<primary>protocols</primary>
There are certain protocols which are very common, such as TCP, UDP, IP and ICMP. IP and ICMP are on the same level: the network layer 2. Certain precautions are taken to prevent a jailed process from binding a protocol to an address of its own choosing; these checks apply only if the <literal>nam</literal> parameter is set. <literal>nam</literal> is a pointer to a <literal>sockaddr</literal> structure, which describes the address on which to bind the service. A more exact definition is that <literal>sockaddr</literal> "may be used as a template for referring to the identifying tag and length of each address". In the function <literal>in_pcbbind_setup()</literal>, <literal>sin</literal> is a pointer to a <literal>sockaddr_in</literal> structure, which contains the port, address, length and domain family of the socket which is to be bound. In short, this prevents any process inside a <application>jail</application> from specifying an address that does not belong to the <application>jail</application> in which the calling process exists.
<filename>/usr/src/sys/netinet/in_pcb.c</filename>:
int
in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp,
    u_short *lportp, struct ucred *cred)
{
    ...
    struct sockaddr_in *sin;
    ...
    if (nam) {
        sin = (struct sockaddr_in *)nam;
        ...
        /* an explicit address must belong to the caller's jail */
        if (sin-&gt;sin_addr.s_addr != INADDR_ANY)
            if (prison_ip(cred, 0, &amp;sin-&gt;sin_addr.s_addr))
                return (EINVAL);
        ...
        if (lport) {
            ...
            if (prison &amp;&amp; prison_ip(cred, 0, &amp;sin-&gt;sin_addr.s_addr))
                return (EADDRNOTAVAIL);
            ...
        }
    }
    if (lport == 0) {
        ...
        /* same rule when the kernel picks the port itself */
        if (laddr.s_addr != INADDR_ANY)
            if (prison_ip(cred, 0, &amp;laddr.s_addr))
                return (EINVAL);
        ...
    }
    ...
    /* final check on the local address actually chosen */
    if (prison_ip(cred, 0, &amp;laddr.s_addr))
        return (EINVAL);
    ...
}
You might be wondering what the function <literal>prison_ip()</literal> does. <literal>prison_ip()</literal> is given three arguments: a pointer to the credential (represented by <literal>cred</literal>), any flags, and an IP address. It returns 1 if the IP address does NOT belong to the <application>jail</application> and 0 otherwise. An unjailed credential passes the check unconditionally, and an address of <literal>INADDR_ANY</literal> or <literal>INADDR_LOOPBACK</literal> is rewritten in place to the <application>jail</application>'s own address before 0 is returned. As you can see from the code, if it is indeed an IP address not belonging to the <application>jail</application>, the protocol is not allowed to bind to that address.
<filename>/usr/src/sys/kern/kern_jail.c:</filename>
int
prison_ip(struct ucred *cred, int flag, u_int32_t *ip)
{
    u_int32_t tmp;

    /* processes outside any jail are not restricted */
    if (!jailed(cred))
        return (0);
    /* flag set: *ip is already in host byte order */
    if (flag)
        tmp = *ip;
    else
        tmp = ntohl(*ip);
    /* wildcard binds are silently pinned to the jail's address */
    if (tmp == INADDR_ANY) {
        if (flag)
            *ip = cred-&gt;cr_prison-&gt;pr_ip;
        else
            *ip = htonl(cred-&gt;cr_prison-&gt;pr_ip);
        return (0);
    }
    /* so are loopback binds */
    if (tmp == INADDR_LOOPBACK) {
        if (flag)
            *ip = cred-&gt;cr_prison-&gt;pr_ip;
        else
            *ip = htonl(cred-&gt;cr_prison-&gt;pr_ip);
        return (0);
    }
    /* any other address must be the jail's own */
    if (cred-&gt;cr_prison-&gt;pr_ip != tmp)
        return (1);
    return (0);
}
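A userland model of the <literal>prison_ip()</literal> check, added here as an example rather than code from the handbook or the FreeBSD kernel: <literal>struct prison</literal>, <literal>struct ucred</literal>, <literal>jailed()</literal> and the helper <literal>rewritten_addr()</literal> are constructed stand-ins, and the jail address 192.0.2.10 is made up. It shows the three outcomes a jailed bind() can have: a wildcard or loopback address is silently rewritten to the jail's IP, the jail's own address is accepted, and any other address is rejected with EINVAL.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the kernel's struct prison and struct ucred. */
struct prison { in_addr_t pr_ip; };           /* jail address, host byte order */
struct ucred  { struct prison *cr_prison; };  /* NULL means not jailed */
static int jailed(const struct ucred *cred) { return cred->cr_prison != NULL; }
/* Same decision logic as the kernel's prison_ip() above.
 * flag != 0: *ip is in host byte order; flag == 0: network byte order. */
static int prison_ip(struct ucred *cred, int flag, in_addr_t *ip)
{
    in_addr_t tmp;
    if (!jailed(cred))
        return 0;                               /* unjailed: nothing to enforce */
    tmp = flag ? *ip : ntohl(*ip);
    if (tmp == INADDR_ANY || tmp == INADDR_LOOPBACK) {
        /* wildcard and loopback binds are silently pinned to the jail's IP */
        *ip = flag ? cred->cr_prison->pr_ip : htonl(cred->cr_prison->pr_ip);
        return 0;
    }
    return cred->cr_prison->pr_ip != tmp;       /* 1: not the jail's address */
}
/* Simulate in_pcbbind_setup()'s check for a bind() to bind_addr by a process in
 * a jail whose address is jail_ip (NULL for an unjailed process). Returns the
 * address the socket is really bound to, or NULL where bind() fails with EINVAL. */
static const char *rewritten_addr(const char *jail_ip, const char *bind_addr)
{
    static char out[INET_ADDRSTRLEN];
    struct prison jail;
    struct ucred cred = { NULL };
    struct in_addr sin_addr;                    /* as in sockaddr_in: network order */
    if (jail_ip != NULL) {
        jail.pr_ip = ntohl(inet_addr(jail_ip));
        cred.cr_prison = &jail;
    }
    inet_pton(AF_INET, bind_addr, &sin_addr);
    if (prison_ip(&cred, 0, &sin_addr.s_addr))
        return NULL;
    return inet_ntop(AF_INET, &sin_addr, out, sizeof out);
}
int main(void)
{
    const char *binds[] = { "0.0.0.0", "127.0.0.1", "192.0.2.10", "198.51.100.7" };
    for (size_t i = 0; i < 4; i++) {            /* constructed jail IP 192.0.2.10 */
        const char *r = rewritten_addr("192.0.2.10", binds[i]);
        printf("jailed bind to %-13s -> %s\n", binds[i], r ? r : "EINVAL");
    }
}
```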
Filesystem
<primary>filesystem</primary>
Even <literal>root</literal> users within the <application>jail</application> are not allowed to unset or modify any file flags, such as the immutable, append-only, and undeletable flags, if the securelevel is greater than 0.
<filename>/usr/src/sys/ufs/ufs/ufs_vnops.c:</filename>
static int
ufs_setattr(ap)
    ...
{
    ...
    /* only a credential holding PRIV_VFS_SYSFLAGS gets this far */
    if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) {
        if (ip-&gt;i_flags
            &amp; (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
            /* and even then not once the securelevel is above 0 */
            error = securelevel_gt(cred, 0);
            if (error)
                return (error);
        }
        ...
    }
}
<filename>/usr/src/sys/kern/kern_priv.c</filename>
int
priv_check_cred(struct ucred *cred, int priv, int flags)
{
    ...
    /* a jailed credential is first filtered by the jail's own policy */
    error = prison_priv_check(cred, priv);
    if (error)
        return (error);
    ...
}
<filename>/usr/src/sys/kern/kern_jail.c</filename>
int
prison_priv_check(struct ucred *cred, int priv)
{
    ...
    switch (priv) {
    ...
    /* governed by the security.jail.chflags_allowed sysctl */
    case PRIV_VFS_SYSFLAGS:
        if (jail_chflags_allowed)
            return (0);
        else
            return (EPERM);
    ...
    }
    ...
}
The SYSINIT Framework
<primary>SYSINIT</primary>
<primary>dynamic initialization</primary>
<primary>kernel initialization</primary> <secondary>dynamic</secondary>
<primary>kernel modules</primary>
<primary>kernel linker</primary>
SYSINIT is the framework for a generic call sort and dispatch mechanism. FreeBSD currently uses it for the dynamic initialization of the kernel. SYSINIT allows FreeBSD's kernel subsystems to be reordered, added, removed, and replaced at kernel link time, when the kernel or one of its modules is loaded, without having to edit a statically ordered initialization routine and recompile the kernel. This system also allows kernel modules, currently called <firstterm>KLDs</firstterm>, to be separately compiled, linked, and initialized at boot time, and to be loaded even later while the system is already running. This is accomplished using the <quote>kernel linker</quote> and <quote>linker sets</quote>.
Linker Set
A linker technique in which the linker gathers statically declared data throughout a program's source files into a single contiguously addressable unit of data.
SYSINIT Operation
<primary>linker sets</primary>
SYSINIT relies on the ability of the linker to take static data declared at multiple locations throughout a program's source and group it together as a single contiguous chunk of data. This linker technique is called a <quote>linker set</quote>. SYSINIT uses two linker sets to maintain two data sets containing each consumer's call order, function, and a pointer to the data to pass to that function.
SYSINIT uses two priorities when ordering the functions for execution. The first priority is a subsystem ID giving an overall order for SYSINIT's dispatch of functions. Current predeclared IDs are in <filename>&lt;sys/kernel.h&gt;</filename> in the enum list <literal>sysinit_sub_id</literal>. The second priority used is an element order within the subsystem. Current predeclared subsystem element orders are in <filename>&lt;sys/kernel.h&gt;</filename> in the enum list <literal>sysinit_elem_order</literal>.
<primary>pseudo-devices</primary>
There are currently two uses for SYSINIT: function dispatch at system startup and kernel module load, and function dispatch at system shutdown and kernel module unload. Kernel subsystems often use system startup SYSINITs to initialize data structures; for example, the process scheduling subsystem uses a SYSINIT to initialize the run queue data structure. Device drivers should avoid using <literal>SYSINIT()</literal> directly. Instead, drivers for real devices that are part of a bus structure should use <literal>DRIVER_MODULE()</literal> to provide a function that detects the device and, if it is present, initializes the device. It will do a few things specific to devices and then call <literal>SYSINIT()</literal> itself. For pseudo-devices, which are not part of a bus structure, use <literal>DEV_MODULE()</literal>.
Using SYSINIT
&lt;sys/kernel.h&gt;
SYSINIT(uniquifier, subsystem, order, func, ident)
SYSUNINIT(uniquifier, subsystem, order, func, ident)
Startup
The <literal>SYSINIT()</literal> macro creates the necessary SYSINIT data in SYSINIT's startup data set for SYSINIT to sort and dispatch a function at system startup and module load. <literal>SYSINIT()</literal> takes a uniquifier that SYSINIT uses to identify the particular function dispatch data, the subsystem order, the subsystem element order, the function to call, and the data to pass to the function. All functions must take a constant pointer argument.
Example of a <literal>SYSINIT()</literal>
#include &lt;sys/kernel.h&gt;

/* dispatched with a NULL data pointer, so the argument is ignored */
void foo_null(void *unused)
{
    foo_doo();
}
SYSINIT(foo, SI_SUB_FOO, SI_ORDER_FOO, foo_null, NULL);

/* static data handed to the function through the ident argument */
struct foo foo_voodoo = {
    FOO_VOODOO
};

void foo_arg(void *vdata)
{
    struct foo *foo = (struct foo *)vdata;
    foo_data(foo);
}
SYSINIT(bar, SI_SUB_FOO, SI_ORDER_FOO, foo_arg, &amp;foo_voodoo);
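A userland model of SYSINIT's two-priority sort and dispatch, added here as an example and not taken from the kernel: the subsystem and element-order values, the <literal>set_sysinit</literal> array standing in for the linker set, and the helpers <literal>record()</literal> and <literal>run_sysinits()</literal> are all constructed. It shows how entries declared in arbitrary file order end up in a single dispatch order, first by subsystem and then by element order within it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userland model of SYSINIT's startup dispatch, not kernel code.
 * Subsystem and element-order values are made up; the kernel's are the
 * sysinit_sub_id and sysinit_elem_order enums in <sys/kernel.h>. */
enum sub_id { SUB_LOCKS = 100, SUB_VM = 200, SUB_RUN_QUEUE = 300 };
enum elem_order { ORDER_FIRST = 0, ORDER_SECOND = 1, ORDER_ANY = 0x0fffffff };
typedef void (*sysinit_cfunc_t)(const void *);   /* the constant pointer argument */
/* One set entry: the two sort priorities, the function to call and its data. */
struct sysinit { enum sub_id subsystem; enum elem_order order;
                 sysinit_cfunc_t func; const void *udata; };

/* Each consumer appends its name to a log so the dispatch order can be checked. */
static char dispatch_log[128];
static void record(const void *name)
{ strcat(dispatch_log, (const char *)name); strcat(dispatch_log, " "); }
/* Stand-in for the linker set: the kernel's SYSINIT() macro emits one entry per
 * call site and the linker concatenates them in whatever order the objects come. */
static struct sysinit set_sysinit[] = {
    { SUB_RUN_QUEUE, ORDER_FIRST,  record, "runq_init" },
    { SUB_LOCKS,     ORDER_ANY,    record, "mtx_pool_init" },
    { SUB_VM,        ORDER_SECOND, record, "vm_page_init" },
    { SUB_LOCKS,     ORDER_FIRST,  record, "mutex_init" },
    { SUB_VM,        ORDER_FIRST,  record, "vm_mem_init" },
};
static int sysinit_cmp(const void *a, const void *b)
{
    const struct sysinit *x = a, *y = b;
    if (x->subsystem != y->subsystem)
        return x->subsystem < y->subsystem ? -1 : 1;
    return (x->order > y->order) - (x->order < y->order);
}
/* Sort by (subsystem, order) and call every entry in that order, as the kernel
 * does with its startup set at boot. Returns the dispatch log for inspection. */
static const char *run_sysinits(struct sysinit *set, size_t n)
{
    dispatch_log[0] = '\0';
    qsort(set, n, sizeof *set, sysinit_cmp);
    for (size_t i = 0; i < n; i++)
        set[i].func(set[i].udata);
    return dispatch_log;
}
int main(void)
{
    size_t n = sizeof set_sysinit / sizeof set_sysinit[0];
    printf("dispatch order: %s\n", run_sysinits(set_sysinit, n));
}
```

Entries within one subsystem that share the same element order have no defined relative order here, just as in the kernel, so a consumer that depends on another must give it a distinct order value.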
