diff options
| author | phk <phk@FreeBSD.org> | 1999-04-28 11:38:52 +0000 |
|---|---|---|
| committer | phk <phk@FreeBSD.org> | 1999-04-28 11:38:52 +0000 |
| commit | ca21a25f173ed030b0093e4d83140e3b0b43db01 (patch) | |
| tree | 0ced832ca84afcb7423214e45fa0bc0cdd71a660 /sys/kern | |
| parent | 58c42d9a16bbdef6b833ed08531a2a3541db6595 (diff) | |
| download | FreeBSD-src-ca21a25f173ed030b0093e4d83140e3b0b43db01.zip FreeBSD-src-ca21a25f173ed030b0093e4d83140e3b0b43db01.tar.gz | |
This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.
For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".
Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.
Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.
It generally does what one would expect, but setting up a jail
still takes a little knowledge.
A few notes:
I have no scripts for setting up a jail, don't ask me for them.
The IP number should be an alias on one of the interfaces.
mount a /proc in each jail, it will make ps more useable.
/proc/<pid>/status tells the hostname of the prison for
jailed processes.
Quotas are only sensible if you have a mountpoint per prison.
There are no privisions for stopping resource-hogging.
Some "#ifdef INET" and similar may be missing (send patches!)
If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!
Tools, comments, patches & documentation most welcome.
Have fun...
Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/init_main.c | 5 | ||||
| -rw-r--r-- | sys/kern/init_sysent.c | 3 | ||||
| -rw-r--r-- | sys/kern/kern_exit.c | 9 | ||||
| -rw-r--r-- | sys/kern/kern_fork.c | 8 | ||||
| -rw-r--r-- | sys/kern/kern_jail.c | 114 | ||||
| -rw-r--r-- | sys/kern/kern_ktrace.c | 4 | ||||
| -rw-r--r-- | sys/kern/kern_mib.c | 26 | ||||
| -rw-r--r-- | sys/kern/kern_proc.c | 7 | ||||
| -rw-r--r-- | sys/kern/kern_prot.c | 46 | ||||
| -rw-r--r-- | sys/kern/kern_resource.c | 4 | ||||
| -rw-r--r-- | sys/kern/kern_sig.c | 6 | ||||
| -rw-r--r-- | sys/kern/kern_sysctl.c | 5 | ||||
| -rw-r--r-- | sys/kern/kern_xxx.c | 4 | ||||
| -rw-r--r-- | sys/kern/sys_process.c | 4 | ||||
| -rw-r--r-- | sys/kern/syscalls.c | 3 | ||||
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 15 | ||||
| -rw-r--r-- | sys/kern/vfs_extattr.c | 30 | ||||
| -rw-r--r-- | sys/kern/vfs_syscalls.c | 30 | ||||
| -rw-r--r-- | sys/kern/vfs_vnops.c | 4 |
19 files changed, 270 insertions, 57 deletions
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index bf6ec7f..ed93f6f 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -39,7 +39,7 @@ * SUCH DAMAGE. * * @(#)init_main.c 8.9 (Berkeley) 1/21/94 - * $Id: init_main.c,v 1.113 1999/04/24 18:50:48 dt Exp $ + * $Id: init_main.c,v 1.114 1999/04/28 01:04:25 luoqi Exp $ */ #include "opt_devfs.h" @@ -409,6 +409,9 @@ proc0_init(dummy) p->p_ucred = crget(); p->p_ucred->cr_ngroups = 1; /* group 0 */ + /* Don't jail it */ + p->p_prison = 0; + /* Create procsig. */ p->p_procsig = &procsig0; p->p_procsig->ps_refcnt = 1; diff --git a/sys/kern/init_sysent.c b/sys/kern/init_sysent.c index 3a8b931..43b325d 100644 --- a/sys/kern/init_sysent.c +++ b/sys/kern/init_sysent.c @@ -2,7 +2,7 @@ * System call switch table. * * DO NOT EDIT-- this file is automatically generated. - * created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp + * created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp */ #include "opt_compat.h" @@ -357,4 +357,5 @@ struct sysent sysent[] = { { 2, (sy_call_t *)utrace }, /* 335 = utrace */ { 8, (sy_call_t *)sendfile }, /* 336 = sendfile */ { 3, (sy_call_t *)kldsym }, /* 337 = kldsym */ + { 1, (sy_call_t *)jail }, /* 338 = jail */ }; diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 0e97656..fd66be8 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_exit.c 8.7 (Berkeley) 2/12/94 - * $Id: kern_exit.c,v 1.78 1999/04/17 08:36:04 peter Exp $ + * $Id: kern_exit.c,v 1.79 1999/04/28 01:04:26 luoqi Exp $ */ #include "opt_compat.h" @@ -60,6 +60,7 @@ #include <sys/shm.h> #include <sys/sem.h> #include <sys/aio.h> +#include <sys/jail.h> #ifdef COMPAT_43 #include <machine/reg.h> @@ -508,6 +509,12 @@ loop: } /* + * Destroy empty prisons + */ + if (p->p_prison && !--p->p_prison->pr_ref) + FREE(p->p_prison, M_PRISON); + + /* * Finally finished with old proc entry. * Unlink it from its process group and free it. */ diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index d3f40ea..d5870b5 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_fork.c 8.6 (Berkeley) 4/8/94 - * $Id: kern_fork.c,v 1.59 1999/04/24 11:25:01 dt Exp $ + * $Id: kern_fork.c,v 1.60 1999/04/28 01:04:27 luoqi Exp $ */ #include "opt_ktrace.h" @@ -54,6 +54,7 @@ #include <sys/acct.h> #include <sys/ktrace.h> #include <sys/unistd.h> +#include <sys/jail.h> #include <vm/vm.h> #include <sys/lock.h> @@ -308,6 +309,11 @@ again: p2->p_cred->p_refcnt = 1; crhold(p1->p_ucred); + if (p2->p_prison) { + p2->p_prison->pr_ref++; + p2->p_flag |= P_JAILED; + } + if (flags & RFSIGSHARE) { p2->p_procsig = p1->p_procsig; p2->p_procsig->ps_refcnt++; diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c new file mode 100644 index 0000000..20cb8941 --- /dev/null +++ b/sys/kern/kern_jail.c @@ -0,0 +1,114 @@ + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/kernel.h> +#include <sys/systm.h> +#include <sys/errno.h> +#include <sys/sysproto.h> +#include <sys/malloc.h> +#include <sys/proc.h> +#include <sys/jail.h> +#include <sys/socket.h> +#include <net/if.h> +#include <netinet/in.h> + +MALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); + +int +jail(p, uap) + struct proc *p; + struct jail_args /* { + syscallarg(struct jail *) jail; + } */ *uap; +{ + int error; + struct prison *pr; + struct jail j; + struct chroot_args ca; + + error = suser(p); + if (error) + return (error); + error = copyin(uap->jail, &j, sizeof j); + if (error) + return (error); + MALLOC(pr, struct prison *, sizeof *pr , M_PRISON, M_WAITOK); + bzero((caddr_t)pr, sizeof *pr); + error = copyinstr(j.hostname, &pr->pr_host, sizeof pr->pr_host, 0); + if (error) + goto bail; + pr->pr_ip = j.ip_number; + + ca.path = j.path; + error = chroot(p, &ca); + if (error) + goto bail; + + pr->pr_ref++; + p->p_prison = pr; + p->p_flag |= P_JAILED; + return (0); + +bail: + FREE(pr, M_PRISON); + return (error); +} + +int +prison_ip(struct proc *p, int flag, u_int32_t *ip) +{ + u_int32_t tmp; + + if (!p->p_prison) + return (0); + if (flag) + tmp = *ip; + else + tmp = ntohl(*ip); + if (tmp == INADDR_ANY) { + if (flag) + *ip = p->p_prison->pr_ip; + else + *ip = htonl(p->p_prison->pr_ip); + return (0); + } + if (p->p_prison->pr_ip != tmp) + return (1); + return (0); +} + +void +prison_remote_ip(struct proc *p, int flag, u_int32_t *ip) +{ + u_int32_t tmp; + + if (!p->p_prison) + return; + if (flag) + tmp = *ip; + else + tmp = ntohl(*ip); + if (tmp == 0x7f000001) { + if (flag) + *ip = p->p_prison->pr_ip; + else + *ip = htonl(p->p_prison->pr_ip); + return; + } + return; +} + +int +prison_if(struct proc *p, struct sockaddr *sa) +{ + struct sockaddr_in *sai = (struct sockaddr_in*) sa; + int ok; + + if (sai->sin_family != AF_INET) + ok = 0; + else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr)) + ok = 1; + else + ok = 0; + return (ok); +} diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 7a6d237..86579cb 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)kern_ktrace.c 8.2 (Berkeley) 9/23/93 - * $Id: kern_ktrace.c,v 1.24 1998/11/10 09:16:29 peter Exp $ + * $Id: kern_ktrace.c,v 1.25 1998/12/10 01:47:41 rvb Exp $ */ #include "opt_ktrace.h" @@ -515,6 +515,8 @@ ktrcanset(callp, targetp) register struct pcred *caller = callp->p_cred; register struct pcred *target = targetp->p_cred; + if (!PRISON_CHECK(callp, targetp)) + return (0); if ((caller->pc_ucred->cr_uid == target->p_ruid && target->p_ruid == target->p_svuid && caller->p_rgid == target->p_rgid && /* XXX */ diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index 9a8f65c..90afa9f 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -37,7 +37,7 @@ * SUCH DAMAGE. * * @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94 - * $Id: kern_mib.c,v 1.17 1999/01/25 18:26:09 dillon Exp $ + * $Id: kern_mib.c,v 1.18 1999/01/26 07:37:11 dillon Exp $ */ #include <sys/param.h> @@ -45,6 +45,7 @@ #include <sys/systm.h> #include <sys/sysctl.h> #include <sys/proc.h> +#include <sys/jail.h> #include <sys/unistd.h> #if defined(SMP) @@ -73,6 +74,9 @@ SYSCTL_NODE(, CTL_USER, user, CTLFLAG_RW, 0, SYSCTL_NODE(, CTL_P1003_1B, p1003_1b, CTLFLAG_RW, 0, "p1003_1b, (see p1003_1b.h)"); +SYSCTL_NODE(_kern, OID_AUTO, prison, CTLFLAG_RW, 0, + "Prison rules"); + SYSCTL_STRING(_kern, KERN_OSRELEASE, osrelease, CTLFLAG_RD, osrelease, 0, ""); SYSCTL_INT(_kern, KERN_OSREV, osrevision, CTLFLAG_RD, 0, BSD, ""); @@ -124,8 +128,24 @@ SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD, char hostname[MAXHOSTNAMELEN]; -SYSCTL_STRING(_kern, KERN_HOSTNAME, hostname, CTLFLAG_RW, - hostname, sizeof(hostname), ""); +static int +sysctl_hostname SYSCTL_HANDLER_ARGS +{ + int error; + + if (req->p->p_prison) + error = sysctl_handle_string(oidp, + req->p->p_prison->pr_host, + sizeof req->p->p_prison->pr_host, req); + else + error = sysctl_handle_string(oidp, + hostname, sizeof hostname, req); + return (error); +} + +SYSCTL_PROC(_kern, KERN_HOSTNAME, hostname, + CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_PRISON, + 0, 0, sysctl_hostname, "A", ""); int securelevel = -1; diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c index bfb7df9..3dfbfab 100644 --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)kern_proc.c 8.7 (Berkeley) 2/14/95 - * $Id: kern_proc.c,v 1.45 1999/01/28 00:57:47 dillon Exp $ + * $Id: kern_proc.c,v 1.46 1999/02/19 14:25:34 luoqi Exp $ */ #include <sys/param.h> @@ -500,6 +500,8 @@ sysctl_kern_proc SYSCTL_HANDLER_ARGS p = pfind((pid_t)name[0]); if (!p) return (0); + if (!PRISON_CHECK(curproc, p)) + return (0); error = sysctl_out_proc(p, req, 0); return (error); } @@ -561,6 +563,9 @@ sysctl_kern_proc SYSCTL_HANDLER_ARGS break; } + if (!PRISON_CHECK(curproc, p)) + continue; + error = sysctl_out_proc(p, req, doingzomb); if (error) return (error); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 56606f4..e4ad6f5 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94 - * $Id: kern_prot.c,v 1.45 1999/04/27 11:16:01 phk Exp $ + * $Id: kern_prot.c,v 1.46 1999/04/27 12:21:06 phk Exp $ */ /* @@ -395,7 +395,7 @@ setuid(p, uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != pc->pc_ucred->cr_uid && /* allow setuid(geteuid()) */ #endif - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) return (error); #ifdef _POSIX_SAVED_IDS @@ -407,7 +407,7 @@ setuid(p, uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ uid == pc->pc_ucred->cr_uid || #endif - suser(p) == 0) /* we are using privs */ + suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */ #endif { /* @@ -467,7 +467,7 @@ seteuid(p, uap) euid = uap->euid; if (euid != pc->p_ruid && /* allow seteuid(getuid()) */ euid != pc->p_svuid && /* allow seteuid(saved uid) */ - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) return (error); /* * Everything's okay, do it. Copy credentials so other references do @@ -515,7 +515,7 @@ setgid(p, uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != pc->pc_ucred->cr_groups[0] && /* allow setgid(getegid()) */ #endif - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) return (error); #ifdef _POSIX_SAVED_IDS @@ -527,7 +527,7 @@ setgid(p, uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ gid == pc->pc_ucred->cr_groups[0] || #endif - suser(p) == 0) /* we are using privs */ + suser_xxx(0, p, PRISON_ROOT) == 0) /* we are using privs */ #endif { /* @@ -579,7 +579,7 @@ setegid(p, uap) egid = uap->egid; if (egid != pc->p_rgid && /* allow setegid(getgid()) */ egid != pc->p_svgid && /* allow setegid(saved gid) */ - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) return (error); if (pc->pc_ucred->cr_groups[0] != egid) { pc->pc_ucred = crcopy(pc->pc_ucred); @@ -605,7 +605,7 @@ setgroups(p, uap) register u_int ngrp; int error; - if ((error = suser(p))) + if ((error = suser_xxx(0, p, PRISON_ROOT))) return (error); ngrp = uap->gidsetsize; if (ngrp > NGROUPS) @@ -654,7 +654,7 @@ setreuid(p, uap) if (((ruid != (uid_t)-1 && ruid != pc->p_ruid && ruid != pc->p_svuid) || (euid != (uid_t)-1 && euid != pc->pc_ucred->cr_uid && euid != pc->p_ruid && euid != pc->p_svuid)) && - (error = suser(p)) != 0) + (error = suser_xxx(0, p, PRISON_ROOT)) != 0) return (error); if (euid != (uid_t)-1 && pc->pc_ucred->cr_uid != euid) { @@ -697,7 +697,7 @@ setregid(p, uap) if (((rgid != (gid_t)-1 && rgid != pc->p_rgid && rgid != pc->p_svgid) || (egid != (gid_t)-1 && egid != pc->pc_ucred->cr_groups[0] && egid != pc->p_rgid && egid != pc->p_svgid)) && - (error = suser(p)) != 0) + (error = suser_xxx(0, p, PRISON_ROOT)) != 0) return (error); if (egid != (gid_t)-1 && pc->pc_ucred->cr_groups[0] != egid) { @@ -769,20 +769,28 @@ int suser(p) struct proc *p; { - return suser_xxx(p->p_ucred, &p->p_acflag); + return suser_xxx(0, p, 0); } int -suser_xxx(cred, acflag) +suser_xxx(cred, proc, flag) struct ucred *cred; - u_short *acflag; + struct proc *proc; + int flag; { - if (cred->cr_uid == 0) { - if (acflag) - *acflag |= ASU; - return (0); + if (!cred && !proc) { + printf("suser_xxx(): THINK!\n"); + return (EPERM); } - return (EPERM); + if (!cred) + cred = proc->p_ucred; + if (cred->cr_uid != 0) + return (EPERM); + if (proc && proc->p_prison && !(flag & PRISON_ROOT)) + return (EPERM); + if (proc) + proc->p_acflag |= ASU; + return (0); } /* @@ -883,7 +891,7 @@ setlogin(p, uap) int error; char logintmp[MAXLOGNAME]; - if ((error = suser(p))) + if ((error = suser_xxx(0, p, PRISON_ROOT))) return (error); error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp, sizeof(logintmp), (size_t *)0); diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index bd07411..811ccf4 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_resource.c 8.5 (Berkeley) 1/21/94 - * $Id: kern_resource.c,v 1.46 1999/04/27 11:16:02 phk Exp $ + * $Id: kern_resource.c,v 1.47 1999/04/27 12:21:07 phk Exp $ */ #include "opt_compat.h" @@ -387,7 +387,7 @@ dosetrlimit(p, which, limp) if (limp->rlim_cur > alimp->rlim_max || limp->rlim_max > alimp->rlim_max) - if ((error = suser(p))) + if ((error = suser_xxx(0, p, PRISON_ROOT))) return (error); if (limp->rlim_cur > limp->rlim_max) limp->rlim_cur = limp->rlim_max; diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 5da4725..6749e76 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)kern_sig.c 8.7 (Berkeley) 4/18/94 - * $Id: kern_sig.c,v 1.53 1999/01/10 01:58:24 eivind Exp $ + * $Id: kern_sig.c,v 1.54 1999/01/26 02:38:10 julian Exp $ */ #include "opt_compat.h" @@ -79,12 +79,12 @@ SYSCTL_INT(_kern, KERN_LOGSIGEXIT, logsigexit, CTLFLAG_RW, &kern_logsigexit, 0, * Can process p, with pcred pc, send the signal signum to process q? */ #define CANSIGNAL(p, pc, q, signum) \ - ((pc)->pc_ucred->cr_uid == 0 || \ + (PRISON_CHECK(p, q) && ((pc)->pc_ucred->cr_uid == 0 || \ (pc)->p_ruid == (q)->p_cred->p_ruid || \ (pc)->pc_ucred->cr_uid == (q)->p_cred->p_ruid || \ (pc)->p_ruid == (q)->p_ucred->cr_uid || \ (pc)->pc_ucred->cr_uid == (q)->p_ucred->cr_uid || \ - ((signum) == SIGCONT && (q)->p_session == (p)->p_session)) + ((signum) == SIGCONT && (q)->p_session == (p)->p_session))) /* * Policy -- Can real uid ruid with ucred uc send a signal to process q? diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index fc0a204..15f5359 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -37,7 +37,7 @@ * SUCH DAMAGE. * * @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94 - * $Id: kern_sysctl.c,v 1.86 1999/03/30 09:00:45 phk Exp $ + * $Id: kern_sysctl.c,v 1.87 1999/04/27 11:16:05 phk Exp $ */ #include "opt_compat.h" @@ -764,7 +764,8 @@ found: /* Most likely only root can write */ if (!(oid->oid_kind & CTLFLAG_ANYBODY) && req->newptr && req->p && - (i = suser(req->p))) + (i = suser_xxx(0, req->p, + (oid->oid_kind & CTLFLAG_PRISON) ? PRISON_ROOT : 0))) return (i); if (!oid->oid_handler) diff --git a/sys/kern/kern_xxx.c b/sys/kern/kern_xxx.c index 42b563f..92b26ce 100644 --- a/sys/kern/kern_xxx.c +++ b/sys/kern/kern_xxx.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)kern_xxx.c 8.2 (Berkeley) 11/14/93 - * $Id: kern_xxx.c,v 1.28 1998/08/24 08:39:38 dfr Exp $ + * $Id: kern_xxx.c,v 1.29 1999/04/27 11:16:09 phk Exp $ */ #include "opt_compat.h" @@ -85,7 +85,7 @@ osethostname(p, uap) name[0] = CTL_KERN; name[1] = KERN_HOSTNAME; - if ((error = suser(p))) + if ((error = suser_xxx(0, p, PRISON_ROOT))) return (error); return (userland_sysctl(p, name, 2, 0, 0, 0, uap->hostname, uap->len, 0)); diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c index 62e6736..6ed8ef1 100644 --- a/sys/kern/sys_process.c +++ b/sys/kern/sys_process.c @@ -28,7 +28,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: sys_process.c,v 1.43 1999/03/29 08:29:22 dfr Exp $ + * $Id: sys_process.c,v 1.44 1999/04/27 11:16:13 phk Exp $ */ #include <sys/param.h> @@ -218,6 +218,8 @@ ptrace(curp, uap) if ((p = pfind(uap->pid)) == NULL) return ESRCH; } + if (!PRISON_CHECK(curp, p)) + return (ESRCH); /* * Permissions check diff --git a/sys/kern/syscalls.c b/sys/kern/syscalls.c index bd49409..1359833 100644 --- a/sys/kern/syscalls.c +++ b/sys/kern/syscalls.c @@ -2,7 +2,7 @@ * System call names. * * DO NOT EDIT-- this file is automatically generated. - * created from Id: syscalls.master,v 1.57 1999/04/04 21:41:16 dt Exp + * created from Id: syscalls.master,v 1.58 1999/04/28 11:28:49 phk Exp */ char *syscallnames[] = { @@ -344,4 +344,5 @@ char *syscallnames[] = { "utrace", /* 335 = utrace */ "sendfile", /* 336 = sendfile */ "kldsym", /* 337 = kldsym */ + "jail", /* 338 = jail */ }; diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 292ce70..52823be 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94 - * $Id: uipc_usrreq.c,v 1.41 1999/04/11 02:17:47 eivind Exp $ + * $Id: uipc_usrreq.c,v 1.42 1999/04/12 14:34:52 eivind Exp $ */ #include <sys/param.h> @@ -490,6 +490,7 @@ unp_attach(so) unp_count++; LIST_INIT(&unp->unp_refs); unp->unp_socket = so; + unp->unp_rvnode = curproc->p_fd->fd_rdir; LIST_INSERT_HEAD(so->so_type == SOCK_DGRAM ? &unp_dhead : &unp_shead, unp, unp_link); so->so_pcb = (caddr_t)unp; @@ -710,6 +711,16 @@ unp_abort(unp) #endif static int +prison_unpcb(struct proc *p, struct unpcb *unp) +{ + if (!p->p_prison) + return (0); + if (p->p_fd->fd_rdir == unp->unp_rvnode) + return (0); + return (1); +} + +static int unp_pcblist SYSCTL_HANDLER_ARGS { int error, i, n; @@ -754,7 +765,7 @@ unp_pcblist SYSCTL_HANDLER_ARGS for (unp = head->lh_first, i = 0; unp && i < n; unp = unp->unp_link.le_next) { - if (unp->unp_gencnt <= gencnt) + if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) unp_list[i++] = unp; } n = i; /* in case we lost some during malloc */ diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 43c0bcc..dd464d7 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94 - * $Id: vfs_syscalls.c,v 1.121 1999/03/23 14:26:40 phk Exp $ + * $Id: vfs_syscalls.c,v 1.122 1999/04/27 11:16:25 phk Exp $ */ /* For 4.3 integer FS ID compatibility */ @@ -132,7 +132,7 @@ mount(p, uap) /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users */ - if (suser_xxx(p->p_ucred, (u_short *)NULL)) + if (suser_xxx(p->p_ucred, 0, 0)) SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered @@ -562,6 +562,12 @@ sync(p, uap) return (0); } +/* XXX PRISON: could be per prison flag */ +static int prison_quotas; +#if 0 +SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, ""); +#endif + /* * Change filesystem quotas. */ @@ -588,6 +594,8 @@ quotactl(p, uap) int error; struct nameidata nd; + if (p->p_prison && !prison_quotas) + return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); if ((error = namei(&nd)) != 0) return (error); @@ -631,7 +639,7 @@ statfs(p, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, (u_short *)NULL)) { + if (suser_xxx(p->p_ucred, 0, 0)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -671,7 +679,7 @@ fstatfs(p, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, (u_short *)NULL)) { + if (suser_xxx(p->p_ucred, 0, 0)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -886,7 +894,7 @@ chroot(p, uap) int error; struct nameidata nd; - error = suser(p); + error = suser_xxx(0, p, PRISON_ROOT); if (error) return (error); if (chroot_allow_open_directories == 0 || @@ -1076,7 +1084,15 @@ mknod(p, uap) int whiteout = 0; struct nameidata nd; - error = suser(p); + switch (SCARG(uap, mode) & S_IFMT) { + case S_IFCHR: + case S_IFBLK: + error = suser(p); + break; + default: + error = suser_xxx(0, p, PRISON_ROOT); + break; + } if (error) return (error); NDINIT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), p); @@ -2977,7 +2993,7 @@ revoke(p, uap) if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)) != 0) goto out; if (p->p_ucred->cr_uid != vattr.va_uid && - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) goto out; if (vp->v_usecount > 1 || (vp->v_flag & VALIASED)) VOP_REVOKE(vp, REVOKEALL); diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 43c0bcc..dd464d7 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94 - * $Id: vfs_syscalls.c,v 1.121 1999/03/23 14:26:40 phk Exp $ + * $Id: vfs_syscalls.c,v 1.122 1999/04/27 11:16:25 phk Exp $ */ /* For 4.3 integer FS ID compatibility */ @@ -132,7 +132,7 @@ mount(p, uap) /* * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users */ - if (suser_xxx(p->p_ucred, (u_short *)NULL)) + if (suser_xxx(p->p_ucred, 0, 0)) SCARG(uap, flags) |= MNT_NOSUID | MNT_NODEV; /* * Get vnode to be covered @@ -562,6 +562,12 @@ sync(p, uap) return (0); } +/* XXX PRISON: could be per prison flag */ +static int prison_quotas; +#if 0 +SYSCTL_INT(_kern_prison, OID_AUTO, quotas, CTLFLAG_RW, &prison_quotas, 0, ""); +#endif + /* * Change filesystem quotas. */ @@ -588,6 +594,8 @@ quotactl(p, uap) int error; struct nameidata nd; + if (p->p_prison && !prison_quotas) + return (EPERM); NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); if ((error = namei(&nd)) != 0) return (error); @@ -631,7 +639,7 @@ statfs(p, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, (u_short *)NULL)) { + if (suser_xxx(p->p_ucred, 0, 0)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -671,7 +679,7 @@ fstatfs(p, uap) if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, (u_short *)NULL)) { + if (suser_xxx(p->p_ucred, 0, 0)) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; sp = &sb; @@ -886,7 +894,7 @@ chroot(p, uap) int error; struct nameidata nd; - error = suser(p); + error = suser_xxx(0, p, PRISON_ROOT); if (error) return (error); if (chroot_allow_open_directories == 0 || @@ -1076,7 +1084,15 @@ mknod(p, uap) int whiteout = 0; struct nameidata nd; - error = suser(p); + switch (SCARG(uap, mode) & S_IFMT) { + case S_IFCHR: + case S_IFBLK: + error = suser(p); + break; + default: + error = suser_xxx(0, p, PRISON_ROOT); + break; + } if (error) return (error); NDINIT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), p); @@ -2977,7 +2993,7 @@ revoke(p, uap) if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)) != 0) goto out; if (p->p_ucred->cr_uid != vattr.va_uid && - (error = suser(p))) + (error = suser_xxx(0, p, PRISON_ROOT))) goto out; if (vp->v_usecount > 1 || (vp->v_flag & VALIASED)) VOP_REVOKE(vp, REVOKEALL); diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index 802c437..0300ba5 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_vnops.c 8.2 (Berkeley) 1/21/94 - * $Id: vfs_vnops.c,v 1.66 1999/04/21 05:56:45 alc Exp $ + * $Id: vfs_vnops.c,v 1.67 1999/04/27 11:16:27 phk Exp $ */ #include <sys/param.h> @@ -422,7 +422,7 @@ vn_stat(vp, sb, p) sb->st_ctimespec = vap->va_ctime; sb->st_blksize = vap->va_blocksize; sb->st_flags = vap->va_flags; - if (suser_xxx(p->p_ucred, (u_short *)NULL)) + if (suser_xxx(p->p_ucred, 0, 0)) sb->st_gen = 0; else sb->st_gen = vap->va_gen; |
