Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.

PR:	bin/80242
MFC after:	2 weeks
Matteo Riondato 2006-05-11 13:04:23 +00:00
parent 110ce88054
commit 7deb00ccd9
2 changed files with 26 additions and 4 deletions


@ -33,7 +33,7 @@
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd May 9, 2006 .Dd May 11, 2006
.Dt JAIL 8 .Dt JAIL 8
.Os .Os
.Sh NAME .Sh NAME
@ -43,6 +43,7 @@
.Nm .Nm
.Op Fl i .Op Fl i
.Op Fl J Ar jid_file .Op Fl J Ar jid_file
.Op Fl s Ar securelevel
.Op Fl l u Ar username | Fl U Ar username .Op Fl l u Ar username | Fl U Ar username
.Ar path hostname ip-number command ... .Ar path hostname ip-number command ...
.Sh DESCRIPTION .Sh DESCRIPTION
@ -73,6 +74,10 @@ is set to the target login.
is imported from the current environment. is imported from the current environment.
The environment variables from the login class capability database for the The environment variables from the login class capability database for the
target login are also set. target login are also set.
.It Fl s Ar securelevel
Sets
.Va kern.securelevel
to the specified value inside the newly created jail.
.It Fl u Ar username .It Fl u Ar username
The user name from host environment as whom the The user name from host environment as whom the
.Ar command .Ar command


@ -12,6 +12,7 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h> #include <sys/param.h>
#include <sys/jail.h> #include <sys/jail.h>
#include <sys/sysctl.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <arpa/inet.h> #include <arpa/inet.h>
@ -28,6 +29,7 @@ __FBSDID("$FreeBSD$");
#include <unistd.h> #include <unistd.h>
static void usage(void); static void usage(void);
static void setsecurelevel(int level);
extern char **environ; extern char **environ;
#define GET_USER_INFO do { \ #define GET_USER_INFO do { \
@ -58,13 +60,14 @@ main(int argc, char **argv)
char path[PATH_MAX], *username, *JidFile; char path[PATH_MAX], *username, *JidFile;
static char *cleanenv; static char *cleanenv;
const char *shell, *p = NULL; const char *shell, *p = NULL;
int securelevel = -1;
FILE *fp; FILE *fp;
iflag = Jflag = lflag = uflag = Uflag = 0; iflag = Jflag = lflag = uflag = Uflag = 0;
username = JidFile = cleanenv = NULL; username = JidFile = cleanenv = NULL;
fp = NULL; fp = NULL;
while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) { while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
switch (ch) { switch (ch) {
case 'i': case 'i':
iflag = 1; iflag = 1;
@ -73,6 +76,9 @@ main(int argc, char **argv)
JidFile = optarg; JidFile = optarg;
Jflag = 1; Jflag = 1;
break; break;
case 's':
securelevel = (int) strtol(optarg, NULL, 0);
break;
case 'u': case 'u':
username = optarg; username = optarg;
uflag = 1; uflag = 1;
@ -130,6 +136,8 @@ main(int argc, char **argv)
errx(1, "Could not write JidFile: %s", JidFile); errx(1, "Could not write JidFile: %s", JidFile);
} }
} }
if (securelevel > 0)
setsecurelevel(securelevel);
if (username != NULL) { if (username != NULL) {
if (Uflag) if (Uflag)
GET_USER_INFO; GET_USER_INFO;
@ -168,8 +176,17 @@ static void
usage(void) usage(void)
{ {
(void)fprintf(stderr, "%s%s\n", (void)fprintf(stderr, "%s%s%s\n",
"usage: jail [-i] [-J jid_file] [-l -u username | -U username]", "usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
"username | -U username]",
" path hostname ip-number command ..."); " path hostname ip-number command ...");
exit(1); exit(1);
} }
static void
setsecurelevel(int level) {
if (sysctlbyname("kern.securelevel", NULL, 0, &level, sizeof(level)))
err(1, "Can not set securelevel to %d", level);
}
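Review bot: The new `case 's':` line, `securelevel = (int) strtol(optarg, NULL, 0);`, fails open: a non-numeric or mistyped argument parses as 0, and the later `if (securelevel > 0)` guard then skips `setsecurelevel()` with no diagnostic, so the jail starts without the securelevel being raised while the operator believes it was. Out-of-range values are also silently truncated by the `(int)` cast. The argument should be parsed with an end pointer and `errno`, and rejected with `errx()` unless it is a complete, in-range number; this needs `char *ep` and `long lval` declared next to `securelevel`, plus `<errno.h>` and `<limits.h>` if the file does not already include them (the include list is only partly visible here). The manual text says the option sets `kern.securelevel` "to the specified value", so the silent skip for values of 0 or below deserves either a diagnostic or a sentence in the man page. main()'s body starts and ends outside these hunks.

```c
		case 's':
			errno = 0;
			lval = strtol(optarg, &ep, 0);
			if (ep == optarg || *ep != '\0' || errno == ERANGE ||
			    lval < INT_MIN || lval > INT_MAX)
				errx(1, "invalid securelevel: %s", optarg);
			securelevel = (int)lval;
			break;
		/* … unchanged: remaining option cases … */
```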