Commit Graph

41 Commits

Author SHA1 Message Date
Jamie Gritton
0e5c6bd436 Make it easier for filesystems to count themselves as jail-enabled,
by doing most of the work in a new function prison_add_vfs in kern_jail.c
Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and
the rest is taken care of.  This includes adding a jail parameter like
allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed.
Both of these used to be a static list of known filesystems, with
predefined permission bits.

Reviewed by:	kib
Differential Revision:	D14681
2018-05-04 20:54:27 +00:00
Jamie Gritton
f047b92153 If a jail parameter isn't found, try loading a related kernel module. 2018-03-21 23:50:46 +00:00
Pedro F. Giffuni
5e53a4f90f lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Pedro F. Giffuni
6fd94039ef libjail: make allocation in jailparam_all() somewhat more robust.
Unsign some variables involved in allocation as they will never be
negative anyways. Provide some bounds checking through reallocarray(3).

This is all very unlikely to have any visible effect.

Reviewed by:	jamie
MFC after:	3 weeks
2017-04-16 19:23:10 +00:00
Ruslan Bukin
e5edb77987 Fix libjail reached latest sysctl entry.
Reviewed by:	jamie
Sponsored by:	DARPA, AFRL
Sponsored by:	HEIF5
Differential Revision:	https://reviews.freebsd.org/D8096
2016-10-02 11:56:17 +00:00
Glen Barber
a70cba9582 First pass through library packaging.
Sponsored by:	The FreeBSD Foundation
2016-02-04 21:16:35 +00:00
Glen Barber
ed0d921874 Add a package for jail(8) and related utilities.
Sponsored by:	The FreeBSD Foundation
2016-01-20 17:07:13 +00:00
Bryan Drewery
7b3ea376a2 META MODE: Prefer INSTALL=tools/install.sh to lessen the need for xinstall.host.
This both avoids some dependencies on xinstall.host and allows
bootstrapping on older releases to work due to lack of at least 'install -l'
support.

Sponsored by:	EMC / Isilon Storage Division
2015-11-25 19:10:28 +00:00
Baptiste Daroussin
18b2ee82db Revert r284417 it is not necessary anymore 2015-06-15 19:28:07 +00:00
Baptiste Daroussin
4232f82668 Enforce overwritting SHLIBDIR
Since METAMODE has been added, sys.mk loads bsd.mkopt.mk which ends load loading
bsd.own.mk which then defines SHLIBDIR before all the Makefile.inc everywhere.

This makes /lib being populated again.

Reported by:	many
2015-06-15 15:34:20 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Jamie Gritton
d031802b05 In preparation for using clang's -Wcast-qual:
Use __DECONST (instead of my own attempted re-invention) for the iov
parameters to jail_get/set(2).  Similarly remove the decost-ish hack
from execvp's argv, except the __DECONST is only added at very end.

While I'm at it, remove an unused variable and fix a comment typo.
2014-11-25 21:01:08 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies 2013-03-11 17:21:52 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies 2013-02-16 01:23:54 +00:00
Simon J. Gerraty
7cd2dcf076 Updated/new Makefile.depend 2012-11-08 21:24:17 +00:00
Simon J. Gerraty
23090366f7 Sync from head 2012-11-04 02:52:03 +00:00
Jamie Gritton
49f903d5fc Fix some memory allocation errors:
* jail_setv will leak a parameter name if jailparam_import fails.
* jailparam_all loses the jailparam pointer on realloc error
  (a clear freshman mistake).
* If jailparam_init fails, the caller doesn't need to jailparam_free
  the buffer.  That's not really clear, so set things to NULL allowing
  jailparam_free to work without error (though it's still not required).
2012-10-04 19:07:05 +00:00
Marcel Moolenaar
7750ad47a9 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
Jamie Gritton
cee9d6cc1d The fix in r235291 re-broke the "allow.nomount" case. Re-fix it
by testing for the right parameter name.
2012-05-22 18:30:32 +00:00
Jamie Gritton
fb8d1d4f19 The linker isn't consistent in the ordering of dynamic sysctls, so don't
assume that the unnamed final component of "security.jail.param.foo." is
one less than the "foo" component.  It might be one greater instead.
2012-05-11 21:22:52 +00:00
Jamie Gritton
699f40077b Handle the case where a boolean parameter is also a node.
PR:		bin/165515
MFC after:	2 weeks
2012-03-01 15:09:41 +00:00
Matthew D Fleming
cbc134ad03 Introduce signed and unsigned version of CTLTYPE_QUAD, renaming
existing uses.  Rename sysctl_handle_quad() to sysctl_handle_64().
2011-01-19 23:00:25 +00:00
Jamie Gritton
b81422ef7f Find a jail's type as part of jailparam_init rather than waiting until
it's absolutely necessary.

MFC after:	1 week
2010-10-27 21:01:53 +00:00
Ulrich Spörlein
7558f6b4f3 mdoc: fix manlint warnings by unbreaking mdoc syntax 2010-10-08 12:39:49 +00:00
Jamie Gritton
881f6af44b Whitespace and comment fixes.
MFC after:	3 days
2010-08-31 23:14:03 +00:00
Jamie Gritton
4d02a3e762 Don't over-allocate array values in jailparam_export.
Fix a little comment typo.

MFC after:	3 days
2010-08-31 21:50:09 +00:00
Jamie Gritton
fa04d5d393 Make it clear in the example that jailparam_export's return value
should be freed.

MFC after:	3 days
2010-08-31 21:48:45 +00:00
Jamie Gritton
fba36ac4de Don't copy and return a potentially unset buffer when jail_get fails. 2010-07-15 19:21:33 +00:00
Jamie Gritton
c26c472cc8 Don't import parameter values in jail_getv, except for the search key.
Remove the internal jailparam_vlist, in favor of using variants of its
 logic separately in jail_setv and jail_getv.
Free the temporary parameter list and exported values in jail_setv
 and jail_getv.

Noted by:	Stanislav Uzunchev
MFC after:	3 days
2010-07-15 19:21:07 +00:00
Ruslan Ermilov
f2ee2e68d2 realloc() with a proper amount of memory.
MFC after:	3 days
2010-02-17 16:45:03 +00:00
Ed Schouten
daaf575910 Build lib/ with WARNS=6 by default.
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.
2010-01-02 09:58:07 +00:00
Jamie Gritton
1574e5ddd9 Add a null pointer check so "name" can be used as a key parameter in
jailparam_get.

PR:		bin/141692
Submitted by:	delphij
MFC after:	3 days
2009-12-17 05:06:56 +00:00
Ruslan Ermilov
bd03af3607 Fixed markup (mostly) errors. 2009-09-21 08:30:52 +00:00
Jamie Gritton
7cbf72137f Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by:	re (kib), bz (mentor)
Discussed with:	rwatson
2009-07-25 14:48:57 +00:00
Jamie Gritton
69ea521eba Fix dynamic (re)allocation logic in jailparam_set and jailparam_get.
Touch up jailparam_import a bit while I'm at it.

Approved by:	bz (mentor)
2009-06-25 22:42:19 +00:00
Jamie Gritton
de6f37045c Add libjail, a (somewhat) simpler interface to the jail_set and jail_get
system calls and the security.jail.param sysctls.

Approved by:	bz (mentor)
2009-06-24 18:18:35 +00:00