Commit Graph

190 Commits

Author SHA1 Message Date
Jamie Gritton
e9322de834 Partially roll back r239601 - keep parameter strings both length-delimited
and null-terminated at the same time, because they're later passed to
libjail as null-terminated.  That means I also need to add a nul byte when
comma-combining array parameters.

MFC after:	6 days
2012-08-23 19:39:23 +00:00
Jamie Gritton
b01d717742 Pre-separate IP addresses passed on the command line, so they can be
properly parsed for interface prefixes and netmask suffixes.  This was
already done for the old-style (fixed) command line, but missed for
the new-style.

MFC after:	1 week
2012-08-23 01:43:22 +00:00
Jamie Gritton
2b4f1090de Remember that I'm using length-defined strings in parameters:
Remove a bogus null terminator when stripping the netmask from
 IP addresses.  This was causing later addresses in a comma-separated
 string to disappear.

 Use memcpy instead of strcpy.  This could just cause Bad Things.

PR:		170832
MFC after:	1 week
2012-08-23 01:43:01 +00:00
Maxim Konovalov
a1d92ae6b4 o Restore -u <username> getopt(3) flag somehow killed in r234712.
PR:		bin/169490
Submitted by:	amdmi3
MFC after:	2 weeks
2012-06-28 08:25:19 +00:00
Joel Dahl
8972c8b6a5 Minor spelling fixes. 2012-06-03 11:29:48 +00:00
Jamie Gritton
a6486f6008 When writing the jid via the -i flag, do it right when the jail is created,
before any commands run.  /etc/rc.d/jail depends on this.
2012-05-28 20:44:11 +00:00
Jamie Gritton
8632fa3e92 Don't try to set a null TERM environment.
Submitted by:	Mateusz Guzik <mjguzik gmail.com>
2012-05-25 00:38:06 +00:00
Warren Block
344c81a166 Fixes to man8 groff mandoc style, usage mistakes, or typos.
PR:		168016
Submitted by:	Nobuyuki Koganemaru
Approved by:	gjb
MFC after:	3 days
2012-05-24 02:24:03 +00:00
Jamie Gritton
858b023a07 Note that the new jail(8) will be appearing in 9.1. 2012-05-23 15:30:13 +00:00
Baptiste Daroussin
5e2a209a27 Fix world after byacc import:
- old yacc(1) use to magicially append stdlib.h, while new one don't
- new yacc(1) do declare yyparse by itself, fix redundant declaration of
  'yyparse'

Approved by:	des (mentor)
2012-05-22 16:33:10 +00:00
Joel Dahl
4228c8a2b1 Remove end of line whitespace. 2012-05-12 19:59:37 +00:00
Glen Barber
7b1d17a1bc General mdoc(7) and typo fixes.
PR:		167804
Submitted by:	Nobuyuki Koganemaru (kogane!jp.freebsd.org)
MFC after:	3 days
2012-05-12 15:08:22 +00:00
Joel Dahl
70c8684f0b mdoc: remove redundant Pp and end a display block with Ed. 2012-05-12 14:43:52 +00:00
Joel Dahl
7f4211ddb9 Fix .Pp macro. 2012-05-11 22:05:30 +00:00
Jamie Gritton
6fcbac3cd5 Add a meta-parameter IP__NULL to enum intparam, instead of mixing
enum values and zeroes.  This keeps clang happy (and is just good form).

Submitted by:	dim
2012-05-03 21:39:23 +00:00
Jamie Gritton
ff129df002 Add YY_NO_INPUT so clang doesn't complain about "input" not being used. 2012-05-02 21:24:08 +00:00
Jamie Gritton
901fc7b51f Fix the dates and history as of the move to HEAD. 2012-04-27 23:39:21 +00:00
Jamie Gritton
91b24c185b A new jail(8) with a configuration file, ultimately to replace the work
currently done by /etc/rc.d/jail.

MFC after:	3 months
2012-04-26 17:36:05 +00:00
Martin Matuska
06531226e6 Bump .Dd to reflect latest update
Reported by:	bz
MFC after:	1 week
2012-02-29 07:33:07 +00:00
Martin Matuska
41c0675e6e Add procfs to jail-mountable filesystems.
Reviewed by:	jamie
MFC after:	1 week
2012-02-29 00:30:18 +00:00
Martin Matuska
638f378253 mdoc(7) stype - start new sentences on new line
MFC after:	1 week
2012-02-28 07:35:07 +00:00
Jamie Gritton
0c4d49e94a Use the defvs_ruleset paramater when mounting a jail's /dev,
instead of a mount.devfs.ruleset pseudo-parameter.
2012-02-27 22:37:35 +00:00
Jamie Gritton
46571c7c00 From r224286:
Document the potential for jail escape.

From r224615:

  Always disable mount and unmount for jails with enforce_statfs==2.

From r231267:

  A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
  mounting devfs inside jails. A value of -1 disables mounting devfs in
  jails, a value of zero means no restrictions. Nested jails can only
  have mounting devfs disabled or inherit parent's enforcement as jails are
  not allowed to view or manipulate devfs(8) rules.

From r232059:

  To improve control over the use of mount(8) inside a jail(8), introduce
  a new jail parameter node with the following parameters:

  allow.mount.devfs:
	allow mounting the devfs filesystem inside a jail

  allow.mount.nullfs:
	allow mounting the nullfs filesystem inside a jail

From r232186:

  allow.mount.zfs:
	allow mounting the zfs filesystem inside a jail
2012-02-27 22:28:38 +00:00
Martin Matuska
e7af90ab00 Analogous to r232059, add a parameter for the ZFS file system:
allow.mount.zfs:
	allow mounting the zfs filesystem inside a jail

This way the permssions for mounting all current VFCF_JAIL filesystems
inside a jail are controlled wia allow.mount.* jail parameters.

Update sysctl descriptions.
Update jail(8) and zfs(8) manpages.

TODO:	document the connection of allow.mount.* and VFCF_JAIL for kernel
	developers

MFC after:	10 days
2012-02-26 16:30:39 +00:00
Martin Matuska
bf3db8aa65 To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:

allow.mount.devfs:
	allow mounting the devfs filesystem inside a jail

allow.mount.nullfs:
	allow mounting the nullfs filesystem inside a jail

Both parameters are disabled by default (equals the behavior before
devfs and nullfs in jails). Administrators have to explicitly allow
mounting devfs and nullfs for each jail. The value "-1" of the
devfs_ruleset parameter is removed in favor of the new allow setting.

Reviewed by:	jamie
Suggested by:	pjd
MFC after:	2 weeks
2012-02-23 18:51:24 +00:00
Martin Matuska
0cc207a6f5 Add support for mounting devfs inside jails.
A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.

Utilizes new functions introduced in r231265.

Reviewed by:	jamie
MFC after:	1 month
2012-02-09 10:22:08 +00:00
Jamie Gritton
1ca35de448 Improvements in error messages:
Some errors printed the jail name for unnamed (command line) jails.

Attempting to create an already-existing jail from the command line
returned with no error (even for non-root) due to bad logic in
start_state.

Ignore kvm_proc errors, which are typically caused by permission
problems.  Instead, stop ignoring permission errors when removing
a jail (but continue to silently ignore other errors, i.e. the
jail no longer existing).  This makes non-root attempts at removing
a jail give a clearer error message.
2012-02-08 23:51:46 +00:00
Jamie Gritton
7ca65ae0fe Allow relative pathnames for jails generated on the command line
(but continue to flag when from a config file).
2012-02-07 22:13:24 +00:00
Jamie Gritton
4334a36a6a Better communicate the purpose of "-r *". 2012-01-31 19:45:32 +00:00
Martin Matuska
d637f5bf9a Try resolving jail path with realpath(3).
jail(8) does a chdir(2) to the given path argument. Kernel evaluates the
jail path from the new cwd and not from the original cwd, which leads to
undesired behavior if given a relative path.

Reviewed by:	jamie
MFC after:	2 weeks
2012-01-24 08:04:38 +00:00
Martin Matuska
435d46675d Always disable mount and unmount for jails with enforce_statfs==2.
A working statfs(2) is required for umount(8) in jail.

Reviewed by:	pjd, kib
Approved by:	re (kib)
MFC after:	2 weeks
2011-08-02 19:44:40 +00:00
Benedict Reuschling
76e54f993c Revert my last change to this file, as BETA1 is not announced yet.
Pointed out by: kib
Pointy hat to:  me
Approved by:	re (kib, implicit)
2011-07-28 12:23:32 +00:00
Benedict Reuschling
f49a230f9c Add a section to the jail chapter that explains why it is not
recommended to allow root users in the jail to access the host system.

PR:		docs/156853
Submitted by:	crees
Patch by:	crees
Approved by:	re (kib) for BETA1
2011-07-28 11:41:55 +00:00
Glen Barber
1f897ce116 Document the potential for jail escape.
Submitted by:	Vedad KAJTAZ (vedad % kajtaz net)
PR:		142341
Reviewed by:	bz, rwatson
Rewording by:	rwatson
Approved by:	re (kensmith)
MFC after:	3 days
2011-07-24 03:34:38 +00:00
Jamie Gritton
eadec913d9 Don't report errors for the exit status of processes that are killed
as part of jail removal (IP_STOP_TIMEOUT).

Note a jail as "removed" even if it wasn't jail_remove() that did
the deed, e.g. if it already went away because all its processes
were killed.
2011-07-06 21:49:56 +00:00
Jamie Gritton
600802304e Advance to the next command before running anything, so errors found in
finish_command can be processed properly.
Call failed() once in next_command() instead of multiple times in
 run_command().
Continue processing commands when a no-wait operation (IP__OP or background
 command) succeeds.
2011-06-22 21:18:37 +00:00
Jamie Gritton
c6eff841df Fix a couple of NULL dereferences. 2011-06-21 19:13:48 +00:00
Jamie Gritton
5fb611c2bf Following r222465:
Check for IPv4 or IPv6 to be available by the kernel to not
  provoke errors trying to query options not available.
  Make it possible to compile out INET or INET6 only parts.
2011-06-20 23:04:13 +00:00
Jamie Gritton
e16fb8fba8 Linty stuff. 2011-06-20 07:58:44 +00:00
Jamie Gritton
2b00f7ba65 Move the actual create/remove (IP__OP) handling into run_command,
and the cost of an ugly single-use global variable.
2011-06-18 15:23:08 +00:00
Jamie Gritton
d8352076b1 Update copyright dates and other whitespacey stuff. 2011-06-17 16:21:03 +00:00
Jamie Gritton
3b40332c44 Split run_command up into an outer function (next_command) that chooses
a single command string to run, and an inner function (run_command) that
 runs that single string.
Move the list of start/stop commands to run from a switch statement into
 an array, with a new placeholder parameter IP__OP for actually creating
 or removing the jail.
When jail creation fails, revert all non-exec commands in reverse order.
2011-06-17 16:18:44 +00:00
Jamie Gritton
2a194551a7 Change cfstrings from an STAILQ into a TAILQ to allow commands to be
traversed in reverse order.
2011-06-17 16:06:13 +00:00
Bjoern A. Zeeb
15ede76031 Check for IPv4 or IPv6 to be available by the kernel to not
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.

Reviewed by:	jamie
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
2011-05-29 21:03:40 +00:00
Benedict Reuschling
0f3f5331e4 Revert r221655:
Various people voiced their concerns about these changes.
Until this is resolved, we should use the old version.
2011-05-08 14:57:01 +00:00
Benedict Reuschling
7dc2d68994 Jails have a problem in that if the jail directory is world-readable,
an attacker with root access to the jail can create a setuid binary for
their own use in the host environment (if they also have this access),
thus breaking root in the host.

This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.

PR:		docs/156853
Submitted by:	Chris Rees (utisoft at gmail dot com)
Reviewed by:	cperciva (security parts)
MFC after:	9 days
2011-05-08 12:16:39 +00:00
Jamie Gritton
aa02af5404 run_command (mostly) cleanup:
Make the parallelism limit a global instead of always passing it
 to run_command and finish_command.
In the case of an empty command string, try to run any other strings
 the command may have.
Replace JF_BACKGROUND with its sort-of opposite JF_SLEEPQ.
Change j->comstring earlier to render JF_RUNQ unncessary.
Change the if-else series to a more readable switch statement.
Treat IP_STOP_TIMEOUT like a command, calling run_command which then
 calls term_procs.
When the IP_STOP_TIMEOUT "command" finishes, it shouldn't mess with
 the parallelism limit.
Make sufficient checks in finish_command and run_command so that
 the nonintuitive j->comstring null check isn't necessary to run them.
Rename the "waiting" queue to "depend", because the "sleeping" and
 "runnable" queues are also used to wait for something.
2010-12-10 23:57:55 +00:00
Jamie Gritton
5264032f22 Check unmounts for a mount point of the right FS type. 2010-11-04 19:32:32 +00:00
Jamie Gritton
8ebbf0e287 Check paths for security:
path must be absolute.
 mount paths must exist and have no symlinks beyond the jail's path itself.
 consolelog must exist (apart from the final component) and have no
  symlinks beyond the jail's path itself.
2010-11-04 18:40:29 +00:00
Jamie Gritton
52a4962202 Reads the mount.fstab file, and put its lines separately into the
IP__MOUNT_FROM_FSTAB internal parameter.
2010-11-04 17:01:21 +00:00