Index: sys/kern/kern_jail.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.7
diff -u -r1.7 kern_jail.c
--- sys/kern/kern_jail.c 2000/06/04 04:28:31 1.7
+++ sys/kern/kern_jail.c 2000/10/31 01:09:50
@@ -39,6 +39,11 @@
     &jail_socket_unixiproute_only, 0,
     "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+int jail_sysvipc_allowed = 0;
+SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+    &jail_sysvipc_allowed, 0,
+    "Processes in jail can use System V IPC primitives");
+
 int
 jail(p, uap)
 	struct proc *p;
Index: sys/kern/sysv_msg.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sysv_msg.c,v
retrieving revision 1.25
diff -u -r1.25 sysv_msg.c
--- sys/kern/sysv_msg.c 2000/09/19 22:59:22 1.25
+++ sys/kern/sysv_msg.c 2000/10/31 01:09:50
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 static MALLOC_DEFINE(M_MSG, "msg", "SVID compatible message queues");
@@ -210,6 +211,9 @@
 	} */ *uap;
 {
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	if (uap->which >= sizeof(msgcalls)/sizeof(msgcalls[0]))
 		return (EINVAL);
 	return ((*msgcalls[uap->which])(p, &uap->a2));
@@ -263,6 +267,9 @@
 	printf("call to msgctl(%d, %d, 0x%x)\n", msqid, cmd, user_msqptr);
 #endif
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	msqid = IPCID_TO_IX(msqid);
 	if (msqid < 0 || msqid >= msginfo.msgmni) {
@@ -399,6 +406,9 @@
 	printf("msgget(0x%x, 0%o)\n", key, msgflg);
 #endif
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	if (key != IPC_PRIVATE) {
 		for (msqid = 0; msqid < msginfo.msgmni; msqid++) {
 			msqptr = &msqids[msqid];
@@ -511,6 +521,9 @@
 	    msgflg);
 #endif
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	msqid = IPCID_TO_IX(msqid);
 	if (msqid < 0 || msqid >= msginfo.msgmni) {
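Review bot: The denial added in the msgsys, msgctl, msgget and msgsnd hunks returns ENOSYS, which a jailed caller cannot tell apart from a kernel built without the message-queue code, and nothing at the checks or at the sysctl definition in kern_jail.c says that this is the intent. If the aim is to make the facility look absent inside a jail rather than refused, record it once next to the new variable, e.g. `/* When 0, the SysV IPC entry points return ENOSYS to jailed processes, as if the facility were not configured in. */`, and weigh whether EPERM would serve administrators better when diagnosing a jailed application. Repeating the check in each per-call function as well as in the msgsys multiplexer looks right, since the individual calls appear to be reachable as syscalls in their own right (not visible here); the multiplexer check is then redundant but harmless. The bodies of all of these functions begin and end outside the hunks.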
@@ -834,6 +847,9 @@
 	printf("call to msgrcv(%d, 0x%x, %d, %ld, %d)\n", msqid, user_msgp, msgsz, msgtyp, msgflg);
 #endif
+
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
 	msqid = IPCID_TO_IX(msqid);
Index: sys/kern/sysv_sem.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sysv_sem.c,v
retrieving revision 1.28
diff -u -r1.28 sysv_sem.c
--- sys/kern/sysv_sem.c 2000/10/27 11:45:34 1.28
+++ sys/kern/sysv_sem.c 2000/10/31 01:09:51
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 static MALLOC_DEFINE(M_SEM, "sem", "SVID compatible semaphores");
@@ -201,6 +202,9 @@
 	} */ *uap;
 {
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	if (uap->which >= sizeof(semcalls)/sizeof(semcalls[0]))
 		return (EINVAL);
 	return ((*semcalls[uap->which])(p, &uap->a2));
@@ -407,6 +411,9 @@
 	printf("call to semctl(%d, %d, %d, 0x%x)\n", semid, semnum, cmd, arg);
 #endif
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	semid = IPCID_TO_IX(semid);
 	if (semid < 0 || semid >= seminfo.semmsl)
 		return(EINVAL);
@@ -567,6 +574,9 @@
 	printf("semget(0x%x, %d, 0%o)\n", key, nsems, semflg);
 #endif
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	if (key != IPC_PRIVATE) {
 		for (semid = 0; semid < seminfo.semmni; semid++) {
 			if ((sema[semid].sem_perm.mode & SEM_ALLOC) &&
@@ -684,6 +694,9 @@
 #ifdef SEM_DEBUG
 	printf("call to semop(%d, 0x%x, %d)\n", semid, sops, nsops);
 #endif
+
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
 	semid = IPCID_TO_IX(semid);	/* Convert back to zero origin */
Index: sys/kern/sysv_shm.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sysv_shm.c,v
retrieving revision 1.48
diff -u -r1.48 sysv_shm.c
--- sys/kern/sysv_shm.c 2000/05/29 22:40:54 1.48
+++ sys/kern/sysv_shm.c 2000/10/31 01:09:51
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
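Review bot: In the msgrcv and semop hunks the added blank line is placed above the jail check instead of after `return (ENOSYS);`, unlike the semsys, semctl and semget hunks, so the return may sit directly against `msqid = IPCID_TO_IX(msqid);` and `semid = IPCID_TO_IX(semid);`; move the blank line below the return so every entry point reads the same way. The same two-line expression is now pasted into every SysV entry point across three files; a single helper in jail.h, say `#define JAIL_SYSVIPC_DENIED(p) (!jail_sysvipc_allowed && (p)->p_prison != NULL)`, would keep the copies from drifting when the policy is refined per jail as the man page anticipates. The enclosing functions start and end outside these hunks.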
@@ -223,6 +224,9 @@
 	struct shmmap_state *shmmap_s;
 	int i;
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	shmmap_s = (struct shmmap_state *)p->p_vmspace->vm_shm;
 	if (shmmap_s == NULL)
 		return EINVAL;
@@ -257,6 +261,9 @@
 	vm_size_t size;
 	int rv;
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	shmmap_s = (struct shmmap_state *)p->p_vmspace->vm_shm;
 	if (shmmap_s == NULL) {
 		size = shminfo.shmseg * sizeof(struct shmmap_state);
@@ -348,6 +355,9 @@
 	struct shmid_ds *shmseg;
 	struct oshmid_ds outbuf;
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	shmseg = shm_find_segment_by_shmid(uap->shmid);
 	if (shmseg == NULL)
 		return EINVAL;
@@ -396,6 +406,9 @@
 	struct shmid_ds inbuf;
 	struct shmid_ds *shmseg;
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	shmseg = shm_find_segment_by_shmid(uap->shmid);
 	if (shmseg == NULL)
 		return EINVAL;
@@ -572,6 +585,9 @@
 {
 	int segnum, mode, error;
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
+
 	mode = uap->shmflg & ACCESSPERMS;
 	if (uap->key != IPC_PRIVATE) {
 again:
@@ -599,6 +615,9 @@
 		int a4;
 	} */ *uap;
 {
+
+	if (!jail_sysvipc_allowed && p->p_prison != NULL)
+		return (ENOSYS);
 	if (uap->which >= sizeof(shmcalls)/sizeof(shmcalls[0]))
 		return EINVAL;
Index: sys/sys/jail.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/jail.h,v
retrieving revision 1.9
diff -u -r1.9 jail.h
--- sys/sys/jail.h 2000/06/04 04:28:31 1.9
+++ sys/sys/jail.h 2000/10/31 01:10:08
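Review bot: The check at the top of the first hunk, which from its locals and the `p->p_vmspace->vm_shm` lookup appears to be shmdt, denies a jailed process the ability to detach segments it already has mapped, which works against the restriction's purpose: a process that obtained attachments before entering the jail (presumably by inheriting the vmspace across fork, not visible here) keeps them until exit, while shmat, shmget and the two shmctl variants are the calls that create new cross-jail sharing. Consider leaving shmdt unrestricted, or at least stating in the man page that attachments made before jail() survive into the jail. The shmsys hunk at the end also puts the added blank line above the check rather than after `return (ENOSYS);`, unlike the other hunks in this file. All of these functions begin and end outside the hunks.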
@@ -48,6 +48,7 @@
  */
 extern int jail_set_hostname_allowed;
 extern int jail_socket_unixiproute_only;
+extern int jail_sysvipc_allowed;
 #endif /* !_KERNEL */
 #endif /* !_SYS_JAIL_H_ */
Index: usr.sbin/jail/jail.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/jail/jail.8,v
retrieving revision 1.15
diff -u -r1.15 jail.8
--- usr.sbin/jail/jail.8 2000/07/08 14:12:34 1.15
+++ usr.sbin/jail/jail.8 2000/10/31 01:10:08
@@ -281,6 +281,45 @@
 .Pp
 In a future version of FreeBSD, the mechanisms for managing jails will be more refined.
+.Sh SYSCTL MIB ENTRIES
+Certain aspects of the jail containments environment may be modified from
+the host environment using
+.Xr sysctl 8
+MIB variables.
+Currently, these variables affect all jails on the system, although in
+the future this functionality may be finer grained.
+.Pp
+.Ss jail.set_hostname_allowed
+This MIB entry determines whether or not processes within a jail are
+allowed to change their hostname via
+.Xr hostname 1
+or
+.Xr sethostname 3 .
+In the current jail implementation, the ability to set the hostname from
+within the jail can impact management tools relying on the accuracy of jail
+information in /proc.
+As such, this should be disabled in environments where privileged access to
+jails is given out to untrusted parties.
+.Ss jail.socket_unixiproute_only
+The jail functionality binds an IPv4 address to each jail, and limits
+access to other network addresses in the IPv4 space that may be available
+in the host environment.
+However, jail is not currently able to limit access to other network
+protocol stacks that have not had jail functionality added to them.
+As such, by default, processes within jails may only access protocols
+in the following domains: PF_LOCAL, PF_INET, and PF_ROUTE, permitting
+them access to UNIX domain sockets, IPv4 addresses, and routing sockets.
+To enable access to other domains, this MIB variable may be set to
+0.
+.Ss jail.sysvipc_allowed
+This MIB entry determines whether or not processes within a jail have access
+to System V IPC primitives.
+In the current jail implementation, System V primitives share a single
+namespace across the host and jail environments, meaning that processes
+within a jail would be able to communicate with (and potentially interfere
+with) processes outside of the jail, and in other jails.
+As such, this functionality is disabled by default, but can be enabled
+by setting this MIB entry to 1.
 .Sh SEE ALSO
 .Xr newaliases 1 ,
 .Xr ps 1 ,