Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.

PR:	bin/80242
MFC after:	2 weeks
This commit is contained in:
Matteo Riondato 2006-05-11 13:04:23 +00:00
parent 110ce88054
commit 7deb00ccd9
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=158428
2 changed files with 26 additions and 4 deletions

View File

@ -33,7 +33,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd May 9, 2006
.Dd May 11, 2006
.Dt JAIL 8
.Os
.Sh NAME
@ -43,6 +43,7 @@
.Nm
.Op Fl i
.Op Fl J Ar jid_file
.Op Fl s Ar securelevel
.Op Fl l u Ar username | Fl U Ar username
.Ar path hostname ip-number command ...
.Sh DESCRIPTION
@ -73,6 +74,10 @@ is set to the target login.
is imported from the current environment.
The environment variables from the login class capability database for the
target login are also set.
.It Fl s Ar securelevel
Sets
.Va kern.securelevel
to the specified value inside the newly created jail.
.It Fl u Ar username
The user name from host environment as whom the
.Ar command

View File

@ -12,6 +12,7 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/sysctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
@ -28,6 +29,7 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
static void usage(void);
static void setsecurelevel(int level);
extern char **environ;
#define GET_USER_INFO do { \
@ -58,13 +60,14 @@ main(int argc, char **argv)
char path[PATH_MAX], *username, *JidFile;
static char *cleanenv;
const char *shell, *p = NULL;
int securelevel = -1;
FILE *fp;
iflag = Jflag = lflag = uflag = Uflag = 0;
username = JidFile = cleanenv = NULL;
fp = NULL;
while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) {
while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
switch (ch) {
case 'i':
iflag = 1;
@ -73,6 +76,9 @@ main(int argc, char **argv)
JidFile = optarg;
Jflag = 1;
break;
case 's':
securelevel = (int) strtol(optarg, NULL, 0);
break;
case 'u':
username = optarg;
uflag = 1;
@ -130,6 +136,8 @@ main(int argc, char **argv)
errx(1, "Could not write JidFile: %s", JidFile);
}
}
if (securelevel > 0)
setsecurelevel(securelevel);
if (username != NULL) {
if (Uflag)
GET_USER_INFO;
@ -168,8 +176,17 @@ static void
usage(void)
{
(void)fprintf(stderr, "%s%s\n",
"usage: jail [-i] [-J jid_file] [-l -u username | -U username]",
(void)fprintf(stderr, "%s%s%s\n",
"usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
"username | -U username]",
" path hostname ip-number command ...");
exit(1);
}
static void
setsecurelevel(int level) {
if (sysctlbyname("kern.securelevel", NULL, 0, &level, sizeof(level)))
err(1, "Can not set securelevel to %d", level);
}