Commit Graph

256 Commits

Author SHA1 Message Date
Jamie Gritton
a8702c8383 typo
Submitted by:	Jimmy Olgeni
2016-05-01 16:48:03 +00:00
Pedro F. Giffuni
b5635ba0a2 usr.sbin: minor spelling fixes on comments.
No functional change.
2016-05-01 16:41:25 +00:00
Jamie Gritton
ab9604e1bb Clarify when happens when there is a "depend" parameter in jail.conf,
and how this affects the "jail_list" option in rc.conf.
2016-04-30 21:27:41 +00:00
Jamie Gritton
52a510ace9 Encapsulate SYSV IPC objects in jails. Define per-module parameters
sysvmsg, sysvsem, and sysvshm, with the following bahavior:

inherit: allow full access to the IPC primitives.  This is the same as
the current setup with allow.sysvipc is on.  Jails and the base system
can see (and moduly) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).

disable: all no access, same as the current setup with allow.sysvipc off.

new: A jail may see use the IPC objects that it has created.  It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value.  The parent jail (or base system) can
see the jail's IPC objects, but not its keys.

PR:		48471
Submitted by:	based on work by kikuchan98@gmail.com
MFC after:	5 days
2016-04-25 17:06:50 +00:00
Jamie Gritton
5d6cb09dfc Note the existence of module-specific jail paramters, starting with the
linux.* parameters when linux emulation is loaded.

MFC after:	5 days
2016-04-25 17:01:13 +00:00
Jamie Gritton
a99d821068 Make jail(8) interpret escape codes in fstab the same as getfsent(3).
PR:		208663
MFC after:	3 days
2016-04-25 03:24:48 +00:00
Glen Barber
52259a98ad MFH
Sponsored by:	The FreeBSD Foundation
2016-03-02 16:14:46 +00:00
Bryan Drewery
bd18fd57db DIRDEPS_BUILD: Regenerate without local dependencies.
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:20:11 +00:00
Glen Barber
0fe0fe112f MFH
Sponsored by:	The FreeBSD Foundation
2016-02-15 21:58:52 +00:00
Jamie Gritton
e94b881ba1 Remove man page references to rndassociates.com, which has been taken over
by a domain squatter.
2016-02-10 14:48:49 +00:00
Glen Barber
ed0d921874 Add a package for jail(8) and related utilities.
Sponsored by:	The FreeBSD Foundation
2016-01-20 17:07:13 +00:00
Jamie Gritton
5160b6a7e6 Don't bother checking an ip[46].addr netmask/prefixlen. This is already
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.

PR:		205926
MFC after:	5 days
2016-01-16 22:32:57 +00:00
Jamie Gritton
fcc43d065a Clear errno before calling getpw*. 2016-01-16 18:13:28 +00:00
Bryan Drewery
cf990407e1 Update dependencies after r291406 added libelf to libkvm.
Unfortunately filemon/meta mode tracks all indirect dependencies here
since ld(1) is reading libelf when linking in libkvm.  Churn would be
reduced if this was able to be limited to direct dependencies.

Sponsored by:	EMC / Isilon Storage Division
2015-12-01 05:18:48 +00:00
Eitan Adler
463a577b27 Fix a ton of speelling errors
arc lint is helpful

Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337
2015-10-21 05:37:09 +00:00
Dru Lavigne
7ec72d484f Fix transposed words in man page.
PR: 201752
Reviewed by: bcr
MFC after: 3 days
Sponsored by: Essen FreeBSD Hackathon
2015-07-25 11:10:49 +00:00
Marcelo Araujo
f19e47d691 Add support to the jail framework to be able to mount linsysfs(5) and
linprocfs(5).

Differential Revision:	D2846
Submitted by:		Nikolai Lifanov <lifanov@mail.lifanov.com>
Reviewed by:		jamie
2015-07-19 08:52:35 +00:00
Hiroki Sato
64bb8a3881 Implement PF_IMMUTABLE flag and apply it to "name" and "jid" in
jail.conf parameters.  This flag disallows redefinition of the parameter.

"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions.  However,
one could override them by using a variable with the same name like
$name = "foo".  This confused the parser and could end up with SIGSEGV.

Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf.  Specifically,
"jail -c name=j1 name=j2" no longer works.  This should be harmless.

PR:		196574
Reviewed by:	jamie
Differential Revision:	https://reviews.freebsd.org/D3017
2015-07-08 16:37:48 +00:00
Hiroki Sato
882efc9ac2 Fix offset calculation in variable substitution
in jail.conf.  The following did not work correctly:

 A="A_${B}_C_${D}"
 B="BBBBB"
 D="DDDD_${E}_FFFFF"
 E="EEEEE"

PR:		189139
Reviewed by:	jamie
Differential Revision:	https://reviews.freebsd.org/D3018
2015-07-08 00:51:53 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Joel Dahl
952364486a Fix minor mdoc issues. 2015-04-24 14:36:06 +00:00
Allan Jude
946ea17f0c Fix typo in jail(8) man page
PR:		198790
Differential Revision:	https://reviews.freebsd.org/D2111
Submitted by:	Jimmy Olgeni
Approved by:	wblock (mentor)
Sponsored by:	ScaleEngine Inc.
2015-03-22 20:38:28 +00:00
Ian Lepore
b96bd95b85 Allow the kern.osrelease and kern.osreldate sysctl values to be set in a
jail's creation parameters.  This allows the kernel version to be reliably
spoofed within the jail whether examined directly with sysctl or
indirectly with the uname -r and -K options.

The values can only be set at jail creation time, to eliminate the need
for any locking when accessing the values via sysctl.

The overridden values are inherited by nested jails (unless the config for
the nested jails also overrides the values).

There is no sanity or range checking, other than disallowing an empty
release string or a zero release date, by design.  The system
administrator is trusted to set sane values.  Setting values that are
newer than the actual running kernel will likely cause compatibility
problems.

Differential Revision:	https://reviews.freebsd.org/D1948
Relnotes:	yes
2015-02-27 16:28:55 +00:00
Jamie Gritton
07a7869fb2 Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.

Also fix a typo while I'm at it.

PR:		197237 197066
MFC after:	3 days
2015-02-06 17:54:53 +00:00
Jamie Gritton
464aad1407 Add allow.mount.fdescfs jail flag.
PR:		192951
Submitted by:	ruben@verweg.com
MFC after:	3 days
2015-01-28 21:08:09 +00:00
Joel Dahl
914f6e6290 mdoc: sort SEE ALSO. 2014-12-26 21:56:23 +00:00
Jamie Gritton
eb28afe422 Setgid before running a command as a specified user. Previously only
initgroups(3) was called, what isn't quite enough.  This brings jail(8)
in line with jexec(8), which was already doing the right thing.

PR:		195984
MFC after:	1 week
2014-12-18 18:10:39 +00:00
Jamie Gritton
d031802b05 In preparation for using clang's -Wcast-qual:
Use __DECONST (instead of my own attempted re-invention) for the iov
parameters to jail_get/set(2).  Similarly remove the decost-ish hack
from execvp's argv, except the __DECONST is only added at very end.

While I'm at it, remove an unused variable and fix a comment typo.
2014-11-25 21:01:08 +00:00
Baptiste Daroussin
c6db8143ed Convert usr.sbin to LIBADD
Reduce overlinking
2014-11-25 16:57:27 +00:00
Simon J. Gerraty
9268022b74 Merge from head@274682 2014-11-19 01:07:58 +00:00
Simon J. Gerraty
ee7b0571c2 Merge head from 7/28 2014-08-19 06:50:54 +00:00
Steven Hartland
b22b6abd34 Added support for extra ifconfig args to jail ip4.addr & ip6.addr params
This allows for CARP interfaces to be  used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"

Before this change using exec.prestart to configure a CARP address
would result in the wrong MAC being broadcast on startup as jail creates
IP aliases to support ip[4|6].addr before exec.prestart is executed.

PR:		191832
Reviewed by:	jamie
MFC after:	1 week
X-MFC-With:	r269340
Phabric:	D528
Sponsored by:	Multiplay
2014-08-04 16:32:08 +00:00
Gavin Atkinson
6bfc8b0112 The month's name shall not be abbreviated. 2014-07-11 22:38:05 +00:00
Gavin Atkinson
4b829b3ee0 Reword an awkward option description
PR:		191726
Reported by:	yaneurabeya gmail.com
MFC after:	3 days
2014-07-10 10:00:10 +00:00
Benjamin Kaduk
aaf40f14ee Bump .Dd, missed in r266206
Approved by:	hrs (mentor, implicit)
2014-05-17 02:53:10 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Benjamin Kaduk
06e36338ca Review pass through jail.8
Replace usage of "prison" with "jail", since that term has mostly dropped
out of use.  Note once at the beginning that the "prison" term is equivalent,
but do not use it otherwise. [1]

Some grammar issues.

Some mdoc formatting fixes.

Consistently use \(em for em dashes, with spaces around it.

Avoid contractions.

Prefer ssh to telnet.

PR:		docs/176832 [1]
Approved by:	hrs (mentor)
2014-05-16 01:50:04 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
cc3f4b9965 Merge from head 2014-05-08 23:54:15 +00:00
Warner Losh
c6063d0da8 Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
Simon J. Gerraty
3b8f084595 Merge head 2014-04-28 07:50:45 +00:00
Robert Watson
994e8550e6 Line-wrapping tweak: make the sample jail command line fit in 80 characters.
MFC after:	3 days
2014-03-17 14:19:42 +00:00
Niclas Zeising
d4f5f0007e Bump .Dd forgotten in r261832.
MFC after:	2 weeks
2014-02-13 13:11:34 +00:00
Niclas Zeising
22e9d10a7f Add commas (,) to the list in the SEE ALSO section, to match most other
manuals.

MFC after:	2 weeks
2014-02-13 12:53:57 +00:00
Niclas Zeising
a074a227fa Add cross references between rc.conf(5) and jail.conf(5).
MFC after:	2 weeks
2014-02-13 12:52:26 +00:00
Jamie Gritton
f15444cc97 Back out r261266 pending security buy-in.
r261266:
  Add a jail parameter, allow.kmem, which lets jailed processes access
  /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
  This in conjunction with changing the drm driver's permission check from
  PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
2014-01-31 17:39:51 +00:00
Jamie Gritton
109ca2d5f1 Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.

Submitted by:	netchild
MFC after:	1 week
2014-01-29 13:41:13 +00:00
Simon J. Gerraty
3caf0790a8 Merge head@256284 2013-10-13 02:35:19 +00:00