diff options
author | jamie <jamie@FreeBSD.org> | 2009-07-29 16:41:02 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2009-07-29 16:41:02 +0000 |
commit | 4bceb596d22ce31ebd523159508cb2b2fff73e9f (patch) | |
tree | 535494c1b7472f0f5284db444ef600f19e6b5cde /sys/kern/kern_jail.c | |
parent | 1aa3b666bcd8f5e11a19afd54894d2325336c753 (diff) | |
download | FreeBSD-src-4bceb596d22ce31ebd523159508cb2b2fff73e9f.zip FreeBSD-src-4bceb596d22ce31ebd523159508cb2b2fff73e9f.tar.gz |
Change the default value of the "ip4" and "ip6" jail parameters to
"disable", which only allows access to the parent/physical system's
IP addresses when specifically directed. Change the default value of
"host" to "new", and don't copy the parent host values, to insulate
jails from the parent hostname et al.
Approved by: re (kib), bz (mentor)
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r-- | sys/kern/kern_jail.c | 34 |
1 files changed, 7 insertions, 27 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 6f6ae28..e6b4fb9 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -70,6 +70,8 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_framework.h> +#define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" + MALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); /* prison0 describes what is "real" about the system. */ @@ -81,7 +83,7 @@ struct prison prison0 = { .pr_path = "/", .pr_securelevel = -1, .pr_childmax = JAIL_MAX, - .pr_hostuuid = "00000000-0000-0000-0000-000000000000", + .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(&prison0.pr_children), .pr_flags = PR_HOST, .pr_allow = PR_ALLOW_ALL, @@ -1128,40 +1130,18 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) /* Set some default values, and inherit some from the parent. */ if (name == NULL) name = ""; - if (host != NULL || domain != NULL || uuid != NULL || gothid) { - if (host == NULL) - host = ppr->pr_hostname; - if (domain == NULL) - domain = ppr->pr_domainname; - if (uuid == NULL) - uuid = ppr->pr_hostuuid; - if (!gothid) - hid = ppr->pr_hostid; - } if (path == NULL) { path = "/"; root = mypr->pr_root; vref(root); } + strlcpy(pr->pr_hostuuid, DEFAULT_HOSTUUID, HOSTUUIDLEN); + pr->pr_flags |= PR_HOST; #ifdef INET - pr->pr_flags |= ppr->pr_flags & PR_IP4; - pr->pr_ip4s = ppr->pr_ip4s; - if (ppr->pr_ip4 != NULL) { - pr->pr_ip4 = malloc(pr->pr_ip4s * - sizeof(struct in_addr), M_PRISON, M_WAITOK); - bcopy(ppr->pr_ip4, pr->pr_ip4, - pr->pr_ip4s * sizeof(*pr->pr_ip4)); - } + pr->pr_flags |= PR_IP4 | PR_IP4_USER | PR_IP4_DISABLE; #endif #ifdef INET6 - pr->pr_flags |= ppr->pr_flags & PR_IP6; - pr->pr_ip6s = ppr->pr_ip6s; - if (ppr->pr_ip6 != NULL) { - pr->pr_ip6 = malloc(pr->pr_ip6s * - sizeof(struct in6_addr), M_PRISON, M_WAITOK); - bcopy(ppr->pr_ip6, pr->pr_ip6, - pr->pr_ip6s * sizeof(*pr->pr_ip6)); - } + pr->pr_flags |= PR_IP6 | PR_IP6_USER | PR_IP6_DISABLE; #endif pr->pr_securelevel = ppr->pr_securelevel; pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; |