48 Commits

Author SHA1 Message Date
Jamie Gritton
3050aced42 Bugfix to not hide jailparam flags, which for example changes the output
"vnet=2" to the less opaque "vnet=inherit"

Reported by:	kevans
MFC after:	5 days
2020-12-15 20:56:35 +00:00
Alex Richardson
d24f17df96 Fix bad libbxo format strings in jls
The existing format string for the empty case was trying to read varargs
values that weren't passed to xo_emit. This appears to work on x86 (since
the next argument is probably a pointer to an empty string), but for CHERI
we can bound variadic arguments and detect a read past the end.

While touching these lines also use the libxo 'a' modifier to avoid having to
construct the libxo format string using asprintf.

Found by:	CHERI
Reviewed By:	allanjude
Differential Revision: https://reviews.freebsd.org/D26885
2020-11-04 14:31:52 +00:00
Pedro F. Giffuni
1de7b4b805 various: general adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

No functional change intended.
2017-11-27 15:37:16 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Jamie Gritton
8fd1ba2a5e Improve IP address list representation in libxo output.
Extract decision-making about special-case printing of certain
jail parameters into a function.

Refactor emitting of IPv4 and IPv6 address lists into a function.

Resulting user-facing changes:

XO_VERSION is bumped to 2.

In verbose mode (-v), IPv4 and IPv6-Addresses are now properly emitted
as separate lists.
This only affects the output in encoding styles, i.e. xml and json.

{                                    {
  "__version": "1",                    "__version": "2",
  "jail-information": {                "jail-information": {
    "jail": [                            "jail": [
      {                                    {
        "jid": 166,                          "jid": 166,
        "hostname": "foo.com",               "hostname": "foo.com",
        "path": "/var/jail/foo",             "path": "/var/jail/foo",
        "name": "foo",                       "name": "foo",
        "state": "ACTIVE",                   "state": "ACTIVE",
        "cpusetid": 2,                       "cpusetid": 2,
        "ipv4_addrs": [                      "ipv4_addrs": [
          "10.1.1.1",                          "10.1.1.1",
          "10.1.1.2",                          "10.1.1.2",
          "10.1.1.3",              |           "10.1.1.3"
                                   >         ],
                                   >         "ipv6_addrs": [
          "fe80::1000:1",                      "fe80::1000:1",
          "fe80::1000:2"                       "fe80::1000:2"
        ]                                    ]
      }                                    }
    ]                                    ]
  }                                    }
}                                    }

In -n mode, ip4.addr and ip6.addr are formatted in the encoding styles'
native list types, e.g. instead of comma-separated lists, JSON arrays
are printed.

jls -n all --libxo json
 ...
 "ip4.addr": [
    "10.1.1.1",
    "10.1.1.2",
    "10.1.1.3"
  ],
  "ip4.saddrsel": true,
  "ip6.addr": [
    "fe80::1000:1",
    "fe80::1000:2"
  ],
  ...

jls -n all --libxo xml
  ...
  <ip4.addr>10.1.1.1</ip4.addr>
  <ip4.addr>10.1.1.2</ip4.addr>
  <ip4.addr>10.1.1.3</ip4.addr>
  <ip4.saddrsel>true</ip4.saddrsel>
  <ip6.addr>fe80::1000:1</ip6.addr>
  <ip6.addr>fe80::1000:2</ip6.addr>
  ...

PR:		215008
Submitted by:	Christian Schwarz <me@cschwarz.com>
Differential Revision:	https://reviews.freebsd.org/D8766
2016-12-24 23:51:27 +00:00
Glen Barber
ed0d921874 Add a package for jail(8) and related utilities.
Sponsored by:	The FreeBSD Foundation
2016-01-20 17:07:13 +00:00
Joel Dahl
5837aafd13 mdoc: sort Xr 2016-01-18 20:21:38 +00:00
Bryan Drewery
e3ebb82118 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2016-01-07 19:58:23 +00:00
Craig Rodrigues
cbbaf9b2b1 Add libxo support to jls
PR:                    200746
Submitted by:          Emmanuel Vadot <manu bidouilliste com>
Reviewed by:           allanjude
Relnotes:              yes
Differential Revision: https://reviews.freebsd.org/D4452
2015-12-22 00:58:35 +00:00
Eitan Adler
463a577b27 Fix a ton of speelling errors
arc lint is helpful

Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337
2015-10-21 05:37:09 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Jamie Gritton
b2ea411de2 Allow for parameters added with the JP_OPT flag to not exist.
That's why the flag exists in the first place.

MFC after:	1 week
2015-02-22 00:00:10 +00:00
Jamie Gritton
b687b02ffc Fix the logic for skipping parameters (with -s) that have "jailsys"
parents (such as host.hostname); these were being skipped all the time.
That it went this long without anyone noticing is a sign that this feature
isn't actually used by anyone, but it's there so it might as well work.

MFC after:	1 week
2015-02-20 20:12:05 +00:00
Jamie Gritton
b300bd470f Allow parameters listed on the command line to override the -v option,
instead of crashing.

PR:		197701
MFC after:	1 week
2015-02-20 19:48:24 +00:00
Baptiste Daroussin
c6db8143ed Convert usr.sbin to LIBADD
Reduce overlinking
2014-11-25 16:57:27 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
cc3f4b9965 Merge from head 2014-05-08 23:54:15 +00:00
Warner Losh
c6063d0da8 Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
Simon J. Gerraty
d1d0158641 Merge from head 2013-09-05 20:18:59 +00:00
Dag-Erling Smørgrav
75f75375d4 Add a -N option that prints the jail name rather than its number.
MFC after:	3 weeks
2013-05-17 08:48:16 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies 2013-03-11 17:21:52 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies 2013-02-16 01:23:54 +00:00
Marcel Moolenaar
7750ad47a9 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
Bjoern A. Zeeb
7412cb7ef3 Fix building with WITHOUT_INET_SUPPORT set.
Reviewed by:	jamie (actually provided the real fix)
MFC after:	3 days
2012-03-06 18:39:07 +00:00
Bjoern A. Zeeb
7bf1e98fde Fix jls backward compat mode broken in r222465, correctly
displaying addresses in verbose mode (jls -v) again.

Submitted by:	jamie
MFC after:	3 days
Approved by:	re (kib)
2011-08-13 13:49:11 +00:00
Bjoern A. Zeeb
e08e8999f6 Add a missing ',' to separate arguments lost for r222465 only found in
case a complete world is built without INET support.

MFC after:	10 days
X-MFC with:	222465
2011-06-18 09:46:39 +00:00
Bjoern A. Zeeb
15ede76031 Check whether IPv4 or IPv6 is available in the kernel, to not
provoke errors trying to query options that are not available.
Make it possible to compile out INET or INET6 only parts.

Reviewed by:	jamie
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
2011-05-29 21:03:40 +00:00
Jamie Gritton
c2e8cb49d9 Properly recognize a number followed by non-digits as a jail name.
Call "0" a name because zero is used to indicate no specified jid.

MFC after:	3 days
2010-07-08 19:22:52 +00:00
Ed Schouten
f97f9525ba Properly progress through the list of IPv6 addresses using in6_addr size.
Right now if a jail has multiple IPv6 addresses, it will print them
shifting only 4 bytes at a time. Example:

	2001:4dd0:ff41::b23f:a9
	2001:4dd0:ff41::b23f:aa

Becomes:

	2001:4dd0:ff41::b23f:a9
	ff41::b23f:a9:2001:4dd0

By casting to in6_addr, it uses the correct offsets.

MFC after:	1 week
2010-03-18 20:13:04 +00:00
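The stride bug described in the commit above, reproduced as an added example (not code from the jls source): the same raw address list is walked once with a 4-byte step and once with a sizeof(struct in6_addr) step, and the second entry is formatted with inet_ntop(3). The sample bytes are constructed here from the two addresses quoted in the commit message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the two addresses from the commit message, laid out
 * back to back, as a list of struct in6_addr would be in memory. */
static const unsigned char SAMPLE_LIST[2 * sizeof(struct in6_addr)] = {
    0x20, 0x01, 0x4d, 0xd0, 0xff, 0x41, 0, 0, 0, 0, 0, 0, 0xb2, 0x3f, 0x00, 0xa9,
    0x20, 0x01, 0x4d, 0xd0, 0xff, 0x41, 0, 0, 0, 0, 0, 0, 0xb2, 0x3f, 0x00, 0xaa,
};

/* Format the i-th address of SAMPLE_LIST, advancing 'stride' bytes per entry.
 * stride == sizeof(struct in6_addr) is the correct walk; stride == 4 mimics
 * the pre-fix behaviour of advancing as if the list held 32-bit words, so the
 * second "address" is read from the middle of the first one. */
const char *nth_addr_with_stride(size_t i, size_t stride)
{
    static char buf[INET6_ADDRSTRLEN];
    struct in6_addr a;

    /* Bounds check so the buggy stride still cannot read past the sample. */
    if (i * stride + sizeof(a) > sizeof(SAMPLE_LIST))
        return NULL;
    memcpy(&a, SAMPLE_LIST + i * stride, sizeof(a));
    return inet_ntop(AF_INET6, &a, buf, sizeof(buf));
}

int main(void)
{
    printf("fixed : %s\n", nth_addr_with_stride(1, sizeof(struct in6_addr)));
    printf("buggy : %s\n", nth_addr_with_stride(1, 4));
    return 0;
}
```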
Ed Schouten
71ccf09269 The last big commit: let usr.sbin/ use WARNS=6 by default. 2010-01-02 11:07:44 +00:00
Jamie Gritton
4576bbe233 Don't free jail parameter values after printing them - jail_param_get
expects them to be there for the next jail in the list.

PR:		bin/141359
MFC after:	1 week
2009-12-12 21:59:30 +00:00
Bjoern A. Zeeb
50580ef7b3 Do not truncate IPv6 addresses when printing them in the
jls -av 7.x multi-IP jail backward compat output.

Reported by:	ed
Tested by:	ed
Reviewed by:	rwatson
Approved by:	re
2009-08-12 12:29:07 +00:00
Jamie Gritton
7cbf72137f Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by:	re (kib), bz (mentor)
Discussed with:	rwatson
2009-07-25 14:48:57 +00:00
Jamie Gritton
4d4d887907 Give a more expected behavior to -[hns] options, defaulting to all
parameters instead of ignoring the options and giving the old-style
default output.

Approved by:	re (kib), bz (mentor)
2009-07-08 15:57:22 +00:00
Jamie Gritton
de6f37045c Add libjail, a (somewhat) simpler interface to the jail_set and jail_get
system calls and the security.jail.param sysctls.

Approved by:	bz (mentor)
2009-06-24 18:18:35 +00:00
Jamie Gritton
baab20bd4e Use the right jail parameters for -v (cpuset has changed to cpuset.id).
Reported by:	netchild
Approved by:	bz (mentor)
2009-06-17 14:32:08 +00:00
Jamie Gritton
73d0971bf2 Add support for the arbitrary named jail parameters used by jail_set(2)
and jail_get(2).  Jail(8) can now create jails using a "name=value"
format instead of just specifying a limited set of fixed parameters; it
can also modify parameters of existing jails.  Jls(8) can display all
parameters of jails, or a specified set of parameters.  The available
parameters are gathered from the kernel, and not hard-coded into these
programs.

Small patches on killall(1) and jexec(8) to support jail names with
jail_get(2).

Approved by:	bz (mentor)
2009-05-27 14:30:26 +00:00
Bjoern A. Zeeb
1f34f30fb5 Make sure that the direct jls invocation prints something
reasonably close to, and in the same format as, what it always had.

r185435 said it would try that but I had been living with jail
patches for too long to actually remember the single-line format
when adding backwards compatibility back in p4.

Reported by:	Philipp Wuensche <cryx-freebsd@h3q.com>
Tested by:	Philipp Wuensche <cryx-freebsd@h3q.com>
MFC after:	4 weeks (just for me to get the mail)
2008-12-14 16:56:47 +00:00
Bjoern A. Zeeb
0f1fe22db5 Correctly check the number of prison states to not access anything
outside the prison_states array.
When checking if there is a name configured for the prison, check the
first character to not be '\0' instead of checking if the char array
is present, which it always is. Note that this is different for the
*jailname in the syscall.

Found with:	Coverity Prevent(tm)
CID:		4156, 4155
MFC after:	4 weeks (just that I get the mail)
2008-12-11 01:04:25 +00:00
Bjoern A. Zeeb
413628a7e3 MFp4:
Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addition to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking, ...

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the aforementioned and in-kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
  and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
  help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
  suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
  on cluster machines as well as all the testers and people
  who provided feedback the last months on freebsd-jail and
  other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by:	(see above)
MFC after:	3 months (this is just so that I get the mail)
X-MFC Before:   7.2-RELEASE if possible
2008-11-29 14:32:14 +00:00
Pawel Jakub Dawidek
3a6b8b21d2 Sync code with the error report: calloc(number, 1) is equivalent to
malloc(number).
2005-08-19 11:03:49 +00:00
Pawel Jakub Dawidek
8bd435d9cf Not sure why, but SYSCTL_OUT() can sometimes keep returning ENOMEM
in sysctl_jail_list(). Because of this, jls(8) could enter into
an endless loop. The strange thing is that we can call jls(8) while
the other one is in the loop and it will succeed - SYSCTL_OUT() will
not return ENOMEM there.

Maybe SYSCTL_OUT() returns first ENOMEM, because there is no memory,
but is marking some memory range as wired even on failure and another
SYSCTL_OUT() calls are not going to succeed, because process exceeds
limit of wired memory? ENOVMCLUE.

Anyway. Fix jls(8) to ignore ENOMEM and retry only 4 times.

Submitted by:	Niklas Saers
PR:		kern/79245
MFC after:	3 days
2005-08-15 12:15:21 +00:00
Mike Barcroft
90e0c23cb9 IP addresses can be up to 15 characters long, not 12.
PR:     50904
2003-04-22 13:24:56 +00:00
Bruce Evans
87d88cec87 Fixed an err() format error in rev.1.1. This should have been fatal
since WARNS was high in rev.1.1, but __printf0like() has been temporarily
disabled for 9 months.
2003-04-17 22:39:32 +00:00
Mike Barcroft
ebf5d9bc2c o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
  jail.
o Add -i option to jail(8) to output jail ID of newly created jail.
2003-04-09 03:04:12 +00:00