From fbd868c9d84fdf7c9831d326b3c50da863f0fc09 Mon Sep 17 00:00:00 2001 From: Hiroki Sato Date: Sat, 12 Oct 2013 17:27:59 +0000 Subject: [PATCH] - Add mount.fdescfs parameter to jail(8). This is similar to mount.devfs but mounts fdescfs. The mount happens just after mount.devfs. - rc.d/jail now displays whole error message from jail(8) when a jail fails to start. Approved by: re (gjb) --- etc/rc.d/jail | 5 ++--- share/man/man5/rc.conf.5 | 9 +++++---- usr.sbin/jail/command.c | 33 ++++++++++++++++++++++++++++++++- usr.sbin/jail/config.c | 1 + usr.sbin/jail/jail.8 | 20 +++++++++++++++----- usr.sbin/jail/jail.c | 2 ++ usr.sbin/jail/jailp.h | 1 + 7 files changed, 58 insertions(+), 13 deletions(-) diff --git a/etc/rc.d/jail b/etc/rc.d/jail index 63e489aabc02..c935fac13fdf 100755 --- a/etc/rc.d/jail +++ b/etc/rc.d/jail @@ -226,8 +226,7 @@ parse_options() eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} if checkyesno jail_${_j}_fdescfs_enable; then - echo " mount += " \ - "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";" + echo " mount.fdescfs;" fi eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}} if checkyesno jail_${_j}_procfs_enable; then @@ -438,7 +437,7 @@ jail_start() echo -n " ${_hostname:-${_jail}}" else echo " cannot start jail \"${_hostname:-${jail}}\": " - tail +2 $_tmp + cat $_tmp fi rm -f $_tmp done diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index effbd96af0bd..799f5357c309 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 10, 2013 +.Dd October 12, 2013 .Dt RC.CONF 5 .Os .Sh NAME @@ -3992,9 +3992,7 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fstab .It Li mount set from -.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -or -.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable. +.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable . .It Li exec.fib set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fib @@ -4042,6 +4040,9 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset . This must be an integer, not a string. +.It Li mount.fdescfs +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable .It Li allow.set_hostname set from .Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c index 452a079829d2..04a4514da368 100644 --- a/usr.sbin/jail/command.c +++ b/usr.sbin/jail/command.c @@ -106,7 +106,12 @@ next_command(struct cfjail *j) case IP_MOUNT_DEVFS: if (!bool_param(j->intparams[IP_MOUNT_DEVFS])) continue; - /* FALLTHROUGH */ + j->comstring = &dummystring; + break; + case IP_MOUNT_FDESCFS: + if (!bool_param(j->intparams[IP_MOUNT_FDESCFS])) + continue; + j->comstring = &dummystring; case IP__OP: case IP_STOP_TIMEOUT: j->comstring = &dummystring; @@ -452,6 +457,32 @@ run_command(struct cfjail *j) } break; + case IP_MOUNT_FDESCFS: + argv = alloca(7 * sizeof(char *)); + path = string_param(j->intparams[KP_PATH]); + if (path == NULL) { + jail_warnx(j, "mount.fdescfs: no path"); + return -1; + } + devpath = alloca(strlen(path) + 8); + sprintf(devpath, "%s/dev/fd", path); + if (check_path(j, "mount.fdescfs", devpath, 0, + down ? "fdescfs" : NULL) < 0) + return -1; + if (down) { + *(const char **)&argv[0] = "/sbin/umount"; + argv[1] = devpath; + argv[2] = NULL; + } else { + *(const char **)&argv[0] = _PATH_MOUNT; + *(const char **)&argv[1] = "-t"; + *(const char **)&argv[2] = "fdescfs"; + *(const char **)&argv[3] = "."; + argv[4] = devpath; + argv[5] = NULL; + } + break; + case IP_COMMAND: if (j->name != NULL) goto default_command; diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index a201f314e577..57967082b9f2 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -83,6 +83,7 @@ static const struct ipspec intparams[] = { #endif [IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV}, [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL}, + [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL}, [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 88d69f99241f..4a16e9aba5e8 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 23, 2013 +.Dd October 12, 2013 .Dt JAIL 8 .Os .Sh NAME @@ -682,7 +682,7 @@ to. An alias for each address will be added to the interface before the prison is created, and will be removed from the interface after the prison is removed. -.It Op Va ip4.addr +.It Va ip4.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a netmask may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask . @@ -691,7 +691,7 @@ will be added to that interface, as it is with the .Va interface parameter. If a netmask in either dotted-quad or CIDR form is given after IP address, it will be used when adding the IP alias. -.It Op Va ip6.addr +.It Va ip6.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a prefix may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix . @@ -722,11 +722,19 @@ An format file containing filesystems to mount before creating a jail. .It Va mount.devfs Mount a -.Xr devfs -filesystem on the chrooted /dev directory, and apply the ruleset in the +.Xr devfs 5 +filesystem on the chrooted +.Pa /dev +directory, and apply the ruleset in the .Va devfs_ruleset parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the prison. +.It Va mount.fdescfs +Mount a +.Xr fdescfs 5 +filesystem on the chrooted +.Pa /dev/fd +directory. .It Va allow.dying Allow making changes to a .Va dying @@ -1165,6 +1173,8 @@ environment of the first jail. .Xr ps 1 , .Xr quota 1 , .Xr jail_set 2 , +.Xr devfs 5 , +.Xr fdescfs 5 , .Xr jail.conf 5 , .Xr procfs 5 , .Xr rc.conf 5 , diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index 9930dbb3fc98..661c4adfc660 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -92,6 +92,7 @@ static const enum intparam startcommands[] = { IP_MOUNT, IP__MOUNT_FROM_FSTAB, IP_MOUNT_DEVFS, + IP_MOUNT_FDESCFS, IP_EXEC_PRESTART, IP__OP, IP_VNET_INTERFACE, @@ -108,6 +109,7 @@ static const enum intparam stopcommands[] = { IP_STOP_TIMEOUT, IP__OP, IP_EXEC_POSTSTOP, + IP_MOUNT_FDESCFS, IP_MOUNT_DEVFS, IP__MOUNT_FROM_FSTAB, IP_MOUNT, diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h index 63995b2be6a4..3f893920ab21 100644 --- a/usr.sbin/jail/jailp.h +++ b/usr.sbin/jail/jailp.h @@ -95,6 +95,7 @@ enum intparam { #endif IP_MOUNT, /* Mount points in fstab(5) form */ IP_MOUNT_DEVFS, /* Mount /dev under prison root */ + IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */ IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */