freebsd-nq/etc/rc.d/jail
Doug Barton 801c438304 Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.
2012-01-14 02:18:41 +00:00

743 lines
17 KiB
Bash
Executable File

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: jail
# REQUIRE: LOGIN cleanvar
# BEFORE: securelevel
# KEYWORD: nojail shutdown
# WARNING: This script deals with untrusted data (the data and
# processes inside the jails) and care must be taken when changing the
# code related to this! If you have any doubt whether a change is
# correct and have security impact, please get the patch reviewed by
# the FreeBSD Security Team prior to commit.
. /etc/rc.subr
name="jail"
rcvar="jail_enable"
start_precmd="jail_prestart"
start_cmd="jail_start"
stop_cmd="jail_stop"
# init_variables _j
# Initialize the various jail variables for jail _j.
#
init_variables()
{
_j="$1"
if [ -z "$_j" ]; then
warn "init_variables: you must specify a jail"
return
fi
eval _rootdir=\"\$jail_${_j}_rootdir\"
_devdir="${_rootdir}/dev"
_fdescdir="${_devdir}/fd"
_procdir="${_rootdir}/proc"
eval _hostname=\"\$jail_${_j}_hostname\"
eval _ip=\"\$jail_${_j}_ip\"
eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
eval _exec=\"\$jail_${_j}_exec\"
i=0
while : ; do
eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\"
[ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break
i=$((i + 1))
done
eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"
i=1
while : ; do
eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
[ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break
i=$((i + 1))
done
i=0
while : ; do
eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\"
[ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
i=$((i + 1))
done
i=0
while : ; do
eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\"
[ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break
i=$((i + 1))
done
eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\"
i=0
while : ; do
eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\"
[ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break
i=$((i + 1))
done
if [ -n "${_exec}" ]; then
# simple/backward-compatible execution
_exec_start="${_exec}"
_exec_stop=""
else
# flexible execution
if [ -z "${_exec_start}" ]; then
_exec_start="/bin/sh /etc/rc"
if [ -z "${_exec_stop}" ]; then
_exec_stop="/bin/sh /etc/rc.shutdown"
fi
fi
fi
# The default jail ruleset will be used by rc.subr if none is specified.
eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
[ -z "${_devfs}" ] && _devfs="NO"
eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\"
[ -z "${_fdescfs}" ] && _fdescfs="NO"
eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\"
[ -z "${_procfs}" ] && _procfs="NO"
eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\"
[ -z "${_mount}" ] && _mount="NO"
# "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
[ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
[ -z "${_flags}" ] && _flags="-l -U root"
eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
[ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
# Debugging aid
#
debug "$_j devfs enable: $_devfs"
debug "$_j fdescfs enable: $_fdescfs"
debug "$_j procfs enable: $_procfs"
debug "$_j mount enable: $_mount"
debug "$_j hostname: $_hostname"
debug "$_j ip: $_ip"
jail_show_addresses ${_j}
debug "$_j interface: $_interface"
debug "$_j fib: $_fib"
debug "$_j root: $_rootdir"
debug "$_j devdir: $_devdir"
debug "$_j fdescdir: $_fdescdir"
debug "$_j procdir: $_procdir"
debug "$_j ruleset: $_ruleset"
debug "$_j fstab: $_fstab"
i=0
while : ; do
eval out=\"\${_exec_prestart${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec pre-start #${i}: ${out}"
i=$((i + 1))
done
debug "$_j exec start: $_exec_start"
i=1
while : ; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
debug "$_j exec after start #${i}: ${out}"
i=$((i + 1))
done
i=0
while : ; do
eval out=\"\${_exec_poststart${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec post-start #${i}: ${out}"
i=$((i + 1))
done
i=0
while : ; do
eval out=\"\${_exec_prestop${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec pre-stop #${i}: ${out}"
i=$((i + 1))
done
debug "$_j exec stop: $_exec_stop"
i=0
while : ; do
eval out=\"\${_exec_poststop${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec post-stop #${i}: ${out}"
i=$((i + 1))
done
debug "$_j flags: $_flags"
debug "$_j consolelog: $_consolelog"
if [ -z "${_hostname}" ]; then
err 3 "$name: No hostname has been defined for ${_j}"
fi
if [ -z "${_rootdir}" ]; then
err 3 "$name: No root directory has been defined for ${_j}"
fi
}
# set_sysctl rc_knob mib msg
# If the mib sysctl is set according to what rc_knob
# specifies, this function does nothing. However if
# rc_knob is set differently than mib, then the mib
# is set accordingly and msg is displayed followed by
# an '=" sign and the word 'YES' or 'NO'.
#
set_sysctl()
{
_knob="$1"
_mib="$2"
_msg="$3"
_current=`${SYSCTL} -n $_mib 2>/dev/null`
if checkyesno $_knob ; then
if [ "$_current" -ne 1 ]; then
echo -n " ${_msg}=YES"
${SYSCTL} 1>/dev/null ${_mib}=1
fi
else
if [ "$_current" -ne 0 ]; then
echo -n " ${_msg}=NO"
${SYSCTL} 1>/dev/null ${_mib}=0
fi
fi
}
# is_current_mountpoint()
# Is the directory mount point for a currently mounted file
# system?
#
is_current_mountpoint()
{
local _dir _dir2
_dir=$1
_dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
[ ! -d "${_dir}" ] && return 1
_dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
[ "${_dir}" = "${_dir2}" ]
return $?
}
# is_symlinked_mountpoint()
# Is a mount point, or any of its parent directories, a symlink?
#
is_symlinked_mountpoint()
{
local _dir
_dir=$1
[ -L "$_dir" ] && return 0
[ "$_dir" = "/" ] && return 1
is_symlinked_mountpoint `dirname $_dir`
return $?
}
# secure_umount
# Try to unmount a mount point without being vulnerable to
# symlink attacks.
#
secure_umount()
{
local _dir
_dir=$1
if is_current_mountpoint ${_dir}; then
umount -f ${_dir} >/dev/null 2>&1
else
debug "Nothing mounted on ${_dir} - not unmounting"
fi
}
# jail_umount_fs
# This function unmounts certain special filesystems in the
# currently selected jail. The caller must call the init_variables()
# routine before calling this one.
#
jail_umount_fs()
{
local _device _mountpt _rest
if checkyesno _fdescfs; then
if [ -d "${_fdescdir}" ] ; then
secure_umount ${_fdescdir}
fi
fi
if checkyesno _devfs; then
if [ -d "${_devdir}" ] ; then
secure_umount ${_devdir}
fi
fi
if checkyesno _procfs; then
if [ -d "${_procdir}" ] ; then
secure_umount ${_procdir}
fi
fi
if checkyesno _mount; then
[ -f "${_fstab}" ] || warn "${_fstab} does not exist"
tail -r ${_fstab} | while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
;;
esac
secure_umount ${_mountpt}
done
fi
}
# jail_mount_fstab()
# Mount file systems from a per jail fstab while trying to
# secure against symlink attacks at the mount points.
#
# If we are certain we cannot secure against symlink attacks we
# do not mount all of the file systems (since we cannot just not
# mount the file system with the problematic mount point).
#
# The caller must call the init_variables() routine before
# calling this one.
#
jail_mount_fstab()
{
local _device _mountpt _rest
while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
;;
esac
if is_symlinked_mountpoint ${_mountpt}; then
warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
return
fi
done <${_fstab}
mount -a -F "${_fstab}"
}
# jail_show_addresses jail
# Debug print the input for the given _multi aliases
# for a jail for init_variables().
#
jail_show_addresses()
{
local _j _type alias
_j="$1"
alias=0
if [ -z "${_j}" ]; then
warn "jail_show_addresses: you must specify a jail"
return
fi
while : ; do
eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
if [ -n "${_addr}" ]; then
debug "${_j} ip_multi${alias}: $_addr"
alias=$((${alias} + 1))
else
break
fi
done
}
# jail_extract_address argument
# The second argument is the string from one of the _ip
# or the _multi variables. In case of a comma separated list
# only one argument must be passed in at a time.
# The function alters the _type, _iface, _addr and _mask variables.
#
jail_extract_address()
{
local _i
_i=$1
if [ -z "${_i}" ]; then
warn "jail_extract_address: called without input"
return
fi
# Check if we have an interface prefix given and split into
# iFace and rest.
case "${_i}" in
*\|*) # ifN|.. prefix there
_iface=${_i%%|*}
_r=${_i##*|}
;;
*) _iface=""
_r=${_i}
;;
esac
# In case the IP has no interface given, check if we have a global one.
_iface=${_iface:-${_interface}}
# Set address, cut off any prefix/netmask/prefixlen.
_addr=${_r}
_addr=${_addr%%[/ ]*}
# Theoretically we can return here if interface is not set,
# as we only care about the _mask if we call ifconfig.
# This is not done because we may want to santize IP addresses
# based on _type later, and optionally change the type as well.
# Extract the prefix/netmask/prefixlen part by cutting off the address.
_mask=${_r}
_mask=`expr "${_mask}" : "${_addr}\(.*\)"`
# Identify type {inet,inet6}.
case "${_addr}" in
*\.*\.*\.*) _type="inet" ;;
*:*) _type="inet6" ;;
*) warn "jail_extract_address: type not identified"
;;
esac
# Handle the special /netmask instead of /prefix or
# "netmask xxx" case for legacy IP.
# We do NOT support shortend class-full netmasks.
if [ "${_type}" = "inet" ]; then
case "${_mask}" in
/*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;;
*) ;;
esac
# In case _mask is still not set use /32.
_mask=${_mask:-/32}
elif [ "${_type}" = "inet6" ]; then
# In case _maske is not set for IPv6, use /128.
_mask=${_mask:-/128}
fi
}
# jail_handle_ips_option {add,del} input
# Handle a single argument imput which can be a comma separated
# list of addresses (theoretically with an option interface and
# prefix/netmask/prefixlen).
#
jail_handle_ips_option()
{
local _x _action _type _i
_action=$1
_x=$2
if [ -z "${_x}" ]; then
# No IP given. This can happen for the primary address
# of each address family.
return
fi
# Loop, in case we find a comma separated list, we need to handle
# each argument on its own.
while [ ${#_x} -gt 0 ]; do
case "${_x}" in
*,*) # Extract the first argument and strip it off the list.
_i=`expr "${_x}" : '^\([^,]*\)'`
_x=`expr "${_x}" : "^[^,]*,\(.*\)"`
;;
*) _i=${_x}
_x=""
;;
esac
_type=""
_iface=""
_addr=""
_mask=""
jail_extract_address "${_i}"
# make sure we got an address.
case "${_addr}" in
"") continue ;;
*) ;;
esac
# Append address to list of addresses for the jail command.
case "${_addrl}" in
"") _addrl="${_addr}" ;;
*) _addrl="${_addrl},${_addr}" ;;
esac
# Configure interface alias if requested by a given interface
# and if we could correctly parse everything.
case "${_iface}" in
"") continue ;;
esac
case "${_type}" in
inet) ;;
inet6) ;;
*) warn "Could not determine address family. Not going" \
"to ${_action} address '${_addr}' for ${_jail}."
continue
;;
esac
case "${_action}" in
add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias
;;
del) # When removing the IP, ignore the _mask.
ifconfig ${_iface} ${_type} ${_addr} -alias
;;
esac
done
}
# jail_ips {add,del}
# Extract the comma separated list of addresses and return them
# for the jail command.
# Handle more than one address via the _multi option as well.
# If an interface is given also add/remove an alias for the
# address with an optional netmask.
#
jail_ips()
{
local _action
_action=$1
case "${_action}" in
add) ;;
del) ;;
*) warn "jail_ips: invalid action '${_action}'"
return
;;
esac
# Handle addresses.
jail_handle_ips_option ${_action} "${_ip}"
# Handle jail_xxx_ip_multi<N>
alias=0
while : ; do
eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
case "${_x}" in
"") break ;;
*) jail_handle_ips_option ${_action} "${_x}"
alias=$((${alias} + 1))
;;
esac
done
}
jail_prestart()
{
if checkyesno jail_parallel_start; then
command_args='&'
fi
}
jail_start()
{
echo -n 'Configuring jails:'
set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
set_hostname_allow
set_sysctl jail_socket_unixiproute_only \
security.jail.socket_unixiproute_only unixiproute_only
set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
sysvipc_allow
echo '.'
echo -n 'Starting jails:'
_tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
err 3 "$name: Can't create temp dir, exiting..."
for _jail in ${jail_list}
do
init_variables $_jail
if [ -f /var/run/jail_${_jail}.id ]; then
echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
continue;
fi
_addrl=""
jail_ips "add"
if [ -n "${_fib}" ]; then
_setfib="setfib -F '${_fib}'"
else
_setfib=""
fi
if checkyesno _mount; then
info "Mounting fstab for jail ${_jail} (${_fstab})"
if [ ! -f "${_fstab}" ]; then
err 3 "$name: ${_fstab} does not exist"
fi
jail_mount_fstab
fi
if checkyesno _devfs; then
# If devfs is already mounted here, skip it.
df -t devfs "${_devdir}" >/dev/null
if [ $? -ne 0 ]; then
if is_symlinked_mountpoint ${_devdir}; then
warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
continue
fi
info "Mounting devfs on ${_devdir}"
devfs_mount_jail "${_devdir}" ${_ruleset}
# Transitional symlink for old binaries
if [ ! -L "${_devdir}/log" ]; then
__pwd="`pwd`"
cd "${_devdir}"
ln -sf ../var/run/log log
cd "$__pwd"
fi
fi
# XXX - It seems symlinks don't work when there
# is a devfs(5) device of the same name.
# Jail console output
# __pwd="`pwd`"
# cd "${_devdir}"
# ln -sf ../var/log/console console
# cd "$__pwd"
fi
if checkyesno _fdescfs; then
if is_symlinked_mountpoint ${_fdescdir}; then
warn "${_fdescdir} has symlink as parent, not mounting"
else
info "Mounting fdescfs on ${_fdescdir}"
mount -t fdescfs fdesc "${_fdescdir}"
fi
fi
if checkyesno _procfs; then
if is_symlinked_mountpoint ${_procdir}; then
warn "${_procdir} has symlink as parent, not mounting"
else
info "Mounting procfs onto ${_procdir}"
if [ -d "${_procdir}" ] ; then
mount -t procfs proc "${_procdir}"
fi
fi
fi
_tmp_jail=${_tmp_dir}/jail.$$
i=0
while : ; do
eval out=\"\${_exec_prestart${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
\"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \
</dev/null
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while : ; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
jexec "${_jail_id}" ${out}
i=$((i + 1))
done
echo -n " $_hostname"
tail +2 ${_tmp_jail} >${_consolelog}
echo ${_jail_id} > /var/run/jail_${_jail}.id
i=0
while : ; do
eval out=\"\${_exec_poststart${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
else
jail_umount_fs
jail_ips "del"
echo " cannot start jail \"${_jail}\": "
tail +2 ${_tmp_jail}
fi
rm -f ${_tmp_jail}
done
rmdir ${_tmp_dir}
echo '.'
}
jail_stop()
{
echo -n 'Stopping jails:'
for _jail in ${jail_list}
do
if [ -f "/var/run/jail_${_jail}.id" ]; then
_jail_id=$(cat /var/run/jail_${_jail}.id)
if [ ! -z "${_jail_id}" ]; then
init_variables $_jail
i=0
while : ; do
eval out=\"\${_exec_prestop${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
if [ -n "${_exec_stop}" ]; then
eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \
>> ${_consolelog} 2>&1
fi
killall -j ${_jail_id} -TERM > /dev/null 2>&1
sleep 1
killall -j ${_jail_id} -KILL > /dev/null 2>&1
jail_umount_fs
echo -n " $_hostname"
i=0
while : ; do
eval out=\"\${_exec_poststop${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
fi
jail_ips "del"
rm /var/run/jail_${_jail}.id
else
echo " cannot stop jail ${_jail}. No jail id in /var/run"
fi
done
echo '.'
}
load_rc_config $name
cmd="$1"
if [ $# -gt 0 ]; then
shift
fi
if [ -n "$*" ]; then
jail_list="$*"
fi
run_rc_command "${cmd}"