2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
/*
 * ABI version of the struct jail that userspace hands to jail(2).
 * NOTE(review): the field that carries it is not visible in this excerpt;
 * the rule below for xprison (version int first) presumably applies — confirm.
 */
35 #define JAIL_API_VERSION 2
38 * For all xprison structs, always keep the pr_version an int and
39 * the first variable so userspace can easily distinguish them.
45 char pr_path[MAXPATHLEN];
46 char pr_host[MAXHOSTNAMELEN];
55 cpusetid_t pr_cpusetid;
56 char pr_path[MAXPATHLEN];
57 char pr_host[MAXHOSTNAMELEN];
58 char pr_name[MAXHOSTNAMELEN];
63 * sizeof(xprison) will be malloced plus the size needed for all
64 * IPv4 and IPv6 addresses. Offsets are based on the numbers of addresses.
66 struct in_addr pr_ip4[];
67 struct in6_addr pr_ip6[];
/*
 * Current layout version of struct xprison.  Per the comment above, the
 * version is kept as an int in the first member so userspace can tell the
 * layouts apart before touching the variable-length address arrays.
 */
70 #define XPRISON_VERSION 3
72 static const struct prison_state {
74 const char * state_name;
76 #define PRISON_STATE_INVALID 0
77 { PRISON_STATE_INVALID, "INVALID" },
78 #define PRISON_STATE_ALIVE 1
79 { PRISON_STATE_ALIVE, "ALIVE" },
80 #define PRISON_STATE_DYING 2
81 { PRISON_STATE_DYING, "DYING" },
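/*
 * jail(2): create a prison from the struct jail description.
 * Parameter name added for consistency with the kernel prototypes below.
 * NOTE(review): return convention (jail id vs. 0/-1) is not visible here — confirm.
 */
int	jail(struct jail *j);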
92 #include <sys/queue.h>
93 #include <sys/_lock.h>
94 #include <sys/_mutex.h>
95 #include <sys/_task.h>
/* Upper bound on jail ids; presumably bounds pr_id — confirm in kern_jail.c. */
97 #define JAIL_MAX 999999
/* malloc(9) type tag used for prison-related kernel allocations. */
100 MALLOC_DECLARE(M_PRISON);
107 * This structure describes a prison. It is pointed to by all struct
108 * ucreds of the inmates. pr_ref keeps track of them and is used to
109 * delete the structure when the last inmate is dead.
113 * (p) locked by pr_mtx
114 * (c) set only during creation before the structure is shared, no mutex
116 * (d) set only during destruction of jail, no mutex needed
118 #if defined(_KERNEL) || defined(_WANT_PRISON)
120 LIST_ENTRY(prison) pr_list; /* (a) all prisons */
121 int pr_id; /* (c) prison id */
122 int pr_ref; /* (p) refcount */
123 int pr_state; /* (p) prison state */
124 int pr_nprocs; /* (p) process count */
125 char pr_path[MAXPATHLEN]; /* (c) chroot path */
126 struct cpuset *pr_cpuset; /* (p) cpuset */
127 struct vnode *pr_root; /* (c) vnode to rdir */
128 char pr_host[MAXHOSTNAMELEN]; /* (p) jail hostname */
129 char pr_name[MAXHOSTNAMELEN]; /* (c) admin jail name */
130 void *pr_linux; /* (p) linux abi */
131 int pr_securelevel; /* (p) securelevel */
132 struct task pr_task; /* (d) destroy task */
134 void **pr_slots; /* (p) additional data */
135 int pr_ip4s; /* (c) number of v4 IPs */
136 struct in_addr *pr_ip4; /* (c) v4 IPs of jail */
137 int pr_ip6s; /* (c) number of v6 IPs */
138 struct in6_addr *pr_ip6; /* (c) v6 IPs of jail */
140 #endif /* _KERNEL || _WANT_PRISON */
144 * Sysctl-set variables that determine global jail policy
146 * XXX MIB entries will need to be protected by a mutex.
/*
 * Global on/off policy knobs set via sysctl (see the comment above).  They
 * are plain ints read without a lock; the XXX note above records that as
 * an open item, so treat a mid-flight change as observable by callers.
 */
148 extern int jail_set_hostname_allowed;
149 extern int jail_socket_unixiproute_only;
150 extern int jail_sysvipc_allowed;
151 extern int jail_getfsstat_jailrootonly;
152 extern int jail_allow_raw_sockets;
153 extern int jail_chflags_allowed;
/*
 * The list of all prisons and the sx lock guarding it.  struct prison's
 * pr_list entry is annotated (a); presumably that annotation means
 * "protected by allprison_lock" — the legend line is not in this excerpt, confirm.
 */
155 LIST_HEAD(prisonlist, prison);
156 extern struct prisonlist allprison;
157 extern struct sx allprison_lock;
160 * Kernel support functions for jail().
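/*
 * Kernel-side entry point for jail(2) and the credential-based checks the
 * rest of the kernel makes.  Parameter names added so every prototype in
 * this group is self-describing (kern_jail and getcredhostname had none).
 */
int	kern_jail(struct thread *td, struct jail *j);
/* Presumably non-zero when cred belongs to a prison — confirm the sense. */
int	jailed(struct ucred *cred);
/*
 * Copy the hostname visible to cred into buf, which holds size bytes.
 * NOTE(review): whether the result is always NUL-terminated on truncation
 * is not visible here — confirm in kern_jail.c before relying on it.
 */
void	getcredhostname(struct ucred *cred, char *buf, size_t size);
/*
 * Visibility check between two credentials' prisons.
 * NOTE(review): the return convention (0 == allowed, errno otherwise, vs. a
 * boolean) is not visible here; an inverted sense in a caller is a classic
 * access-control bug, so confirm against kern_jail.c.
 */
int	prison_check(struct ucred *cred1, struct ucred *cred2);
/* Whether cred may see mount point mp (e.g. in statfs-style listings). */
int	prison_canseemount(struct ucred *cred, struct mount *mp);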
172 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
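/*
 * Lookup by id.  NOTE(review): whether the returned prison comes back
 * referenced and/or with pr_mtx held is not visible here; confirm in
 * kern_jail.c before pairing the result with prison_free vs prison_free_locked.
 */
struct prison	*prison_find(int prid);
/*
 * Reference counting on pr_ref (annotated (p): locked by pr_mtx).  The
 * _locked variants presumably expect the caller to already hold pr_mtx.
 */
void	prison_free(struct prison *pr);
void	prison_free_locked(struct prison *pr);
void	prison_hold(struct prison *pr);
void	prison_hold_locked(struct prison *pr);
/* Process-count references (pr_nprocs is also (p)). */
void	prison_proc_hold(struct prison *pr);
void	prison_proc_free(struct prison *pr);
/*
 * IPv4 address policy for a jailed credential.  The lists consulted
 * (pr_ip4/pr_ip4s) are annotated (c): fixed at creation, so these checks
 * do not imply any prison locking.  Return conventions are not visible here.
 */
int	prison_get_ip4(struct ucred *cred, struct in_addr *ia);
int	prison_local_ip4(struct ucred *cred, struct in_addr *ia);
int	prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
int	prison_check_ip4(struct ucred *cred, struct in_addr *ia);
/*
 * IPv6 counterparts (pr_ip6/pr_ip6s, also (c)).  Parameter names added to
 * match the IPv4 set; v6only presumably mirrors the socket's IPV6_V6ONLY
 * state — confirm against kern_jail.c.
 */
int	prison_get_ip6(struct ucred *cred, struct in6_addr *ia6);
int	prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only);
int	prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6);
int	prison_check_ip6(struct ucred *cred, struct in6_addr *ia6);
/* Whether address family af is usable from cred's prison. */
int	prison_check_af(struct ucred *cred, int af);
/* Whether the address in sa is one cred's prison may use. */
int	prison_if(struct ucred *cred, struct sockaddr *sa);
/* Prison-level privilege filter; priv is a PRIV_* value as used by priv(9). */
int	prison_priv_check(struct ucred *cred, int priv);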
196 * Kernel jail services.
/*
 * Kernel jail services: a subsystem registers a create/destroy callback
 * pair that runs per prison and can keep per-prison data (the pr_slots
 * member of struct prison is presumably the backing store — confirm).
 */
198 struct prison_service;	/* opaque here; only ever used via pointer */
/*
 * Callback signatures.  NOTE(review): the meaning of a non-zero return
 * from create (abort creation? ignored?) is not visible in this excerpt.
 */
199 typedef int (*prison_create_t)(struct prison_service *psrv, struct prison *pr);
200 typedef int (*prison_destroy_t)(struct prison_service *psrv, struct prison *pr);
/* Registration returns the handle passed back to the data_* accessors. */
202 struct prison_service *prison_service_register(const char *name,
203 prison_create_t create, prison_destroy_t destroy);
204 void prison_service_deregister(struct prison_service *psrv);
206 void prison_service_data_set(struct prison_service *psrv, struct prison *pr,
/*
 * Per-prison service data accessors.  del also returns a void * —
 * presumably the removed pointer so the caller can free it; the ownership
 * contract is not visible here, confirm before freeing.
 */
208 void *prison_service_data_get(struct prison_service *psrv, struct prison *pr);
209 void *prison_service_data_del(struct prison_service *psrv, struct prison *pr);
212 #endif /* !_SYS_JAIL_H_ */