2 * ----------------------------------------------------------------------------
3 * "THE BEER-WARE LICENSE" (Revision 42):
4 * <phk@FreeBSD.org> wrote this file. As long as you retain this notice you
5 * can do whatever you want with this stuff. If we meet some day, and you think
6 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
7 * ----------------------------------------------------------------------------
35 #define JAIL_API_VERSION 2
38 * For all xprison structs, always keep the pr_version an int and
39 * the first variable so userspace can easily distinguish them.
45 char pr_path[MAXPATHLEN];
46 char pr_host[MAXHOSTNAMELEN];
55 cpusetid_t pr_cpusetid;
56 char pr_path[MAXPATHLEN];
57 char pr_host[MAXHOSTNAMELEN];
58 char pr_name[MAXHOSTNAMELEN];
63 * sizeof(xprison) will be malloced + size needed for all
64 * IPv4 and IPv6 addresses. Offsets are based on the numbers of addresses.
66 struct in_addr pr_ip4[];
67 struct in6_addr pr_ip6[];
70 #define XPRISON_VERSION 3
72 static const struct prison_state {
74 const char * state_name;
76 #define PRISON_STATE_INVALID 0
77 { PRISON_STATE_INVALID, "INVALID" },
78 #define PRISON_STATE_ALIVE 1
79 { PRISON_STATE_ALIVE, "ALIVE" },
80 #define PRISON_STATE_DYING 2
81 { PRISON_STATE_DYING, "DYING" },
/*
 * Userland prototype -- presumably the jail(2) system call entry point,
 * whose in-kernel counterpart kern_jail() is declared further down.
 * The layout of struct jail is not part of this excerpt; JAIL_API_VERSION
 * above is the versioning hook callers are expected to use -- confirm
 * against the struct definition.
 */
87 int jail(struct jail *);
92 #include <sys/queue.h>
93 #include <sys/_lock.h>
94 #include <sys/_mutex.h>
95 #include <sys/_task.h>
/*
 * NOTE(review): these appear to sit in a kernel-only section whose #ifdef
 * is not in view -- confirm before relying on them from userland headers.
 */
/* Largest prison id handed out; where the limit is enforced is not shown here. */
97 #define JAIL_MAX 999999
/* Malloc type tag under which prison structures are allocated. */
100 MALLOC_DECLARE(M_PRISON);
104 #if defined(_KERNEL) || defined(_WANT_PRISON)
111 * This structure describes a prison. It is pointed to by all struct
112 * ucreds of the inmates. pr_ref keeps track of them and is used to
113 * delete the structure when the last inmate is dead.
117 * (p) locked by pr_mtx
118 * (c) set only during creation before the structure is shared, no mutex
120 * (d) set only during destruction of jail, no mutex needed
123 LIST_ENTRY(prison) pr_list; /* (a) all prisons */
124 int pr_id; /* (c) prison id */
125 int pr_ref; /* (p) refcount */
126 int pr_state; /* (p) prison state */
127 int pr_nprocs; /* (p) process count */
128 char pr_path[MAXPATHLEN]; /* (c) chroot path */
129 struct cpuset *pr_cpuset; /* (p) cpuset */
130 struct vnode *pr_root; /* (c) vnode to rdir */
131 char pr_host[MAXHOSTNAMELEN]; /* (p) jail hostname */
132 char pr_name[MAXHOSTNAMELEN]; /* (c) admin jail name */
133 void *pr_linux; /* (p) linux abi */
134 int pr_securelevel; /* (p) securelevel */
135 struct task pr_task; /* (d) destroy task */
137 struct osd pr_osd; /* (p) additional data */
138 int pr_ip4s; /* (c) number of v4 IPs */
139 struct in_addr *pr_ip4; /* (c) v4 IPs of jail */
140 int pr_ip6s; /* (c) number of v6 IPs */
141 struct in6_addr *pr_ip6; /* (c) v6 IPs of jail */
143 #endif /* _KERNEL || _WANT_PRISON */
147 * Sysctl-set variables that determine global jail policy
149 * XXX MIB entries will need to be protected by a mutex.
/*
 * Global, system-wide policy knobs (plain ints, not per-prison fields), set
 * through sysctl as the comment above states.  Only the names are visible
 * here; the exact effect of each flag must be confirmed against the sysctl
 * definitions in the jail implementation.
 * NOTE(review): the XXX above implies these are currently read unlocked.
 */
151 extern int jail_set_hostname_allowed;
152 extern int jail_socket_unixiproute_only;
153 extern int jail_sysvipc_allowed;
154 extern int jail_getfsstat_jailrootonly;
155 extern int jail_allow_raw_sockets;
156 extern int jail_chflags_allowed;
/* Declares struct prisonlist, a list head for struct prison (linked via pr_list). */
158 LIST_HEAD(prisonlist, prison);
/* Every prison on the system; struct prison's pr_list is marked "(a) all prisons". */
159 extern struct prisonlist allprison;
/* sx lock -- presumably the "(a)" lock guarding allprison; the legend line is not in view, confirm. */
160 extern struct sx allprison_lock;
163 * Kernel support functions for jail().
/*
 * Kernel-internal jail API (continues below).  Return conventions are not
 * stated in this excerpt; the int-returning predicates are presumably
 * 0/non-zero or errno-style -- confirm per function in the implementation.
 */
/* In-kernel body of jail(); the thread argument is the calling thread. */
170 int kern_jail(struct thread *, struct jail *);
/* By name, a predicate: is this credential inside a prison? */
171 int jailed(struct ucred *cred);
/* Copies a hostname for the credential into a caller buffer of the given size (by signature). */
172 void getcredhostname(struct ucred *cred, char *, size_t);
/* Check between two credentials; which direction is tested is not shown here. */
173 int prison_check(struct ucred *cred1, struct ucred *cred2);
/* Whether the credential may see the given mount; return convention not shown. */
174 int prison_canseemount(struct ucred *cred, struct mount *mp);
175 void prison_enforce_statfs(struct ucred *cred, struct mount *mp,
/*
 * Lookup by prison id.  Whether the returned pointer carries a held
 * reference (pr_ref) is not shown here -- confirm before dropping the lock.
 */
177 struct prison *prison_find(int prid);
/*
 * Reference-count pairs (by name, drop/take a pr_ref reference).  The
 * _locked variants presumably expect pr_mtx already held, since pr_ref is
 * marked "(p) locked by pr_mtx" above -- confirm in the implementation.
 */
178 void prison_free(struct prison *pr);
179 void prison_free_locked(struct prison *pr);
180 void prison_hold(struct prison *pr);
181 void prison_hold_locked(struct prison *pr);
/* Process-count pair, presumably maintaining pr_nprocs "(p)"; confirm. */
182 void prison_proc_hold(struct prison *);
183 void prison_proc_free(struct prison *);
/*
 * IPv4 address helpers: get / local / remote / check variants.  Note that
 * the IPv6 local variant below takes an extra int the IPv4 one lacks; its
 * meaning is not visible in this excerpt.
 */
184 int prison_get_ip4(struct ucred *cred, struct in_addr *ia);
185 int prison_local_ip4(struct ucred *cred, struct in_addr *ia);
186 int prison_remote_ip4(struct ucred *cred, struct in_addr *ia);
187 int prison_check_ip4(struct ucred *cred, struct in_addr *ia);
/* IPv6 counterparts of the four functions above. */
189 int prison_get_ip6(struct ucred *, struct in6_addr *);
190 int prison_local_ip6(struct ucred *, struct in6_addr *, int);
191 int prison_remote_ip6(struct ucred *, struct in6_addr *);
192 int prison_check_ip6(struct ucred *, struct in6_addr *);
/* Per-address-family, per-sockaddr and per-privilege checks for a credential. */
194 int prison_check_af(struct ucred *cred, int af);
195 int prison_if(struct ucred *cred, struct sockaddr *sa);
/* priv is presumably a PRIV_* constant; the allow/deny return convention is not shown here. */
196 int prison_priv_check(struct ucred *cred, int priv);
199 #endif /* !_SYS_JAIL_H_ */