diff options
Diffstat (limited to 'sys/kern/kern_jail.c')
| -rw-r--r-- | sys/kern/kern_jail.c | 71 |
1 files changed, 69 insertions, 2 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 269c87e..5a88d85 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -239,6 +239,19 @@ static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; static unsigned jail_max_af_ips = 255; #endif +/* + * Initialize the parts of prison0 that can't be static-initialized with + * constants. This is called from proc0_init() after creating thread0 cpuset. + */ +void +prison0_init(void) +{ + + prison0.pr_cpuset = cpuset_ref(thread0.td_cpuset); + prison0.pr_osreldate = osreldate; + strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease)); +} + #ifdef INET static int qcmp_v4(const void *ip1, const void *ip2) @@ -538,7 +551,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) struct prison *pr, *deadpr, *mypr, *ppr, *tpr; struct vnode *root; char *domain, *errmsg, *host, *name, *namelc, *p, *path, *uuid; - char *g_path; + char *g_path, *osrelstr; #if defined(INET) || defined(INET6) struct prison *tppr; void *op; @@ -548,7 +561,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) int created, cuflags, descend, enforce, error, errmsg_len, errmsg_pos; int gotchildmax, gotenforce, gothid, gotrsnum, gotslevel; int fi, jid, jsys, len, level; - int childmax, rsnum, slevel; + int childmax, osreldt, rsnum, slevel; int fullpath_disabled; #if defined(INET) || defined(INET6) int ii, ij; @@ -959,6 +972,46 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) } } + error = vfs_getopt(opts, "osrelease", (void **)&osrelstr, &len); + if (error == ENOENT) + osrelstr = NULL; + else if (error != 0) + goto done_free; + else { + if (flags & JAIL_UPDATE) { + error = EINVAL; + vfs_opterror(opts, + "osrelease cannot be changed after creation"); + goto done_errmsg; + } + if (len == 0 || len >= OSRELEASELEN) { + error = EINVAL; + vfs_opterror(opts, + "osrelease string must be 1-%d bytes long", + OSRELEASELEN - 1); + goto done_errmsg; + } + } + + error = vfs_copyopt(opts, "osreldate", &osreldt, sizeof(osreldt)); + if (error == ENOENT) + osreldt = 0; + else if (error != 0) + goto done_free; + else { + if (flags & JAIL_UPDATE) { + error = EINVAL; + vfs_opterror(opts, + "osreldate cannot be changed after creation"); + goto done_errmsg; + } + if (osreldt == 0) { + error = EINVAL; + vfs_opterror(opts, "osreldate cannot be 0"); + goto done_errmsg; + } + } + /* * Grab the allprison lock before letting modules check their * parameters. Once we have it, do not let go so we'll have a @@ -1285,6 +1338,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum; + pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate; + if (osrelstr == NULL) + strcpy(pr->pr_osrelease, ppr->pr_osrelease); + else + strcpy(pr->pr_osrelease, osrelstr); + LIST_INIT(&pr->pr_children); mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK); @@ -4303,12 +4362,20 @@ sysctl_jail_param(SYSCTL_HANDLER_ARGS) return (0); } +/* + * CTLFLAG_RDTUN in the following indicates jail parameters that can be set at + * jail creation time but cannot be changed in an existing jail. + */ SYSCTL_JAIL_PARAM(, jid, CTLTYPE_INT | CTLFLAG_RDTUN, "I", "Jail ID"); SYSCTL_JAIL_PARAM(, parent, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail parent ID"); SYSCTL_JAIL_PARAM_STRING(, name, CTLFLAG_RW, MAXHOSTNAMELEN, "Jail name"); SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path"); SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT | CTLFLAG_RW, "I", "Jail secure level"); +SYSCTL_JAIL_PARAM(, osreldate, CTLTYPE_INT | CTLFLAG_RDTUN, "I", + "Jail value for kern.osreldate and uname -K"); +SYSCTL_JAIL_PARAM_STRING(, osrelease, CTLFLAG_RDTUN, OSRELEASELEN, + "Jail value for kern.osrelease and uname -r"); SYSCTL_JAIL_PARAM(, enforce_statfs, CTLTYPE_INT | CTLFLAG_RW, "I", "Jail cannot see all mounted file systems"); SYSCTL_JAIL_PARAM(, devfs_ruleset, CTLTYPE_INT | CTLFLAG_RW, |
