Lines 208-216
Link Here
|
208 |
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) |
208 |
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) |
209 |
#define JAIL_DEFAULT_ENFORCE_STATFS 2 |
209 |
#define JAIL_DEFAULT_ENFORCE_STATFS 2 |
210 |
#define JAIL_DEFAULT_DEVFS_RSNUM 0 |
210 |
#define JAIL_DEFAULT_DEVFS_RSNUM 0 |
|
|
211 |
#ifdef BURN_BRIDGESXXX |
211 |
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; |
212 |
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; |
212 |
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; |
213 |
static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; |
213 |
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; |
214 |
static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; |
|
|
215 |
#endif |
214 |
#if defined(INET) || defined(INET6) |
216 |
#if defined(INET) || defined(INET6) |
215 |
static unsigned jail_max_af_ips = 255; |
217 |
static unsigned jail_max_af_ips = 255; |
216 |
#endif |
218 |
#endif |
Lines 228-233
Link Here
|
228 |
strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease)); |
230 |
strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease)); |
229 |
} |
231 |
} |
230 |
|
232 |
|
|
|
233 |
#ifdef COMPAT_FREEBSD11XXX |
231 |
/* |
234 |
/* |
232 |
* struct jail_args { |
235 |
* struct jail_args { |
233 |
* struct jail *jail; |
236 |
* struct jail *jail; |
Lines 234-240
Link Here
|
234 |
* }; |
237 |
* }; |
235 |
*/ |
238 |
*/ |
236 |
int |
239 |
int |
237 |
sys_jail(struct thread *td, struct jail_args *uap) |
240 |
freebsd11_jail(struct thread *td, struct freebsd11_jail_args *uap) |
238 |
{ |
241 |
{ |
239 |
uint32_t version; |
242 |
uint32_t version; |
240 |
int error; |
243 |
int error; |
Lines 279-291
Link Here
|
279 |
/* Sci-Fi jails are not supported, sorry. */ |
282 |
/* Sci-Fi jails are not supported, sorry. */ |
280 |
return (EINVAL); |
283 |
return (EINVAL); |
281 |
} |
284 |
} |
282 |
return (kern_jail(td, &j)); |
285 |
return (freebsd11_kern_jail(td, &j)); |
283 |
} |
286 |
} |
284 |
|
287 |
|
285 |
int |
288 |
int |
286 |
kern_jail(struct thread *td, struct jail *j) |
289 |
freebsd11_kern_jail(struct thread *td, struct jail *j) |
287 |
{ |
290 |
{ |
288 |
struct iovec optiov[2 * (4 + nitems(pr_flag_allow) |
291 |
struct iovec optiov[2 * (3 |
|
|
292 |
#ifdef BURN_BRIDGESXXX |
293 |
+ 1 + nitems(pr_flag_allow) |
294 |
#endif |
289 |
#ifdef INET |
295 |
#ifdef INET |
290 |
+ 1 |
296 |
+ 1 |
291 |
#endif |
297 |
#endif |
Lines 295-301
Link Here
|
295 |
)]; |
301 |
)]; |
296 |
struct uio opt; |
302 |
struct uio opt; |
297 |
char *u_path, *u_hostname, *u_name; |
303 |
char *u_path, *u_hostname, *u_name; |
|
|
304 |
#ifdef BURN_BRIDGESXXX |
298 |
struct bool_flags *bf; |
305 |
struct bool_flags *bf; |
|
|
306 |
int enforce_statfs; |
307 |
#endif |
299 |
#ifdef INET |
308 |
#ifdef INET |
300 |
uint32_t ip4s; |
309 |
uint32_t ip4s; |
301 |
struct in_addr *u_ip4; |
310 |
struct in_addr *u_ip4; |
Lines 304-310
Link Here
|
304 |
struct in6_addr *u_ip6; |
313 |
struct in6_addr *u_ip6; |
305 |
#endif |
314 |
#endif |
306 |
size_t tmplen; |
315 |
size_t tmplen; |
307 |
int error, enforce_statfs; |
316 |
int error; |
308 |
|
317 |
|
309 |
bzero(&optiov, sizeof(optiov)); |
318 |
bzero(&optiov, sizeof(optiov)); |
310 |
opt.uio_iov = optiov; |
319 |
opt.uio_iov = optiov; |
Lines 315-320
Link Here
|
315 |
opt.uio_rw = UIO_READ; |
324 |
opt.uio_rw = UIO_READ; |
316 |
opt.uio_td = td; |
325 |
opt.uio_td = td; |
317 |
|
326 |
|
|
|
327 |
#ifdef BURN_BRIDGESXXX |
318 |
/* Set permissions for top-level jails from sysctls. */ |
328 |
/* Set permissions for top-level jails from sysctls. */ |
319 |
if (!jailed(td->td_ucred)) { |
329 |
if (!jailed(td->td_ucred)) { |
320 |
for (bf = pr_flag_allow; |
330 |
for (bf = pr_flag_allow; |
Lines 335-340
Link Here
|
335 |
optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs); |
345 |
optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs); |
336 |
opt.uio_iovcnt++; |
346 |
opt.uio_iovcnt++; |
337 |
} |
347 |
} |
|
|
348 |
#endif |
338 |
|
349 |
|
339 |
tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN; |
350 |
tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN; |
340 |
#ifdef INET |
351 |
#ifdef INET |
Lines 438-443
Link Here
|
438 |
free(u_path, M_TEMP); |
449 |
free(u_path, M_TEMP); |
439 |
return (error); |
450 |
return (error); |
440 |
} |
451 |
} |
|
|
452 |
#endif /* COMPAT_FREEBSD11 */ |
441 |
|
453 |
|
442 |
|
454 |
|
443 |
/* |
455 |
/* |
Lines 1255-1261
Link Here
|
1255 |
|
1267 |
|
1256 |
pr->pr_securelevel = ppr->pr_securelevel; |
1268 |
pr->pr_securelevel = ppr->pr_securelevel; |
1257 |
pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; |
1269 |
pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow; |
|
|
1270 |
#ifndef BURN_BRIDGESXXX |
1271 |
pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; |
1272 |
#else |
1258 |
pr->pr_enforce_statfs = jail_default_enforce_statfs; |
1273 |
pr->pr_enforce_statfs = jail_default_enforce_statfs; |
|
|
1274 |
#endif |
1259 |
pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum; |
1275 |
pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum; |
1260 |
|
1276 |
|
1261 |
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate; |
1277 |
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate; |
Lines 3407-3412
Link Here
|
3407 |
static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, |
3423 |
static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0, |
3408 |
"Jails"); |
3424 |
"Jails"); |
3409 |
|
3425 |
|
|
|
3426 |
#ifdef COMPAT_FREEBSD11XXX |
3410 |
static int |
3427 |
static int |
3411 |
sysctl_jail_list(SYSCTL_HANDLER_ARGS) |
3428 |
sysctl_jail_list(SYSCTL_HANDLER_ARGS) |
3412 |
{ |
3429 |
{ |
Lines 3510-3515
Link Here
|
3510 |
SYSCTL_OID(_security_jail, OID_AUTO, list, |
3527 |
SYSCTL_OID(_security_jail, OID_AUTO, list, |
3511 |
CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, |
3528 |
CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, |
3512 |
sysctl_jail_list, "S", "List of active jails"); |
3529 |
sysctl_jail_list, "S", "List of active jails"); |
|
|
3530 |
#endif /* COMPAT_FREEBSD11 */ |
3513 |
|
3531 |
|
3514 |
static int |
3532 |
static int |
3515 |
sysctl_jail_jailed(SYSCTL_HANDLER_ARGS) |
3533 |
sysctl_jail_jailed(SYSCTL_HANDLER_ARGS) |
Lines 3549-3557
Link Here
|
3549 |
#if defined(INET) || defined(INET6) |
3567 |
#if defined(INET) || defined(INET6) |
3550 |
SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW, |
3568 |
SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW, |
3551 |
&jail_max_af_ips, 0, |
3569 |
&jail_max_af_ips, 0, |
3552 |
"Number of IP addresses a jail may have at most per address family (deprecated)"); |
3570 |
"Number of IP addresses a jail may have at most per address family"); |
3553 |
#endif |
3571 |
#endif |
3554 |
|
3572 |
|
|
|
3573 |
#ifdef BURN_BRIDGESXXX |
3555 |
/* |
3574 |
/* |
3556 |
* Default parameters for jail(2) compatibility. For historical reasons, |
3575 |
* Default parameters for jail(2) compatibility. For historical reasons, |
3557 |
* the sysctl names have varying similarity to the parameter names. Prisons |
3576 |
* the sysctl names have varying similarity to the parameter names. Prisons |
Lines 3669-3674
Link Here
|
3669 |
&jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum), |
3688 |
&jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum), |
3670 |
sysctl_jail_default_level, "I", |
3689 |
sysctl_jail_default_level, "I", |
3671 |
"Ruleset for the devfs filesystem in jail (deprecated)"); |
3690 |
"Ruleset for the devfs filesystem in jail (deprecated)"); |
|
|
3691 |
#endif /* !BURN_BRIDGES */ |
3672 |
|
3692 |
|
3673 |
/* |
3693 |
/* |
3674 |
* Nodes to describe jail parameters. Maximum length of string parameters |
3694 |
* Nodes to describe jail parameters. Maximum length of string parameters |