Author: jamie
Date: Thu Aug 16 19:09:43 2018
New Revision: 337925
URL: https://svnweb.freebsd.org/changeset/base/337925

Log:
  Revert r337922, except for some documention-only bits.  This needs to wait
  until user is changed to stop using jail(2).
  
  Differential Revision:        D14791

Modified:
  head/lib/libc/sys/jail.2
  head/sys/compat/freebsd32/freebsd32_misc.c
  head/sys/compat/freebsd32/freebsd32_proto.h
  head/sys/compat/freebsd32/freebsd32_syscall.h
  head/sys/compat/freebsd32/freebsd32_syscalls.c
  head/sys/compat/freebsd32/freebsd32_sysent.c
  head/sys/compat/freebsd32/freebsd32_systrace_args.c
  head/sys/compat/freebsd32/syscalls.master
  head/sys/kern/init_sysent.c
  head/sys/kern/kern_jail.c
  head/sys/kern/syscalls.c
  head/sys/kern/syscalls.master
  head/sys/kern/systrace_args.c
  head/sys/sys/jail.h
  head/sys/sys/syscall.h
  head/sys/sys/syscall.mk
  head/sys/sys/syscallsubr.h
  head/sys/sys/sysproto.h

Modified: head/lib/libc/sys/jail.2
==============================================================================
--- head/lib/libc/sys/jail.2    Thu Aug 16 18:58:34 2018        (r337924)
+++ head/lib/libc/sys/jail.2    Thu Aug 16 19:09:43 2018        (r337925)
@@ -25,10 +25,11 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 16, 2018
+.Dd February 8, 2012
 .Dt JAIL 2
 .Os
 .Sh NAME
+.Nm jail ,
 .Nm jail_get ,
 .Nm jail_set ,
 .Nm jail_remove ,
@@ -40,6 +41,8 @@
 .In sys/param.h
 .In sys/jail.h
 .Ft int
+.Fn jail "struct jail *jail"
+.Ft int
 .Fn jail_attach "int jid"
 .Ft int
 .Fn jail_remove "int jid"
@@ -50,7 +53,74 @@
 .Fn jail_set "struct iovec *iov" "u_int niov" "int flags"
 .Sh DESCRIPTION
 The
+.Fn jail
+system call sets up a jail and locks the current process in it.
+.Pp
+The argument is a pointer to a structure describing the prison:
+.Bd -literal -offset indent
+struct jail {
+       uint32_t        version;
+       char            *path;
+       char            *hostname;
+       char            *jailname;
+       unsigned int    ip4s;
+       unsigned int    ip6s;
+       struct in_addr  *ip4;
+       struct in6_addr *ip6;
+};
+.Ed
+.Pp
+.Dq Li version
+defines the version of the API in use.
+.Dv JAIL_API_VERSION
+is defined for the current version.
+.Pp
+The
+.Dq Li path
+pointer should be set to the directory which is to be the root of the
+prison.
+.Pp
+The
+.Dq Li hostname
+pointer can be set to the hostname of the prison.
+This can be changed
+from the inside of the prison.
+.Pp
+The
+.Dq Li jailname
+pointer is an optional name that can be assigned to the jail
+for example for management purposes.
+.Pp
+The
+.Dq Li ip4s
+and
+.Dq Li ip6s
+give the numbers of IPv4 and IPv6 addresses that will be passed
+via their respective pointers.
+.Pp
+The
+.Dq Li ip4
+and
+.Dq Li ip6
+pointers can be set to an arrays of IPv4 and IPv6 addresses to be assigned to
+the prison, or NULL if none.
+IPv4 addresses must be in network byte order.
+.Pp
+This is equivalent to, and deprecated in favor of, the
 .Fn jail_set
+system call (see below), with the parameters
+.Va path ,
+.Va host.hostname ,
+.Va name ,
+.Va ip4.addr ,
+and
+.Va ip6.addr ,
+and with the
+.Dv JAIL_ATTACH
+flag.
+.Pp
+The
+.Fn jail_set
 system call creates a new jail, or modifies an existing one, and optionally
 locks the current process in it.
 Jail parameters are passed as an array of name-value pairs in the array
@@ -76,19 +146,13 @@ The current set of available parameters, and their for
 retrieved via the
 .Va security.jail.param
 sysctl MIB entry.
-Notable parameters include
+Notable parameters include those mentioned in the
+.Fn jail
+description above, as well as
 .Va jid
 and
-.Va name
-which identify the jail being created or modified,
-.Va path
-(the root directory of the jail),
-.Va host.hostname
-(the hostname of the jail), and
-.Va ip4.addr
-and
-.Va ip6.addr
-(IP addresses to assign to the jail).
+.Va name ,
+which identify the jail being created or modified.
 See
 .Xr jail 8
 for more information on the core jail parameters.
@@ -173,7 +237,8 @@ It will kill all processes belonging to the jail, and 
 of that jail.
 .Sh RETURN VALUES
 If successful,
-.Fn jail_set
+.Fn jail ,
+.Fn jail_set ,
 and
 .Fn jail_get
 return a non-negative integer, termed the jail identifier (JID).
@@ -184,6 +249,25 @@ to indicate the error.
 .Rv -std jail_attach jail_remove
 .Sh ERRORS
 The
+.Fn jail
+system call
+will fail if:
+.Bl -tag -width Er
+.It Bq Er EPERM
+This process is not allowed to create a jail, either because it is not
+the super-user, or because it would exceed the jail's
+.Va children.max
+limit.
+.It Bq Er EFAULT
+.Fa jail
+points to an address outside the allocated address space of the process.
+.It Bq Er EINVAL
+The version number of the argument is not correct.
+.It Bq Er EAGAIN
+No free JID could be found.
+.El
+.Pp
+The
 .Fn jail_set
 system call
 will fail if:
@@ -287,7 +371,8 @@ does not exist.
 .El
 .Pp
 Further
-.Fn jail_set
+.Fn jail ,
+.Fn jail_set ,
 and
 .Fn jail_attach
 call
@@ -301,7 +386,7 @@ manual page for details.
 .Xr chroot 2 ,
 .Xr jail 8
 .Sh HISTORY
-The now-deprecated
+The
 .Fn jail
 system call appeared in
 .Fx 4.0 .

Modified: head/sys/compat/freebsd32/freebsd32_misc.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_misc.c  Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/compat/freebsd32/freebsd32_misc.c  Thu Aug 16 19:09:43 2018        
(r337925)
@@ -2289,10 +2289,8 @@ freebsd32_sysctl(struct thread *td, struct freebsd32_s
        return (0);
 }
 
-#ifdef COMPAT_FREEBSD11
 int
-freebsd11_freebsd32_jail(struct thread *td,
-    struct freebsd11_freebsd32_jail_args *uap)
+freebsd32_jail(struct thread *td, struct freebsd32_jail_args *uap)
 {
        uint32_t version;
        int error;
@@ -2349,9 +2347,8 @@ freebsd11_freebsd32_jail(struct thread *td,
                /* Sci-Fi jails are not supported, sorry. */
                return (EINVAL);
        }
-       return (freebsd11_kern_jail(td, &j));
+       return (kern_jail(td, &j));
 }
-#endif /* COMPAT_FREEBSD11 */
 
 int
 freebsd32_jail_set(struct thread *td, struct freebsd32_jail_set_args *uap)

Modified: head/sys/compat/freebsd32/freebsd32_proto.h
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/compat/freebsd32/freebsd32_proto.h Thu Aug 16 19:09:43 2018        
(r337925)
@@ -283,6 +283,9 @@ struct freebsd32_sched_rr_get_interval_args {
        char pid_l_[PADL_(pid_t)]; pid_t pid; char pid_r_[PADR_(pid_t)];
        char interval_l_[PADL_(struct timespec32 *)]; struct timespec32 * 
interval; char interval_r_[PADR_(struct timespec32 *)];
 };
+struct freebsd32_jail_args {
+       char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char 
jail_r_[PADR_(struct jail32 *)];
+};
 struct freebsd32_sigtimedwait_args {
        char set_l_[PADL_(const sigset_t *)]; const sigset_t * set; char 
set_r_[PADR_(const sigset_t *)];
        char info_l_[PADL_(siginfo_t *)]; siginfo_t * info; char 
info_r_[PADR_(siginfo_t *)];
@@ -758,6 +761,7 @@ int freebsd32_aio_return(struct thread *, struct freeb
 int    freebsd32_aio_suspend(struct thread *, struct 
freebsd32_aio_suspend_args *);
 int    freebsd32_aio_error(struct thread *, struct freebsd32_aio_error_args *);
 int    freebsd32_sched_rr_get_interval(struct thread *, struct 
freebsd32_sched_rr_get_interval_args *);
+int    freebsd32_jail(struct thread *, struct freebsd32_jail_args *);
 int    freebsd32_sigtimedwait(struct thread *, struct 
freebsd32_sigtimedwait_args *);
 int    freebsd32_sigwaitinfo(struct thread *, struct 
freebsd32_sigwaitinfo_args *);
 int    freebsd32_aio_waitcomplete(struct thread *, struct 
freebsd32_aio_waitcomplete_args *);
@@ -1180,9 +1184,6 @@ struct freebsd11_freebsd32_fhstat_args {
        char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle * 
u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
        char sb_l_[PADL_(struct freebsd11_stat32 *)]; struct freebsd11_stat32 * 
sb; char sb_r_[PADR_(struct freebsd11_stat32 *)];
 };
-struct freebsd11_freebsd32_jail_args {
-       char jail_l_[PADL_(struct jail32 *)]; struct jail32 * jail; char 
jail_r_[PADR_(struct jail32 *)];
-};
 struct freebsd11_freebsd32_kevent_args {
        char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
        char changelist_l_[PADL_(const struct kevent32_freebsd11 *)]; const 
struct kevent32_freebsd11 * changelist; char changelist_r_[PADR_(const struct 
kevent32_freebsd11 *)];
@@ -1222,7 +1223,6 @@ int       freebsd11_freebsd32_lstat(struct thread *, 
struct 
 int    freebsd11_freebsd32_getdirentries(struct thread *, struct 
freebsd11_freebsd32_getdirentries_args *);
 int    freebsd11_freebsd32_getdents(struct thread *, struct 
freebsd11_freebsd32_getdents_args *);
 int    freebsd11_freebsd32_fhstat(struct thread *, struct 
freebsd11_freebsd32_fhstat_args *);
-int    freebsd11_freebsd32_jail(struct thread *, struct 
freebsd11_freebsd32_jail_args *);
 int    freebsd11_freebsd32_kevent(struct thread *, struct 
freebsd11_freebsd32_kevent_args *);
 int    freebsd11_freebsd32_fstatat(struct thread *, struct 
freebsd11_freebsd32_fstatat_args *);
 int    freebsd11_freebsd32_mknodat(struct thread *, struct 
freebsd11_freebsd32_mknodat_args *);
@@ -1317,7 +1317,7 @@ int       freebsd11_freebsd32_mknodat(struct thread *, 
struc
 #define        FREEBSD32_SYS_AUE_freebsd6_freebsd32_lio_listio AUE_LIO_LISTIO
 #define        FREEBSD32_SYS_AUE_freebsd32_sched_rr_get_interval       AUE_NULL
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sendfile   AUE_SENDFILE
-#define        FREEBSD32_SYS_AUE_freebsd11_freebsd32_jail      AUE_JAIL
+#define        FREEBSD32_SYS_AUE_freebsd32_jail        AUE_JAIL
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigaction  AUE_SIGACTION
 #define        FREEBSD32_SYS_AUE_freebsd4_freebsd32_sigreturn  AUE_SIGRETURN
 #define        FREEBSD32_SYS_AUE_freebsd32_sigtimedwait        AUE_SIGWAIT

Modified: head/sys/compat/freebsd32/freebsd32_syscall.h
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_syscall.h       Thu Aug 16 18:58:34 
2018        (r337924)
+++ head/sys/compat/freebsd32/freebsd32_syscall.h       Thu Aug 16 19:09:43 
2018        (r337925)
@@ -275,7 +275,7 @@
 #define        FREEBSD32_SYS_utrace    335
                                /* 336 is freebsd4 freebsd32_sendfile */
 #define        FREEBSD32_SYS_kldsym    337
-#define        FREEBSD32_SYS_freebsd11_freebsd32_jail  338
+#define        FREEBSD32_SYS_freebsd32_jail    338
 #define        FREEBSD32_SYS_sigprocmask       340
 #define        FREEBSD32_SYS_sigsuspend        341
                                /* 342 is freebsd4 freebsd32_sigaction */

Modified: head/sys/compat/freebsd32/freebsd32_syscalls.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_syscalls.c      Thu Aug 16 18:58:34 
2018        (r337924)
+++ head/sys/compat/freebsd32/freebsd32_syscalls.c      Thu Aug 16 19:09:43 
2018        (r337925)
@@ -347,7 +347,7 @@ const char *freebsd32_syscallnames[] = {
        "utrace",                       /* 335 = utrace */
        "compat4.freebsd32_sendfile",           /* 336 = freebsd4 
freebsd32_sendfile */
        "kldsym",                       /* 337 = kldsym */
-       "compat11.freebsd32_jail",              /* 338 = freebsd11 
freebsd32_jail */
+       "freebsd32_jail",                       /* 338 = freebsd32_jail */
        "#339",                 /* 339 = pioctl */
        "sigprocmask",                  /* 340 = sigprocmask */
        "sigsuspend",                   /* 341 = sigsuspend */

Modified: head/sys/compat/freebsd32/freebsd32_sysent.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_sysent.c        Thu Aug 16 18:58:34 
2018        (r337924)
+++ head/sys/compat/freebsd32/freebsd32_sysent.c        Thu Aug 16 19:09:43 
2018        (r337925)
@@ -394,7 +394,7 @@ struct sysent freebsd32_sysent[] = {
        { AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0, 
SYF_CAPENABLED, SY_THR_STATIC },      /* 335 = utrace */
        { compat4(AS(freebsd4_freebsd32_sendfile_args),freebsd32_sendfile), 
AUE_SENDFILE, NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },  /* 336 = freebsd4 
freebsd32_sendfile */
        { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0, 
SY_THR_STATIC },   /* 337 = kldsym */
-       { compat11(AS(freebsd11_freebsd32_jail_args),freebsd32_jail), AUE_JAIL, 
NULL, 0, 0, 0, SY_THR_STATIC }, /* 338 = freebsd11 freebsd32_jail */
+       { AS(freebsd32_jail_args), (sy_call_t *)freebsd32_jail, AUE_JAIL, NULL, 
0, 0, 0, SY_THR_STATIC },       /* 338 = freebsd32_jail */
        { 0, (sy_call_t *)nosys, AUE_NULL, NULL, 0, 0, 0, SY_THR_ABSENT },      
                /* 339 = pioctl */
        { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask, AUE_SIGPROCMASK, 
NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },     /* 340 = sigprocmask */
        { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND, 
NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },        /* 341 = sigsuspend */

Modified: head/sys/compat/freebsd32/freebsd32_systrace_args.c
==============================================================================
--- head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16 18:58:34 
2018        (r337924)
+++ head/sys/compat/freebsd32/freebsd32_systrace_args.c Thu Aug 16 19:09:43 
2018        (r337925)
@@ -1559,6 +1559,13 @@ systrace_args(int sysnum, void *params, uint64_t *uarg
                *n_args = 3;
                break;
        }
+       /* freebsd32_jail */
+       case 338: {
+               struct freebsd32_jail_args *p = params;
+               uarg[0] = (intptr_t) p->jail; /* struct jail32 * */
+               *n_args = 1;
+               break;
+       }
        /* sigprocmask */
        case 340: {
                struct sigprocmask_args *p = params;
@@ -5704,6 +5711,16 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *d
                        break;
                };
                break;
+       /* freebsd32_jail */
+       case 338:
+               switch(ndx) {
+               case 0:
+                       p = "userland struct jail32 *";
+                       break;
+               default:
+                       break;
+               };
+               break;
        /* sigprocmask */
        case 340:
                switch(ndx) {
@@ -9653,6 +9670,11 @@ systrace_return_setargdesc(int sysnum, int ndx, char *
                break;
        /* kldsym */
        case 337:
+               if (ndx == 0 || ndx == 1)
+                       p = "int";
+               break;
+       /* freebsd32_jail */
+       case 338:
                if (ndx == 0 || ndx == 1)
                        p = "int";
                break;

Modified: head/sys/compat/freebsd32/syscalls.master
==============================================================================
--- head/sys/compat/freebsd32/syscalls.master   Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/compat/freebsd32/syscalls.master   Thu Aug 16 19:09:43 2018        
(r337925)
@@ -601,7 +601,7 @@
                                    off_t *sbytes, int flags); }
 337    AUE_NULL        NOPROTO { int kldsym(int fileid, int cmd, \
                                    void *data); }
-338    AUE_JAIL        COMPAT11 { int freebsd32_jail(struct jail32 *jail); }
+338    AUE_JAIL        STD     { int freebsd32_jail(struct jail32 *jail); }
 339    AUE_NULL        UNIMPL  pioctl
 340    AUE_SIGPROCMASK NOPROTO { int sigprocmask(int how, \
                                    const sigset_t *set, sigset_t *oset); }

Modified: head/sys/kern/init_sysent.c
==============================================================================
--- head/sys/kern/init_sysent.c Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/init_sysent.c Thu Aug 16 19:09:43 2018        (r337925)
@@ -387,7 +387,7 @@ struct sysent sysent[] = {
        { AS(utrace_args), (sy_call_t *)sys_utrace, AUE_NULL, NULL, 0, 0, 
SYF_CAPENABLED, SY_THR_STATIC },      /* 335 = utrace */
        { compat4(AS(freebsd4_sendfile_args),sendfile), AUE_SENDFILE, NULL, 0, 
0, SYF_CAPENABLED, SY_THR_STATIC },      /* 336 = freebsd4 sendfile */
        { AS(kldsym_args), (sy_call_t *)sys_kldsym, AUE_NULL, NULL, 0, 0, 0, 
SY_THR_STATIC },   /* 337 = kldsym */
-       { compat11(AS(freebsd11_jail_args),jail), AUE_JAIL, NULL, 0, 0, 0, 
SY_THR_STATIC },     /* 338 = freebsd11 jail */
+       { AS(jail_args), (sy_call_t *)sys_jail, AUE_JAIL, NULL, 0, 0, 0, 
SY_THR_STATIC },       /* 338 = jail */
        { AS(nnpfs_syscall_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 
0, SY_THR_ABSENT },     /* 339 = nnpfs_syscall */
        { AS(sigprocmask_args), (sy_call_t *)sys_sigprocmask, AUE_SIGPROCMASK, 
NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },     /* 340 = sigprocmask */
        { AS(sigsuspend_args), (sy_call_t *)sys_sigsuspend, AUE_SIGSUSPEND, 
NULL, 0, 0, SYF_CAPENABLED, SY_THR_STATIC },        /* 341 = sigsuspend */

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/kern_jail.c   Thu Aug 16 19:09:43 2018        (r337925)
@@ -74,14 +74,6 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_framework.h>
 
-/*
- * The old jail(2) interface will exist under COMPAT_FREEBSD11, but the global
- * permission sysctls are slated to go away sometime (even with COMPAT).
- */
-#if defined(COMPAT_FREEBSD11) && !defined(BURN_BRIDGES)
-#define PR_GLOBAL_ALLOW
-#endif
-
 #define        DEFAULT_HOSTUUID        "00000000-0000-0000-0000-000000000000"
 
 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
@@ -207,11 +199,9 @@ const size_t pr_flag_allow_size = sizeof(pr_flag_allow
 #define        JAIL_DEFAULT_ALLOW              (PR_ALLOW_SET_HOSTNAME | 
PR_ALLOW_RESERVED_PORTS)
 #define        JAIL_DEFAULT_ENFORCE_STATFS     2
 #define        JAIL_DEFAULT_DEVFS_RSNUM        0
-#ifdef PR_GLOBAL_ALLOW
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
 static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM;
-#endif
 #if defined(INET) || defined(INET6)
 static unsigned jail_max_af_ips = 255;
 #endif
@@ -229,14 +219,13 @@ prison0_init(void)
        strlcpy(prison0.pr_osrelease, osrelease, sizeof(prison0.pr_osrelease));
 }
 
-#ifdef COMPAT_FREEBSD11
 /*
  * struct jail_args {
  *     struct jail *jail;
  * };
  */
 int
-freebsd11_jail(struct thread *td, struct freebsd11_jail_args *uap)
+sys_jail(struct thread *td, struct jail_args *uap)
 {
        uint32_t version;
        int error;
@@ -281,16 +270,13 @@ freebsd11_jail(struct thread *td, struct freebsd11_jai
                /* Sci-Fi jails are not supported, sorry. */
                return (EINVAL);
        }
-       return (freebsd11_kern_jail(td, &j));
+       return (kern_jail(td, &j));
 }
 
 int
-freebsd11_kern_jail(struct thread *td, struct jail *j)
+kern_jail(struct thread *td, struct jail *j)
 {
-       struct iovec optiov[2 * (3
-#ifdef PR_GLOBAL_ALLOW
-                           + 1 + nitems(pr_flag_allow)
-#endif
+       struct iovec optiov[2 * (4 + nitems(pr_flag_allow)
 #ifdef INET
                            + 1
 #endif
@@ -300,10 +286,7 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
                            )];
        struct uio opt;
        char *u_path, *u_hostname, *u_name;
-#ifdef PR_GLOBAL_ALLOW
        struct bool_flags *bf;
-       int enforce_statfs;
-#endif
 #ifdef INET
        uint32_t ip4s;
        struct in_addr *u_ip4;
@@ -312,7 +295,7 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        struct in6_addr *u_ip6;
 #endif
        size_t tmplen;
-       int error;
+       int error, enforce_statfs;
 
        bzero(&optiov, sizeof(optiov));
        opt.uio_iov = optiov;
@@ -323,7 +306,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        opt.uio_rw = UIO_READ;
        opt.uio_td = td;
 
-#ifdef PR_GLOBAL_ALLOW
        /* Set permissions for top-level jails from sysctls. */
        if (!jailed(td->td_ucred)) {
                for (bf = pr_flag_allow;
@@ -345,7 +327,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
                optiov[opt.uio_iovcnt].iov_len = sizeof(enforce_statfs);
                opt.uio_iovcnt++;
        }
-#endif
 
        tmplen = MAXPATHLEN + MAXHOSTNAMELEN + MAXHOSTNAMELEN;
 #ifdef INET
@@ -449,7 +430,6 @@ freebsd11_kern_jail(struct thread *td, struct jail *j)
        free(u_path, M_TEMP);
        return (error);
 }
-#endif /* COMPAT_FREEBSD11 */
 
 
 /*
@@ -1267,11 +1247,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
                pr->pr_securelevel = ppr->pr_securelevel;
                pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
-#ifdef PR_GLOBAL_ALLOW
                pr->pr_enforce_statfs = jail_default_enforce_statfs;
-#else
-               pr->pr_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
-#endif
                pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;
 
                pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
@@ -3439,7 +3415,6 @@ prison_path(struct prison *pr1, struct prison *pr2)
 static SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
     "Jails");
 
-#ifdef COMPAT_FREEBSD11
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
@@ -3543,7 +3518,6 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 SYSCTL_OID(_security_jail, OID_AUTO, list,
     CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_list, "S", "List of active jails");
-#endif /* COMPAT_FREEBSD11 */
 
 static int
 sysctl_jail_jailed(SYSCTL_HANDLER_ARGS)
@@ -3583,14 +3557,13 @@ SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
 #if defined(INET) || defined(INET6)
 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
     &jail_max_af_ips, 0,
-    "Number of IP addresses a jail may have at most per address family");
+    "Number of IP addresses a jail may have at most per address family 
(deprecated)");
 #endif
 
 /*
- * Jail permissions - jailed processes can read these to find out what they are
- * allowed to do.  A deprecated use is to set default permissions for prisons
- * created via jail(2).  For historical reasons, the sysctl names have varying
- * similarity to the parameter names.
+ * Default parameters for jail(2) compatibility.  For historical reasons,
+ * the sysctl names have varying similarity to the parameter names.  Prisons
+ * just see their own parameters, and can't change them.
  */
 static int
 sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
@@ -3599,68 +3572,52 @@ sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
        int allow, error, i;
 
        pr = req->td->td_ucred->cr_prison;
-#ifdef PR_GLOBAL_ALLOW
        allow = (pr == &prison0) ? jail_default_allow : pr->pr_allow;
-#else
-       allow = pr->pr_allow;
-#endif
 
        /* Get the current flag value, and convert it to a boolean. */
        i = (allow & arg2) ? 1 : 0;
        if (arg1 != NULL)
                i = !i;
        error = sysctl_handle_int(oidp, &i, 0, req);
-       if (error)
+       if (error || !req->newptr)
                return (error);
-#ifdef PR_GLOBAL_ALLOW
-       if (req->newptr) {
-               i = i ? arg2 : 0;
-               if (arg1 != NULL)
-                       i ^= arg2;
-               /*
-                * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
-                * for writing.
-                */
-               mtx_lock(&prison0.pr_mtx);
-               jail_default_allow = (jail_default_allow & ~arg2) | i;
-               mtx_unlock(&prison0.pr_mtx);
-       }
-#endif
+       i = i ? arg2 : 0;
+       if (arg1 != NULL)
+               i ^= arg2;
+       /*
+        * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
+        * for writing.
+        */
+       mtx_lock(&prison0.pr_mtx);
+       jail_default_allow = (jail_default_allow & ~arg2) | i;
+       mtx_unlock(&prison0.pr_mtx);
        return (0);
 }
 
-#ifdef PR_GLOBAL_ALLOW
-#define CTLFLAG_GLOBAL_ALLOW   (CTLFLAG_RW | CTLFLAG_MPSAFE)
-#define ADDR_GLOBAL_ALLOW(i)   &i
-#else
-#define CTLFLAG_GLOBAL_ALLOW   (CTLFLAG_RD | CTLFLAG_MPSAFE)
-#define ADDR_GLOBAL_ALLOW(i)   NULL
-#endif
-
 SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
-    "Processes in jail can set their hostnames");
+    "Processes in jail can set their hostnames (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, socket_unixiproute_only,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     (void *)1, PR_ALLOW_SOCKET_AF, sysctl_jail_default_allow, "I",
-    "Processes in jail are limited to creating UNIX/IP/route sockets only");
+    "Processes in jail are limited to creating UNIX/IP/route sockets only 
(deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, sysvipc_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_SYSVIPC, sysctl_jail_default_allow, "I",
-    "Processes in jail can use System V IPC primitives");
+    "Processes in jail can use System V IPC primitives (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, allow_raw_sockets,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_RAW_SOCKETS, sysctl_jail_default_allow, "I",
-    "Prison root can create raw sockets");
+    "Prison root can create raw sockets (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, chflags_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_CHFLAGS, sysctl_jail_default_allow, "I",
-    "Processes in jail can alter system file flags");
+    "Processes in jail can alter system file flags (deprecated)");
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
-    "Processes in jail can mount/unmount jail-friendly file systems");
+    "Processes in jail can mount/unmount jail-friendly file systems 
(deprecated)");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -3669,33 +3626,25 @@ sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
        int level, error;
 
        pr = req->td->td_ucred->cr_prison;
-#ifdef PR_GLOBAL_ALLOW
        level = (pr == &prison0) ? *(int *)arg1 : *(int *)((char *)pr + arg2);
-#else
-       level = *(int *)((char *)pr + arg2);
-#endif
        error = sysctl_handle_int(oidp, &level, 0, req);
-       if (error)
+       if (error || !req->newptr)
                return (error);
-#ifdef PR_GLOBAL_ALLOW
-       if (req->newptr)
-               *(int *)arg1 = level;
-#endif
+       *(int *)arg1 = level;
        return (0);
 }
 
 SYSCTL_PROC(_security_jail, OID_AUTO, enforce_statfs,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
-    ADDR_GLOBAL_ALLOW(jail_default_enforce_statfs),
-    offsetof(struct prison, pr_enforce_statfs),
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    &jail_default_enforce_statfs, offsetof(struct prison, pr_enforce_statfs),
     sysctl_jail_default_level, "I",
-    "Processes in jail cannot see all mounted file systems");
+    "Processes in jail cannot see all mounted file systems (deprecated)");
+
 SYSCTL_PROC(_security_jail, OID_AUTO, devfs_ruleset,
-    CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW,
-    ADDR_GLOBAL_ALLOW(jail_default_devfs_rsnum),
-    offsetof(struct prison, pr_devfs_rsnum),
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    &jail_default_devfs_rsnum, offsetof(struct prison, pr_devfs_rsnum),
     sysctl_jail_default_level, "I",
-    "Ruleset for the devfs filesystem in jail");
+    "Ruleset for the devfs filesystem in jail (deprecated)");
 
 /*
  * Nodes to describe jail parameters.  Maximum length of string parameters
@@ -3836,6 +3785,9 @@ prison_add_allow(const char *prefix, const char *name,
        struct bool_flags *bf;
        struct sysctl_oid *parent;
        char *allow_name, *allow_noname, *allowed;
+#ifndef NO_SYSCTL_DESCR
+       char *descr_deprecated;
+#endif
        unsigned allow_flag;
 
        if (prefix
@@ -3892,7 +3844,10 @@ prison_add_allow(const char *prefix, const char *name,
        bf->flag = allow_flag;
        mtx_unlock(&prison0.pr_mtx);
 
-       /* Create sysctls for the paramter, and the current permission. */
+       /*
+        * Create sysctls for the paramter, and the back-compat global
+        * permission.
+        */
        parent = prefix
            ? SYSCTL_ADD_NODE(NULL,
                  SYSCTL_CHILDREN(&sysctl___security_jail_param_allow),
@@ -3904,10 +3859,17 @@ prison_add_allow(const char *prefix, const char *name,
        if ((prefix
             ? asprintf(&allowed, M_TEMP, "%s_%s_allowed", prefix, name)
             : asprintf(&allowed, M_TEMP, "%s_allowed", name)) >= 0) {
+#ifndef NO_SYSCTL_DESCR
+               (void)asprintf(&descr_deprecated, M_TEMP, "%s (deprecated)",
+                   descr);
+#endif
                (void)SYSCTL_ADD_PROC(NULL,
                    SYSCTL_CHILDREN(&sysctl___security_jail), OID_AUTO, allowed,
-                   CTLTYPE_INT | CTLFLAG_GLOBAL_ALLOW, NULL, allow_flag,
-                   sysctl_jail_default_allow, "I", descr);
+                   CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, allow_flag,
+                   sysctl_jail_default_allow, "I", descr_deprecated);
+#ifndef NO_SYSCTL_DESCR
+               free(descr_deprecated, M_TEMP);
+#endif
                free(allowed, M_TEMP);
        }
        return allow_flag;

Modified: head/sys/kern/syscalls.c
==============================================================================
--- head/sys/kern/syscalls.c    Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/kern/syscalls.c    Thu Aug 16 19:09:43 2018        (r337925)
@@ -344,7 +344,7 @@ const char *syscallnames[] = {
        "utrace",                       /* 335 = utrace */
        "compat4.sendfile",             /* 336 = freebsd4 sendfile */
        "kldsym",                       /* 337 = kldsym */
-       "compat11.jail",                /* 338 = freebsd11 jail */
+       "jail",                 /* 338 = jail */
        "nnpfs_syscall",                        /* 339 = nnpfs_syscall */
        "sigprocmask",                  /* 340 = sigprocmask */
        "sigsuspend",                   /* 341 = sigsuspend */

Modified: head/sys/kern/syscalls.master
==============================================================================
--- head/sys/kern/syscalls.master       Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/kern/syscalls.master       Thu Aug 16 19:09:43 2018        
(r337925)
@@ -738,7 +738,7 @@
                                    _Out_opt_ off_t *sbytes, int flags); }
 337    AUE_NULL        STD     { int kldsym(int fileid, int cmd, \
                                    _In_ void *data); }
-338    AUE_JAIL        COMPAT11 { int jail( \
+338    AUE_JAIL        STD     { int jail( \
                                    _In_ struct jail *jail); }
 
 339    AUE_NULL        NOSTD|NOTSTATIC { int nnpfs_syscall(int operation, \

Modified: head/sys/kern/systrace_args.c
==============================================================================
--- head/sys/kern/systrace_args.c       Thu Aug 16 18:58:34 2018        
(r337924)
+++ head/sys/kern/systrace_args.c       Thu Aug 16 19:09:43 2018        
(r337925)
@@ -1593,6 +1593,13 @@ systrace_args(int sysnum, void *params, uint64_t *uarg
                *n_args = 3;
                break;
        }
+       /* jail */
+       case 338: {
+               struct jail_args *p = params;
+               uarg[0] = (intptr_t) p->jail; /* struct jail * */
+               *n_args = 1;
+               break;
+       }
        /* nnpfs_syscall */
        case 339: {
                struct nnpfs_syscall_args *p = params;
@@ -5765,6 +5772,16 @@ systrace_entry_setargdesc(int sysnum, int ndx, char *d
                        break;
                };
                break;
+       /* jail */
+       case 338:
+               switch(ndx) {
+               case 0:
+                       p = "userland struct jail *";
+                       break;
+               default:
+                       break;
+               };
+               break;
        /* nnpfs_syscall */
        case 339:
                switch(ndx) {
@@ -9627,6 +9644,11 @@ systrace_return_setargdesc(int sysnum, int ndx, char *
                break;
        /* kldsym */
        case 337:
+               if (ndx == 0 || ndx == 1)
+                       p = "int";
+               break;
+       /* jail */
+       case 338:
                if (ndx == 0 || ndx == 1)
                        p = "int";
                break;

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/jail.h Thu Aug 16 19:09:43 2018        (r337925)
@@ -32,7 +32,6 @@
 #ifndef _SYS_JAIL_H_
 #define _SYS_JAIL_H_
 
-#ifdef COMPAT_FREEBSD11
 #ifdef _KERNEL
 struct jail_v0 {
        u_int32_t       version;
@@ -58,6 +57,16 @@ struct jail {
  * For all xprison structs, always keep the pr_version an int and
  * the first variable so userspace can easily distinguish them.
  */
+#ifndef _KERNEL
+struct xprison_v1 {
+       int              pr_version;
+       int              pr_id;
+       char             pr_path[MAXPATHLEN];
+       char             pr_host[MAXHOSTNAMELEN];
+       u_int32_t        pr_ip;
+};
+#endif
+
 struct xprison {
        int              pr_version;
        int              pr_id;
@@ -82,7 +91,6 @@ struct xprison {
 #define        PRISON_STATE_INVALID    0
 #define        PRISON_STATE_ALIVE      1
 #define        PRISON_STATE_DYING      2
-#endif /* COMPAT_FREEBSD11 */
 
 /*
  * Flags for jail_set and jail_get.
@@ -102,6 +110,7 @@ struct xprison {
 
 struct iovec;
 
+int jail(struct jail *);
 int jail_set(struct iovec *, unsigned int, int);
 int jail_get(struct iovec *, unsigned int, int);
 int jail_attach(int);

Modified: head/sys/sys/syscall.h
==============================================================================
--- head/sys/sys/syscall.h      Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscall.h      Thu Aug 16 19:09:43 2018        (r337925)
@@ -280,7 +280,7 @@
 #define        SYS_utrace      335
                                /* 336 is freebsd4 sendfile */
 #define        SYS_kldsym      337
-#define        SYS_freebsd11_jail      338
+#define        SYS_jail        338
 #define        SYS_nnpfs_syscall       339
 #define        SYS_sigprocmask 340
 #define        SYS_sigsuspend  341

Modified: head/sys/sys/syscall.mk
==============================================================================
--- head/sys/sys/syscall.mk     Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscall.mk     Thu Aug 16 19:09:43 2018        (r337925)
@@ -209,7 +209,7 @@ MIASM =  \
        sched_rr_get_interval.o \
        utrace.o \
        kldsym.o \
-       freebsd11_jail.o \
+       jail.o \
        nnpfs_syscall.o \
        sigprocmask.o \
        sigsuspend.o \

Modified: head/sys/sys/syscallsubr.h
==============================================================================
--- head/sys/sys/syscallsubr.h  Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/syscallsubr.h  Thu Aug 16 19:09:43 2018        (r337925)
@@ -143,6 +143,7 @@ int kern_getsockname(struct thread *td, int fd, struct
 int    kern_getsockopt(struct thread *td, int s, int level, int name,
            void *optval, enum uio_seg valseg, socklen_t *valsize);
 int    kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data);
+int    kern_jail(struct thread *td, struct jail *j);
 int    kern_jail_get(struct thread *td, struct uio *options, int flags);
 int    kern_jail_set(struct thread *td, struct uio *options, int flags);
 int    kern_kevent(struct thread *td, int fd, int nchanges, int nevents,
@@ -307,6 +308,5 @@ struct freebsd11_dirent;
 
 int    freebsd11_kern_getdirentries(struct thread *td, int fd, char *ubuf, 
u_int
            count, long *basep, void (*func)(struct freebsd11_dirent *));
-int    freebsd11_kern_jail(struct thread *td, struct jail *j);
 
 #endif /* !_SYS_SYSCALLSUBR_H_ */

Modified: head/sys/sys/sysproto.h
==============================================================================
--- head/sys/sys/sysproto.h     Thu Aug 16 18:58:34 2018        (r337924)
+++ head/sys/sys/sysproto.h     Thu Aug 16 19:09:43 2018        (r337925)
@@ -849,6 +849,9 @@ struct kldsym_args {
        char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
        char data_l_[PADL_(void *)]; void * data; char data_r_[PADR_(void *)];
 };
+struct jail_args {
+       char jail_l_[PADL_(struct jail *)]; struct jail * jail; char 
jail_r_[PADR_(struct jail *)];
+};
 struct nnpfs_syscall_args {
        char operation_l_[PADL_(int)]; int operation; char 
operation_r_[PADR_(int)];
        char a_pathP_l_[PADL_(char *)]; char * a_pathP; char 
a_pathP_r_[PADR_(char *)];
@@ -1958,6 +1961,7 @@ int       sys_sched_get_priority_min(struct thread *, 
struct
 int    sys_sched_rr_get_interval(struct thread *, struct 
sched_rr_get_interval_args *);
 int    sys_utrace(struct thread *, struct utrace_args *);
 int    sys_kldsym(struct thread *, struct kldsym_args *);
+int    sys_jail(struct thread *, struct jail_args *);
 int    sys_nnpfs_syscall(struct thread *, struct nnpfs_syscall_args *);
 int    sys_sigprocmask(struct thread *, struct sigprocmask_args *);
 int    sys_sigsuspend(struct thread *, struct sigsuspend_args *);
@@ -2527,9 +2531,6 @@ struct freebsd11_fhstat_args {
        char u_fhp_l_[PADL_(const struct fhandle *)]; const struct fhandle * 
u_fhp; char u_fhp_r_[PADR_(const struct fhandle *)];
        char sb_l_[PADL_(struct freebsd11_stat *)]; struct freebsd11_stat * sb; 
char sb_r_[PADR_(struct freebsd11_stat *)];
 };
-struct freebsd11_jail_args {
-       char jail_l_[PADL_(struct jail *)]; struct jail * jail; char 
jail_r_[PADR_(struct jail *)];
-};
 struct freebsd11_kevent_args {
        char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
        char changelist_l_[PADL_(struct kevent_freebsd11 *)]; struct 
kevent_freebsd11 * changelist; char changelist_r_[PADR_(struct kevent_freebsd11 
*)];
@@ -2578,7 +2579,6 @@ int       freebsd11_nstat(struct thread *, struct 
freebsd11_
 int    freebsd11_nfstat(struct thread *, struct freebsd11_nfstat_args *);
 int    freebsd11_nlstat(struct thread *, struct freebsd11_nlstat_args *);
 int    freebsd11_fhstat(struct thread *, struct freebsd11_fhstat_args *);
-int    freebsd11_jail(struct thread *, struct freebsd11_jail_args *);
 int    freebsd11_kevent(struct thread *, struct freebsd11_kevent_args *);
 int    freebsd11_getfsstat(struct thread *, struct freebsd11_getfsstat_args *);
 int    freebsd11_statfs(struct thread *, struct freebsd11_statfs_args *);
@@ -2849,7 +2849,7 @@ int       freebsd11_mknodat(struct thread *, struct 
freebsd1
 #define        SYS_AUE_utrace  AUE_NULL
 #define        SYS_AUE_freebsd4_sendfile       AUE_SENDFILE
 #define        SYS_AUE_kldsym  AUE_NULL
-#define        SYS_AUE_freebsd11_jail  AUE_JAIL
+#define        SYS_AUE_jail    AUE_JAIL
 #define        SYS_AUE_nnpfs_syscall   AUE_NULL
 #define        SYS_AUE_sigprocmask     AUE_SIGPROCMASK
 #define        SYS_AUE_sigsuspend      AUE_SIGSUSPEND
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to