$FreeBSD: doc/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml,v 1.19 2007/01/31 14:22:22 delphij Exp $

     $FreeBSD: /repoman/r/dcvs/doc/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml,v 1.19 2007/01/31 14:22:22 delphij Exp $

      kernel: the <literal>jail()</literal> system call and associated

      kernel: the <literal>jail</literal> system call and associated

        <programlisting><filename>/usr/src/usr.sbin/jail.c</filename>

        <programlisting><filename>/usr/src/usr.sbin/jail/jail.c</filename>

j.version = 0; 

char path[PATH_MAX];

j.path = argv[1];

...

j.hostname = argv[2];</programlisting>

if (realpath(argv[0], path) == NULL)

    err(1, "realpath: %s", argv[0]);

if (chdir(path) != 0)

    err(1, "chdir: %s", path);

memset(&j, 0, sizeof(j));

j.version = 0;

j.path = path;

j.hostname = argv[1];</programlisting>

          network. Jail translates the ip address given into network

          network. Jail translates the ip address given into host

struct in.addr in; 

struct in_addr in; 

... 

i = inet_aton(argv[3], <![CDATA[&in]]>); 

j.ip_number = ntohl(in.s.addr);</programlisting>

if (inet_aton(argv[2], &in) == 0)

    errx(1, "Could not make sense of ip-number: %s", argv[2]);

j.ip_number = ntohl(in.s_addr);</programlisting>

          <citerefentry><refentrytitle>inet_aton</refentrytitle><manvolnum>3</manvolnum></citerefentry>

          <citerefentry><refentrytitle>inet_aton</refentrytitle>

          <manvolnum>3</manvolnum></citerefentry>

          inet aton is translated into network byte order by

          inet_aton is translated into host byte order by

          imprisoned process itself and forks a child process which

          imprisoned process itself and then executes the command

          then executes the command given using &man.execv.3;</para>

          given using &man.execv.3;</para>

i = jail(<![CDATA[&j]]>); 

i = jail(&j); 

i = execv(argv[4], argv + 4);</programlisting>

if (execv(argv[3], argv + 3) != 0)

    err(1, "execv: %s", argv[3]);</programlisting>

    <![CDATA[&jail]]>_set_hostname_allowed, 0,

    &jail_set_hostname_allowed, 0,

    <![CDATA[&jail]]>_socket_unixiproute_only, 0,

    &jail_socket_unixiproute_only, 0,

    "Processes in jail are limited to creating &unix;/IPv4/route sockets only

    "Processes in jail are limited to creating &unix;/IPv4/route sockets only");

");

    <![CDATA[&jail]]>_sysvipc_allowed, 0,

    &jail_sysvipc_allowed, 0,

    <![CDATA[&jail]]>_enforce_statfs, 0,

    &jail_enforce_statfs, 0,

    <![CDATA[&jail]]>_allow_raw_sockets, 0,

    &jail_allow_raw_sockets, 0,

    <![CDATA[&jail]]>_chflags_allowed, 0,

    &jail_chflags_allowed, 0,

          two arguments, <literal>struct proc *p</literal> and

          two arguments, <literal>struct thread *td</literal> and

          <literal>struct jail_args

          <literal>struct jail_args *uap</literal>.

          *uap</literal>. <literal>p</literal> is a pointer to a proc

          <literal>td</literal> is a pointer to the thread

          structure which describes the calling process. In this

          structure which describes the calling thread. In this

          context, uap is a pointer to a structure which specifies the

          context, uap is a pointer to the structure which specifies the

int

/*

jail(p, uap)

 * MPSAFE

        struct proc *p;

 *  

        struct jail_args /* {

 * struct jail_args {

                syscallarg(struct jail *) jail;

 *  struct jail *jail;

        } */ *uap;</programlisting>

 * };

 */ 

int 

jail(struct thread *td, struct jail_args *uap)</programlisting>

error = copyin(uap-&gt;jail, <![CDATA[&j]]>, sizeof j);</programlisting>

error = copyin(uap-&gt;jail, &amp;j, sizeof(j));</programlisting>

        int             pr_ref;

    LIST_ENTRY(prison) pr_list;         /* (a) all prisons */

        char            pr_host[MAXHOSTNAMELEN];

    int      pr_id;             /* (c) prison id */

        u_int32_t       pr_ip;

    int      pr_ref;            /* (p) refcount */

        void            *pr_linux;

    char         pr_path[MAXPATHLEN];       /* (c) chroot path */

    struct vnode    *pr_root;           /* (c) vnode to rdir */

    char         pr_host[MAXHOSTNAMELEN];   /* (p) jail hostname */

    u_int32_t    pr_ip;             /* (c) ip addr host */

    void        *pr_linux;          /* (p) linux abi */

    int      pr_securelevel;        /* (p) securelevel */

    struct task  pr_task;           /* (d) destroy task */

    struct mtx   pr_mtx;

 MALLOC(pr, struct prison *, sizeof *pr , M_PRISON, M_WAITOK);

MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO);

 bzero((caddr_t)pr, sizeof *pr);

...

 error = copyinstr(j.hostname, <![CDATA[&pr-&gt;pr_host]]>, sizeof pr-&gt;pr_host, 0);

error = copyinstr(j.path, &pr->pr_path, sizeof(pr->pr_path), 0);

 if (error) 

if (error)

         goto bail;</programlisting>

    goto e_killmtx;

...

      <indexterm><primary>chroot</primary></indexterm>

error = copyinstr(j.hostname, &pr->pr_host, sizeof(pr->pr_host), 0);

 if (error)

        <para>Finally, the jail system call chroots the path

     goto e_dropvnref;</programlisting>

          specified. The chroot function is given two arguments. The

          first is p, which represents the calling process, the second

          is a pointer to the structure chroot args. The structure

          chroot args contains the path which is to be chrooted. As

          you can see, the path specified in the jail structure is

          copied to the chroot args structure and used.</para>

        <programlisting><filename>/usr/src/sys/kern/kern_jail.c</filename>:

ca.path = j.path; 

error = chroot(p, <![CDATA[&ca]]>);</programlisting>

          the p argument in any system call is actually a pointer to

          the td argument in any system call is actually a pointer to

          that process' proc structure, as stated before. The proc

          that calling thread's thread structure, as stated before. The

          structure contains nodes which can describe the owner's

          td->td_proc is a pointer to the calling process' process

          identity (<literal>p_cred</literal>), the process resource

          structure.  The proc structure contains nodes which can describe

          limits (<literal>p_limit</literal>), and so on. In the

          the owner's identity (<literal>p_ucred</literal>), the process

          definition of the process structure, there is a pointer to a

          resource limits (<literal>p_limit</literal>), and so on. In the

          prison structure. (<literal>p_prison</literal>).</para>

          definition of the ucred structure, there is a pointer to a

          prison structure. (<literal>cr_prison</literal>).</para>

struct prison *p_prison; 

struct ucred *p_ucred; 

...

};

<filename>/usr/include/sys/ucred.h</filename>

struct ucred {

...

struct prison *cr_prison;

          copies the pr structure, which is filled with all the

          calls function jail_attach with a given jid. And the jail_attach

          information from the original jail structure, over to the

          calls function change_root to change the root directory of the

          <literal>p-&gt;p_prison</literal> structure. It then does a

          calling process.  The jail_attach function then creates a new ucred

          bitwise OR of <literal>p-&gt;p_flag</literal> with the constant

          structure, and attaches the newly created ucred structure to the

          <literal>P_JAILED</literal>, meaning that the calling

          calling process after it has successfully attaches the prison on the

          process is now recognized as jailed. The parent process of

          cred structure. From then on, the calling process is recognized as

          each process, forked within the jail, is the program jail

          jailed. When calls function jailed with the newly created ucred

          itself, as it calls the &man.jail.2; system call. When the

          structure as the argument, it returns 1 to tell that the credential

          program is executed through execve, it inherits the

          is in a jail. The parent process of each process, forked within 

          properties of its parents proc structure, therefore it has

          the jail, is the program jail itself, as it calls the &man.jail.2;

          the <literal>p-&gt;p_flag</literal> set, and the

          system call.  When the program is executed through execve, it

          <literal>p-&gt;p_prison</literal> structure is filled.</para>

          inherits the properties of its parent's ucred structure, therefore it

          has the jailed ucred structure.</para>

p->p.prison = pr; 

int

p-&gt;p.flag |= P.JAILED;</programlisting>

jail(struct thread *td, struct jail_args *uap)

{

...

    struct jail_attach_args jaa;

...

    error = jail_attach(td, &jaa);

    if (error)

        goto e_dropprref;

...

}

          &man.fork.2; system call deals differently with imprisoned

          &man.fork.2; system call uses crhold to maintain the credential

          processes. In the fork system call, there are two pointers

          for the newly forked process. It inherently keep the newly forked

          to a <literal>proc</literal> structure <literal>p1</literal>

          child's credential consistent with its parent, so the child process

          and <literal>p2</literal>. <literal>p1</literal> points to

          is also jailed.</para>

          the parent's <literal>proc</literal> structure and p2 points

          to the child's unfilled <literal>proc</literal>

          structure. After copying all relevant data between the

          structures, &man.fork.2; checks if the structure

          <literal>p-&gt;p_prison</literal> is filled on

          <literal>p2</literal>. If it is, it increments the

          <literal>pr.ref</literal> by one, and sets the

          <literal>p_flag</literal> to one on the child process.</para>

if (p2->p_prison) {

p2->p_ucred = crhold(td->td_ucred);

        p2->p_prison->pr_ref++;

td2-&gt;td_ucred = crhold(p2-&gt;p_ucred);</programlisting>

	p2->p_flag |= P_JAILED;

}</programlisting>

    <programlisting>if (p-&gt;p_prison) 

    <programlisting>if (jailed(td-&gt;td_ucred))

        return EPERM;</programlisting>

        return (EPERM);</programlisting>

        these sysctls was <literal>jail_sysvipc_allowed</literal>. On

        these sysctls was <literal>security.jail.sysvipc_allowed</literal>.

        most systems, this sysctl is set to 0. If it were set to 1, it

        On most systems, this sysctl is set to 0. If it were set to 1,

        would defeat the whole purpose of having a jail; privileged

        it would defeat the whole purpose of having a jail; privileged

      <programlisting><filename>/usr/src/sys/kern/sysv msg.c</filename>:

      <programlisting><filename>/usr/src/sys/kern/sysv_msg.c</filename>:

if (!jail.sysvipc.allowed && p->p_prison != NULL)

if (!jail_sysvipc_allowed && jailed(td->td_ucred)

        return (ENOSYS);</programlisting>

    return (ENOSYS);</programlisting>

        <listitem><para>&man.semop.2;<literal>(id, ops, num)</literal>:

        <listitem><para>&man.semop.2;<literal>(semid, sops, nsops)</literal>:

      <para><filename>/usr/src/sys/kern/sysv shm.c</filename>:</para>

      <para><filename>/usr/src/sys/kern/sysv_shm.c</filename>:</para>

        <listitem><para>&man.shmctl.2;<literal>(id, cmd, buf)</literal>:

        <listitem><para>&man.shmctl.2;<literal>(shmid, cmd, buf)</literal>:

        flag)</literal>: shmget accesses or creates a shared memory

        shmflg)</literal>: shmget accesses or creates a shared memory

        <listitem><para>&man.shmat.2;<literal>(id, addr, flag)</literal>:

        <listitem><para>&man.shmat.2;<literal>(shmid, shmaddr, shmflg)</literal>:

        <listitem><para>&man.shmdt.2;<literal>(addr)</literal>: shmdt

        <listitem><para>&man.shmdt.2;<literal>(shmaddr)</literal>: shmdt

        <literal>jail.socket.unixiproute.only</literal> is set. If

        <literal>security.jail.socket_unixiproute_only</literal> is set. If

int socreate(dom, aso, type, proto, p) 

int

... 

socreate(dom, aso, type, proto, cred, td)

register struct protosw *prp; 

...

... 

        if (p->p_prison && jail_socket_unixiproute_only &&

    struct protosw *prp;

            prp->pr_domain->dom_family != PR_LOCAL && prp->pr_domain->dom_family != PF_INET 

...

            && prp->pr_domain->dom_family != PF_ROUTE)

    if (jailed(cred) && jail_socket_unixiproute_only &&

                return (EPROTONOSUPPORT); 

        prp->pr_domain->dom_family != PF_LOCAL &&

        prp->pr_domain->dom_family != PF_INET &&

        prp->pr_domain->dom_family != PF_ROUTE) {

        return (EPROTONOSUPPORT);

    }

        device. There is a conditional which disallows any jailed

        device. It's now controlled by the devfs whether can be used

        processes from accessing this function.</para>

        in the jail.

      <programlisting><filename>/usr/src/sys/net/bpf.c</filename>: 

static int bpfopen(dev, flags, fmt, p) 

... 

{

        if (p->p_prison) 

                return (EPERM);

...

}</programlisting>

        each address"[2]. In the function in

        each address"[2]. In the function

        <literal>pcbbind</literal>, <literal>sin</literal> is a

        <literal>in_pcbbind_setup</literal>, <literal>sin</literal> is a

        pointer to a sockaddr.in structure, which contains the port,

        pointer to a sockaddr_in structure, which contains the port,

      <programlisting><filename>/usr/src/sys/kern/netinet/in_pcb.c</filename>: 

      <programlisting><filename>/usr/src/sys/netinet/in_pcb.c</filename>: 

int in.pcbbind(int, nam, p) 

int

...

in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,

        struct sockaddr *nam; 

    u_short *lportp, struct ucred *cred)

        struct proc *p; 

        ... 

    ...

        struct sockaddr.in *sin; 

    struct sockaddr_in *sin;

        ... 

    ...

        if (nam) {

    if (nam) {

                sin = (struct sockaddr.in *)nam; 

        sin = (struct sockaddr_in *)nam;

                ... 

        ...

                if (sin->sin_addr.s_addr != INADDR_ANY) 

#ifdef notdef

                       if (prison.ip(p, 0, <![CDATA[&sin]]>-&gt;sin.addr.s_addr)) 

        /*

                              return (EINVAL); 

         * We should check the family, but old programs

                ....

         * incorrectly fail to initialize it.

        }

         */

        if (sin->sin_family != AF_INET)

            return (EAFNOSUPPORT);

#endif

        if (sin->sin_addr.s_addr != INADDR_ANY)

            if (prison_ip(cred, 0, &sin->sin_addr.s_addr))

                return(EINVAL);

        ...

    }

        <literal>prison_ip()</literal> does. prison.ip is given three

        <literal>prison_ip()</literal> does. prison_ip is given three

        arguments, the current process (represented by

        arguments, a pointer to the credential(represented by

        <literal>p</literal>), any flags, and an ip address. It

        <literal>cred</literal>), any flags, and an ip address. It

        returns 1 if the ip address belongs to a jail or 0 if it does

        returns 1 if the ip address does NOT belong to the jail or

        not. As you can see from the code, if it is indeed an ip

        0 otherwise.  As you can see from the code, if it is indeed

        address belonging to a jail, the protcol is not allowed to

        an ip address not belonging to the jail, the protcol is

        bind to a certain port.</para>

        not allowed to bind to a certain port.</para>

int prison_ip(struct proc *p, int flag, u_int32_t *ip) {

int

        u_int32_t tmp;

prison_ip(struct ucred *cred, int flag, u_int32_t *ip)

{

       if (!p->p_prison) 

    u_int32_t tmp;

              return (0); 

       if (flag) 

              tmp = *ip; 

       else tmp = ntohl (*ip); 

       if (tmp == INADDR_ANY) {

              if (flag) 

                     *ip = p->p_prison->pr_ip; 

              else *ip = htonl(p->p_prison->pr_ip); 

              return (0); 

       }

       if (p->p_prison->pr_ip != tmp) 

    if (!jailed(cred))

              return (1); 

        return (0);

       return (0); 

    if (flag)

        tmp = *ip;

    else

        tmp = ntohl(*ip);

    if (tmp == INADDR_ANY) {

        if (flag)

            *ip = cred->cr_prison->pr_ip;

        else

            *ip = htonl(cred->cr_prison->pr_ip);

        return (0);

    }

    if (tmp == INADDR_LOOPBACK) {

        if (flag)

            *ip = cred->cr_prison->pr_ip;

        else

            *ip = htonl(cred->cr_prison->pr_ip);

        return (0);

    }

    if (cred->cr_prison->pr_ip != tmp)

        return (1);

    return (0);

        written within the function <literal>in_pcbbind</literal>:</para>

        written within the function <literal>in_pcbbind_setup</literal>:</para>

      <programlisting><filename>/usr/src/sys/net inet/in_pcb.c</filename>

      <programlisting><filename>/usr/src/sys/netinet/in_pcb.c</filename>

                          ... 

                         ... 

                         if (p && p->p_prison)

                         if (jailed(cred))

                             prison_ip(p, 0, <![CDATA[&sin]]>-&gt;sin_addr.s_addr))

                             prison_ip(cred, 0, &sin->sin_addr.s_addr))

int ufs.setattr(ap) 

static int

        ... 

ufs_setattr(ap)

    ...

        if ((cred->cr.uid == 0) && (p->prison == NULL)) {

    ...

	        if ((ip->i_flags 

        if (!suser_cred(cred,

                     & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) && 

            jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) {

                     securelevel > 0)

            if (ip->i_flags

		       return (EPERM);

                & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {

                error = securelevel_gt(cred, 0);

                if (error)

                    return (error);

            }

            ...