o Move per-process jail pointer (p->pr_prison) to inside of the subject

  credential structure, ucred (cr->cr_prison).
o Allow jail inheritence to be a function of credential inheritence.
o Abstract prison structure reference counting behind pr_hold() and
  pr_free(), invoked by the similarly named credential reference
  management functions, removing this code from per-ABI fork/exit code.
o Modify various jail() functions to use struct ucred arguments instead
  of struct proc arguments.
o Introduce jailed() function to determine if a credential is jailed,
  rather than directly checking pointers all over the place.
o Convert PRISON_CHECK() macro to prison_check() function.
o Move jail() function prototypes to jail.h.
o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the
  flag in the process flags field itself.
o Eliminate that "const" qualifier from suser/p_can/etc to reflect
  mutex use.

Notes:

o Some further cleanup of the linux/jail code is still required.
o It's now possible to consider resolving some of the process vs
  credential based permission checking confusion in the socket code.
o Mutex protection of struct prison is still not present, and is
  required to protect the reference count plus some fields in the
  structure.

Reviewed by:	freebsd-arch
Obtained from:	TrustedBSD Project

1 files changed, 3 insertions, 1 deletions

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 2dba7d9..dc4ae26 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -46,6 +46,7 @@
 #include <sys/socketvar.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
+#include <sys/jail.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -915,7 +916,8 @@ sysctl_iflist(af, w)
 		while ((ifa = TAILQ_NEXT(ifa, ifa_link)) != 0) {
 			if (af && af != ifa->ifa_addr->sa_family)
 				continue;
-			if (curproc->p_prison && prison_if(curproc, ifa->ifa_addr))
+			if (jailed(curproc->p_ucred) &&
+			    prison_if(curproc->p_ucred, ifa->ifa_addr))
 				continue;
 			ifaaddr = ifa->ifa_addr;
 			netmask = ifa->ifa_netmask;