Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),

sockstat(1), ugidfw(8)
These are the last of the jail-aware userland utilities that didn't work
 with names.

PR:		229266
MFC after:	3 days
Differential Revision:	D16047
This commit is contained in:
jamie 2018-07-03 23:47:20 +00:00
parent 6f2eb073ec
commit 95deb222cf
10 changed files with 64 additions and 27 deletions

View File

@ -34,9 +34,11 @@
*/
#include <sys/param.h>
#include <sys/errno.h>
#include <sys/jail.h>
#include <sys/time.h>
#include <sys/sysctl.h>
#include <sys/ucred.h>
#include <sys/uio.h>
#include <sys/mount.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
@ -599,17 +601,46 @@ bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max,
return (0);
}
static int
bsde_get_jailid(const char *name, size_t buflen, char *errstr)
{
char *ep;
int jid;
struct iovec jiov[4];
/* Copy jail_getid(3) instead of messing with library dependancies */
jid = strtoul(name, &ep, 10);
if (*name && !*ep)
return jid;
jiov[0].iov_base = __DECONST(char *, "name");
jiov[0].iov_len = sizeof("name");
jiov[1].iov_len = strlen(name) + 1;
jiov[1].iov_base = alloca(jiov[1].iov_len);
strcpy(jiov[1].iov_base, name);
if (errstr && buflen) {
jiov[2].iov_base = __DECONST(char *, "errmsg");
jiov[2].iov_len = sizeof("errmsg");
jiov[3].iov_base = errstr;
jiov[3].iov_len = buflen;
errstr[0] = 0;
jid = jail_get(jiov, 4, 0);
if (jid < 0 && !errstr[0])
snprintf(errstr, buflen, "jail_get: %s",
strerror(errno));
} else
jid = jail_get(jiov, 2, 0);
return jid;
}
static int
bsde_parse_subject(int argc, char *argv[],
struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
{
int not_seen, flags;
int current, neg, nextnot;
char *endp;
uid_t uid_min, uid_max;
gid_t gid_min, gid_max;
int jid = 0;
long value;
current = 0;
flags = 0;
@ -668,13 +699,9 @@ bsde_parse_subject(int argc, char *argv[],
snprintf(errstr, buflen, "one jail only");
return (-1);
}
value = strtol(argv[current+1], &endp, 10);
if (*endp != '\0') {
snprintf(errstr, buflen, "invalid jid: '%s'",
argv[current+1]);
jid = bsde_get_jailid(argv[current+1], buflen, errstr);
if (jid < 0)
return (-1);
}
jid = value;
flags |= MBS_PRISON_DEFINED;
if (nextnot) {
neg ^= MBS_PRISON_DEFINED;

View File

@ -13,7 +13,7 @@ SRCS+= altq.c
CFLAGS+=-DPF
.endif
LIBADD= util
LIBADD= jail util
MAN= ipfw.8
.include <bsd.prog.mk>

View File

@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd June 28, 2018
.Dd July 3, 2018
.Dt IPFW 8
.Os
.Sh NAME
@ -1535,10 +1535,10 @@ Matches all TCP or UDP packets sent by or received for a
A
.Ar group
may be specified by name or number.
.It Cm jail Ar prisonID
.It Cm jail Ar jail
Matches all TCP or UDP packets sent by or received for the
jail whos prison ID is
.Ar prisonID .
jail whose ID or name is
.Ar jail .
.It Cm icmptypes Ar types
Matches ICMP packets whose ICMP type is in the list
.Ar types .

View File

@ -32,6 +32,7 @@
#include <err.h>
#include <errno.h>
#include <grp.h>
#include <jail.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
@ -4581,13 +4582,12 @@ compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate)
case TOK_JAIL:
NEED1("jail requires argument");
{
char *end;
int jid;
cmd->opcode = O_JAIL;
jid = (int)strtol(*av, &end, 0);
if (jid < 0 || *end != '\0')
errx(EX_DATAERR, "jail requires prison ID");
jid = jail_getid(*av);
if (jid < 0)
errx(EX_DATAERR, "%s", jail_errmsg);
cmd32->d[0] = (uint32_t)jid;
cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
av++;

View File

@ -2,4 +2,6 @@
PROG= cpuset
LIBADD= jail
.include <bsd.prog.mk>

View File

@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd February 26, 2018
.Dd July 3, 2018
.Dt CPUSET 1
.Os
.Sh NAME
@ -56,7 +56,7 @@
.Nm
.Fl g
.Op Fl cir
.Op Fl d Ar domain | Fl j Ar jailid | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
.Op Fl d Ar domain | Fl j Ar jail | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
.Sh DESCRIPTION
The
.Nm
@ -68,7 +68,7 @@ available processors and memory domains in the system.
.Nm
requires a target to modify or query.
The target may be specified as a command, process id, thread id, a
cpuset id, an irq, a jail id, or a NUMA domain.
cpuset id, an irq, a jail, or a NUMA domain.
Using
.Fl g
the target's set id or mask may be queried.
@ -136,8 +136,8 @@ the id of the target.
When used with the
.Fl g
option print the id rather than the valid mask of the target.
.It Fl j Ar jailid
Specifies a jail id as the target of the operation.
.It Fl j Ar jail
Specifies a jail id or name as the target of the operation.
.It Fl l Ar cpu-list
Specifies a list of CPUs to apply to a target.
Specification may include

View File

@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <jail.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
@ -320,7 +321,9 @@ main(int argc, char *argv[])
case 'j':
jflag = 1;
which = CPU_WHICH_JAIL;
id = atoi(optarg);
id = jail_getid(optarg);
if (id < 0)
errx(EXIT_FAILURE, "%s", jail_errmsg);
break;
case 'l':
lflag = 1;

View File

@ -2,4 +2,6 @@
PROG= sockstat
LIBADD= jail
.include <bsd.prog.mk>

View File

@ -27,7 +27,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd January 23, 2018
.Dd July 3, 2018
.Dt SOCKSTAT 1
.Os
.Sh NAME
@ -58,8 +58,8 @@ Show
(IPv6) sockets.
.It Fl c
Show connected sockets.
.It Fl j Ar jid
Show only sockets belonging to the specified jail ID.
.It Fl j Ar jail
Show only sockets belonging to the specified jail ID or name.
.It Fl L
Only show Internet sockets if the local and foreign addresses are not
in the loopback network prefix

View File

@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <jail.h>
#include <netdb.h>
#include <pwd.h>
#include <stdarg.h>
@ -1263,7 +1264,9 @@ main(int argc, char *argv[])
opt_c = 1;
break;
case 'j':
opt_j = atoi(optarg);
opt_j = jail_getid(optarg);
if (opt_j < 0)
errx(1, "%s", jail_errmsg);
break;
case 'L':
opt_L = 1;