Date: Wed, 10 Jun 2009 15:26:35 +0000 (UTC) From: Jamie Gritton <jamie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r193929 - head/usr.sbin/jail Message-ID: <200906101526.n5AFQZS4017808@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jamie Date: Wed Jun 10 15:26:35 2009 New Revision: 193929 URL: http://svn.freebsd.org/changeset/base/193929 Log: In the old-style jail command line, explicitly set parameters from the security.jail.* sysctls since jail_set(2) doesn't do it implicitly. Approved by: bz (mentor) Modified: head/usr.sbin/jail/jail.c Modified: head/usr.sbin/jail/jail.c ============================================================================== --- head/usr.sbin/jail/jail.c Wed Jun 10 14:52:34 2009 (r193928) +++ head/usr.sbin/jail/jail.c Wed Jun 10 15:26:35 2009 (r193929) @@ -76,6 +76,21 @@ static void quoted_print(FILE *fp, char static void set_param(const char *name, char *value); static void usage(void); +static const char *perm_sysctl[][3] = { + { "security.jail.set_hostname_allowed", + "allow.noset_hostname", "allow.set_hostname" }, + { "security.jail.sysvipc_allowed", + "allow.nosysvipc", "allow.sysvipc" }, + { "security.jail.allow_raw_sockets", + "allow.noraw_sockets", "allow.raw_sockets" }, + { "security.jail.chflags_allowed", + "allow.nochflags", "allow.chflags" }, + { "security.jail.mount_allowed", + "allow.nomount", "allow.mount" }, + { "security.jail.socket_unixiproute_only", + "allow.socket_af", "allow.nosocket_af" }, +}; + extern char **environ; #define GET_USER_INFO do { \ @@ -101,10 +116,12 @@ main(int argc, char **argv) struct iovec rparams[2]; struct passwd *pwd = NULL; gid_t groups[NGROUPS]; - int ch, cmdarg, i, jail_set_flags, jid, ngroups; + size_t sysvallen; + int ch, cmdarg, i, jail_set_flags, jid, ngroups, sysval; int hflag, iflag, Jflag, lflag, rflag, uflag, Uflag; + unsigned pi; char *ep, *jailname, *securelevel, *username, *JidFile; - char errmsg[ERRMSG_SIZE]; + char errmsg[ERRMSG_SIZE], enforce_statfs[4]; static char *cleanenv; const char *shell, *p = NULL; FILE *fp; @@ -236,6 +253,26 @@ main(int argc, char **argv) add_ip_addr(&ip4_addr, argv[2]); #endif cmdarg = 3; + /* Emulate the defaults from security.jail.* sysctls */ + sysvallen = sizeof(sysval); + if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen, + NULL, 0) == 0 && sysval == 0) { + for (pi = 0; pi < sizeof(perm_sysctl) / + sizeof(perm_sysctl[0]); pi++) { + sysvallen = sizeof(sysval); + if (sysctlbyname(perm_sysctl[pi][0], + &sysval, &sysvallen, NULL, 0) == 0) + set_param(perm_sysctl[pi] + [sysval ? 2 : 1], NULL); + } + sysvallen = sizeof(sysval); + if (sysctlbyname("security.jail.enforce_statfs", + &sysval, &sysvallen, NULL, 0) == 0) { + snprintf(enforce_statfs, + sizeof(enforce_statfs), "%d", sysval); + set_param("enforce_statfs", enforce_statfs); + } + } } if (ip4_addr != NULL) set_param("ip4.addr", ip4_addr);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200906101526.n5AFQZS4017808>