From fd4e8702103ee5f138e85a8824d40dd0f499475d Mon Sep 17 00:00:00 2001 From: mizhka Date: Thu, 12 Sep 2019 18:53:29 +0000 Subject: [PATCH] [jail] removal by jid doesn't trigger pre/post stop scripts This commit fixes bug: command "jail -r" didn't trigger pre/post stop commands (and others) defined in config file if jid is specified insted of name. Also it adds basic tests for usr.sbin/jail to avoid regression. Reviewed by: jamie, kevans, ray MFC after: 5 days Differential Revision: https://reviews.freebsd.org/D21328 --- etc/mtree/BSD.tests.dist | 2 + usr.sbin/jail/Makefile | 3 + usr.sbin/jail/state.c | 62 ++++++----- usr.sbin/jail/tests/Makefile | 9 ++ usr.sbin/jail/tests/commands.jail.conf | 7 ++ usr.sbin/jail/tests/jail_basic_test.sh | 136 +++++++++++++++++++++++++ 6 files changed, 196 insertions(+), 23 deletions(-) create mode 100644 usr.sbin/jail/tests/Makefile create mode 100644 usr.sbin/jail/tests/commands.jail.conf create mode 100755 usr.sbin/jail/tests/jail_basic_test.sh diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist index d0092241edae..d9f4897e026e 100644 --- a/etc/mtree/BSD.tests.dist +++ b/etc/mtree/BSD.tests.dist @@ -1082,6 +1082,8 @@ .. fstyp .. + jail + .. makefs .. mixer diff --git a/usr.sbin/jail/Makefile b/usr.sbin/jail/Makefile index 668733fc21fa..14266be83932 100644 --- a/usr.sbin/jail/Makefile +++ b/usr.sbin/jail/Makefile @@ -24,4 +24,7 @@ CFLAGS+= -DINET CLEANFILES= y.output +HAS_TESTS= +SUBDIR.${MK_TESTS}+= tests + .include diff --git a/usr.sbin/jail/state.c b/usr.sbin/jail/state.c index 0989c86b1739..2bb93d8054b2 100644 --- a/usr.sbin/jail/state.c +++ b/usr.sbin/jail/state.c @@ -44,7 +44,7 @@ static void dep_add(struct cfjail *from, struct cfjail *to, unsigned flags); static int cmp_jailptr(const void *a, const void *b); static int cmp_jailptr_name(const void *a, const void *b); static struct cfjail *find_jail(const char *name); -static int running_jid(const char *name, int flags); +static struct cfjail *running_jail(const char *name, int flags); static struct cfjail **jails_byname; static size_t njails; @@ -72,7 +72,7 @@ dep_setup(int docf) if ((j = TAILQ_FIRST(&cfjails)) && (p = j->intparams[IP_DEPEND])) { TAILQ_FOREACH(s, &p->val, tq) { - if (running_jid(s->s, 0) < 0) { + if (running_jail(s->s, 0) == NULL) { warnx("depends on nonexistent jail " "\"%s\"", s->s); j->flags |= JF_FAILED; @@ -369,11 +369,7 @@ start_state(const char *target, int docf, unsigned state, int running) j = find_jail(target); if (j == NULL && state == JF_STOP) { /* Allow -[rR] to specify a currently running jail. */ - if ((jid = running_jid(target, JAIL_DYING)) > 0) { - j = add_jail(); - j->name = estrdup(target); - j->jid = jid; - } + j = running_jail(target, JAIL_DYING); } if (j == NULL) { warnx("\"%s\" not found", target); @@ -446,6 +442,9 @@ static struct cfjail * find_jail(const char *name) { struct cfjail **jp; + + if (jails_byname == NULL) + return NULL; jp = bsearch(name, jails_byname, njails, sizeof(struct cfjail *), cmp_jailptr_name); @@ -453,26 +452,43 @@ find_jail(const char *name) } /* - * Return the named jail's jid if it is running, and -1 if it isn't. + * Return jail if it is running, and NULL if it isn't. */ -static int -running_jid(const char *name, int flags) +static struct cfjail * +running_jail(const char *name, int flags) { - struct iovec jiov[2]; + struct iovec jiov[4]; + struct cfjail *jail; char *ep; - int jid; - + char jailname[MAXHOSTNAMELEN]; + int jid, ret, len; + if ((jid = strtol(name, &ep, 10)) && !*ep) { - jiov[0].iov_base = __DECONST(char *, "jid"); - jiov[0].iov_len = sizeof("jid"); - jiov[1].iov_base = &jid; - jiov[1].iov_len = sizeof(jid); + memset(jailname,0,sizeof(jailname)); + len = sizeof(jailname); } else { - jiov[0].iov_base = __DECONST(char *, "name"); - jiov[0].iov_len = sizeof("name"); - jiov[1].iov_len = strlen(name) + 1; - jiov[1].iov_base = alloca(jiov[1].iov_len); - strcpy(jiov[1].iov_base, name); + strncpy(jailname, name,sizeof(jailname)); + len = strlen(name) + 1; + jid = 0; } - return jail_get(jiov, 2, flags); + + jiov[0].iov_base = __DECONST(char *, "jid"); + jiov[0].iov_len = sizeof("jid"); + jiov[1].iov_base = &jid; + jiov[1].iov_len = sizeof(jid); + jiov[2].iov_base = __DECONST(char *, "name"); + jiov[2].iov_len = sizeof("name"); + jiov[3].iov_base = &jailname; + jiov[3].iov_len = len; + + if ((ret = jail_get(jiov, 4, flags)) < 0) + return (NULL); + + if ((jail = find_jail(jailname)) == NULL) { + jail = add_jail(); + jail->name = estrdup(jailname); + jail->jid = ret; + } + + return (jail); } diff --git a/usr.sbin/jail/tests/Makefile b/usr.sbin/jail/tests/Makefile new file mode 100644 index 000000000000..24c0c6c05194 --- /dev/null +++ b/usr.sbin/jail/tests/Makefile @@ -0,0 +1,9 @@ +# $FreeBSD$ + +PACKAGE= tests + +ATF_TESTS_SH+= jail_basic_test + +${PACKAGE}FILES+= commands.jail.conf + +.include diff --git a/usr.sbin/jail/tests/commands.jail.conf b/usr.sbin/jail/tests/commands.jail.conf new file mode 100644 index 000000000000..8787af49eba0 --- /dev/null +++ b/usr.sbin/jail/tests/commands.jail.conf @@ -0,0 +1,7 @@ +# $FreeBSD$ + +exec.prestop = "echo STOP"; +exec.prestart = "echo START"; +persist; + +basejail {} diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh new file mode 100755 index 000000000000..f9d52cf8a780 --- /dev/null +++ b/usr.sbin/jail/tests/jail_basic_test.sh @@ -0,0 +1,136 @@ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2019 Michael Zhilin +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +# $FreeBSD$ + +atf_test_case "basic" "cleanup" +atf_test_case "nested" "cleanup" +atf_test_case "commands" "cleanup" + +basic_head() +{ + atf_set descr 'Basic jail test' + atf_set require.user root +} + +basic_body() +{ + # Create the jail + atf_check -s exit:0 -o ignore jail -c name=basejail persist ip4.addr=192.0.1.1 + # Check output of jls + atf_check -s exit:0 -o ignore jls + atf_check -s exit:0 -o ignore jls -v + atf_check -s exit:0 -o ignore jls -n + # Stop jail + atf_check -s exit:0 -o ignore jail -r basejail + jail -c name=basejail persist ip4.addr=192.0.1.1 + # Stop jail by jid + atf_check -s exit:0 -o ignore jail -r `jls -j basejail jid` + # Recreate + atf_check -s exit:0 -o ignore jail -cm name=basejail persist ip4.addr=192.0.1.1 + # Restart + atf_check -s exit:0 -o ignore jail -rc name=basejail persist ip4.addr=192.0.1.1 +} + +basic_cleanup() +{ + jail -r basejail +} + +nested_head() +{ + atf_set descr 'Hierarchical jails test' + atf_set require.user root +} + +nested_body() +{ + # Create the first jail + jail -c name=basejail persist ip4.addr=192.0.1.1 children.max=1 + atf_check -s exit:0 -o empty \ + jexec basejail \ + jail -c name=nestedjail persist ip4.addr=192.0.1.1 + + atf_check -s exit:1 -o empty -e inline:"jail: prison limit exceeded\n"\ + jexec basejail \ + jail -c name=secondnestedjail persist ip4.addr=192.0.1.1 + # Check output of jls + atf_check -s exit:0 -o ignore \ + jexec basejail jls + atf_check -s exit:0 -o ignore \ + jexec basejail jls -v + atf_check -s exit:0 -o ignore \ + jexec basejail jls -n + # Create jail with no child - children.max should be 0 by default + jail -c name=basejail_nochild persist ip4.addr=192.0.1.1 + atf_check -s exit:1 -o empty \ + -e inline:"jail: jail_set: Operation not permitted\n" \ + jexec basejail_nochild \ + jail -c name=nestedjail persist ip4.addr=192.0.1.1 +} + +nested_cleanup() +{ + jail -r nestedjail + jail -r basejail + jail -r basejail_nochild +} + +commands_header() +{ + atf_set descr 'Commands jail test' + atf_set require.user root +} + +commands_body() +{ + # exec.prestart + atf_check -s exit:0 -o inline:"START\n" \ + jail -f $(atf_get_srcdir)/commands.jail.conf -qc basejail + # exec.prestop by jailname + atf_check -s exit:0 -o inline:"STOP\n" \ + jail -f $(atf_get_srcdir)/commands.jail.conf -qr basejail + # exec.prestop by jid + jail -f $(atf_get_srcdir)/commands.jail.conf -qc basejail + atf_check -s exit:0 -o inline:"STOP\n" \ + jail -f $(atf_get_srcdir)/commands.jail.conf -qr `jls -j basejail jid` +} + +commands_cleanup() +{ + jls -j basejail > /dev/null 2>&1 + if [ $? -e 0 ] + then + jail -r basejail + fi +} + +atf_init_test_cases() +{ + atf_add_test_case "basic" + atf_add_test_case "nested" + atf_add_test_case "commands" +}