1 /*-
2 * Copyright (c) 1999 Poul-Henning Kamp.
3 * Copyright (c) 2008 Bjoern A. Zeeb.
4 * Copyright (c) 2009 James Gritton.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 #include "opt_ddb.h"
31 #include "opt_inet.h"
32 #include "opt_inet6.h"
33
34 #include <sys/param.h>
35 #include <sys/types.h>
36 #include <sys/kernel.h>
37 #include <sys/systm.h>
38 #include <sys/errno.h>
39 #include <sys/sysproto.h>
40 #include <sys/malloc.h>
41 #include <sys/osd.h>
42 #include <sys/priv.h>
43 #include <sys/proc.h>
44 #include <sys/taskqueue.h>
45 #include <sys/fcntl.h>
46 #include <sys/jail.h>
47 #include <sys/lock.h>
48 #include <sys/mutex.h>
49 #include <sys/racct.h>
50 #include <sys/refcount.h>
51 #include <sys/sx.h>
52 #include <sys/namei.h>
53 #include <sys/mount.h>
54 #include <sys/queue.h>
55 #include <sys/socket.h>
56 #include <sys/syscallsubr.h>
57 #include <sys/sysctl.h>
58 #include <sys/vnode.h>
59
60 #include <net/if.h>
61 #include <net/vnet.h>
62
63 #include <netinet/in.h>
64
/*
 * Comparison callback that orders two IPv6 addresses byte by byte, starting
 * with the first byte of s6_addr.
 *
 * ip1 and ip2 each point to a struct in6_addr.
 *
 * Returns exactly -1, 0 or 1 when the first address sorts before, equal to,
 * or after the second.  prison_restrict_ip6() switches on these three
 * values, so no other result may be produced.
 */
int
prison_qcmp_v6(const void *ip1, const void *ip2)
{
	const struct in6_addr *ia6a, *ia6b;
	size_t i;

	ia6a = (const struct in6_addr *)ip1;
	ia6b = (const struct in6_addr *)ip2;

	/* The bound is a sizeof expression, so index with size_t. */
	for (i = 0; i < sizeof(struct in6_addr); i++) {
		if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
			return (1);
		if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
			return (-1);
	}
	return (0);
}
83
84 int
prison_restrict_ip6(struct prison * pr,struct in6_addr * newip6)85 prison_restrict_ip6(struct prison *pr, struct in6_addr *newip6)
86 {
87 int ii, ij, used;
88 struct prison *ppr;
89
90 ppr = pr->pr_parent;
91 if (!(pr->pr_flags & PR_IP6_USER)) {
92 /* This has no user settings, so just copy the parent's list. */
93 if (pr->pr_ip6s < ppr->pr_ip6s) {
94 /*
95 * There's no room for the parent's list. Use the
96 * new list buffer, which is assumed to be big enough
97 * (if it was passed). If there's no buffer, try to
98 * allocate one.
99 */
100 used = 1;
101 if (newip6 == NULL) {
102 newip6 = malloc(ppr->pr_ip6s * sizeof(*newip6),
103 M_PRISON, M_NOWAIT);
104 if (newip6 != NULL)
105 used = 0;
106 }
107 if (newip6 != NULL) {
108 bcopy(ppr->pr_ip6, newip6,
109 ppr->pr_ip6s * sizeof(*newip6));
110 free(pr->pr_ip6, M_PRISON);
111 pr->pr_ip6 = newip6;
112 pr->pr_ip6s = ppr->pr_ip6s;
113 }
114 return (used);
115 }
116 pr->pr_ip6s = ppr->pr_ip6s;
117 if (pr->pr_ip6s > 0)
118 bcopy(ppr->pr_ip6, pr->pr_ip6,
119 pr->pr_ip6s * sizeof(*newip6));
120 else if (pr->pr_ip6 != NULL) {
121 free(pr->pr_ip6, M_PRISON);
122 pr->pr_ip6 = NULL;
123 }
124 } else if (pr->pr_ip6s > 0) {
125 /* Remove addresses that aren't in the parent. */
126 for (ij = 0; ij < ppr->pr_ip6s; ij++)
127 if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0],
128 &ppr->pr_ip6[ij]))
129 break;
130 if (ij < ppr->pr_ip6s)
131 ii = 1;
132 else {
133 bcopy(pr->pr_ip6 + 1, pr->pr_ip6,
134 --pr->pr_ip6s * sizeof(*pr->pr_ip6));
135 ii = 0;
136 }
137 for (ij = 1; ii < pr->pr_ip6s; ) {
138 if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[ii],
139 &ppr->pr_ip6[0])) {
140 ii++;
141 continue;
142 }
143 switch (ij >= ppr->pr_ip6s ? -1 :
144 prison_qcmp_v6(&pr->pr_ip6[ii], &ppr->pr_ip6[ij])) {
145 case -1:
146 bcopy(pr->pr_ip6 + ii + 1, pr->pr_ip6 + ii,
147 (--pr->pr_ip6s - ii) * sizeof(*pr->pr_ip6));
148 break;
149 case 0:
150 ii++;
151 ij++;
152 break;
153 case 1:
154 ij++;
155 break;
156 }
157 }
158 if (pr->pr_ip6s == 0) {
159 free(pr->pr_ip6, M_PRISON);
160 pr->pr_ip6 = NULL;
161 }
162 }
163 return 0;
164 }
165
166 /*
167 * Pass back primary IPv6 address for this jail.
168 *
169 * If not restricted return success but do not alter the address. Caller has
170 * to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT).
171 *
172 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
173 */
174 int
prison_get_ip6(struct ucred * cred,struct in6_addr * ia6)175 prison_get_ip6(struct ucred *cred, struct in6_addr *ia6)
176 {
177 struct prison *pr;
178
179 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
180 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
181
182 pr = cred->cr_prison;
183 if (!(pr->pr_flags & PR_IP6))
184 return (0);
185 mtx_lock(&pr->pr_mtx);
186 if (!(pr->pr_flags & PR_IP6)) {
187 mtx_unlock(&pr->pr_mtx);
188 return (0);
189 }
190 if (pr->pr_ip6 == NULL) {
191 mtx_unlock(&pr->pr_mtx);
192 return (EAFNOSUPPORT);
193 }
194
195 bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr));
196 mtx_unlock(&pr->pr_mtx);
197 return (0);
198 }
199
200 /*
201 * Return 1 if we should do proper source address selection or are not jailed.
202 * We will return 0 if we should bypass source address selection in favour
203 * of the primary jail IPv6 address. Only in this case *ia will be updated and
204 * returned in NBO.
205 * Return EAFNOSUPPORT, in case this jail does not allow IPv6.
206 */
207 int
prison_saddrsel_ip6(struct ucred * cred,struct in6_addr * ia6)208 prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6)
209 {
210 struct prison *pr;
211 struct in6_addr lia6;
212 int error;
213
214 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
215 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
216
217 if (!jailed(cred))
218 return (1);
219
220 pr = cred->cr_prison;
221 if (pr->pr_flags & PR_IP6_SADDRSEL)
222 return (1);
223
224 lia6 = in6addr_any;
225 error = prison_get_ip6(cred, &lia6);
226 if (error)
227 return (error);
228 if (IN6_IS_ADDR_UNSPECIFIED(&lia6))
229 return (1);
230
231 bcopy(&lia6, ia6, sizeof(struct in6_addr));
232 return (0);
233 }
234
235 /*
236 * Return true if pr1 and pr2 have the same IPv6 address restrictions.
237 */
238 int
prison_equal_ip6(struct prison * pr1,struct prison * pr2)239 prison_equal_ip6(struct prison *pr1, struct prison *pr2)
240 {
241
242 if (pr1 == pr2)
243 return (1);
244
245 while (pr1 != &prison0 &&
246 #ifdef VIMAGE
247 !(pr1->pr_flags & PR_VNET) &&
248 #endif
249 !(pr1->pr_flags & PR_IP6_USER))
250 pr1 = pr1->pr_parent;
251 while (pr2 != &prison0 &&
252 #ifdef VIMAGE
253 !(pr2->pr_flags & PR_VNET) &&
254 #endif
255 !(pr2->pr_flags & PR_IP6_USER))
256 pr2 = pr2->pr_parent;
257 return (pr1 == pr2);
258 }
259
260 /*
261 * Make sure our (source) address is set to something meaningful to this jail.
262 *
263 * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
264 * when needed while binding.
265 *
266 * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
267 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
268 * doesn't allow IPv6.
269 */
270 int
prison_local_ip6(struct ucred * cred,struct in6_addr * ia6,int v6only)271 prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
272 {
273 struct prison *pr;
274 int error;
275
276 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
277 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
278
279 pr = cred->cr_prison;
280 if (!(pr->pr_flags & PR_IP6))
281 return (0);
282 mtx_lock(&pr->pr_mtx);
283 if (!(pr->pr_flags & PR_IP6)) {
284 mtx_unlock(&pr->pr_mtx);
285 return (0);
286 }
287 if (pr->pr_ip6 == NULL) {
288 mtx_unlock(&pr->pr_mtx);
289 return (EAFNOSUPPORT);
290 }
291
292 if (IN6_IS_ADDR_UNSPECIFIED(ia6)) {
293 /*
294 * In case there is only 1 IPv6 address, and v6only is true,
295 * then bind directly.
296 */
297 if (v6only != 0 && pr->pr_ip6s == 1)
298 bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr));
299 mtx_unlock(&pr->pr_mtx);
300 return (0);
301 }
302
303 error = prison_check_ip6_locked(pr, ia6);
304 if (error == EADDRNOTAVAIL && IN6_IS_ADDR_LOOPBACK(ia6)) {
305 bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr));
306 error = 0;
307 }
308
309 mtx_unlock(&pr->pr_mtx);
310 return (error);
311 }
312
313 /*
314 * Rewrite destination address in case we will connect to loopback address.
315 *
316 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
317 */
318 int
prison_remote_ip6(struct ucred * cred,struct in6_addr * ia6)319 prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
320 {
321 struct prison *pr;
322
323 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
324 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
325
326 pr = cred->cr_prison;
327 if (!(pr->pr_flags & PR_IP6))
328 return (0);
329 mtx_lock(&pr->pr_mtx);
330 if (!(pr->pr_flags & PR_IP6)) {
331 mtx_unlock(&pr->pr_mtx);
332 return (0);
333 }
334 if (pr->pr_ip6 == NULL) {
335 mtx_unlock(&pr->pr_mtx);
336 return (EAFNOSUPPORT);
337 }
338
339 if (IN6_IS_ADDR_LOOPBACK(ia6) &&
340 prison_check_ip6_locked(pr, ia6) == EADDRNOTAVAIL) {
341 bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr));
342 mtx_unlock(&pr->pr_mtx);
343 return (0);
344 }
345
346 /*
347 * Return success because nothing had to be changed.
348 */
349 mtx_unlock(&pr->pr_mtx);
350 return (0);
351 }
352
353 /*
354 * Check if given address belongs to the jail referenced by cred/prison.
355 *
356 * Returns 0 if address belongs to jail,
357 * EADDRNOTAVAIL if the address doesn't belong to the jail.
358 */
359 int
prison_check_ip6_locked(const struct prison * pr,const struct in6_addr * ia6)360 prison_check_ip6_locked(const struct prison *pr, const struct in6_addr *ia6)
361 {
362 int i, a, z, d;
363
364 /*
365 * Check the primary IP.
366 */
367 if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0], ia6))
368 return (0);
369
370 /*
371 * All the other IPs are sorted so we can do a binary search.
372 */
373 a = 0;
374 z = pr->pr_ip6s - 2;
375 while (a <= z) {
376 i = (a + z) / 2;
377 d = prison_qcmp_v6(&pr->pr_ip6[i+1], ia6);
378 if (d > 0)
379 z = i - 1;
380 else if (d < 0)
381 a = i + 1;
382 else
383 return (0);
384 }
385
386 return (EADDRNOTAVAIL);
387 }
388
389 int
prison_check_ip6(const struct ucred * cred,const struct in6_addr * ia6)390 prison_check_ip6(const struct ucred *cred, const struct in6_addr *ia6)
391 {
392 struct prison *pr;
393 int error;
394
395 KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
396 KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
397
398 pr = cred->cr_prison;
399 if (!(pr->pr_flags & PR_IP6))
400 return (0);
401 mtx_lock(&pr->pr_mtx);
402 if (!(pr->pr_flags & PR_IP6)) {
403 mtx_unlock(&pr->pr_mtx);
404 return (0);
405 }
406 if (pr->pr_ip6 == NULL) {
407 mtx_unlock(&pr->pr_mtx);
408 return (EAFNOSUPPORT);
409 }
410
411 error = prison_check_ip6_locked(pr, ia6);
412 mtx_unlock(&pr->pr_mtx);
413 return (error);
414 }
415