From: Jamie Gritton
Date: Wed, 29 Jul 2009 16:41:02 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r195944 - head/sys/kern

Author: jamie
Date: Wed Jul 29 16:41:02 2009
New Revision: 195944
URL: http://svn.freebsd.org/changeset/base/195944

Log:
  Change the default value of the "ip4" and "ip6" jail parameters to "disable", which only allows access to the parent/physical system's IP addresses when specifically directed.

  Change the default value of "host" to "new", and don't copy the parent host values, to insulate jails from the parent hostname et al.

  Approved by: re (kib), bz (mentor)

Modified:
  head/sys/kern/kern_jail.c

Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Wed Jul 29 14:50:31 2009 (r195943) +++ head/sys/kern/kern_jail.c Wed Jul 29 16:41:02 2009 (r195944) @@ -70,6 +70,8 @@ __FBSDID("$FreeBSD$"); #include +#define DEFAULT_HOSTUUID "00000000-0000-0000-0000-000000000000" + MALLOC_DEFINE(M_PRISON, "prison", "Prison structures"); /* prison0 describes what is "real" about the system. */ @@ -81,7 +83,7 @@ struct prison prison0 = { .pr_path = "/", .pr_securelevel = -1, .pr_childmax = JAIL_MAX, - .pr_hostuuid = "00000000-0000-0000-0000-000000000000", + .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(&prison0.pr_children), .pr_flags = PR_HOST, .pr_allow = PR_ALLOW_ALL,
@@ -1128,40 +1130,18 @@ kern_jail_set(struct thread *td, struct /* Set some default values, and inherit some from the parent. */ if (name == NULL) name = ""; - if (host != NULL || domain != NULL || uuid != NULL || gothid) { - if (host == NULL) - host = ppr->pr_hostname; - if (domain == NULL) - domain = ppr->pr_domainname; - if (uuid == NULL) - uuid = ppr->pr_hostuuid; - if (!gothid) - hid = ppr->pr_hostid; - } if (path == NULL) { path = "/"; root = mypr->pr_root; vref(root); } + strlcpy(pr->pr_hostuuid, DEFAULT_HOSTUUID, HOSTUUIDLEN); + pr->pr_flags |= PR_HOST; #ifdef INET - pr->pr_flags |= ppr->pr_flags & PR_IP4; - pr->pr_ip4s = ppr->pr_ip4s; - if (ppr->pr_ip4 != NULL) { - pr->pr_ip4 = malloc(pr->pr_ip4s * - sizeof(struct in_addr), M_PRISON, M_WAITOK); - bcopy(ppr->pr_ip4, pr->pr_ip4, - pr->pr_ip4s * sizeof(*pr->pr_ip4)); - } + pr->pr_flags |= PR_IP4 | PR_IP4_USER | PR_IP4_DISABLE; #endif #ifdef INET6 - pr->pr_flags |= ppr->pr_flags & PR_IP6; - pr->pr_ip6s = ppr->pr_ip6s; - if (ppr->pr_ip6 != NULL) { - pr->pr_ip6 = malloc(pr->pr_ip6s * - sizeof(struct in6_addr), M_PRISON, M_WAITOK); - bcopy(ppr->pr_ip6, pr->pr_ip6, - pr->pr_ip6s * sizeof(*pr->pr_ip6)); - } + pr->pr_flags |= PR_IP6 | PR_IP6_USER | PR_IP6_DISABLE; #endif pr->pr_securelevel = ppr->pr_securelevel; pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
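Review bot: The new DEFAULT_HOSTUUID define in the @@ -70,6 +70,8 @@ hunk has no comment saying what the all-zero UUID stands for, even though it is now both the prison0 initializer and the value copied into every new jail in kern_jail_set(). A one-line comment above the define (that it is the placeholder UUID used when none has been set) would make the intent clear to the next reader, and would be a natural place to note that the string is expected to fit in HOSTUUIDLEN, since the strlcpy() that uses it truncates silently.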
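Review bot: In the @@ -1128,40 +1130,18 @@ hunk of kern_jail_set(), dropping the block that filled host, domain, uuid and hid from ppr means a request that supplies only some of them (host but not domain, say) now reaches the code after this hunk with the others still NULL or unset; that code is not visible here, so please confirm it handles each value independently. The retained comment "Set some default values, and inherit some from the parent." would read better if it stated that host and IP settings are deliberately no longer inherited, while pr_securelevel and pr_allow still are. In the added strlcpy(pr->pr_hostuuid, DEFAULT_HOSTUUID, HOSTUUIDLEN), using sizeof(pr->pr_hostuuid) as the bound would keep the copy tied to the field's actual size. The new PR_IP4_DISABLE and PR_IP6_DISABLE defaults also change what a jail created without explicit ip4/ip6 settings gets, and this commit touches only kern_jail.c, so a matching note in the user-facing documentation would help administrators whose existing configurations relied on the old inheritance.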