- Update rc.d/jail to use a jail(8) configuration file instead of
  command line options.  The "jail_<jname>_*" rc.conf(5) variables for
  per-jail configuration are automatically converted to
  /var/run/jail.<jname>.conf before the jail(8) utility is invoked.
  This is transparently backward compatible.

- Fix a minor bug in jail(8) which prevented it from returning false
  when jail -r failed.

Approved by:	re (glebius)
hrs 2013-10-10 09:32:27 +00:00
parent 028a23e8a8
commit f8b617128e
6 changed files with 462 additions and 991 deletions


@ -31,6 +31,25 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW:
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
20131010:
The rc.d/jail script has been updated to support jail(8)
configuration file. The "jail_<jname>_*" rc.conf(5) variables
for per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible. See below about some
incompatibilities and rc.conf(5) manual page for more details.
These variables are now deprecated in favor of jail(8) configuration
file. One can use "rc.d/jail config <jname>" command to generate
a jail(8) configuration file in /var/run/jail.<jname>.conf without
running the jail(8) utility. The default pathname of the
configuration file is /etc/jail.conf and can be specified by
using $jail_conf or $jail_<jname>_conf variables.
Please note that jail_devfs_ruleset accepts an integer at
this moment. Please consider to rewrite the ruleset name
with an integer.
20130930:
BIND has been removed from the base system. If all you need
is a local resolver, simply enable and start the local_unbound


@ -674,44 +674,11 @@ mixer_enable="YES" # Run the sound mixer.
opensm_enable="NO" # Opensm(8) for infiniband devices defaults to off
##############################################################
### Jail Configuration #######################################
### Jail Configuration (see rc.conf(5) manual page) ##########
##############################################################
jail_enable="NO" # Set to NO to disable starting of any jails
jail_parallel_start="NO" # Start jails in the background
jail_list="" # Space separated list of names of jails
jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
#
# To use rc's built-in jail infrastructure create entries for
# each jail, specified in jail_list, with the following variables.
# NOTES:
# - replace 'example' with the jail's name.
# - except rootdir, hostname, ip and the _multi<n> addresses,
# all of the following variables may be made global jail variables
# if you don't specify a jail name (ie. jail_interface, jail_devfs_ruleset).
#
#jail_example_rootdir="/usr/jail/default" # Jail's root directory
#jail_example_hostname="default.domain.com" # Jail's hostname
#jail_example_interface="" # Jail's interface variable to create IP aliases on
#jail_example_fib="0" # Routing table for setfib(1)
#jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6 address
#jail_example_ip_multi0="2001:db8::10" # and another IPv6 address
#jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting
#jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for
# starting the jail. More than one can be
# specified using a trailing number
#jail_example_exec_stop="/bin/sh /etc/rc.shutdown" # command to execute in jail for stopping
#jail_example_devfs_enable="NO" # mount devfs in the jail
#jail_example_devfs_ruleset="ruleset_name" # devfs ruleset to apply to jail -
# usually you want "devfsrules_jail".
#jail_example_fdescfs_enable="NO" # mount fdescfs in the jail
#jail_example_procfs_enable="NO" # mount procfs in jail
#jail_example_mount_enable="NO" # mount/umount jail's fs
#jail_example_fstab="" # fstab(5) for mount/umount
#jail_example_flags="-l -U root" # flags for jail(8)
#jail_example_parameters="allow.raw_sockets=1" # extra parameters for this jail
##############################################################
### Define source_rc_confs, the mechanism used by /etc/rc.* ##


@ -8,81 +8,138 @@
# BEFORE: securelevel
# KEYWORD: nojail shutdown
# WARNING: This script deals with untrusted data (the data and
# processes inside the jails) and care must be taken when changing the
# code related to this! If you have any doubt whether a change is
# correct and have security impact, please get the patch reviewed by
# the FreeBSD Security Team prior to commit.
. /etc/rc.subr
name="jail"
rcvar="jail_enable"
start_precmd="jail_prestart"
start_cmd="jail_start"
start_postcmd="jail_warn"
stop_cmd="jail_stop"
config_cmd="jail_config"
console_cmd="jail_console"
status_cmd="jail_status"
extra_commands="config console status"
: ${jail_conf:=/etc/jail.conf}
: ${jail_program:=/usr/sbin/jail}
: ${jail_consolecmd:=/bin/sh}
: ${jail_jexec:=/usr/sbin/jexec}
: ${jail_jls:=/usr/sbin/jls}
# init_variables _j
# Initialize the various jail variables for jail _j.
#
init_variables()
need_dad_wait=
# extact_var jail name param num defval
# Extract value from ${jail_$jail_$name} or ${jail_$name} and
# set it to $param. If not defined, $defval is used.
# When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and
# $param is set by using +=.
# When $num is YN or NY, the value is interpret as boolean.
extract_var()
{
_j="$1"
local i _j _name _param _num _def _name1 _name2
_j=$1
_name=$2
_param=$3
_num=$4
_def=$5
case $_num in
YN)
_name1=jail_${_j}_${_name}
_name2=jail_${_name}
eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\"
if checkyesno $_name1; then
echo " $_param = 1;"
else
echo " $_param = 0;"
fi
;;
NY)
_name1=jail_${_j}_${_name}
_name2=jail_${_name}
eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\"
if checkyesno $_name1; then
echo " $_param = 0;"
else
echo " $_param = 1;"
fi
;;
[0-9]*)
i=$_num
while : ; do
_name1=jail_${_j}_${_name}${i}
_name2=jail_${_name}${i}
eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\"
if [ -n "$_tmpargs" ]; then
echo " $_param += \"$_tmpargs\";"
else
break;
fi
i=$(($i + 1))
done
;;
*)
_name1=jail_${_j}_${_name}
_name2=jail_${_name}
eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\"
if [ -n "$_tmpargs" ]; then
echo " $_param = \"$_tmpargs\";"
fi
;;
esac
}
# parse_options _j
# Parse options and create a temporary configuration file if necessary.
#
parse_options()
{
local _j
_j=$1
_confwarn=0
if [ -z "$_j" ]; then
warn "init_variables: you must specify a jail"
warn "parse_options: you must specify a jail"
return
fi
eval _jconf=\"\${jail_${_j}_conf:-/etc/jail.${_j}.conf}\"
eval _rootdir=\"\$jail_${_j}_rootdir\"
_devdir="${_rootdir}/dev"
_fdescdir="${_devdir}/fd"
_procdir="${_rootdir}/proc"
eval _hostname=\"\$jail_${_j}_hostname\"
if [ -z "$_rootdir" -o \
-z "$_hostname" ]; then
if [ -r "$_jconf" ]; then
_conf="$_jconf"
return 0
elif [ -r "$jail_conf" ]; then
_conf="$jail_conf"
return 0
else
warn "Invalid configuration for $_j " \
"(no jail.conf, no hostname, or no path). " \
"Jail $_j was ignored."
fi
return 1
fi
eval _ip=\"\$jail_${_j}_ip\"
eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
if [ -z "$_ip" ] && ! check_kern_features vimage; then
warn "no ipaddress specified and no vimage support. " \
"Jail $_j was ignored."
return 1
fi
_conf=/var/run/jail.${_j}.conf
#
# To relieve confusion, show a warning message.
#
_confwarn=1
if [ -r "$jail_conf" -o -r "$_jconf" ]; then
warn "$_conf is created and used for jail $_j."
fi
/usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1
eval : \${jail_${_j}_flags:=${jail_flags}}
eval _exec=\"\$jail_${_j}_exec\"
i=0
while : ; do
eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\"
[ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break
i=$((i + 1))
done
eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"
i=1
while : ; do
eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
[ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break
i=$((i + 1))
done
i=0
while : ; do
eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\"
[ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
i=$((i + 1))
done
i=0
while : ; do
eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\"
[ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break
i=$((i + 1))
done
eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\"
i=0
while : ; do
eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\"
[ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break
i=$((i + 1))
done
eval _exec_start=\"\$jail_${_j}_exec_start\"
eval _exec_stop=\"\$jail_${_j}_exec_stop\"
if [ -n "${_exec}" ]; then
# simple/backward-compatible execution
_exec_start="${_exec}"
@ -96,285 +153,104 @@ init_variables()
fi
fi
fi
# The default jail ruleset will be used by rc.subr if none is specified.
eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
[ -z "${_devfs}" ] && _devfs="NO"
eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\"
[ -z "${_fdescfs}" ] && _fdescfs="NO"
eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\"
[ -z "${_procfs}" ] && _procfs="NO"
eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\"
[ -z "${_mount}" ] && _mount="NO"
# "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
[ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
[ -z "${_flags}" ] && _flags="-l -U root"
eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
[ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
eval _parameters=\"\${jail_${_j}_parameters:-${jail_parameters}}\"
[ -z "${_parameters}" ] && _parameters=""
eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\"
(
date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S"
echo "$_j {"
extract_var $_j hostname host.hostname - ""
extract_var $_j rootdir path - ""
if [ -n "$_ip" ]; then
extract_var $_j interface interface - ""
jail_handle_ips_option $_ip $_interface
alias=0
while : ; do
eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
[ -z "$_x" ] && break
# Debugging aid
#
debug "$_j devfs enable: $_devfs"
debug "$_j fdescfs enable: $_fdescfs"
debug "$_j procfs enable: $_procfs"
debug "$_j mount enable: $_mount"
debug "$_j hostname: $_hostname"
debug "$_j ip: $_ip"
jail_show_addresses ${_j}
debug "$_j interface: $_interface"
debug "$_j fib: $_fib"
debug "$_j root: $_rootdir"
debug "$_j devdir: $_devdir"
debug "$_j fdescdir: $_fdescdir"
debug "$_j procdir: $_procdir"
debug "$_j ruleset: $_ruleset"
debug "$_j fstab: $_fstab"
i=0
while : ; do
eval out=\"\${_exec_prestart${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec pre-start #${i}: ${out}"
i=$((i + 1))
done
debug "$_j exec start: $_exec_start"
i=1
while : ; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
debug "$_j exec after start #${i}: ${out}"
i=$((i + 1))
done
i=0
while : ; do
eval out=\"\${_exec_poststart${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec post-start #${i}: ${out}"
i=$((i + 1))
done
i=0
while : ; do
eval out=\"\${_exec_prestop${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec pre-stop #${i}: ${out}"
i=$((i + 1))
done
debug "$_j exec stop: $_exec_stop"
i=0
while : ; do
eval out=\"\${_exec_poststop${i}:-''}\"
if [ -z "$out" ]; then
break
fi
debug "$_j exec post-stop #${i}: ${out}"
i=$((i + 1))
done
debug "$_j flags: $_flags"
debug "$_j consolelog: $_consolelog"
debug "$_j parameters: $_parameters"
if [ -z "${_hostname}" ]; then
err 3 "$name: No hostname has been defined for ${_j}"
fi
if [ -z "${_rootdir}" ]; then
err 3 "$name: No root directory has been defined for ${_j}"
fi
}
# set_sysctl rc_knob mib msg
# If the mib sysctl is set according to what rc_knob
# specifies, this function does nothing. However if
# rc_knob is set differently than mib, then the mib
# is set accordingly and msg is displayed followed by
# an '=" sign and the word 'YES' or 'NO'.
#
set_sysctl()
{
_knob="$1"
_mib="$2"
_msg="$3"
_current=`${SYSCTL} -n $_mib 2>/dev/null`
if checkyesno $_knob ; then
if [ "$_current" -ne 1 ]; then
echo -n " ${_msg}=YES"
${SYSCTL} 1>/dev/null ${_mib}=1
fi
else
if [ "$_current" -ne 0 ]; then
echo -n " ${_msg}=NO"
${SYSCTL} 1>/dev/null ${_mib}=0
fi
fi
}
# is_current_mountpoint()
# Is the directory mount point for a currently mounted file
# system?
#
is_current_mountpoint()
{
local _dir _dir2
_dir=$1
_dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
[ ! -d "${_dir}" ] && return 1
_dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
[ "${_dir}" = "${_dir2}" ]
return $?
}
# is_symlinked_mountpoint()
# Is a mount point, or any of its parent directories, a symlink?
#
is_symlinked_mountpoint()
{
local _dir
_dir=$1
[ -L "$_dir" ] && return 0
[ "$_dir" = "/" ] && return 1
is_symlinked_mountpoint `dirname $_dir`
return $?
}
# secure_umount
# Try to unmount a mount point without being vulnerable to
# symlink attacks.
#
secure_umount()
{
local _dir
_dir=$1
if is_current_mountpoint ${_dir}; then
umount -f ${_dir} >/dev/null 2>&1
else
debug "Nothing mounted on ${_dir} - not unmounting"
fi
}
# jail_umount_fs
# This function unmounts certain special filesystems in the
# currently selected jail. The caller must call the init_variables()
# routine before calling this one.
#
jail_umount_fs()
{
local _device _mountpt _rest
if checkyesno _fdescfs; then
if [ -d "${_fdescdir}" ] ; then
secure_umount ${_fdescdir}
fi
fi
if checkyesno _devfs; then
if [ -d "${_devdir}" ] ; then
secure_umount ${_devdir}
fi
fi
if checkyesno _procfs; then
if [ -d "${_procdir}" ] ; then
secure_umount ${_procdir}
fi
fi
if checkyesno _mount; then
[ -f "${_fstab}" ] || warn "${_fstab} does not exist"
tail -r ${_fstab} | while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
;;
esac
secure_umount ${_mountpt}
done
fi
}
# jail_mount_fstab()
# Mount file systems from a per jail fstab while trying to
# secure against symlink attacks at the mount points.
#
# If we are certain we cannot secure against symlink attacks we
# do not mount all of the file systems (since we cannot just not
# mount the file system with the problematic mount point).
#
# The caller must call the init_variables() routine before
# calling this one.
#
jail_mount_fstab()
{
local _device _mountpt _rest
while read _device _mountpt _rest; do
case ":${_device}" in
:#* | :)
continue
jail_handle_ips_option $_x $_interface
alias=$(($alias + 1))
done
case $need_dad_wait in
1)
# Sleep to let DAD complete before
# starting services.
echo " exec.start += \"sleep " \
$(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \
"\";"
;;
esac
if is_symlinked_mountpoint ${_mountpt}; then
warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
return
fi
done <${_fstab}
mount -a -F "${_fstab}"
}
# jail_show_addresses jail
# Debug print the input for the given _multi aliases
# for a jail for init_variables().
#
jail_show_addresses()
{
local _j _type alias
_j="$1"
alias=0
if [ -z "${_j}" ]; then
warn "jail_show_addresses: you must specify a jail"
return
fi
while : ; do
eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
if [ -n "${_addr}" ]; then
debug "${_j} ip_multi${alias}: $_addr"
alias=$((${alias} + 1))
esac
# These are applicable only to non-vimage jails.
extract_var $_j fib exec.fib - ""
extract_var $_j socket_unixiproute_only \
allow.raw_sockets NY YES
else
break
echo " vnet;"
extract_var $_j vnet_interface vnet.interface - ""
fi
done
echo " exec.clean;"
echo " exec.system_user = \"root\";"
echo " exec.jail_user = \"root\";"
extract_var $_j exec_prestart exec.prestart 0 ""
extract_var $_j exec_poststart exec.poststart 0 ""
extract_var $_j exec_prestop exec.prestop 0 ""
extract_var $_j exec_poststop exec.poststop 0 ""
echo " exec.start += \"$_exec_start\";"
extract_var $_j exec_afterstart exec.start 1 ""
echo " exec.stop = \"$_exec_stop\";"
extract_var $_j consolelog exec.consolelog - \
/var/log/jail_${_j}_console.log
eval : \${jail_${_j}_devfs_enable:=${jail_devfs_enable:-NO}}
if checkyesno jail_${_j}_devfs_enable; then
echo " mount.devfs;"
case $_ruleset in
"") ;;
[0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;;
devfsrules_jail)
# XXX: This is the default value,
# Let jail(8) to use the default because
# mount(8) only accepts an integer.
# This should accept a ruleset name.
;;
*) warn "devfs_ruleset must be integer." ;;
esac
if [ -r $_fstab ]; then
echo " mount.fstab = \"$_fstab\";"
fi
fi
eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}}
if checkyesno jail_${_j}_fdescfs_enable; then
echo " mount += " \
"\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";"
fi
eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}}
if checkyesno jail_${_j}_procfs_enable; then
echo " mount += " \
"\"procfs ${_rootdir%/}/proc procfs rw 0 0\";"
fi
echo " ${_parameters};"
eval : \${jail_${_j}_mount_enable:=${jail_mount_enable:-NO}}
if checkyesno jail_${_j}_mount_enable; then
echo " allow.mount;" >> $_conf
fi
extract_var $_j set_hostname_allow allow.set_hostname YN NO
extract_var $_j sysvipc_allow allow.sysvipc YN NO
echo "}"
) >> $_conf
return 0
}
# jail_extract_address argument
# jail_extract_address argument iface
# The second argument is the string from one of the _ip
# or the _multi variables. In case of a comma separated list
# only one argument must be passed in at a time.
@ -382,8 +258,9 @@ jail_show_addresses()
#
jail_extract_address()
{
local _i
local _i _interface
_i=$1
_interface=$2
if [ -z "${_i}" ]; then
warn "jail_extract_address: called without input"
@ -439,21 +316,21 @@ jail_extract_address()
_mask=${_mask:-/32}
elif [ "${_type}" = "inet6" ]; then
# In case _maske is not set for IPv6, use /128.
_mask=${_mask:-/128}
# In case _maske is not set for IPv6, use /64.
_mask=${_mask:-/64}
fi
}
# jail_handle_ips_option {add,del} input
# jail_handle_ips_option input iface
# Handle a single argument imput which can be a comma separated
# list of addresses (theoretically with an option interface and
# prefix/netmask/prefixlen).
#
jail_handle_ips_option()
{
local _x _action _type _i
_action=$1
_x=$2
local _x _type _i _iface
_x=$1
_iface=$2
if [ -z "${_x}" ]; then
# No IP given. This can happen for the primary address
@ -468,294 +345,146 @@ jail_handle_ips_option()
*,*) # Extract the first argument and strip it off the list.
_i=`expr "${_x}" : '^\([^,]*\)'`
_x=`expr "${_x}" : "^[^,]*,\(.*\)"`
;;
;;
*) _i=${_x}
_x=""
;;
;;
esac
_type=""
_iface=""
_addr=""
_mask=""
jail_extract_address "${_i}"
jail_extract_address $_i $_iface
# make sure we got an address.
case "${_addr}" in
case $_addr in
"") continue ;;
*) ;;
esac
# Append address to list of addresses for the jail command.
case "${_type}" in
case $_type in
inet)
case "${_addrl}" in
"") _addrl="${_addr}" ;;
*) _addrl="${_addrl},${_addr}" ;;
esac
;;
echo " ip4.addr += \"${_addr}${_mask}\";"
;;
inet6)
case "${_addr6l}" in
"") _addr6l="${_addr}" ;;
*) _addr6l="${_addr6l},${_addr}" ;;
esac
;;
esac
# Configure interface alias if requested by a given interface
# and if we could correctly parse everything.
case "${_iface}" in
"") continue ;;
esac
case "${_type}" in
inet) ;;
inet6) ipv6_address_count=$((ipv6_address_count + 1)) ;;
*) warn "Could not determine address family. Not going" \
"to ${_action} address '${_addr}' for ${_jail}."
continue
;;
esac
case "${_action}" in
add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias
;;
del) # When removing the IP, ignore the _mask.
ifconfig ${_iface} ${_type} ${_addr} -alias
;;
echo " ip6.addr += \"${_addr}${_mask}\";"
need_dad_wait=1
;;
esac
done
}
# jail_ips {add,del}
# Extract the comma separated list of addresses and return them
# for the jail command.
# Handle more than one address via the _multi option as well.
# If an interface is given also add/remove an alias for the
# address with an optional netmask.
#
jail_ips()
jail_config()
{
local _action
_action=$1
case "${_action}" in
add) ;;
del) ;;
*) warn "jail_ips: invalid action '${_action}'"
return
;;
case $1 in
_ALL) return ;;
esac
# Handle addresses.
ipv6_address_count=0
jail_handle_ips_option ${_action} "${_ip}"
# Handle jail_xxx_ip_multi<N>
alias=0
while : ; do
eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
case "${_x}" in
"") break ;;
*) jail_handle_ips_option ${_action} "${_x}"
alias=$((${alias} + 1))
;;
esac
for _jail in $@; do
if parse_options $_jail; then
echo "$_jail: parameters are in $_conf."
fi
done
case ${ipv6_address_count} in
0) ;;
*) # Sleep 1 second to let DAD complete before starting services.
sleep 1
;;
esac
}
jail_prestart()
jail_console()
{
if checkyesno jail_parallel_start; then
command_args='&'
fi
# One argument that is not _ALL.
case $#:$1 in
1:_ALL) err 3 "Specify a jail name." ;;
1:*) ;;
*) err 3 "Specify a jail name." ;;
esac
eval _cmd=\${jail_$1_consolecmd:-$jail_consolecmd}
$jail_jexec $1 $_cmd
}
jail_status()
{
$jail_jls -N
}
jail_start()
{
echo -n 'Configuring jails:'
set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
set_hostname_allow
set_sysctl jail_socket_unixiproute_only \
security.jail.socket_unixiproute_only unixiproute_only
set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
sysvipc_allow
echo '.'
if [ $# = 0 ]; then
return
fi
echo -n 'Starting jails:'
_tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
err 3 "$name: Can't create temp dir, exiting..."
for _jail in ${jail_list}
do
init_variables $_jail
if [ -f /var/run/jail_${_jail}.id ]; then
echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
continue;
fi
_addrl=""
_addr6l=""
jail_ips "add"
if [ -n "${_fib}" ]; then
_setfib="setfib -F '${_fib}'"
case $1 in
_ALL)
echo -n ' '
command=$jail_program
rc_flags=$jail_flags
command_args="-f $jail_conf -c"
$command $rc_flags $command_args "*"
echo '.'
return
;;
esac
_tmp=`mktemp -t jail` || exit 3
for _jail in $@; do
parse_options $_jail || continue
eval rc_flags=\${jail_${_j}_flags:-$jail_flags}
eval command=\${jail_${_j}_program:-$jail_program}
if checkyesno jail_parallel_start; then
command_args="-i -f $_conf -c $_jail &"
else
_setfib=""
command_args="-i -f $_conf -c $_jail"
fi
if checkyesno _mount; then
info "Mounting fstab for jail ${_jail} (${_fstab})"
if [ ! -f "${_fstab}" ]; then
err 3 "$name: ${_fstab} does not exist"
fi
jail_mount_fstab
fi
if checkyesno _devfs; then
# If devfs is already mounted here, skip it.
df -t devfs "${_devdir}" >/dev/null
if [ $? -ne 0 ]; then
if is_symlinked_mountpoint ${_devdir}; then
warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
continue
fi
info "Mounting devfs on ${_devdir}"
devfs_mount_jail "${_devdir}" ${_ruleset}
# Transitional symlink for old binaries
if [ ! -L "${_devdir}/log" ]; then
ln -sf ../var/run/log "${_devdir}/log"
fi
fi
# XXX - It seems symlinks don't work when there
# is a devfs(5) device of the same name.
# Jail console output
# __pwd="`pwd`"
# cd "${_devdir}"
# ln -sf ../var/log/console console
# cd "$__pwd"
fi
if checkyesno _fdescfs; then
if is_symlinked_mountpoint ${_fdescdir}; then
warn "${_fdescdir} has symlink as parent, not mounting"
else
info "Mounting fdescfs on ${_fdescdir}"
mount -t fdescfs fdesc "${_fdescdir}"
fi
fi
if checkyesno _procfs; then
if is_symlinked_mountpoint ${_procdir}; then
warn "${_procdir} has symlink as parent, not mounting"
else
info "Mounting procfs onto ${_procdir}"
if [ -d "${_procdir}" ] ; then
mount -t procfs proc "${_procdir}"
fi
fi
fi
_tmp_jail=${_tmp_dir}/jail.$$
i=0
while : ; do
eval out=\"\${_exec_prestart${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
</dev/null
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
i=1
while : ; do
eval out=\"\${_exec_afterstart${i}:-''}\"
if [ -z "$out" ]; then
break;
fi
jexec "${_jail_id}" ${out}
i=$((i + 1))
done
echo -n " $_hostname"
tail +2 ${_tmp_jail} >${_consolelog}
echo ${_jail_id} > /var/run/jail_${_jail}.id
i=0
while : ; do
eval out=\"\${_exec_poststart${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
if $command $rc_flags $command_args \
>> $_tmp 2>&1 </dev/null; then
echo -n " ${_hostname:-${_jail}}"
else
jail_umount_fs
jail_ips "del"
echo " cannot start jail \"${_jail}\": "
tail +2 ${_tmp_jail}
echo " cannot start jail \"${_hostname:-${jail}}\": "
tail +2 $_tmp
fi
rm -f ${_tmp_jail}
rm -f $_tmp
done
rmdir ${_tmp_dir}
echo '.'
}
jail_stop()
{
if [ $# = 0 ]; then
return
fi
echo -n 'Stopping jails:'
for _jail in ${jail_list}
do
if [ -f "/var/run/jail_${_jail}.id" ]; then
_jail_id=$(cat /var/run/jail_${_jail}.id)
if [ ! -z "${_jail_id}" ]; then
init_variables $_jail
i=0
while : ; do
eval out=\"\${_exec_prestop${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
if [ -n "${_exec_stop}" ]; then
eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \
>> ${_consolelog} 2>&1
fi
killall -j ${_jail_id} -TERM > /dev/null 2>&1
sleep 1
killall -j ${_jail_id} -KILL > /dev/null 2>&1
jail_umount_fs
echo -n " $_hostname"
i=0
while : ; do
eval out=\"\${_exec_poststop${i}:-''}\"
[ -z "$out" ] && break
${out}
i=$((i + 1))
done
fi
jail_ips "del"
rm /var/run/jail_${_jail}.id
else
echo " cannot stop jail ${_jail}. No jail id in /var/run"
case $1 in
_ALL)
echo -n ' '
command=$jail_program
rc_flags=$jail_flags
command_args="-f $jail_conf -r"
$command $rc_flags $command_args "*"
echo '.'
return
;;
esac
for _jail in $@; do
parse_options $_jail || continue
eval command=\${jail_${_j}_program:-$jail_program}
if $command -q -f $_conf -r $_jail; then
echo -n " ${_hostname:-${_jail}}"
fi
done
echo '.'
}
load_rc_config $name
cmd="$1"
if [ $# -gt 0 ]; then
shift
fi
if [ -n "$*" ]; then
jail_list="$*"
fi
jail_warn()
{
run_rc_command "${cmd}"
# To relieve confusion, show a warning message.
case $_confwarn in
1) warn "Per-jail configuration via jail_* variables " \
"is obsolete. Please consider to migrate to $jail_conf."
;;
esac
}
load_rc_config $name
case $# in
1) run_rc_command $@ ${jail_list:-_ALL} ;;
*) run_rc_command $@ ;;
esac
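Review bot: The values that extract_var() and parse_options() write into the generated /var/run/jail.<jname>.conf are placed between double quotes without escaping, for example `echo " $_param = \"$_tmpargs\";"` and `echo " exec.start += \"$_exec_start\";"`, and `${_parameters}` is emitted with no quoting at all. An rc.conf(5) value containing a `"` or a backslash therefore changes how jail(8) parses the file, which undermines the stated backward compatibility for settings that previously worked as command-line arguments and lets one variable's value define further jail parameters. Escaping `\` and `"` before each echo would close this, e.g. `_tmpargs=$(printf '%s' "$_tmpargs" | sed 's/[\\"]/\\&/g')`. Separately, jail_start() and jail_stop() look up `jail_${_j}_flags` and `jail_${_j}_program`, but `_j` is declared `local` inside parse_options(), so these appear to need `${_jail}` (the failure message likewise uses `${jail}`). The is_symlinked_mountpoint()/secure_umount() helpers seem to be on the removed side of this section, so it is worth confirming that jail(8) applies an equivalent symlink check to `mount.devfs`, `mount.fstab` and the `mount +=` entries built from `${_rootdir}`.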


@ -1463,28 +1463,6 @@ devfs_domount()
return 0
}
# devfs_mount_jail dir [ruleset]
# Mounts a devfs file system appropriate for jails
# on the directory dir. If ruleset is specified, the ruleset
# it names will be used instead. If present, ruleset must
# be the name of a ruleset as defined in a devfs.rules(5) file.
# This function returns non-zero if an error occurs.
#
devfs_mount_jail()
{
local jdev rs _me
jdev="$1"
[ -n "$2" ] && rs=$2 || rs="devfsrules_jail"
_me="devfs_mount_jail"
devfs_init_rulesets
if ! devfs_domount "$jdev" $rs; then
warn "$_me: devfs was not mounted on $jdev"
return 1
fi
return 0
}
# Provide a function for normalizing the mounting of memory
# filesystems. This should allow the rest of the code here to remain
# as close as possible between 5-current and 4-stable.


@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd September 23, 2013
.Dd October 10, 2013
.Dt RC.CONF 5
.Os
.Sh NAME
@ -3891,14 +3891,32 @@ indicates that the highest frequency (less power savings) should be used.
If set to
.Dq Li NO ,
any configured jails will not be started.
.It Va jail_conf
.Pq Vt str
The configuration filename used by
.Xr jail 8
utility.
The default value is
.Pa /etc/jail.conf .
.It Va jail_parallel_start
.Pq Vt bool
If set to
.Dq Li YES ,
all configured jails will be started in the background (in parallel).
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_list
.Pq Vt str
A space separated list of names for jails.
If this variable is empty,
all of
.Xr jail 8
instances in the configuration file will be configured.
This is purely a configuration aid to help identify and
configure multiple jails.
The names specified in this list will be used to
@ -3908,171 +3926,41 @@ The literal jail name of
.Dq Li 0
.Pq zero
is not allowed.
.Pp
Assuming that the jail in question was named
.Li vjail ,
you would have the following dependent variables:
.Bd -literal
jail_vjail_hostname="jail.example.com"
jail_vjail_ip="192.0.2.100"
jail_vjail_rootdir="/var/jails/vjail/root"
.Ed
.Pp
.It Va jail_flags
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _flags
for every jail in
.Va jail_list .
.It Va jail_interface
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface
for every jail in
.Va jail_list .
.It Va jail_fstab
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
for every jail in
.Va jail_list .
.It Va jail_mount_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
sets
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
to
.Dq Li YES
by default for every jail in
.Va jail_list .
.It Va jail_devfs_ruleset
.Pq Vt str
Unset by default.
When set, sets
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset
to given value for every jail in
.Va jail_list .
.It Va jail_devfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
sets
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
to
.Dq Li YES
by default for every jail in
.Va jail_list .
.It Va jail_fdescfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
sets
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
to
.Dq Li YES
by default for every jail in
.Va jail_list .
.It Va jail_procfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
sets
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
to
.Dq Li YES
by default for every jail in
.Va jail_list .
.It Va jail_exec_prestart Ns Aq Ar N
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart Ns Aq Ar N
for every jail in
.Va jail_list .
.It Va jail_exec_start
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start
for every jail in
.Va jail_list .
.It Va jail_exec_afterstart Ns Aq Ar N
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_afterstart Ns Aq Ar N
for every jail in
.Va jail_list .
.It Va jail_exec_poststart Ns Aq Ar N
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart Ns Aq Ar N
for every jail in
.Va jail_list .
.It Va jail_exec_prestop Ns Aq Ar N
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop Ns Aq Ar N
for every jail in
.Va jail_list .
.It Va jail_exec_stop
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
for every jail in
.Va jail_list .
.It Va jail_exec_poststop Ns Aq Ar N
.Pq Vt str
Unset by default.
When set, use as default value for
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop Ns Aq Ar N
for every jail in
.Va jail_list .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _rootdir
.Pq Vt str
Unset by default.
Set to the root directory used by jail
.Va jname .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.Pq Vt str
Unset by default.
Set to the fully qualified domain name (FQDN) assigned to jail
.Va jname .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
.Pq Vt str
Unset by default.
Set extra parameters for jail
.Va jname ,
such as
.Dq Li allow.chflags
or
.Dq Li children.max .
See
.It Va jail_* variables
Note that older releases supported per-jail configuration via
.Xr rc.conf 5
variables.
For example,
hostname of a jail named
.Li vjail
was able to be set by
.Li jail_vjail_hostname .
These per-jail configuration variables are now obsolete in favor of
.Xr jail 8
for a list of available parameters.
Note that the following parameters are already defined by
configuration file.
For backward compatibility,
when per-jail configuration variables are defined,
.Xr jail 8
configuration files are created as
.Pa /var/run/jail. Ns Ao Ar jname Ac Ns Pa .conf
and used.
.Pp
The following per-jail parameters are handled by
.Pa rc.d/jail
script out of their corresponding
.Nm
variables:
variables.
In addition to them, parameters in
.Va jail_ Ns Ao Ar jname Ac Ns Va _parameters
will be added to the configuration file.
They must be a semi-colon
.Pq Ql \&;
delimited list of
.Dq key=value .
For more details,
see
.Xr jail 8
manual page.
.Bl -tag -width "host.hostname" -offset indent
.It Li path
set from
@ -4080,202 +3968,90 @@ set from
.It Li host.hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _hostname
.It Li command
.It Li exec.consolelog
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start
.Va jail_ Ns Ao Ar jname Ac Ns Va _consolelog .
The default value is
.Pa /var/log/jail_ Ao Ar jname Ac Pa _console.log .
.It Li interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface .
.It Li vnet.interface
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _vnet_interface .
This implies
.Li vnet
parameter will be enabled and cannot be specified with
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface ,
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
and/or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
at the same time.
.It Li fstab
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable.
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.It Li exec.start
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start .
The parameter name was
.Li command
in some older releases.
.It Li exec.prestart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart
.It Li exec.poststart
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart
.It Li exec.stop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.It Li exec.prestop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop
.It Li exec.poststop
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop
.It Li ip4.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
contains IPv4 addresses
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv4 addresses
.It Li ip6.addr
set if
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip6
contains IPv6 addresses
.El
.It Va jail_ Ns Ao Ar jname Ac Ns Va _ip
.Pq Vt str
Unset by default.
Set to the (primary) IPv4 and/or IPv6 address(es) assigned to the jail.
The argument can be a sole address or a comma separated list of addresses.
Additionally each address can be prefixed by the name of an interface
followed by a pipe to overwrite
.Va jail_ Ns Ao Ar jname Ac Ns Va _interface
or
.Va jail_interface
and/or suffixed by a netmask, prefixlen or prefix.
In case no netmask, prefixlen or prefix is given,
.Sq /32
will be used for IPv4 and
.Sq /128
will be used for an IPv6 address.
If no address is given for the jail then the jail will be started with
no networking support.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
.Pq Vt str
Unset by default.
Set additional IPv4 and/or IPv6 address(es) assigned to the jail.
The sequence starts with
.Dq Li _multi0
and the numbers have to be strictly ascending.
These entries follow the same syntax as their primary
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip
entry.
The order of the entries can be important as the first address for
each address family found will be the primary address of the jail.
See
.Va ip-addresses
option in
.Xr jail 8
for more details.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _flags
.Pq Vt str
Set to
.Dq Li -l -U root
by default.
These are flags to pass to
.Xr jail 8 .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _interface
.Pq Vt str
Unset by default.
When set, sets the interface to use when setting IP address alias.
Note that the alias is created at jail startup and removed at jail shutdown.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _fib
.Pq Vt str
Unset by default.
When set, the jail is started with the specified forwarding table (sometimes
referred to as a routing table) via
.Xr setfib 1 .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.Pq Vt str
Set to
.Pa /etc/fstab. Ns Aq Ar jname
by default.
This is the file system information file to use for jail
.Va jname .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
mount all file systems from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
at jail startup.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset
.Pq Vt str
Unset by default.
When set, defines the device file system ruleset file to use for jail
.Va jname .
.It Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
mount the device file system inside jail
.Ar jname
at jail startup.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
mount the file-descriptor file system inside jail
.Ar jname
at jail startup.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
When set to
.Dq Li YES ,
mount the process file system inside jail
.Ar jname
at jail startup.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestart Ns Aq Ar N
.Pq Vt str
Unset by default.
This is the command run as
.Ar N Ns
th command
before jail startup, where
.Ar N
is 0, 1, and so on.
It is run outside the jail.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_start
.Pq Vt str
Set to
.Dq Li /bin/sh /etc/rc
by default.
This is the command executed in a jail at jail startup.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_afterstart Ns Aq Ar N
.Pq Vt str
Unset by default.
This is the command run as
.Ar N Ns
th command
in a jail
after jail startup, where
.Ar N
is 1, 2, and so on.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststart Ns Aq Ar N
.Pq Vt str
Unset by default.
This is the command run as
.Ar N Ns
th command
after jail startup, where
.Ar N
is 0, 1, and so on.
It is run outside the jail.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_prestop Ns Aq Ar N
.Pq Vt str
Unset by default.
This is the command run as
.Ar N Ns
th command
before jail shutdown, where
.Ar N
is 0, 1, and so on.
It is run outside the jail.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_stop
.Pq Vt str
Set to
.Dq Li /bin/sh /etc/rc.shutdown
by default.
This is the command executed in a jail at jail shutdown.
.It Va jail_ Ns Ao Ar jname Ac Ns Va _exec_poststop Ns Aq Ar N
.Pq Vt str
Unset by default.
This is the command run as
.Ar N Ns
th command
after jail shutdown, where
.Ar N
is 0, 1, and so on.
It is run outside the jail.
.It Va jail_set_hostname_allow
.Pq Vt bool
If set to
.Dq Li NO ,
do not allow the root user in a jail to set its hostname.
.It Va jail_socket_unixiproute_only
.Pq Vt bool
If set to
.Dq Li YES ,
do not allow any sockets,
besides UNIX/IP/route sockets,
to be used within a jail.
.It Va jail_sysvipc_allow
.Pq Vt bool
If set to
.Dq Li YES ,
allow applications within a jail to use System V IPC.
or
.Va jail_ Ns Ao Ar jname Ac Ns Va _ip_multi Ns Aq Ar n
contain IPv6 addresses
.It Li allow.mount
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _mount_enable
.It Li mount.devfs
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_enable
.It Li devfs_ruleset
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
.It Li allow.rawsocket
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _socket_unixiproute_only
.It Li allow.sysvipc
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
.El
.\" -----------------------------------------------------
.It Va harvest_interrupt
.Pq Vt bool


@ -470,10 +470,12 @@ main(int argc, char **argv)
if (dep_check(j))
continue;
if (j->jid < 0) {
if (!(j->flags & (JF_DEPEND | JF_WILD))
&& verbose >= 0)
jail_quoted_warnx(j,
"not found", NULL);
if (!(j->flags & (JF_DEPEND|JF_WILD))) {
if (verbose >= 0)
jail_quoted_warnx(j,
"not found", NULL);
failed(j);
}
goto jail_remove_done;
}
j->comparam = stopcommands;
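Review bot: The new `failed(j)` call in the `j->jid < 0` branch now runs regardless of `verbose`, but nothing in the code says this is deliberate, and the split of the old combined condition into two nested `if`s reads like a plain reformat. A one-line comment above the inner check, such as `/* A named jail that is missing counts as a failure even when quiet. */`, would keep a later cleanup from folding `failed(j)` back under `verbose >= 0`. Going by the commit message, `jail -r` on a jail that is already gone will presumably now exit non-zero unless `JF_DEPEND` or `JF_WILD` is set, so stop scripts and automation that treat a non-zero status as fatal should be checked against this. main() starts and ends outside this hunk.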