Date: Thu, 6 Feb 2025 16:09:54 GMT
Message-Id: <202502061609.516G9sGd059256@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Zhenlei Huang
Subject: git: 5b0a5d8c1ea3 - stable/13 - sysctl: Teach sysctl to attach and run itself in a jail
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: zlei
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 5b0a5d8c1ea33ae7afb56d6c452df7e90ed54e9e
Auto-Submitted: auto-generated

The branch stable/13 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=5b0a5d8c1ea33ae7afb56d6c452df7e90ed54e9e

commit 5b0a5d8c1ea33ae7afb56d6c452df7e90ed54e9e
Author:     Zhenlei Huang
AuthorDate: 2025-01-30 18:20:41 +0000
Commit:     Zhenlei Huang
CommitDate: 2025-02-06 16:08:53 +0000

    sysctl: Teach sysctl to attach and run itself in a jail

    This allows the parent jail to retrieve or set kernel state when the child
    does not have sysctl(8) installed (e.g. lightweight OCI containers or slim
    jails). This is especially useful when manipulating jail prison or vnet
    sysctls. For example, `sysctl -j foo -Ja` or `sysctl -j foo net.fibs=2`.

    Reviewed by:    dfr (previous version), markj
    MFC after:      1 week
    Relnotes:       yes
    Differential Revision:  https://reviews.freebsd.org/D48618

    (cherry picked from commit 08aa7128dea4d14811ae4a0225d7c678869cfe62)
    (cherry picked from commit 8d5d7e2ba3a685a9ebe7aa578c6b76adf8fe4c2e)
---
 sbin/sysctl/Makefile |  6 ++++++
 sbin/sysctl/sysctl.8 | 12 +++++++++++-
 sbin/sysctl/sysctl.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
 3 files changed, 61 insertions(+), 5 deletions(-)

diff --git a/sbin/sysctl/Makefile b/sbin/sysctl/Makefile
index b6783833ce41..807d3573d2c3 100644
--- a/sbin/sysctl/Makefile
+++ b/sbin/sysctl/Makefile
@@ -1,4 +1,5 @@ # @(#)Makefile 8.1 (Berkeley) 6/6/93 +.include PACKAGE=runtime CONFS= sysctl.conf @@ -6,4 +7,9 @@ PROG= sysctl WARNS?= 3 MAN= sysctl.8 +.if ${MK_JAIL} != "no" && !defined(RESCUE) +CFLAGS+= -DJAIL +LIBADD+= jail +.endif + .include diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8 index a7af56720361..34f22fda7b70 100644 --- a/sbin/sysctl/sysctl.8 +++ b/sbin/sysctl/sysctl.8 @@ -27,7 +27,7 @@ .\" .\" From: @(#)sysctl.8 8.1 (Berkeley) 6/6/93 .\" -.Dd January 23, 2025 +.Dd January 31, 2025 .Dt SYSCTL 8 .Os .Sh NAME @@ -35,12 +35,14 @@ .Nd get or set kernel state .Sh SYNOPSIS .Nm +.Op Fl j Ar jail .Op Fl bdehiJNnoqTtVWx .Op Fl B Ar bufsize .Op Fl f Ar filename .Ar name Ns Op = Ns Ar value Ns Op , Ns Ar value .Ar ... .Nm +.Op Fl j Ar jail .Op Fl bdehJNnoqTtVWx .Op Fl B Ar bufsize .Fl a @@ -99,6 +101,10 @@ Specify a file which contains a pair of name and value in each line. .Nm reads and processes the specified file first and then processes the name and value pairs in the command line argument. +Note that when the +.Fl j Ar jail +option is specified, the file will be opened before attaching to the jail and +then be processed inside the jail. .It Fl h Format output for human, rather than machine, readability. .It Fl i @@ -109,6 +115,10 @@ for collecting data from a variety of machines (not all of which are necessarily running exactly the same software) easier. .It Fl J Display only jail prision sysctl variables (CTLFLAG_PRISON). +.It Fl j Ar jail +Perform the actions inside the +.Ar jail +(by jail id or jail name). .It Fl N Show only variable names, not their values. This is particularly useful with shells that offer programmable diff --git a/sbin/sysctl/sysctl.c b/sbin/sysctl/sysctl.c index 41dcf3db9184..d12e30a537a3 100644 --- a/sbin/sysctl/sysctl.c +++ b/sbin/sysctl/sysctl.c @@ -34,6 +34,9 @@ #include #include #include +#ifdef JAIL +#include +#endif #include #include #include 
@@ -52,6 +55,9 @@ #include #include #include +#ifdef JAIL +#include +#endif #include #include #include @@ -60,12 +66,16 @@ #include #include +#ifdef JAIL +static const char *jailname; +#endif static const char *conffile; static int aflag, bflag, Bflag, dflag, eflag, hflag, iflag; static int Nflag, nflag, oflag, qflag, tflag, Tflag, Wflag, xflag; static bool Jflag, Vflag; +static void attach_jail(void); static int oidfmt(int *, int, char *, u_int *); static int parsefile(FILE *); static int parse(const char *, int); @@ -122,8 +132,8 @@ usage(void) { (void)fprintf(stderr, "%s\n%s\n", - "usage: sysctl [-bdehiJNnoqTtVWx] [ -B ] [-f filename] name[=value] ...", - " sysctl [-bdehJNnoqTtVWx] [ -B ] -a"); + "usage: sysctl [-j jail] [-bdehiJNnoqTtVWx] [ -B ] [-f filename] name[=value] ...", + " sysctl [-j jail] [-bdehJNnoqTtVWx] [ -B ] -a"); exit(1); } @@ -138,7 +148,7 @@ main(int argc, char **argv) setbuf(stdout,0); setbuf(stderr,0); - while ((ch = getopt(argc, argv, "AabB:def:hiJNnoqtTVwWxX")) != -1) { + while ((ch = getopt(argc, argv, "AabB:def:hiJj:NnoqtTVwWxX")) != -1) { switch (ch) { case 'A': /* compatibility */ @@ -171,6 +181,14 @@ main(int argc, char **argv) case 'J': Jflag = true; break; + case 'j': +#ifdef JAIL + if ((jailname = optarg) == NULL) + usage(); +#else + errx(1, "not built with jail support"); +#endif + break; case 'N': Nflag = 1; break; @@ -215,8 +233,10 @@ main(int argc, char **argv) if (Nflag && nflag) usage(); - if (aflag && argc == 0) + if (aflag && argc == 0) { + attach_jail(); exit(sysctl_all(NULL, 0)); + } if (argc == 0 && conffile == NULL) usage(); @@ -225,6 +245,9 @@ main(int argc, char **argv) file = fopen(conffile, "r"); if (file == NULL) err(EX_NOINPUT, "%s", conffile); + } + attach_jail(); + if (file != NULL) { warncount += parsefile(file); fclose(file); } 
@@ -235,6 +258,23 @@ main(int argc, char **argv) return (warncount); } +static void +attach_jail(void) +{ +#ifdef JAIL + int jid; + + if (jailname == NULL) + return; + + jid = jail_getid(jailname); + if (jid == -1) + errx(1, "jail not found"); + if (jail_attach(jid) != 0) + errx(1, "cannot attach to jail"); +#endif +} + /* * Parse a single numeric value, append it to 'newbuf', and update * 'newsize'. Returns true if the value was parsed and false if the
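Review bot: in the usage() and getopt() hunks of sysctl.c, the `-j jail` flag is advertised and parsed unconditionally, while the Makefile hunk only compiles the feature in when `${MK_JAIL} != "no"` and RESCUE is undefined; a rescue or WITHOUT_JAIL build therefore prints `[-j jail]` in its usage text and then fails with "not built with jail support". Consider wrapping the `[-j jail] ` part of the usage strings in `#ifdef JAIL` (or noting the build dependency in sysctl.8) so the help text matches the binary. In the `case 'j':` hunk, the `(jailname = optarg) == NULL` check cannot trigger, because getopt(3) always supplies optarg for an option declared as `j:`; a plain assignment is sufficient.

Review bot: the sysctl.8 hunk documenting `-j jail` should state that the option is privileged: jail_attach(2) fails for an unprivileged caller, so `sysctl -j foo ...` only works as the superuser or with equivalent privilege. It would also help to say that after attaching the process runs with the jail's root directory and namespace while output still goes to the caller's terminal, which is the reason the `-f` file is opened before attaching (as the new `-f` paragraph already explains). While here, the unchanged context line "Display only jail prision sysctl variables" carries a pre-existing typo ("prision") that could be fixed in the same commit.

Review bot: attach_jail() in the last sysctl.c hunk discards the reason for both failures. jail_getid(3) records a description in the libjail global `jail_errmsg` when it returns -1, and jail_attach(2) sets errno, so `errx(1, "jail not found")` and `errx(1, "cannot attach to jail")` could become `errx(1, "%s", jail_errmsg)` and `err(1, "cannot attach to jail")` respectively, letting the user distinguish a misspelled jail name from a permission problem at no extra cost. A one-line comment above the function noting that jail_attach() is irreversible for the process, so every sysctl name lookup and write after this point (including sysctl_all()) is resolved inside the jail, would document the intended security boundary for future readers.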