d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6dcfa92ee8
freebsd-skq/usr.sbin/jexec/jexec.c
Ruslan Ermilov f5212d31ce - Style: size_t can't be negative. 
- Don't exit with a zero status code when no jails are configured
  on a system.

- Style: simplify some code constructs.

- If a single jail cannot be found, let the caller print a nicer
  diagnostic message.

Reviewed by:	bz
MFC after:	3 days
2009-04-04 16:03:28 +00:00

291 lines
7.0 KiB
C
Raw Blame History

/*-
* Copyright (c) 2003 Mike Barcroft <mike@FreeBSD.org>
* Copyright (c) 2008 Bjoern A. Zeeb <bz@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/sysctl.h>
#include <netinet/in.h>
#include <err.h>
#include <errno.h>
#include <login_cap.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
static void usage(void);
#ifdef SUPPORT_OLD_XPRISON
static
char *lookup_xprison_v1(void *p, char *end, int *id)
{
struct xprison_v1 *xp;
if (id == NULL)
errx(1, "Internal error. Invalid ID pointer.");
if ((char *)p + sizeof(struct xprison_v1) > end)
errx(1, "Invalid length for jail");
xp = (struct xprison_v1 *)p;
*id = xp->pr_id;
return ((char *)(xp + 1));
}
#endif
static
char *lookup_xprison_v3(void *p, char *end, int *id, char *jailname)
{
struct xprison *xp;
char *q;
int ok;
if (id == NULL)
errx(1, "Internal error. Invalid ID pointer.");
if ((char *)p + sizeof(struct xprison) > end)
errx(1, "Invalid length for jail");
xp = (struct xprison *)p;
ok = 1;
/* Jail state and name. */
if (xp->pr_state < 0 || xp->pr_state >=
(int)((sizeof(prison_states) / sizeof(struct prison_state))))
errx(1, "Invalid jail state.");
else if (xp->pr_state != PRISON_STATE_ALIVE)
ok = 0;
if (jailname != NULL) {
if (xp->pr_name[0] == '\0')
ok = 0;
else if (strcmp(jailname, xp->pr_name) != 0)
ok = 0;
}
q = (char *)(xp + 1);
/* IPv4 addresses. */
q += (xp->pr_ip4s * sizeof(struct in_addr));
if ((char *)q > end)
errx(1, "Invalid length for jail");
/* IPv6 addresses. */
q += (xp->pr_ip6s * sizeof(struct in6_addr));
if ((char *)q > end)
errx(1, "Invalid length for jail");
if (ok)
*id = xp->pr_id;
return (q);
}
static int
lookup_jail(int jid, char *jailname)
{
size_t i, j, len;
void *p, *q;
int version, id, xid, count;
if (sysctlbyname("security.jail.list", NULL, &len, NULL, 0) == -1)
err(1, "sysctlbyname(): security.jail.list");
j = len;
for (i = 0; i < 4; i++) {
if (len == 0)
return (-1);
p = q = malloc(len);
if (p == NULL)
err(1, "malloc()");
if (sysctlbyname("security.jail.list", q, &len, NULL, 0) == -1) {
if (errno == ENOMEM) {
free(p);
p = NULL;
len += j;
continue;
}
err(1, "sysctlbyname(): security.jail.list");
}
break;
}
if (p == NULL)
err(1, "sysctlbyname(): security.jail.list");
if (len < sizeof(int))
errx(1, "This is no prison. Kernel and userland out of sync?");
version = *(int *)p;
if (version > XPRISON_VERSION)
errx(1, "Sci-Fi prison. Kernel/userland out of sync?");
count = 0;
xid = -1;
for (; q != NULL && (char *)q + sizeof(int) < (char *)p + len;) {
version = *(int *)q;
if (version > XPRISON_VERSION)
errx(1, "Sci-Fi prison. Kernel/userland out of sync?");
id = -1;
switch (version) {
#ifdef SUPPORT_OLD_XPRISON
case 1:
if (jailname != NULL)
errx(1, "Version 1 prisons did not "
"support jail names.");
q = lookup_xprison_v1(q, (char *)p + len, &id);
break;
case 2:
errx(1, "Version 2 was used by multi-IPv4 jail "
"implementations that never made it into the "
"official kernel.");
/* NOTREACHED */
break;
#endif
case 3:
q = lookup_xprison_v3(q, (char *)p + len, &id, jailname);
break;
default:
errx(1, "Prison unknown. Kernel/userland out of sync?");
/* NOTREACHED */
break;
}
/* Possible match; see if we have a jail ID to match as well. */
if (id > 0 && (jid <= 0 || id == jid)) {
xid = id;
count++;
}
}
free(p);
if (count == 1)
return (xid);
else if (count > 1)
errx(1, "Could not uniquely identify the jail.");
else
return (-1);
}
#define GET_USER_INFO do { \
pwd = getpwnam(username); \
if (pwd == NULL) { \
if (errno) \
err(1, "getpwnam: %s", username); \
else \
errx(1, "%s: no such user", username); \
} \
lcap = login_getpwclass(pwd); \
if (lcap == NULL) \
err(1, "getpwclass: %s", username); \
ngroups = NGROUPS; \
if (getgrouplist(username, pwd->pw_gid, groups, &ngroups) != 0) \
err(1, "getgrouplist: %s", username); \
} while (0)
int
main(int argc, char *argv[])
{
int jid;
login_cap_t *lcap = NULL;
struct passwd *pwd = NULL;
gid_t groups[NGROUPS];
int ch, ngroups, uflag, Uflag;
char *jailname, *username;
ch = uflag = Uflag = 0;
jailname = username = NULL;
jid = -1;
while ((ch = getopt(argc, argv, "i:n:u:U:")) != -1) {
switch (ch) {
case 'n':
jailname = optarg;
break;
case 'u':
username = optarg;
uflag = 1;
break;
case 'U':
username = optarg;
Uflag = 1;
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc < 2)
usage();
if (strlen(argv[0]) > 0) {
jid = (int)strtol(argv[0], NULL, 10);
if (errno)
err(1, "Unable to parse jail ID.");
}
if (jid <= 0 && jailname == NULL) {
fprintf(stderr, "Neither jail ID nor jail name given.\n");
usage();
}
if (uflag && Uflag)
usage();
if (uflag)
GET_USER_INFO;
jid = lookup_jail(jid, jailname);
if (jid <= 0)
errx(1, "Cannot identify jail.");
if (jail_attach(jid) == -1)
err(1, "jail_attach(): %d", jid);
if (chdir("/") == -1)
err(1, "chdir(): /");
if (username != NULL) {
if (Uflag)
GET_USER_INFO;
if (setgroups(ngroups, groups) != 0)
err(1, "setgroups");
if (setgid(pwd->pw_gid) != 0)
err(1, "setgid");
if (setusercontext(lcap, pwd, pwd->pw_uid,
LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
err(1, "setusercontext");
login_close(lcap);
}
if (execvp(argv[1], argv + 1) == -1)
err(1, "execvp(): %s", argv[1]);
exit(0);
}
static void
usage(void)
{
fprintf(stderr, "%s%s\n",
"usage: jexec [-u username | -U username]",
" [-n jailname] jid command ...");
exit(1);
}
Reference in New Issue View Git Blame Copy Permalink