MFC: Add the -s option to set jail's securelevel.
This is useful for jails run with non-root privileges. PR: bin/80242
This commit is contained in:
matteo
parent
1a9bdb2f4a
commit
2feee4a415
@ -43,6 +43,7 @@
|
||||
.Nm
|
||||
.Op Fl i
|
||||
.Op Fl J Ar jid_file
|
||||
.Op Fl s Ar securelevel
|
||||
.Op Fl l u Ar username | Fl U Ar username
|
||||
.Ar path hostname ip-number command ...
|
||||
.Sh DESCRIPTION
|
||||
@ -73,6 +74,10 @@ is set to the target login.
|
||||
is imported from the current environment.
|
||||
The environment variables from the login class capability database for the
|
||||
target login are also set.
|
||||
.It Fl s Ar securelevel
|
||||
Sets
|
||||
.Va kern.securelevel
|
||||
to the specified value inside the newly created jail.
|
||||
.It Fl u Ar username
|
||||
The user name from host environment as whom the
|
||||
.Ar command
|
||||
|
||||
@ -12,6 +12,7 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/jail.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
@ -54,17 +55,19 @@ main(int argc, char **argv)
|
||||
struct passwd *pwd = NULL;
|
||||
struct in_addr in;
|
||||
gid_t groups[NGROUPS];
|
||||
int ch, i, iflag, Jflag, lflag, ngroups, uflag, Uflag;
|
||||
char path[PATH_MAX], *username, *JidFile;
|
||||
int ch, i, iflag, Jflag, lflag, ngroups, securelevel, uflag, Uflag;
|
||||
char path[PATH_MAX], *ep, *username, *JidFile;
|
||||
static char *cleanenv;
|
||||
const char *shell, *p = NULL;
|
||||
long ltmp;
|
||||
FILE *fp;
|
||||
|
||||
iflag = Jflag = lflag = uflag = Uflag = 0;
|
||||
securelevel = -1;
|
||||
username = JidFile = cleanenv = NULL;
|
||||
fp = NULL;
|
||||
|
||||
while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) {
|
||||
while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'i':
|
||||
iflag = 1;
|
||||
@ -73,6 +76,12 @@ main(int argc, char **argv)
|
||||
JidFile = optarg;
|
||||
Jflag = 1;
|
||||
break;
|
||||
case 's':
|
||||
ltmp = strtol(optarg, &ep, 0);
|
||||
if (*ep || ep == optarg || ltmp > INT_MAX || !ltmp)
|
||||
errx(1, "invalid securelevel: `%s'", optarg);
|
||||
securelevel = ltmp;
|
||||
break;
|
||||
case 'u':
|
||||
username = optarg;
|
||||
uflag = 1;
|
||||
@ -130,6 +139,11 @@ main(int argc, char **argv)
|
||||
errx(1, "Could not write JidFile: %s", JidFile);
|
||||
}
|
||||
}
|
||||
if (securelevel > 0) {
|
||||
if (sysctlbyname("kern.securelevel", NULL, 0, &securelevel,
|
||||
sizeof(securelevel)))
|
||||
err(1, "Can not set securelevel to %d", securelevel);
|
||||
}
|
||||
if (username != NULL) {
|
||||
if (Uflag)
|
||||
GET_USER_INFO;
|
||||
@ -168,8 +182,9 @@ static void
|
||||
usage(void)
|
||||
{
|
||||
|
||||
(void)fprintf(stderr, "%s%s\n",
|
||||
"usage: jail [-i] [-J jid_file] [-l -u username | -U username]",
|
||||
(void)fprintf(stderr, "%s%s%s\n",
|
||||
"usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
|
||||
"username | -U username]",
|
||||
" path hostname ip-number command ...");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user