path: root/sys/kern/kern_jail.c
Commit message | Author | Age | Files | Lines
* prison_racct_detach can be called for a not fully initialized jail, so make it check that the jail has racct before doing anything
  Author: mjg | Age: 2012-12-18 | Files: 1 | Lines: -0/+2
  PR: kern/174436
  Reviewed by: trasz
  MFC after: 3 days
* Remove the support for using non-mpsafe filesystem modules.
  Author: kib | Age: 2012-10-22 | Files: 1 | Lines: -21/+6
  In particular, do not lock Giant conditionally when calling into the filesystem module; remove the VFS_LOCK_GIANT() and related macros. Stop handling buffers belonging to non-mpsafe filesystems. The VFS_VERSION is bumped to indicate the interface change, which does not result in interface signature changes.
  Conducted and reviewed by: attilio
  Tested by: pho
* Fix use-after-free in kern_jail_set() triggered e.g. by attempts to clear the "persist" flag from an empty persistent jail, like this:
  Author: trasz | Age: 2012-05-22 | Files: 1 | Lines: -6/+10
      jail -c persist=1
      jail -n 1 -m persist=0
  Submitted by: Mateusz Guzik <mjguzik at gmail dot com>
  MFC after: 2 weeks
* Don't leak locks in prison_racct_modify().
  Author: trasz | Age: 2012-05-22 | Files: 1 | Lines: -1/+4
  Submitted by: Mateusz Guzik <mjguzik at gmail dot com>
  MFC after: 2 weeks
* Make racct and rctl correctly handle jail renaming. Previously they would continue using the old name, the one the jail was created with.
  Author: trasz | Age: 2012-03-06 | Files: 1 | Lines: -8/+71
  PR: bin/165207
* Add procfs to jail-mountable filesystems.
  Author: mm | Age: 2012-02-29 | Files: 1 | Lines: -0/+8
  Reviewed by: jamie
  MFC after: 1 week
* Analogous to r232059, add a parameter for the ZFS file system:
  Author: mm | Age: 2012-02-26 | Files: 1 | Lines: -4/+12
      allow.mount.zfs: allow mounting the zfs filesystem inside a jail
  This way the permissions for mounting all current VFCF_JAIL filesystems inside a jail are controlled via allow.mount.* jail parameters.
  Update sysctl descriptions. Update jail(8) and zfs(8) manpages.
  TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel developers
  MFC after: 10 days
* To improve control over the use of mount(8) inside a jail(8), introduce a new jail parameter node with the following parameters:
  Author: mm | Age: 2012-02-23 | Files: 1 | Lines: -11/+26
      allow.mount.devfs: allow mounting the devfs filesystem inside a jail
      allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail
  Both parameters are disabled by default (equals the behavior before devfs and nullfs in jails). Administrators have to explicitly allow mounting devfs and nullfs for each jail.
  The value "-1" of the devfs_ruleset parameter is removed in favor of the new allow setting.
  Reviewed by: jamie
  Suggested by: pjd
  MFC after: 2 weeks
* Add support for mounting devfs inside jails.
  Author: mm | Age: 2012-02-09 | Files: 1 | Lines: -2/+55
  A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit the parent's enforcement, as jails are not allowed to view or manipulate devfs(8) rules.
  Utilizes new functions introduced in r231265.
  Reviewed by: jamie
  MFC after: 1 month
* Use a separate buffer for the global path to avoid overflow of the path buffer.
  Author: mm | Age: 2012-01-21 | Files: 1 | Lines: -3/+11
  Reviewed by: jamie@
  MFC after: 3 weeks
* Fix missing in r230129:
  Author: mm | Age: 2012-01-15 | Files: 1 | Lines: -0/+1
      kern_jail.c: initialize fullpath_disabled to zero
      vfs_cache.c: add missing dot in comment
  Reported by: kib
  MFC after: 1 month
* Introduce vn_path_to_global_path()
  Author: mm | Age: 2012-01-15 | Files: 1 | Lines: -19/+31
  This function updates the path string to the vnode's full global path and checks the size of the new path string against the pathlen argument. In vfs_domount(), sys_unmount() and kern_jail_set() this new function is used to update the supplied path argument to the respective global path.
  Unbreaks jailed zfs(8) with enforce_statfs set to 1.
  Reviewed by: kib
  MFC after: 1 month
* Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
  Author: ed | Age: 2011-11-07 | Files: 1 | Lines: -1/+1
  The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
* Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.
  Author: ed | Age: 2011-11-07 | Files: 1 | Lines: -1/+1
  This means that their use is restricted to a single C file.
* In order to maximize the re-usability of kernel code in user space, this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal to kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls.
  Author: kmacy | Age: 2011-09-16 | Files: 1 | Lines: -6/+6
  Reviewed by: rwatson
  Approved by: re (bz)
* Delay the recursive decrement of pr_uref when jails are made invisible but not removed; decrement it instead when the child jail actually goes away. This avoids letting the counter go below zero in the case where dying (pr_uref==0) jails are "resurrected", and an associated KASSERT panic.
  Author: jamie | Age: 2011-08-26 | Files: 1 | Lines: -26/+5
  Submitted by: Steven Hartland
  Approved by: re (bz)
  MFC after: 1 week
* Always disable mount and unmount for jails with enforce_statfs==2.
  Author: mm | Age: 2011-08-02 | Files: 1 | Lines: -1/+2
  A working statfs(2) is required for umount(8) in a jail.
  Reviewed by: pjd, kib
  Approved by: re (kib)
  MFC after: 2 weeks
* This update changes the mnt_flag field in the mount structure from 32 bits to 64 bits and eliminates the unused mnt_xflag field. The existing mnt_flag field is completely out of bits, so this update gives us room to expand. Note that the f_flags field in the statfs structure is already 64 bits, so the expanded mnt_flag field can be exported without having to make any changes in the statfs structure.
  Author: mckusick | Age: 2011-07-24 | Files: 1 | Lines: -2/+2
  Approved by: re (bz)
* Add infrastructure to allow all frames/packets received on an interface to be assigned to a non-default FIB instance.
  Author: bz | Age: 2011-07-03 | Files: 1 | Lines: -0/+1
  You may need to recompile world or ports due to the change of struct ifnet.
  Submitted by: cjsp
  Submitted by: Alexander V. Chernikov (melifaro ipfw.ru) (original versions)
  Reviewed by: julian
  Reviewed by: Alexander V. Chernikov (melifaro ipfw.ru)
  MFC after: 2 weeks
  X-MFC: use spare in struct ifnet
* Change the way rctl interfaces with jails by introducing the prison_racct structure, which acts as a proxy between them. This makes jail rules persistent, i.e. they can be added before the jail gets created, and they don't disappear when the jail gets destroyed.
  Author: trasz | Age: 2011-05-03 | Files: 1 | Lines: -9/+107
* Add rctl. It's used by racct to take user-configurable actions based on the set of rules it maintains and the current resource usage. It also provides a userland API to manage that ruleset.
  Author: trasz | Age: 2011-03-30 | Files: 1 | Lines: -0/+4
  Sponsored by: The FreeBSD Foundation
  Reviewed by: kib (earlier version)
* Add racct. It's an API to keep per-process, per-jail, per-loginclass and per-loginclass resource accounting information, to be used by the new resource limits code. It's connected to the build, but the code that actually calls the new functions will come later.
  Author: trasz | Age: 2011-03-29 | Files: 1 | Lines: -0/+17
  Sponsored by: The FreeBSD Foundation
  Reviewed by: kib (earlier version)
* - Merge changes to the base system to support OFED. These include a wider arg2 for sysctl, updates to vlan code, IFT_INFINIBAND, and other miscellaneous small features.
  Author: jeff | Age: 2011-03-21 | Files: 1 | Lines: -1/+1
* Add two new system calls, setloginclass(2) and getloginclass(2). This makes it possible for the kernel to track the login class the process is assigned to, which is required for RCTL. This change also makes setusercontext(3) call setloginclass(2) and makes it possible to retrieve the current login class using id(1).
  Author: trasz | Age: 2011-03-05 | Files: 1 | Lines: -0/+6
  Reviewed by: kib (as part of a larger patch)
* Add a macro to test the sv_flags of any process. Change some places to test the flags instead of explicitly comparing with the address of known sysentvec structures.
  Author: dchagin | Age: 2011-01-26 | Files: 1 | Lines: -2/+2
  MFC after: 1 month
* Mfp4 CH177924:
  Author: bz | Age: 2010-12-31 | Files: 1 | Lines: -1/+8
  Add and export constants of array sizes of jail parameters as compiled into the kernel. This is the least intrusive way to allow kvm to read the (sparse) arrays independent of the options the kernel was compiled with.
  Reviewed by: jhb (originally)
  MFC after: 1 week
  Sponsored by: The FreeBSD Foundation
  Sponsored by: CK Software GmbH
* Don't exit kern_jail_set without freeing options when enforce_statfs has an illegal value.
  Author: jamie | Age: 2010-09-10 | Files: 1 | Lines: -5/+8
  MFC after: 3 days
* Back out r210974. Any convenience of not typing "persist" is outweighed by the possibility of unintended partially-formed jails.
  Author: jamie | Age: 2010-08-08 | Files: 1 | Lines: -2/+6
* Implicitly make a new jail persistent if it's set not to attach.
  Author: jamie | Age: 2010-08-06 | Files: 1 | Lines: -6/+2
  MFC after: 3 days
* Declare ip6 as (struct in6_addr *) instead of (struct in_addr *). This is a harmless bug since we never actually use ip6 as anything other than an opaque pointer.
  Author: cperciva | Age: 2010-06-04 | Files: 1 | Lines: -1/+1
  Found with: Coverity Prevent(tm)
  CID: 4319
  MFC after: 1 month
* Provide groundwork for 32-bit binary compatibility on non-x86 platforms, for upcoming 64-bit PowerPC and MIPS support. This renames the COMPAT_IA32 option to COMPAT_FREEBSD32, removes some IA32-specific code from MI parts of the kernel and enhances the freebsd32 compatibility code to support big-endian platforms.
  Author: nwhitehorn | Age: 2010-03-11 | Files: 1 | Lines: -4/+4
  Reviewed by: kib, jhb
* Revised revision 199201 (add interface description capability as inspired by OpenBSD), based on comments from many, including rwatson, jhb, brooks and others.
  Author: delphij | Age: 2010-01-27 | Files: 1 | Lines: -0/+1
  Sponsored by: iXsystems, Inc.
  MFC after: 1 month
* Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control whether to use source address selection (default) or the primary jail address for unbound outgoing connections.
  Author: bz | Age: 2010-01-17 | Files: 1 | Lines: -2/+108
  This is intended to be used by people upgrading from single-IP jails to multi-IP jails but not having to change firewall rules, application ACLs, ... but to force their connections (unless otherwise changed) to the primary jail IP they had been used for years, as well as for people preferring to implement similar policies.
  Note that for IPv6, if configured incorrectly, this might lead to scope violations, which single-IPv6 jails could as well, as by the design of jails. [1]
  Reviewed by: jamie, hrs (ipv6 part)
  Pointed out by: hrs [1]
  MFC After: 2 weeks
  Asked for by: Jase Thew (bazerka beardz.net)
* Change DDB show prison:
  Author: bz | Age: 2010-01-11 | Files: 1 | Lines: -5/+6
  - name some columns more closely to the user space variables, as we do for host.* or allow.* (in the listing) already.
  - print pr_childmax (children.max).
  - prefix hex values with 0x.
  MFC after: 3 weeks
* Adjust a comment to reflect reality, as we have proper source address selection, even for IPv4, since r183571.
  Author: bz | Age: 2010-01-11 | Files: 1 | Lines: -1/+3
  Pointed out by: Jase Thew (bazerka beardz.net)
  MFC after: 3 days
* (S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument. Fix some wrong usages.
  Author: antoine | Age: 2009-12-28 | Files: 1 | Lines: -1/+1
  Note: this does not affect generated binaries as this argument is not used.
  PR: 137213
  Submitted by: Eygene Ryabinkin (initial version)
  MFC after: 1 month
* Throughout the network stack we have a few places of
      if (jailed(cred))
  left. If you are running with a vnet (virtual network stack) those will return true and defer you to classic IP-jails handling and thus things will be "denied" or returned with an error.
  Author: bz | Age: 2009-12-13 | Files: 1 | Lines: -1/+24
  Work around this problem by introducing another "jailed()" function, jailed_without_vnet(), that also takes vnets into account, and permits the calls, should the jail from the given cred have its own virtual network stack. We cannot change the classic jailed() call to do that, as it is used outside the network stack as well.
  Discussed with: julian, zec, jamie, rwatson (back in Sept)
  MFC after: 5 days
* Revert revision 199201 for now as it has introduced a kernel vulnerability and requires more polishing.
  Author: delphij | Age: 2009-11-12 | Files: 1 | Lines: -1/+0
* Add interface description capability as inspired by OpenBSD.
  Author: delphij | Age: 2009-11-11 | Files: 1 | Lines: -0/+1
  MFC after: 3 months
* Revert previous commit and add myself to the list of people who should know better than to commit with a cat in the area.
  Author: phk | Age: 2009-09-08 | Files: 1 | Lines: -1/+0
* Add necessary include.
  Author: phk | Age: 2009-09-08 | Files: 1 | Lines: -0/+1
* Allow a jail's name to be the same as its jid (which is the default if no name is specified), but still disallow other numeric names.
  Author: jamie | Age: 2009-09-04 | Files: 1 | Lines: -9/+20
  Reviewed by: zec
  Approved by: bz (mentor)
  MFC after: 3 days
* Fix a LOR between allprison_lock and vnode locks by releasing allprison_lock before releasing a prison's root vnode.
  Author: jamie | Age: 2009-08-27 | Files: 1 | Lines: -2/+2
  PR: kern/138004
  Reviewed by: kib
  Approved by: bz (mentor)
  MFC after: 3 days
* When a "jail -c vnet" request fails, the current code actually creates and leaves behind an orphaned vnet. This change ensures that such vnets get released.
  Author: zec | Age: 2009-08-24 | Files: 1 | Lines: -1/+1
  This change affects only options VIMAGE builds.
  Submitted by: jamie
  Discussed with: bz
  Approved by: re (rwatson), julian (mentor)
  MFC after: 3 days
* Make it possible to change the vnet sysctl variables on jails with their own virtual network stack. Jails only inheriting a network stack cannot change anything that cannot be changed from within a prison.
  Author: bz | Age: 2009-08-13 | Files: 1 | Lines: -0/+23
  Reviewed by: rwatson, zec
  Approved by: re (kib)
* Make the kernel compile without IP networking by moving a variable under a proper #ifdef.
  Author: bz | Age: 2009-08-12 | Files: 1 | Lines: -1/+2
  Approved by: re (rwatson)
* Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h; we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
  Author: rwatson | Age: 2009-08-01 | Files: 1 | Lines: -1/+4
  Reviewed by: bz
  Approved by: re (vimage blanket)
* Make the "enforce_statfs" default 2 (most restrictive) in jail_set(2), instead of whatever the parent/system has (which is generally 0). This mirrors the old-style default used for jail(2) in conjunction with the security.jail.enforce_statfs sysctl.
  Author: jamie | Age: 2009-07-31 | Files: 1 | Lines: -3/+4
  Approved by: re (kib), bz (mentor)
* Remove a LOR, where the sleepable allprison_lock was being obtained in prison_equal_ip4/6 while an inp mutex was held.
  Author: jamie | Age: 2009-07-30 | Files: 1 | Lines: -309/+187
  Locking allprison_lock can be avoided by making a restriction on the IP addresses associated with jails: Don't allow the "ip4" and "ip6" parameters to be changed after a jail is created. Setting the "ip4.addr" and "ip6.addr" parameters is allowed, but only if the jail was already created with either ip4/6=new or ip4/6=disable. With this restriction, the prison flags in question (PR_IP4_USER and PR_IP6_USER) become read-only and can be checked without locking.
  This also allows the simplification of a messy code path that was needed to handle an existing prison gaining an IP address list.
  PR: kern/136899
  Reported by: Dirk Meyer
  Approved by: re (kib), bz (mentor)
* Don't allow mixing the "vnet" and "ip4/6" jail parameters, since vnet jails have their own IP stack and don't have access to the parent IP addresses anyway. Note that a virtual network stack forms a break between prisons with regard to the list of allowed IP addresses.
  Author: jamie | Age: 2009-07-29 | Files: 1 | Lines: -11/+98
  Approved by: re (kib), bz (mentor)