diff options
| author | jamie <jamie@FreeBSD.org> | 2009-05-27 14:11:23 +0000 |
|---|---|---|
| committer | jamie <jamie@FreeBSD.org> | 2009-05-27 14:11:23 +0000 |
| commit | a013e0afcbb44052a86a7977277d669d8883b7e7 (patch) | |
| tree | b7f782d79e61a1bd80655a068684cb0fd9f39922 /sys/kern/kern_prot.c | |
| parent | 6e53147404a7f4fb4173694bc812d9d23efd9fef (diff) | |
| download | FreeBSD-src-a013e0afcbb44052a86a7977277d669d8883b7e7.zip FreeBSD-src-a013e0afcbb44052a86a7977277d669d8883b7e7.tar.gz | |
Add hierarchical jails. A jail may further virtualize its environment
by creating a child jail, which is visible to that jail and to any
parent jails. Child jails may be restricted more than their parents,
but never less. Jail names reflect this hierarchy, being MIB-style
dot-separated strings.
Every thread now points to a jail, the default being prison0, which
contains information about the physical system. Prison0's root
directory is the same as rootvnode; its hostname is the same as the
global hostname, and its securelevel replaces the global securelevel.
Note that the variable "securelevel" has actually gone away, which
should not cause any problems for code that properly uses
securelevel_gt() and securelevel_ge().
Some jail-related permissions that were kept in global variables and
set via sysctls are now per-jail settings. The sysctls still exist for
backward compatibility, used only by the now-deprecated jail(2) system
call.
Approved by: bz (mentor)
Diffstat (limited to 'sys/kern/kern_prot.c')
| -rw-r--r-- | sys/kern/kern_prot.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index b35f81f..1c5f68b 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1263,33 +1263,25 @@ groupmember(gid_t gid, struct ucred *cred) * (securelevel >= level). Note that the logic is inverted -- these * functions return EPERM on "success" and 0 on "failure". * + * Due to care taken when setting the securelevel, we know that no jail will + * be less secure that its parent (or the physical system), so it is sufficient + * to test the current jail only. + * * XXXRW: Possibly since this has to do with privilege, it should move to * kern_priv.c. */ int securelevel_gt(struct ucred *cr, int level) { - int active_securelevel; - - active_securelevel = securelevel; - KASSERT(cr != NULL, ("securelevel_gt: null cr")); - if (cr->cr_prison != NULL) - active_securelevel = imax(cr->cr_prison->pr_securelevel, - active_securelevel); - return (active_securelevel > level ? EPERM : 0); + + return (cr->cr_prison->pr_securelevel > level ? EPERM : 0); } int securelevel_ge(struct ucred *cr, int level) { - int active_securelevel; - - active_securelevel = securelevel; - KASSERT(cr != NULL, ("securelevel_ge: null cr")); - if (cr->cr_prison != NULL) - active_securelevel = imax(cr->cr_prison->pr_securelevel, - active_securelevel); - return (active_securelevel >= level ? EPERM : 0); + + return (cr->cr_prison->pr_securelevel >= level ? EPERM : 0); } /* @@ -1823,7 +1815,7 @@ crfree(struct ucred *cr) /* * Free a prison, if any. */ - if (jailed(cr)) + if (cr->cr_prison != NULL) prison_free(cr->cr_prison); #ifdef VIMAGE /* XXX TODO: find out why and when cr_vimage can be NULL here! */ @@ -1863,8 +1855,7 @@ crcopy(struct ucred *dest, struct ucred *src) (caddr_t)&src->cr_startcopy)); uihold(dest->cr_uidinfo); uihold(dest->cr_ruidinfo); - if (jailed(dest)) - prison_hold(dest->cr_prison); + prison_hold(dest->cr_prison); #ifdef VIMAGE KASSERT(src->cr_vimage != NULL, ("cr_vimage == NULL")); refcount_acquire(&dest->cr_vimage->vi_ucredrefc); |
