
{
if (!p->p_prison)
return (0);
if (p->p_fd->fd_rdir == unp->unp_rvnode)
return (0);
return (1);
}
static int
unp_pcblist SYSCTL_HANDLER_ARGS
{
@ -754,7 +765,7 @@ unp_pcblist SYSCTL_HANDLER_ARGS
for (unp = head->lh_first, i = 0; unp && i < n;
unp = unp->unp_link.le_next) {
if (unp->unp_gencnt <= gencnt)
if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp))
unp_list[i++] = unp;
}
n = i; /* in case we lost some during malloc */

30
sys/kern/vfs_extattr.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94
* $Id: vfs_syscalls.c,v 1.121 1999/03/23 14:26:40 phk Exp $
* $Id: vfs_syscalls.c,v 1.122 1999/04/27 11:16:25 phk Exp $
*/
/* For 4.3 integer FS ID compatibility */
@ -132,7 +132,7 @@ mount(p, uap)
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users
*/
if (suser_xxx(p->p_ucred, (u_short *)NULL))
if (suser_xxx(p->p_ucred, 0, 0))
SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@ -562,6 +562,12 @@ sync(p, uap)
return (0);
}
/* XXX PRISON: could be per prison flag */
static int prison_quotas;
#if 0
SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, "");
#endif
/*
* Change filesystem quotas.
*/
@ -588,6 +594,8 @@ quotactl(p, uap)
int error;
struct nameidata nd;
if (p->p_prison && !prison_quotas)
return (EPERM);
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
if ((error = namei(&nd)) != 0)
return (error);
@ -631,7 +639,7 @@ statfs(p, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
if (suser_xxx(p->p_ucred, (u_short *)NULL)) {
if (suser_xxx(p->p_ucred, 0, 0)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@ -671,7 +679,7 @@ fstatfs(p, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
if (suser_xxx(p->p_ucred, (u_short *)NULL)) {
if (suser_xxx(p->p_ucred, 0, 0)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@ -886,7 +894,7 @@ chroot(p, uap)
int error;
struct nameidata nd;
error = suser(p);
error = suser_xxx(0, p, PRISON_ROOT);
if (error)
return (error);
if (chroot_allow_open_directories == 0 ||
@ -1076,7 +1084,15 @@ mknod(p, uap)
int whiteout = 0;
struct nameidata nd;
error = suser(p);
switch (SCARG(uap, mode) & S_IFMT) {
case S_IFCHR:
case S_IFBLK:
error = suser(p);
break;
default:
error = suser_xxx(0, p, PRISON_ROOT);
break;
}
if (error)
return (error);
NDINIT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), p);
@ -2977,7 +2993,7 @@ revoke(p, uap)
if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)) != 0)
goto out;
if (p->p_ucred->cr_uid != vattr.va_uid &&
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
goto out;
if (vp->v_usecount > 1 || (vp->v_flag & VALIASED))
VOP_REVOKE(vp, REVOKEALL);

30
sys/kern/vfs_syscalls.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94
* $Id: vfs_syscalls.c,v 1.121 1999/03/23 14:26:40 phk Exp $
* $Id: vfs_syscalls.c,v 1.122 1999/04/27 11:16:25 phk Exp $
*/
/* For 4.3 integer FS ID compatibility */
@ -132,7 +132,7 @@ mount(p, uap)
/*
* Silently enforce MNT_NOSUID and MNT_NODEV for non-root users
*/
if (suser_xxx(p->p_ucred, (u_short *)NULL))
if (suser_xxx(p->p_ucred, 0, 0))
SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV;
/*
* Get vnode to be covered
@ -562,6 +562,12 @@ sync(p, uap)
return (0);
}
/* XXX PRISON: could be per prison flag */
static int prison_quotas;
#if 0
SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, "");
#endif
/*
* Change filesystem quotas.
*/
@ -588,6 +594,8 @@ quotactl(p, uap)
int error;
struct nameidata nd;
if (p->p_prison && !prison_quotas)
return (EPERM);
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
if ((error = namei(&nd)) != 0)
return (error);
@ -631,7 +639,7 @@ statfs(p, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
if (suser_xxx(p->p_ucred, (u_short *)NULL)) {
if (suser_xxx(p->p_ucred, 0, 0)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@ -671,7 +679,7 @@ fstatfs(p, uap)
if (error)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
if (suser_xxx(p->p_ucred, (u_short *)NULL)) {
if (suser_xxx(p->p_ucred, 0, 0)) {
bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
sp = &sb;
@ -886,7 +894,7 @@ chroot(p, uap)
int error;
struct nameidata nd;
error = suser(p);
error = suser_xxx(0, p, PRISON_ROOT);
if (error)
return (error);
if (chroot_allow_open_directories == 0 ||
@ -1076,7 +1084,15 @@ mknod(p, uap)
int whiteout = 0;
struct nameidata nd;
error = suser(p);
switch (SCARG(uap, mode) & S_IFMT) {
case S_IFCHR:
case S_IFBLK:
error = suser(p);
break;
default:
error = suser_xxx(0, p, PRISON_ROOT);
break;
}
if (error)
return (error);
NDINIT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), p);
@ -2977,7 +2993,7 @@ revoke(p, uap)
if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)) != 0)
goto out;
if (p->p_ucred->cr_uid != vattr.va_uid &&
(error = suser(p)))
(error = suser_xxx(0, p, PRISON_ROOT)))
goto out;
if (vp->v_usecount > 1 || (vp->v_flag & VALIASED))
VOP_REVOKE(vp, REVOKEALL);

4
sys/kern/vfs_vnops.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)vfs_vnops.c 8.2 (Berkeley) 1/21/94
* $Id: vfs_vnops.c,v 1.66 1999/04/21 05:56:45 alc Exp $
* $Id: vfs_vnops.c,v 1.67 1999/04/27 11:16:27 phk Exp $
*/
#include <sys/param.h>
@ -422,7 +422,7 @@ vn_stat(vp, sb, p)
sb->st_ctimespec = vap->va_ctime;
sb->st_blksize = vap->va_blocksize;
sb->st_flags = vap->va_flags;
if (suser_xxx(p->p_ucred, (u_short *)NULL))
if (suser_xxx(p->p_ucred, 0, 0))
sb->st_gen = 0;
else
sb->st_gen = vap->va_gen;

14
sys/miscfs/devfs/devfs_vnops.c
View file

@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: devfs_vnops.c,v 1.70 1999/02/25 16:06:51 bde Exp $
* $Id: devfs_vnops.c,v 1.71 1999/04/27 11:16:31 phk Exp $
*/
@ -381,7 +381,7 @@ found:
* but only use suser_xxx prives as a last resort
* (Use of super powers is recorded in ap->a_p->p_acflag)
*/
if( suser_xxx(cred, &ap->a_p->p_acflag) == 0) /* XXX what if no proc? */
if( suser_xxx(cred, ap->a_p, 0) == 0) /* XXX what if no proc? */
return 0;
return (EACCES);
}
@ -519,7 +519,7 @@ DBPRINT(("setattr\n"));
#endif
if (((vap->va_vaflags & VA_UTIMES_NULL) == 0) &&
(cred->cr_uid != file_node->uid) &&
suser_xxx(cred, &p->p_acflag))
suser_xxx(cred, p, 0))
return (EPERM);
if(VOP_ACCESS(vp, VWRITE, cred, p))
return (EACCES);
@ -534,7 +534,7 @@ DBPRINT(("setattr\n"));
*/
if (vap->va_mode != (u_short)VNOVAL) {
if ((cred->cr_uid != file_node->uid)
&& suser_xxx(cred, &p->p_acflag))
&& suser_xxx(cred, p, 0))
return (EPERM);
/* set drwxwxrwx stuff */
file_node->mode &= ~07777;
@ -545,7 +545,7 @@ DBPRINT(("setattr\n"));
* Change the owner.. must be root to do this.
*/
if (vap->va_uid != (uid_t)VNOVAL) {
if (suser_xxx(cred, &p->p_acflag))
if (suser_xxx(cred, p, 0))
return (EPERM);
file_node->uid = vap->va_uid;
}
@ -568,7 +568,7 @@ DBPRINT(("setattr\n"));
* we can't do it with normal privs,
* do we have an ace up our sleeve?
*/
if( suser_xxx(cred, &p->p_acflag))
if( suser_xxx(cred, p, 0))
return (EPERM);
cando:
file_node->gid = vap->va_gid;
@ -580,7 +580,7 @@ cando:
* flags should be handled some day
*/
if (vap->va_flags != VNOVAL) {
if (error = suser_xxx(cred, &p->p_acflag))
if (error = suser_xxx(cred, p, 0))
return error;
if (cred->cr_uid == 0)
;

5
sys/miscfs/procfs/procfs.h
View file

@ -37,7 +37,7 @@
* @(#)procfs.h 8.9 (Berkeley) 5/14/95
*
* From:
* $Id: procfs.h,v 1.21 1999/01/05 03:53:06 peter Exp $
* $Id: procfs.h,v 1.22 1999/04/27 11:16:35 phk Exp $
*/
/*
@ -92,7 +92,8 @@ struct pfsnode {
* Evaluates to 1 if access is allowed.
*/
#define CHECKIO(p1, p2) \
((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
(PRISON_CHECK(p1, p2) && \
(((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
((p2)->p_flag & P_SUGID) == 0) || (suser((p1)) == 0))

8
sys/miscfs/procfs/procfs_status.c
View file

@ -37,12 +37,13 @@
* @(#)procfs_status.c 8.4 (Berkeley) 6/15/94
*
* From:
* $Id: procfs_status.c,v 1.11 1998/07/11 07:45:45 bde Exp $
* $Id: procfs_status.c,v 1.12 1999/01/05 03:53:06 peter Exp $
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc.h>
#include <sys/jail.h>
#include <sys/vnode.h>
#include <sys/tty.h>
#include <sys/resourcevar.h>
@ -134,6 +135,11 @@ procfs_dostatus(curp, p, pfs, uio)
for (i = 0; i < cr->cr_ngroups; i++)
ps += sprintf(ps, ",%lu", (u_long)cr->cr_groups[i]);
if (p->p_prison)
ps += sprintf(ps, " %s", p->p_prison->pr_host);
else
ps += sprintf(ps, " -");
ps += sprintf(ps, "\n");
xlen = ps - psbuf;

13
sys/miscfs/procfs/procfs_vnops.c
View file

@ -36,7 +36,7 @@
*
* @(#)procfs_vnops.c 8.18 (Berkeley) 5/21/95
*
* $Id: procfs_vnops.c,v 1.64 1999/01/27 22:42:07 dillon Exp $
* $Id: procfs_vnops.c,v 1.65 1999/04/27 11:16:39 phk Exp $
*/
/*
@ -134,6 +134,8 @@ procfs_open(ap)
p2 = PFIND(pfs->pfs_pid);
if (p2 == NULL)
return (ENOENT);
if (!PRISON_CHECK(ap->a_p, p2))
return (ENOENT);
switch (pfs->pfs_type) {
case Pmem:
@ -835,6 +837,8 @@ procfs_readdir(ap)
p = PFIND(pfs->pfs_pid);
if (p == NULL)
break;
if (!PRISON_CHECK(curproc, p))
break;
for (pt = &proc_targets[i];
uio->uio_resid >= UIO_MX && i < nproc_targets; pt++, i++) {
@ -893,7 +897,14 @@ procfs_readdir(ap)
default:
while (pcnt < i) {
p = p->p_list.le_next;
if (!p)
goto done;
if (!PRISON_CHECK(curproc, p))
continue;
pcnt++;
}
while (!PRISON_CHECK(curproc, p)) {
p = p->p_list.le_next;
if (!p)
goto done;

10
sys/msdosfs/msdosfs_vnops.c
View file

@ -1,4 +1,4 @@
/* $Id: msdosfs_vnops.c,v 1.81 1999/01/27 22:42:09 dillon Exp $ */
/* $Id: msdosfs_vnops.c,v 1.82 1999/04/27 11:16:51 phk Exp $ */
/* $NetBSD: msdosfs_vnops.c,v 1.68 1998/02/10 14:10:04 mrg Exp $ */
/*-
@ -431,7 +431,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return (error);
/*
* We are very inconsistent about handling unsupported
@ -472,7 +472,7 @@ msdosfs_setattr(ap)
gid = pmp->pm_gid;
if ((cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
(gid != pmp->pm_gid && !groupmember(gid, cred))) &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return error;
if (uid != pmp->pm_uid || gid != pmp->pm_gid)
return EINVAL;
@ -504,7 +504,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)) &&
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)) &&
((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
(error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_p))))
return (error);
@ -527,7 +527,7 @@ msdosfs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != pmp->pm_uid &&
(error = suser_xxx(cred, &ap->a_p->p_acflag)))
(error = suser_xxx(cred, ap->a_p, PRISON_ROOT)))
return (error);
if (vp->v_type != VDIR) {
/* We ignore the read and execute bits. */

9
sys/net/bpf.c
View file

@ -37,7 +37,7 @@
*
* @(#)bpf.c 8.2 (Berkeley) 3/28/94
*
* $Id: bpf.c,v 1.47 1999/01/27 22:42:13 dillon Exp $
* $Id: bpf.c,v 1.48 1999/04/28 01:18:13 msmith Exp $
*/
#include "bpfilter.h"
@ -346,6 +346,9 @@ bpfopen(dev, flags, fmt, p)
{
register struct bpf_d *d;
if (p->p_prison)
return (EPERM);
if (minor(dev) >= NBPFILTER)
return (ENXIO);
/*
@ -1014,12 +1017,12 @@ bpfpoll(dev, events, p)
d = &bpf_dtab[minor(dev)];
s = splimp();
if (events & (POLLIN | POLLRDNORM))
if (events & (POLLIN | POLLRDNORM)) {
if (d->bd_hlen != 0 || (d->bd_immediate && d->bd_slen != 0))
revents |= events & (POLLIN | POLLRDNORM);
else
selrecord(p, &d->bd_sel);
}
splx(s);
return (revents);
}

29
sys/net/if.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)if.c 8.3 (Berkeley) 1/4/94
* $Id: if.c,v 1.68 1999/04/26 09:02:40 peter Exp $
* $Id: if.c,v 1.69 1999/04/27 11:16:56 phk Exp $
*/
#include "opt_compat.h"
@ -857,7 +857,7 @@ ifconf(cmd, data)
ifrp = ifc->ifc_req;
for (; space > sizeof (ifr) && ifp; ifp = ifp->if_link.tqe_next) {
char workbuf[64];
int ifnlen;
int ifnlen, addrs;
ifnlen = snprintf(workbuf, sizeof(workbuf),
"%s%d", ifp->if_name, ifp->if_unit);
@ -867,17 +867,14 @@ ifconf(cmd, data)
strcpy(ifr.ifr_name, workbuf);
}
if ((ifa = ifp->if_addrhead.tqh_first) == 0) {
bzero((caddr_t)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
error = copyout((caddr_t)&ifr, (caddr_t)ifrp,
sizeof (ifr));
if (error)
break;
space -= sizeof (ifr), ifrp++;
} else
for ( ; space > sizeof (ifr) && ifa;
ifa = ifa->ifa_link.tqe_next) {
addrs = 0;
ifa = ifp->if_addrhead.tqh_first;
for ( ; space > sizeof (ifr) && ifa;
ifa = ifa->ifa_link.tqe_next) {
register struct sockaddr *sa = ifa->ifa_addr;
if (curproc->p_prison && prison_if(curproc, sa))
continue;
addrs++;
#ifdef COMPAT_43
if (cmd == OSIOCGIFCONF) {
struct osockaddr *osa =
@ -910,6 +907,14 @@ ifconf(cmd, data)
break;
space -= sizeof (ifr);
}
if (!addrs) {
bzero((caddr_t)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
error = copyout((caddr_t)&ifr, (caddr_t)ifrp,
sizeof (ifr));
if (error)
break;
space -= sizeof (ifr), ifrp++;
}
}
ifc->ifc_len -= space;
return (error);

3
sys/net/if.h
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)if.h 8.1 (Berkeley) 6/10/93
* $Id: if.h,v 1.49 1998/03/21 13:36:20 peter Exp $
* $Id: if.h,v 1.50 1999/02/19 13:41:35 phk Exp $
*/
#ifndef _NET_IF_H_
@ -221,6 +221,7 @@ MALLOC_DECLARE(M_IFMADDR);
/* XXX - this should go away soon */
#ifdef KERNEL
int prison_if __P((struct proc *p, struct sockaddr *sa));
#include <net/if_var.h>
#endif

4
sys/net/rtsock.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)rtsock.c 8.5 (Berkeley) 11/2/94
* $Id: rtsock.c,v 1.37 1997/10/31 08:53:13 davidg Exp $
* $Id: rtsock.c,v 1.38 1999/01/27 22:42:14 dillon Exp $
*/
@ -911,6 +911,8 @@ sysctl_iflist(af, w)
while ((ifa = ifa->ifa_link.tqe_next) != 0) {
if (af && af != ifa->ifa_addr->sa_family)
continue;
if (curproc->p_prison && prison_if(curproc, ifa->ifa_addr))
continue;
ifaaddr = ifa->ifa_addr;
netmask = ifa->ifa_netmask;
brdaddr = ifa->ifa_dstaddr;

5
sys/netinet/in.h
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in.h 8.3 (Berkeley) 1/3/94
* $Id: in.h,v 1.38 1998/12/14 18:09:13 luigi Exp $
* $Id: in.h,v 1.39 1999/04/20 13:32:04 peter Exp $
*/
#ifndef _NETINET_IN_H_
@ -433,6 +433,9 @@ int in_cksum __P((struct mbuf *, int));
int in_localaddr __P((struct in_addr));
char *inet_ntoa __P((struct in_addr)); /* in libkern */
int prison_ip __P((struct proc *p, int flag, u_int32_t *ip));
void prison_remote_ip __P((struct proc *p, int flag, u_int32_t *ip));
#endif /* KERNEL */
#endif

30
sys/netinet/in_pcb.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in_pcb.c 8.4 (Berkeley) 5/24/95
* $Id: in_pcb.c,v 1.47 1999/01/27 22:42:24 dillon Exp $
* $Id: in_pcb.c,v 1.48 1999/04/27 11:17:31 phk Exp $
*/
#include <sys/param.h>
@ -42,6 +42,7 @@
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/proc.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
@ -154,7 +155,7 @@ in_pcbbind(inp, nam, p)
struct inpcbinfo *pcbinfo = inp->inp_pcbinfo;
u_short lport = 0;
int wild = 0, reuseport = (so->so_options & SO_REUSEPORT);
int error;
int error, prison = 0;
if (TAILQ_EMPTY(&in_ifaddrhead)) /* XXX broken! */
return (EADDRNOTAVAIL);
@ -174,6 +175,8 @@ in_pcbbind(inp, nam, p)
if (sin->sin_family != AF_INET)
return (EAFNOSUPPORT);
#endif
if (prison_ip(p, 0, &sin->sin_addr.s_addr))
return(EINVAL);
lport = sin->sin_port;
if (IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
/*
@ -195,12 +198,15 @@ in_pcbbind(inp, nam, p)
/* GROSS */
if (ntohs(lport) < IPPORT_RESERVED && p &&
suser(p))
suser_xxx(0, p, PRISON_ROOT))
return (EACCES);
if (p && p->p_prison)
prison = 1;
if (so->so_uid &&
!IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
t = in_pcblookup_local(inp->inp_pcbinfo,
sin->sin_addr, lport, INPLOOKUP_WILDCARD);
sin->sin_addr, lport,
prison ? 0 : INPLOOKUP_WILDCARD);
if (t &&
(ntohl(sin->sin_addr.s_addr) != INADDR_ANY ||
ntohl(t->inp_laddr.s_addr) != INADDR_ANY ||
@ -210,7 +216,7 @@ in_pcbbind(inp, nam, p)
return (EADDRINUSE);
}
t = in_pcblookup_local(pcbinfo, sin->sin_addr,
lport, wild);
lport, prison ? 0 : wild);
if (t && (reuseport & t->inp_socket->so_options) == 0)
return (EADDRINUSE);
}
@ -220,6 +226,8 @@ in_pcbbind(inp, nam, p)
ushort first, last;
int count;
if (prison_ip(p, 0, &inp->inp_laddr.s_addr ))
return (EINVAL);
inp->inp_flags |= INP_ANONPORT;
if (inp->inp_flags & INP_HIGHPORT) {
@ -227,7 +235,7 @@ in_pcbbind(inp, nam, p)
last = ipport_hilastauto;
lastport = &pcbinfo->lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
if (p && (error = suser(p)))
if (p && (error = suser_xxx(0, p, PRISON_ROOT)))
return error;
first = ipport_lowfirstauto; /* 1023 */
last = ipport_lowlastauto; /* 600 */
@ -895,3 +903,13 @@ in_pcbremlists(inp)
LIST_REMOVE(inp, inp_list);
inp->inp_pcbinfo->ipi_count--;
}
int
prison_xinpcb(struct proc *p, struct inpcb *inp)
{
if (!p->p_prison)
return (0);
if (ntohl(inp->inp_laddr.s_addr) == p->p_prison->pr_ip)
return (0);
return (1);
}

3
sys/netinet/in_pcb.h
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)in_pcb.h 8.1 (Berkeley) 6/10/93
* $Id: in_pcb.h,v 1.25 1998/03/28 10:18:22 bde Exp $
* $Id: in_pcb.h,v 1.26 1998/05/15 20:11:33 wollman Exp $
*/
#ifndef _NETINET_IN_PCB_H_
@ -168,6 +168,7 @@ void in_pcbnotify __P((struct inpcbhead *, struct sockaddr *,
void in_pcbrehash __P((struct inpcb *));
int in_setpeeraddr __P((struct socket *so, struct sockaddr **nam));
int in_setsockaddr __P((struct socket *so, struct sockaddr **nam));
int prison_xinpcb __P((struct proc *p, struct inpcb *inp));
#endif /* KERNEL */
#endif /* !_NETINET_IN_PCB_H_ */

4
sys/netinet/tcp_subr.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
* $Id: tcp_subr.c,v 1.51 1999/02/04 03:02:56 msmith Exp $
* $Id: tcp_subr.c,v 1.52 1999/02/04 03:27:43 msmith Exp $
*/
#include "opt_compat.h"
@ -541,7 +541,7 @@ tcp_pcblist SYSCTL_HANDLER_ARGS
s = splnet();
for (inp = tcbinfo.listhead->lh_first, i = 0; inp && i < n;
inp = inp->inp_list.le_next) {
if (inp->inp_gencnt <= gencnt)
if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
inp_list[i++] = inp;
}
splx(s);

4
sys/netinet/tcp_timewait.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
* $Id: tcp_subr.c,v 1.51 1999/02/04 03:02:56 msmith Exp $
* $Id: tcp_subr.c,v 1.52 1999/02/04 03:27:43 msmith Exp $
*/
#include "opt_compat.h"
@ -541,7 +541,7 @@ tcp_pcblist SYSCTL_HANDLER_ARGS
s = splnet();
for (inp = tcbinfo.listhead->lh_first, i = 0; inp && i < n;
inp = inp->inp_list.le_next) {
if (inp->inp_gencnt <= gencnt)
if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
inp_list[i++] = inp;
}
splx(s);

4
sys/netinet/tcp_usrreq.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* From: @(#)tcp_usrreq.c 8.2 (Berkeley) 1/3/94
* $Id: tcp_usrreq.c,v 1.40 1999/01/20 17:31:59 fenner Exp $
* $Id: tcp_usrreq.c,v 1.41 1999/04/24 18:25:35 ache Exp $
*/
#include "opt_tcpdebug.h"
@ -239,6 +239,8 @@ tcp_usr_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
goto out;
}
prison_remote_ip(p, 0, &sinp->sin_addr.s_addr);
if ((error = tcp_connect(tp, nam, p)) != 0)
goto out;
error = tcp_output(tp);

10
sys/netinet/udp_usrreq.c
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)udp_usrreq.c 8.6 (Berkeley) 5/23/95
* $Id: udp_usrreq.c,v 1.48 1998/08/24 07:47:39 dfr Exp $
* $Id: udp_usrreq.c,v 1.49 1998/12/03 20:23:21 dillon Exp $
*/
#include <sys/param.h>
@ -410,7 +410,7 @@ udp_pcblist SYSCTL_HANDLER_ARGS
s = splnet();
for (inp = udbinfo.listhead->lh_first, i = 0; inp && i < n;
inp = inp->inp_list.le_next) {
if (inp->inp_gencnt <= gencnt)
if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
inp_list[i++] = inp;
}
splx(s);
@ -462,6 +462,7 @@ udp_output(inp, m, addr, control, p)
register struct udpiphdr *ui;
register int len = m->m_pkthdr.len;
struct in_addr laddr;
struct sockaddr_in *sin;
int s = 0, error = 0;
if (control)
@ -473,6 +474,8 @@ udp_output(inp, m, addr, control, p)
}
if (addr) {
sin = (struct sockaddr_in *)addr;
prison_remote_ip(p, 0, &sin->sin_addr.s_addr);
laddr = inp->inp_laddr;
if (inp->inp_faddr.s_addr != INADDR_ANY) {
error = EISCONN;
@ -614,6 +617,7 @@ udp_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
{
struct inpcb *inp;
int s, error;
struct sockaddr_in *sin;
inp = sotoinpcb(so);
if (inp == 0)
@ -621,6 +625,8 @@ udp_connect(struct socket *so, struct sockaddr *nam, struct proc *p)
if (inp->inp_faddr.s_addr != INADDR_ANY)
return EISCONN;
s = splnet();
sin = (struct sockaddr_in *)nam;
prison_remote_ip(p, 0, &sin->sin_addr.s_addr);
error = in_pcbconnect(inp, nam, p);
splx(s);
if (error == 0)

6
sys/nfs/nfs_serv.c
View file

@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_serv.c 8.8 (Berkeley) 7/31/95
* $Id: nfs_serv.c,v 1.73 1999/02/16 10:49:53 dfr Exp $
* $Id: nfs_serv.c,v 1.74 1999/04/27 11:17:49 phk Exp $
*/
/*
@ -1445,7 +1445,7 @@ nfsrv_create(nfsd, slp, procp, mrq)
if (vap->va_type == VCHR && rdev == 0xffffffff)
vap->va_type = VFIFO;
if (vap->va_type != VFIFO &&
(error = suser_xxx(cred, (u_short *)0))) {
(error = suser_xxx(cred, 0, 0))) {
vrele(nd.ni_startdir);
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
@ -1642,7 +1642,7 @@ nfsrv_mknod(nfsd, slp, procp, mrq)
if (!error)
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
} else {
if (vtyp != VFIFO && (error = suser_xxx(cred, (u_short *)0))) {
if (vtyp != VFIFO && (error = suser_xxx(cred, 0, 0))) {
vrele(nd.ni_startdir);
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);

6
sys/nfsserver/nfs_serv.c
View file

@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_serv.c 8.8 (Berkeley) 7/31/95
* $Id: nfs_serv.c,v 1.73 1999/02/16 10:49:53 dfr Exp $
* $Id: nfs_serv.c,v 1.74 1999/04/27 11:17:49 phk Exp $
*/
/*
@ -1445,7 +1445,7 @@ nfsrv_create(nfsd, slp, procp, mrq)
if (vap->va_type == VCHR && rdev == 0xffffffff)
vap->va_type = VFIFO;
if (vap->va_type != VFIFO &&
(error = suser_xxx(cred, (u_short *)0))) {
(error = suser_xxx(cred, 0, 0))) {
vrele(nd.ni_startdir);
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
@ -1642,7 +1642,7 @@ nfsrv_mknod(nfsd, slp, procp, mrq)
if (!error)
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
} else {
if (vtyp != VFIFO && (error = suser_xxx(cred, (u_short *)0))) {
if (vtyp != VFIFO && (error = suser_xxx(cred, 0, 0))) {
vrele(nd.ni_startdir);
zfree(namei_zone, nd.ni_cnd.cn_pnbuf);
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);

41
sys/sys/jail.h Normal file
View file

@ -0,0 +1,41 @@
/*
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*
* $Id: loran.c,v 1.15 1999/04/11 03:06:06 eivind Exp $
*
*/
#ifndef _SYS_JAIL_H_
#define _SYS_JAIL_H_
struct jail {
char *path;
char *hostname;
u_int32_t ip_number;
};
#ifdef KERNEL
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_PRISON);
#endif
/*
* This structure describes a prison. It is pointed to by all struct
* proc's of the inmates. pr_ref keeps track of them and is used to
* delete the struture when the last inmate is dead.
*/
struct prison {
int pr_ref;
char pr_host[MAXHOSTNAMELEN];
u_int32_t pr_ip;
};
#endif /* !KERNEL */
#endif /* !_SYS_JAIL_H_ */

17
sys/sys/proc.h
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)proc.h 8.15 (Berkeley) 5/19/95
* $Id: proc.h,v 1.79 1999/04/27 11:18:32 phk Exp $
* $Id: proc.h,v 1.80 1999/04/28 01:04:33 luoqi Exp $
*/
#ifndef _SYS_PROC_H_
@ -107,6 +107,9 @@ struct pasleep {
* which might be addressable only on a processor on which the process
* is running.
*/
struct jail;
struct proc {
TAILQ_ENTRY(proc) p_procq; /* run/sleep queue. */
LIST_ENTRY(proc) p_list; /* List of all processes. */
@ -206,6 +209,7 @@ struct proc {
struct sysentvec *p_sysent; /* System call dispatch information. */
struct rtprio p_rtprio; /* Realtime priority. */
struct prison *p_prison;
/* End area that is copied on creation. */
#define p_endcopy p_addr
struct user *p_addr; /* Kernel virtual addr of u-area (PROC ONLY). */
@ -268,6 +272,8 @@ struct proc {
#define P_NOCLDWAIT 0x400000 /* No zombies if child dies */
#define P_DEADLKTREAT 0x800000 /* lock aquisition - deadlock treatment */
#define P_JAILED 0x1000000 /* Process is in jail */
/*
* MOVE TO ucred.h?
*
@ -292,6 +298,14 @@ MALLOC_DECLARE(M_SUBPROC);
MALLOC_DECLARE(M_ZOMBIE);
#endif
/* flags for suser_xxx() */
#define PRISON_ROOT 1
/* Handy macro to determine of p1 can mangle p2 */
#define PRISON_CHECK(p1, p2) \
((!(p1)->p_prison) || (p1)->p_prison == (p2)->p_prison)
/*
* We use process IDs <= PID_MAX; PID_MAX + 1 must also fit in a pid_t,
* as it is used to represent "no process group".
@ -376,6 +390,7 @@ void setrunnable __P((struct proc *));
void setrunqueue __P((struct proc *));
void sleepinit __P((void));
int suser __P((struct proc *));
int suser_xxx __P((struct ucred *cred, struct proc *proc, int flag));
void remrq __P((struct proc *));
void cpu_switch __P((struct proc *));
void unsleep __P((struct proc *));

3
sys/sys/syscall-hide.h
View file

@ -2,7 +2,7 @@
* System call hiders.
*
* DO NOT EDIT-- this file is automatically generated.
* created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
* created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
*/
HIDE_POSIX(fork)
@ -251,3 +251,4 @@ HIDE_POSIX(sched_rr_get_interval)
HIDE_BSD(utrace)
HIDE_BSD(sendfile)
HIDE_BSD(kldsym)
HIDE_BSD(jail)

5
sys/sys/syscall.h
View file

@ -2,7 +2,7 @@
* System call numbers.
*
* DO NOT EDIT-- this file is automatically generated.
* created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
* created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
*/
#define SYS_syscall 0
@ -257,4 +257,5 @@
#define SYS_utrace 335
#define SYS_sendfile 336
#define SYS_kldsym 337
#define SYS_MAXSYSCALL 338
#define SYS_jail 338
#define SYS_MAXSYSCALL 339

5
sys/sys/syscall.mk
View file

@ -1,6 +1,6 @@
# FreeBSD system call names.
# DO NOT EDIT-- this file is automatically generated.
# created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
# created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
MIASM = \
syscall.o \
exit.o \
@ -212,4 +212,5 @@ MIASM = \
sched_rr_get_interval.o \
utrace.o \
sendfile.o \
kldsym.o
kldsym.o \
jail.o

3
sys/sys/sysctl.h
View file

@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)sysctl.h 8.1 (Berkeley) 6/2/93
* $Id: sysctl.h,v 1.71 1999/02/16 10:49:55 dfr Exp $
* $Id: sysctl.h,v 1.72 1999/02/28 17:38:28 dt Exp $
*/
#ifndef _SYS_SYSCTL_H_
@ -79,6 +79,7 @@ struct ctlname {
#define CTLFLAG_NOLOCK 0x20000000 /* XXX Don't Lock */
#define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */
#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */
#define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
/*
* USE THIS instead of a hardwired number from the categories below

6
sys/sys/sysproto.h
View file

@ -2,7 +2,7 @@
* System call prototypes.
*
* DO NOT EDIT-- this file is automatically generated.
* created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp
* created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp
*/
#ifndef _SYS_SYSPROTO_H_
@ -907,6 +907,9 @@ struct kldsym_args {
int cmd; char cmd_[PAD_(int)];
void * data; char data_[PAD_(void *)];
};
struct jail_args {
struct jail * jail; char jail_[PAD_(struct jail *)];
};
int nosys __P((struct proc *, struct nosys_args *));
void exit __P((struct proc *, struct rexit_args *)) __dead2;
int fork __P((struct proc *, struct fork_args *));
@ -1116,6 +1119,7 @@ int sched_rr_get_interval __P((struct proc *, struct sched_rr_get_interval_args
int utrace __P((struct proc *, struct utrace_args *));
int sendfile __P((struct proc *, struct sendfile_args *));
int kldsym __P((struct proc *, struct kldsym_args *));
int jail __P((struct proc *, struct jail_args *));
#ifdef COMPAT_43

5
sys/sys/ucred.h
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)ucred.h 8.4 (Berkeley) 1/9/95
* $Id: ucred.h,v 1.10 1999/01/31 10:05:59 bde Exp $
* $Id: ucred.h,v 1.11 1999/04/27 11:18:38 phk Exp $
*/
#ifndef _SYS_UCRED_H_
@ -41,7 +41,7 @@
* Credentials.
*
* Please do not inspect cr_uid directly to determine superuserness.
* Only the suser_xxx() function should be used for this.
* Only the suser()/suser_xxx() function should be used for this.
*/
struct ucred {
u_short cr_ref; /* reference count */
@ -60,7 +60,6 @@ struct ucred *crcopy __P((struct ucred *cr));
struct ucred *crdup __P((struct ucred *cr));
void crfree __P((struct ucred *cr));
struct ucred *crget __P((void));
int suser_xxx __P((struct ucred *cred, u_short *acflag));
int groupmember __P((gid_t gid, struct ucred *cred));
#endif /* KERNEL */

3
sys/sys/unpcb.h
View file

@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)unpcb.h 8.1 (Berkeley) 6/2/93
* $Id: unpcb.h,v 1.6 1997/08/16 19:16:16 wollman Exp $
* $Id: unpcb.h,v 1.7 1998/05/15 20:11:40 wollman Exp $
*/
#ifndef _SYS_UNPCB_H_
@ -71,6 +71,7 @@ struct unpcb {
LIST_ENTRY(unpcb) unp_link; /* glue on list of all PCBs */
struct socket *unp_socket; /* pointer back to socket */
struct vnode *unp_vnode; /* if associated with file */
struct vnode *unp_rvnode; /* root vp for creating process */
ino_t unp_ino; /* fake inode number */
struct unpcb *unp_conn; /* control block of connected socket */
struct unp_head unp_refs; /* referencing socket linked list */

4
sys/ufs/ufs/ufs_vfsops.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)ufs_vfsops.c 8.8 (Berkeley) 5/20/95
* $Id: ufs_vfsops.c,v 1.13 1999/01/28 00:57:56 dillon Exp $
* $Id: ufs_vfsops.c,v 1.14 1999/04/27 11:18:43 phk Exp $
*/
#include "opt_quota.h"
@ -115,7 +115,7 @@ ufs_quotactl(mp, cmds, uid, arg, p)
break;
/* fall through */
default:
if ((error = suser(p)) != 0)
if ((error = suser_xxx(0, p, PRISON_ROOT)) != 0)
return (error);
}

12
sys/ufs/ufs/ufs_vnops.c
View file

@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)ufs_vnops.c 8.27 (Berkeley) 5/27/95
* $Id: ufs_vnops.c,v 1.111 1999/03/02 05:31:47 imp Exp $
* $Id: ufs_vnops.c,v 1.112 1999/04/27 11:18:44 phk Exp $
*/
#include "opt_quota.h"
@ -448,7 +448,7 @@ ufs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != ip->i_uid &&
(error = suser_xxx(cred, &p->p_acflag)))
(error = suser_xxx(cred, p, PRISON_ROOT)))
return (error);
if (cred->cr_uid == 0) {
if ((ip->i_flags
@ -504,7 +504,7 @@ ufs_setattr(ap)
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return (EROFS);
if (cred->cr_uid != ip->i_uid &&
(error = suser_xxx(cred, &p->p_acflag)) &&
(error = suser_xxx(cred, p, PRISON_ROOT)) &&
((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
(error = VOP_ACCESS(vp, VWRITE, cred, p))))
return (error);
@ -546,7 +546,7 @@ ufs_chmod(vp, mode, cred, p)
int error;
if (cred->cr_uid != ip->i_uid) {
error = suser_xxx(cred, &p->p_acflag);
error = suser_xxx(cred, p, PRISON_ROOT);
if (error)
return (error);
}
@ -594,7 +594,7 @@ ufs_chown(vp, uid, gid, cred, p)
*/
if ((cred->cr_uid != ip->i_uid || uid != ip->i_uid ||
(gid != ip->i_gid && !groupmember((gid_t)gid, cred))) &&
(error = suser_xxx(cred, &p->p_acflag)))
(error = suser_xxx(cred, p, PRISON_ROOT)))
return (error);
ogid = ip->i_gid;
ouid = ip->i_uid;
@ -2166,7 +2166,7 @@ ufs_makeinode(mode, dvp, vpp, cnp)
if (DOINGSOFTDEP(tvp))
softdep_increase_linkcnt(ip);
if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
suser_xxx(cnp->cn_cred, NULL))
suser_xxx(cnp->cn_cred, 0, 0))
ip->i_mode &= ~ISGID;
if (cnp->cn_flags & ISWHITEOUT)

3
usr.sbin/Makefile
View file

@ -1,5 +1,5 @@
# From: @(#)Makefile 5.20 (Berkeley) 6/12/93
# $Id: Makefile,v 1.151 1999/04/07 04:12:02 msmith Exp $
# $Id: Makefile,v 1.152 1999/04/28 08:00:50 obrien Exp $
# XXX MISSING: mkproto
SUBDIR= IPXrouted \
@ -31,6 +31,7 @@ SUBDIR= IPXrouted \
ipresend \
ipsend \
iptest \
jail \
kbdcontrol \
kbdmap \
kernbb \

4
usr.sbin/jail/Makefile Normal file
View file

@ -0,0 +1,4 @@
PROG= jail
MAN8= jail.8
.include <bsd.prog.mk>

32
usr.sbin/jail/jail.8 Normal file
View file

@ -0,0 +1,32 @@
.Dd April 28, 1999
.Dt JAIL 8
.Os FreeBSD 4.0
.Sh NAME
.Nm jail
.Nd imprison process and decendants.
.Sh SYNOPSIS
.Nm jail
.Ar path
.Ar hostname
.Ar ip-number
.Sh DESCRIPTION
The
.Nm
command imprisons a process and all future decendants.
.Pp
Please see the
.Xr jail 2
Manual page for further details.
.Sh SEE ALSO
.Xr chroot 2 ,
.Xr jail 2
.Sh HISTORY
The
.Fn jail
function call appeared in
.Fx 4.0 .
.Pp
The jail feature was written by Poul-Henning Kamp for
R&D Associates
.Dq Li http://www.rndassociates.com/
who contributed it to FreeBSD.

32
usr.sbin/jail/jail.c Normal file
View file

@ -0,0 +1,32 @@
#include <stdio.h>
#include <err.h>
#include <sys/types.h>
#include <sys/jail.h>
#include <netinet/in.h>
int
main(int argc, char **argv)
{
struct jail j;
int i;
struct in_addr in;
if (argc < 5)
errx(1, "Usage: %s path hostname ip command ...\n", argv[0]);
i = chdir(argv[1]);
if (i)
err(1, "chdir %s", argv[1]);
j.path = argv[1];
j.hostname = argv[2];
i = inet_aton(argv[3], &in);
if (!i)
errx(1, "Couldn't make sense if ip number\n");
j.ip_number = in.s_addr;
i = jail(&j);
if (i)
err(1, "Imprisonment failed");
i = execv(argv[4], argv + 4);
if (i)
err(1, "execv(%s)", argv[4]);
exit (0);
}