From 235aefe21957ecc7c526a419943418bbb1248f11 Mon Sep 17 00:00:00 2001 From: jamie Date: Wed, 27 Oct 2010 16:22:54 +0000 Subject: [PATCH] Keep all internal/known parameter names in one place, and use enum constants everywhere else. --- usr.sbin/jail/config.c | 217 +++++++++++++++++++---------------------- usr.sbin/jail/jail.c | 76 +++++++-------- usr.sbin/jail/jailp.h | 18 +++- 3 files changed, 151 insertions(+), 160 deletions(-) diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index f7f5b9200c3f..f37b49fc8bd9 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -44,7 +44,6 @@ __FBSDID("$FreeBSD$"); struct ipspec { const char *name; - enum intparam ipnum; unsigned flags; }; @@ -53,52 +52,57 @@ extern int yynerrs; struct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails); -static int cmp_intparam(const void *a, const void *b); static void free_param(struct cfparams *pp, struct cfparam *p); static void free_param_strings(struct cfparam *p); -/* Note these must be in sort order */ static const struct ipspec intparams[] = { - {"allow.dying", IP_ALLOW_DYING, PF_INTERNAL | PF_BOOL }, - {"allow.nodying", IP_ALLOW_DYING, PF_INTERNAL | PF_BOOL }, - {"command", IP_COMMAND, PF_INTERNAL }, - {"depend", IP_DEPEND, PF_INTERNAL }, - {"exec.clean", IP_EXEC_CLEAN, PF_INTERNAL | PF_BOOL }, - {"exec.consolelog", IP_EXEC_CONSOLELOG, PF_INTERNAL }, - {"exec.fib", IP_EXEC_FIB, PF_INTERNAL | PF_INT }, - {"exec.jail_user", IP_EXEC_JAIL_USER, PF_INTERNAL }, - {"exec.noclean", IP_EXEC_CLEAN, PF_INTERNAL | PF_BOOL }, - {"exec.nosystem_jail_user",IP_EXEC_SYSTEM_JAIL_USER,PF_INTERNAL | PF_BOOL }, - {"exec.poststart", IP_EXEC_POSTSTART, PF_INTERNAL }, - {"exec.poststop", IP_EXEC_POSTSTOP, PF_INTERNAL }, - {"exec.prestart", IP_EXEC_PRESTART, PF_INTERNAL }, - {"exec.prestop", IP_EXEC_PRESTOP, PF_INTERNAL }, - {"exec.start", IP_EXEC_START, PF_INTERNAL }, - {"exec.stop", IP_EXEC_STOP, PF_INTERNAL }, - {"exec.system_jail_user", IP_EXEC_SYSTEM_JAIL_USER, PF_INTERNAL | PF_BOOL }, - {"exec.system_user", IP_EXEC_SYSTEM_USER, PF_INTERNAL }, - {"exec.timeout", IP_EXEC_TIMEOUT, PF_INTERNAL | PF_INT }, - {"host.hostname", KP_HOSTNAME, 0 }, - {"interface", IP_INTERFACE, PF_INTERNAL }, - {"ip4.addr", KP_IP4_ADDR, 0 }, + [IP_ALLOW_DYING] = {"allow.dying", PF_INTERNAL | PF_BOOL}, + [IP_COMMAND] = {"command", PF_INTERNAL}, + [IP_DEPEND] = {"depend", PF_INTERNAL}, + [IP_EXEC_CLEAN] = {"exec.clean", PF_INTERNAL | PF_BOOL}, + [IP_EXEC_CONSOLELOG] = {"exec.consolelog", PF_INTERNAL}, + [IP_EXEC_FIB] = {"exec.fib", PF_INTERNAL | PF_INT}, + [IP_EXEC_JAIL_USER] = {"exec.jail_user", PF_INTERNAL}, + [IP_EXEC_POSTSTART] = {"exec.poststart", PF_INTERNAL}, + [IP_EXEC_POSTSTOP] = {"exec.poststop", PF_INTERNAL}, + [IP_EXEC_PRESTART] = {"exec.prestart", PF_INTERNAL}, + [IP_EXEC_PRESTOP] = {"exec.prestop", PF_INTERNAL}, + [IP_EXEC_START] = {"exec.start", PF_INTERNAL}, + [IP_EXEC_STOP] = {"exec.stop", PF_INTERNAL}, + [IP_EXEC_SYSTEM_JAIL_USER]= {"exec.system_jail_user", + PF_INTERNAL | PF_BOOL}, + [IP_EXEC_SYSTEM_USER] = {"exec.system_user", PF_INTERNAL}, + [IP_EXEC_TIMEOUT] = {"exec.timeout", PF_INTERNAL | PF_INT}, + [IP_INTERFACE] = {"interface", PF_INTERNAL}, + [IP_IP_HOSTNAME] = {"ip_hostname", PF_INTERNAL | PF_BOOL}, + [IP_MOUNT] = {"mount", PF_INTERNAL}, + [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL}, + [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL}, + [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, + [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, + [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, + [IP__IP4_IFADDR] = {"ip4.addr", PF_INTERNAL | PF_CONV}, #ifdef INET6 - {"ip6.addr", KP_IP6_ADDR, 0 }, + [IP__IP6_IFADDR] = {"ip6.addr", PF_INTERNAL | PF_CONV}, #endif - {"ip_hostname", IP_IP_HOSTNAME, PF_INTERNAL | PF_BOOL }, - {"jid", KP_JID, PF_INT }, - {"mount", IP_MOUNT, PF_INTERNAL }, - {"mount.devfs", IP_MOUNT_DEVFS, PF_INTERNAL | PF_BOOL }, - {"mount.devfs.ruleset", IP_MOUNT_DEVFS_RULESET, PF_INTERNAL }, - {"mount.fstab", IP_MOUNT_FSTAB, PF_INTERNAL }, - {"mount.nodevfs", IP_MOUNT_DEVFS, PF_INTERNAL | PF_BOOL }, - {"name", KP_NAME, 0 }, - {"noip_hostname", IP_IP_HOSTNAME, PF_INTERNAL | PF_BOOL }, - {"nopersist", KP_PERSIST, PF_BOOL }, - {"path", KP_PATH, 0 }, - {"persist", KP_PERSIST, PF_BOOL }, - {"stop.timeout", IP_STOP_TIMEOUT, PF_INTERNAL | PF_INT }, - {"vnet", KP_VNET, 0 }, - {"vnet.interface", IP_VNET_INTERFACE, PF_INTERNAL }, + [KP_ALLOW_CHFLAGS] = {"allow.chflags", 0}, + [KP_ALLOW_MOUNT] = {"allow.mount", 0}, + [KP_ALLOW_RAW_SOCKETS] = {"allow.raw_sockets", 0}, + [KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0}, + [KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0}, + [KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0}, + [KP_ENFORCE_STATFS] = {"enforce_statfs", 0}, + [KP_HOST_HOSTNAME] = {"host.hostname", 0}, + [KP_IP4_ADDR] = {"ip4.addr", 0}, +#ifdef INET6 + [KP_IP6_ADDR] = {"ip6.addr", 0}, +#endif + [KP_JID] = {"jid", 0}, + [KP_NAME] = {"name", 0}, + [KP_PATH] = {"path", 0}, + [KP_PERSIST] = {"persist", 0}, + [KP_SECURELEVEL] = {"securelevel", 0}, + [KP_VNET] = {"vnet", 0}, }; /* @@ -146,7 +150,7 @@ load_config(void) * though they may also be explicitly set later on. */ add_param(j, NULL, - strtol(j->name, &ep, 10) && !*ep ? "jid" : "name", + strtol(j->name, &ep, 10) && !*ep ? KP_JID : KP_NAME, j->name); /* * Collect parameters for the jail, global parameters/variables, @@ -156,16 +160,16 @@ load_config(void) TAILQ_FOREACH(wj, &wild, tq) { if (j->seq < wj->seq && !did_self) { TAILQ_FOREACH(p, &opp, tq) - add_param(j, p, NULL, NULL); + add_param(j, p, 0, NULL); did_self = 1; } if (wild_jail_match(j->name, wj->name)) TAILQ_FOREACH(p, &wj->params, tq) - add_param(j, p, NULL, NULL); + add_param(j, p, 0, NULL); } if (!did_self) TAILQ_FOREACH(p, &opp, tq) - add_param(j, p, NULL, NULL); + add_param(j, p, 0, NULL); /* Resolve any variable substitutions. */ pgen = 0; @@ -274,13 +278,16 @@ add_jail(void) * Add a parameter to a jail. */ void -add_param(struct cfjail *j, const struct cfparam *p, const char *name, +add_param(struct cfjail *j, const struct cfparam *p, enum intparam ipnum, const char *value) { struct cfstrings nss; struct cfparam *dp, *np; struct cfstring *s, *ns; struct cfvar *v, *nv; + struct ipspec *ips; + const char *name; + char *cs, *tname; unsigned flags; if (j == NULL) { @@ -312,6 +319,18 @@ add_param(struct cfjail *j, const struct cfparam *p, const char *name, } } else { flags = PF_APPEND; + if (ipnum != 0) { + name = intparams[ipnum].name; + flags |= intparams[ipnum].flags; + } else if ((cs = strchr(value, '='))) { + tname = alloca(cs - value + 1); + strlcpy(tname, value, cs - value + 1); + name = tname; + value = cs + 1; + } else { + name = value; + value = NULL; + } if (value != NULL) { ns = emalloc(sizeof(struct cfstring)); ns->s = estrdup(value); @@ -322,21 +341,23 @@ add_param(struct cfjail *j, const struct cfparam *p, const char *name, } /* See if this parameter has already been added. */ - TAILQ_FOREACH(dp, &j->params, tq) { - if (equalopts(dp->name, name)) { - /* Found it - append or replace. */ - if (strcmp(dp->name, name)) { - free(dp->name); - dp->name = estrdup(name); - } - if (!(flags & PF_APPEND) || STAILQ_EMPTY(&nss)) - free_param_strings(dp); - STAILQ_CONCAT(&dp->val, &nss); - dp->flags |= flags; - break; + if (ipnum != 0) + dp = j->intparams[ipnum]; + else + TAILQ_FOREACH(dp, &j->params, tq) + if (!(dp->flags & PF_CONV) && equalopts(dp->name, name)) + break; + if (dp != NULL) { + /* Found it - append or replace. */ + if (strcmp(dp->name, name)) { + free(dp->name); + dp->name = estrdup(name); } - } - if (dp == NULL) { + if (!(flags & PF_APPEND) || STAILQ_EMPTY(&nss)) + free_param_strings(dp); + STAILQ_CONCAT(&dp->val, &nss); + dp->flags |= flags; + } else { /* Not found - add it. */ np = emalloc(sizeof(struct cfparam)); np->name = estrdup(name); @@ -345,29 +366,16 @@ add_param(struct cfjail *j, const struct cfparam *p, const char *name, np->flags = flags; np->gen = 0; TAILQ_INSERT_TAIL(&j->params, np, tq); - } -} - -/* - * Find internal or known parameters. - */ -void -find_intparams(void) -{ - struct cfjail *j; - struct cfparam *p; - struct ipspec *ip; - - TAILQ_FOREACH(j, &cfjails, tq) { - TAILQ_FOREACH(p, &j->params, tq) { - ip = bsearch(p->name, intparams, - sizeof(intparams) / sizeof(intparams[0]), - sizeof(struct ipspec), cmp_intparam); - if (ip != NULL) { - j->intparams[ip->ipnum] = p; - p->flags |= ip->flags; - } - } + if (ipnum != 0) + j->intparams[ipnum] = np; + else + for (ipnum = 1; ipnum < IP_NPARAM; ipnum++) + if (!(intparams[ipnum].flags & PF_CONV) && + equalopts(name, intparams[ipnum].name)) { + j->intparams[ipnum] = np; + np->flags |= intparams[ipnum].flags; + break; + } } } @@ -457,7 +465,6 @@ ip_params(struct cfjail *j) { struct in_addr addr4; struct addrinfo hints, *ai0, *ai; - struct cfparam *np; struct cfstring *s, *ns; char *cs, *ep; const char *hostname; @@ -477,7 +484,7 @@ ip_params(struct cfjail *j) * for any IP addresses it finds. */ if (bool_param(j->intparams[IP_IP_HOSTNAME]) && - (hostname = string_param(j->intparams[KP_HOSTNAME]))) { + (hostname = string_param(j->intparams[KP_HOST_HOSTNAME]))) { j->intparams[IP_IP_HOSTNAME] = NULL; /* * Silently ignore unsupported address families from @@ -526,7 +533,7 @@ ip_params(struct cfjail *j) &addr4, avalue4, INET_ADDRSTRLEN) == NULL) err(1, "inet_ntop"); - add_param(j, NULL, "ip4.addr", + add_param(j, NULL, KP_IP4_ADDR, avalue4); break; #ifdef INET6 @@ -539,7 +546,7 @@ ip_params(struct cfjail *j) &addr6, avalue6, INET6_ADDRSTRLEN) == NULL) err(1, "inet_ntop"); - add_param(j, NULL, "ip6.addr", + add_param(j, NULL, KP_IP6_ADDR, avalue6); break; #endif @@ -562,28 +569,14 @@ ip_params(struct cfjail *j) { if (j->intparams[KP_IP4_ADDR + isip6] == NULL) continue; - np = j->intparams[IP__IP4_IFADDR + isip6]; STAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR + isip6]->val, tq) { cs = strchr(s->s, '|'); - if (cs || defif) { - if (np == NULL) { - np = j->intparams[IP__IP4_IFADDR + - isip6] = - emalloc(sizeof(struct cfparam)); - np->name = estrdup(j->intparams - [KP_IP4_ADDR + isip6]->name); - STAILQ_INIT(&np->val); - np->flags = PF_INTERNAL; - } - ns = emalloc(sizeof(struct cfstring)); - ns->s = estrdup(s->s); - ns->len = s->len; - STAILQ_INIT(&ns->vars); - STAILQ_INSERT_TAIL(&np->val, ns, tq); - if (cs != NULL) { - strcpy(s->s, cs + 1); - s->len -= cs - s->s + 1; - } + if (cs || defif) + add_param(j, NULL, IP__IP4_IFADDR + isip6, + s->s); + if (cs) { + strcpy(s->s, cs + 1); + s->len -= cs + 1 - s->s; } if ((cs = strchr(s->s, '/'))) { prefix = strtol(cs + 1, &ep, 10); @@ -745,16 +738,6 @@ wild_jail_name(const char *wname) return 0; } -/* - * Compare strings and intparams for bsearch. - */ - -static int -cmp_intparam(const void *a, const void *b) -{ - return strcmp((const char *)a, ((const struct ipspec *)b)->name); -} - /* * Free a parameter record and all its strings and variables. */ diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index 0da39d9a1cdd..1ea88f9a8a97 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -48,6 +48,12 @@ __FBSDID("$FreeBSD$"); #define JP_RDTUN(jp) (((jp)->jp_ctltype & CTLFLAG_RDTUN) == CTLFLAG_RDTUN) +struct permspec { + const char *name; + enum intparam ipnum; + int rev; +}; + const char *cfname; int verbose; @@ -63,19 +69,13 @@ static void print_param(FILE *fp, const struct cfparam *p, int sep, int doname); static void quoted_print(FILE *fp, char *str); static void usage(void); -static const char *perm_sysctl[][3] = { - { "security.jail.set_hostname_allowed", - "allow.noset_hostname", "allow.set_hostname" }, - { "security.jail.sysvipc_allowed", - "allow.nosysvipc", "allow.sysvipc" }, - { "security.jail.allow_raw_sockets", - "allow.noraw_sockets", "allow.raw_sockets" }, - { "security.jail.chflags_allowed", - "allow.nochflags", "allow.chflags" }, - { "security.jail.mount_allowed", - "allow.nomount", "allow.mount" }, - { "security.jail.socket_unixiproute_only", - "allow.socket_af", "allow.nosocket_af" }, +static struct permspec perm_sysctl[] = { + { "security.jail.set_hostname_allowed", KP_ALLOW_SET_HOSTNAME, 0 }, + { "security.jail.sysvipc_allowed", KP_ALLOW_SYSVIPC, 0 }, + { "security.jail.allow_raw_sockets", KP_ALLOW_RAW_SOCKETS, 0 }, + { "security.jail.chflags_allowed", KP_ALLOW_CHFLAGS, 0 }, + { "security.jail.mount_allowed", KP_ALLOW_MOUNT, 0 }, + { "security.jail.socket_unixiproute_only", KP_ALLOW_SOCKET_AF, 1 }, }; int @@ -113,7 +113,7 @@ main(int argc, char **argv) cfname = optarg; break; case 'h': - add_param(NULL, NULL, "ip_hostname", NULL); + add_param(NULL, NULL, IP_IP_HOSTNAME, NULL); docf = 0; break; case 'i': @@ -124,14 +124,14 @@ main(int argc, char **argv) JidFile = optarg; break; case 'l': - add_param(NULL, NULL, "exec.clean", NULL); + add_param(NULL, NULL, IP_EXEC_CLEAN, NULL); docf = 0; break; case 'm': op |= JF_SET; break; case 'n': - add_param(NULL, NULL, "name", optarg); + add_param(NULL, NULL, KP_NAME, optarg); docf = 0; break; case 'p': @@ -150,17 +150,18 @@ main(int argc, char **argv) Rflag = 1; break; case 's': - add_param(NULL, NULL, "securelevel", optarg); + add_param(NULL, NULL, KP_SECURELEVEL, optarg); docf = 0; break; case 'u': - add_param(NULL, NULL, "exec.jail_user", optarg); - add_param(NULL, NULL, "exec.system_jail_user", NULL); + add_param(NULL, NULL, IP_EXEC_JAIL_USER, optarg); + add_param(NULL, NULL, IP_EXEC_SYSTEM_JAIL_USER, NULL); docf = 0; break; case 'U': - add_param(NULL, NULL, "exec.jail_user", optarg); - add_param(NULL, NULL, "exec.nosystem_jail_user", NULL); + add_param(NULL, NULL, IP_EXEC_JAIL_USER, optarg); + add_param(NULL, NULL, IP_EXEC_SYSTEM_JAIL_USER, + "false"); docf = 0; break; case 'v': @@ -182,8 +183,8 @@ main(int argc, char **argv) op = JF_START; docf = 0; oldcl = 1; - add_param(NULL, NULL, "path", argv[0]); - add_param(NULL, NULL, "host.hostname", argv[1]); + add_param(NULL, NULL, KP_PATH, argv[0]); + add_param(NULL, NULL, KP_HOST_HOSTNAME, argv[1]); if (argv[2][0] != '\0') { for (cs = argv[2];; cs = ncs + 1) { ncs = strchr(cs, ','); @@ -192,15 +193,15 @@ main(int argc, char **argv) add_param(NULL, NULL, #ifdef INET6 inet_pton(AF_INET6, cs, &addr6) == 1 - ? "ip6.addr" : + ? KP_IP6_ADDR : #endif - "ip4.addr", cs); + KP_IP4_ADDR, cs); if (!ncs) break; } } for (i = 3; i < argc; i++) - add_param(NULL, NULL, "command", argv[i]); + add_param(NULL, NULL, IP_COMMAND, argv[i]); /* Emulate the defaults from security.jail.* sysctls. */ sysvallen = sizeof(sysval); if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen, @@ -208,18 +209,20 @@ main(int argc, char **argv) for (pi = 0; pi < sizeof(perm_sysctl) / sizeof(perm_sysctl[0]); pi++) { sysvallen = sizeof(sysval); - if (sysctlbyname(perm_sysctl[pi][0], + if (sysctlbyname(perm_sysctl[pi].name, &sysval, &sysvallen, NULL, 0) == 0) add_param(NULL, NULL, - perm_sysctl[pi][sysval ? 2 : 1], - NULL); + perm_sysctl[pi].ipnum, + (sysval ? 1 : 0) ^ + perm_sysctl[pi].rev + ? NULL : "false"); } sysvallen = sizeof(sysval); if (sysctlbyname("security.jail.enforce_statfs", &sysval, &sysvallen, NULL, 0) == 0) { snprintf(enforce_statfs, sizeof(enforce_statfs), "%d", sysval); - add_param(NULL, NULL, "enforce_statfs", + add_param(NULL, NULL, KP_ENFORCE_STATFS, enforce_statfs); } } @@ -243,16 +246,14 @@ main(int argc, char **argv) if (!strncmp(argv[i], "command", 7) && (argv[i][7] == '\0' || argv[i][7] == '=')) { if (argv[i][7] == '=') - add_param(NULL, NULL, "command", + add_param(NULL, NULL, IP_COMMAND, argv[i] + 8); for (i++; i < argc; i++) - add_param(NULL, NULL, "command", + add_param(NULL, NULL, IP_COMMAND, argv[i]); break; } - if ((cs = strchr(argv[i], '='))) - *cs++ = '\0'; - add_param(NULL, NULL, argv[i], cs); + add_param(NULL, NULL, 0, argv[i]); } } else { /* From the config file, perhaps with a specified jail */ @@ -262,7 +263,6 @@ main(int argc, char **argv) } /* Find out which jails will be run. */ - find_intparams(); dep_setup(docf); error = 0; if (op == JF_STOP) { @@ -315,7 +315,7 @@ main(int argc, char **argv) { j->flags |= JF_CHECKINT; if (dflag) - add_param(j, NULL, "allow.dying", NULL); + add_param(j, NULL, IP_ALLOW_DYING, NULL); if (check_intparams(j) < 0) continue; } @@ -959,7 +959,7 @@ print_jail(FILE *fp, struct cfjail *j, int oldcl) fprintf(fp, "%d\t", j->jid); print_param(fp, j->intparams[KP_PATH], ',', 0); putc('\t', fp); - print_param(fp, j->intparams[KP_HOSTNAME], ',', 0); + print_param(fp, j->intparams[KP_HOST_HOSTNAME], ',', 0); putc('\t', fp); print_param(fp, j->intparams[KP_IP4_ADDR], ',', 0); #ifdef INET6 diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h index 227ad38184dc..1d33d01c26b0 100644 --- a/usr.sbin/jail/jailp.h +++ b/usr.sbin/jail/jailp.h @@ -49,6 +49,7 @@ #define PF_INTERNAL 0x08 /* Internal parameter, not passed to kernel */ #define PF_BOOL 0x10 /* Boolean parameter */ #define PF_INT 0x20 /* Integer parameter */ +#define PF_CONV 0x40 /* Parameter duplicated in converted form */ #define JF_START 0x0001 /* -c */ #define JF_SET 0x0002 /* -m */ @@ -93,16 +94,23 @@ enum intparam { IP_INTERFACE, /* Add IP addresses to this interface */ IP_IP_HOSTNAME, /* Get jail IP address(es) from hostname */ IP_MOUNT, /* Mount points in fstab(5) form */ - IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_MOUNT_DEVFS, /* Mount /dev under prison root */ IP_MOUNT_DEVFS_RULESET, /* Ruleset for the devfs mount */ + IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ + IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */ IP__IP4_IFADDR, /* Copy of ip4.addr with interface/netmask */ #ifdef INET6 IP__IP6_IFADDR, /* Copy of ip6.addr with interface/prefixlen */ #endif - IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */ - KP_HOSTNAME, + KP_ALLOW_CHFLAGS, + KP_ALLOW_MOUNT, + KP_ALLOW_RAW_SOCKETS, + KP_ALLOW_SET_HOSTNAME, + KP_ALLOW_SOCKET_AF, + KP_ALLOW_SYSVIPC, + KP_ENFORCE_STATFS, + KP_HOST_HOSTNAME, KP_IP4_ADDR, #ifdef INET6 KP_IP6_ADDR, @@ -111,6 +119,7 @@ enum intparam { KP_NAME, KP_PATH, KP_PERSIST, + KP_SECURELEVEL, KP_VNET, IP_NPARAM }; @@ -187,8 +196,7 @@ extern int term_procs(struct cfjail *j); extern void load_config(void); extern struct cfjail *add_jail(void); extern void add_param(struct cfjail *j, const struct cfparam *p, - const char *name, const char *value); -extern void find_intparams(void); + enum intparam ipnum, const char *value); extern int check_intparams(struct cfjail *j); extern int bool_param(const struct cfparam *p); extern int int_param(const struct cfparam *p, int *ip);