Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't

apply to most jails but do apply to vnet jails. This includes adding a new sysctl "security.jail.vnet" to identify vnet jails. PR: conf/149050 Submitted by: mdodd MFC after: 3 days
2013-05-19 04:10:34 +00:00 · 2013-05-19 04:10:34 +00:00 · 761d2bb5b9
commit 761d2bb5b9
parent 156860b2b3
6 changed files with 32 additions and 4 deletions
--- a/etc/rc
+++ b/etc/rc
@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
 	if [ "$early_late_divider" = "FILESYSTEMS" ]; then
 		early_late_divider=NETWORKING
 	fi
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		skip="$skip -s nojailvnet"
+	fi
 fi

 # Do a first pass to get everything up to $early_late_divider so that
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@ -5,7 +5,7 @@

 # PROVIDE: ipfw
 # REQUIRE: ppp
-# KEYWORD: nojail
+# KEYWORD: nojailvnet

 . /etc/rc.subr
 . /etc/network.subr
--- a/etc/rc.d/netif
+++ b/etc/rc.d/netif
@ -28,7 +28,7 @@
 # PROVIDE: netif
 # REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
 # REQUIRE: ipfilter ipfs
-# KEYWORD: nojail
+# KEYWORD: nojailvnet

 . /etc/rc.subr
 . /etc/network.subr
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@ -7,7 +7,7 @@

 # PROVIDE: routing
 # REQUIRE: faith netif ppp stf
-# KEYWORD: nojail
+# KEYWORD: nojailvnet

 . /etc/rc.subr
 . /etc/network.subr
--- a/etc/rc.shutdown
+++ b/etc/rc.shutdown
@ -81,7 +81,12 @@ fi
 # and perform the operation
 #
 rcorder_opts="-k shutdown"
-[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
+if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+	rcorder_opts="$rcorder_opts -s nojail"
+	if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+		rcorder_opts="$rcorder_opts -s nojailvnet"
+	fi
+fi

 case ${local_startup} in
 [Nn][Oo] | '') ;;
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -4132,6 +4132,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
    sysctl_jail_jailed, "I", "Process in jail?");

+static int
+sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
+{
+	int error, havevnet;
+#ifdef VIMAGE
+	struct ucred *cred = req->td->td_ucred;
+
+	havevnet = jailed(cred) && prison_owns_vnet(cred);
+#else
+	havevnet = 0;
+#endif
+	error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
+
+	return (error);
+}
+
+SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    sysctl_jail_vnet, "I", "Jail owns VNET?");
+
 #if defined(INET) || defined(INET6)
 SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
    &jail_max_af_ips, 0,