Date: Sat, 12 Oct 2013 17:27:59 +0000 (UTC) From: Hiroki Sato <hrs@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r256385 - in head: etc/rc.d share/man/man5 usr.sbin/jail Message-ID: <201310121727.r9CHRxZc047714@svn.freebsd.org>
Author: hrs Date: Sat Oct 12 17:27:59 2013 New Revision: 256385 URL: http://svnweb.freebsd.org/changeset/base/256385 Log: - Add mount.fdescfs parameter to jail(8). This is similar to mount.devfs but mounts fdescfs. The mount happens just after mount.devfs. - rc.d/jail now displays whole error message from jail(8) when a jail fails to start. Approved by: re (gjb) Modified: head/etc/rc.d/jail head/share/man/man5/rc.conf.5 head/usr.sbin/jail/command.c head/usr.sbin/jail/config.c head/usr.sbin/jail/jail.8 head/usr.sbin/jail/jail.c head/usr.sbin/jail/jailp.h Modified: head/etc/rc.d/jail ============================================================================== --- head/etc/rc.d/jail Sat Oct 12 16:11:57 2013 (r256384) +++ head/etc/rc.d/jail Sat Oct 12 17:27:59 2013 (r256385) @@ -226,8 +226,7 @@ parse_options() eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} if checkyesno jail_${_j}_fdescfs_enable; then - echo " mount += " \ - "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";" + echo " mount.fdescfs;" fi eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}} if checkyesno jail_${_j}_procfs_enable; then @@ -438,7 +437,7 @@ jail_start() echo -n " ${_hostname:-${_jail}}" else echo " cannot start jail \"${_hostname:-${jail}}\": " - tail +2 $_tmp + cat $_tmp fi rm -f $_tmp done Modified: head/share/man/man5/rc.conf.5 ============================================================================== --- head/share/man/man5/rc.conf.5 Sat Oct 12 16:11:57 2013 (r256384) +++ head/share/man/man5/rc.conf.5 Sat Oct 12 17:27:59 2013 (r256385) @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 10, 2013 +.Dd October 12, 2013 .Dt RC.CONF 5 .Os .Sh NAME @@ -3992,9 +3992,7 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fstab .It Li mount set from -.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -or -.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable. +.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable . .It Li exec.fib set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fib 
@@ -4042,6 +4040,9 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset . This must be an integer, not a string. +.It Li mount.fdescfs +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable .It Li allow.set_hostname set from .Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow Modified: head/usr.sbin/jail/command.c ============================================================================== --- head/usr.sbin/jail/command.c Sat Oct 12 16:11:57 2013 (r256384) +++ head/usr.sbin/jail/command.c Sat Oct 12 17:27:59 2013 (r256385) @@ -106,7 +106,12 @@ next_command(struct cfjail *j) case IP_MOUNT_DEVFS: if (!bool_param(j->intparams[IP_MOUNT_DEVFS])) continue; - /* FALLTHROUGH */ + j->comstring = &dummystring; + break; + case IP_MOUNT_FDESCFS: + if (!bool_param(j->intparams[IP_MOUNT_FDESCFS])) + continue; + j->comstring = &dummystring; case IP__OP: case IP_STOP_TIMEOUT: j->comstring = &dummystring; @@ -452,6 +457,32 @@ run_command(struct cfjail *j) } break; + case IP_MOUNT_FDESCFS: + argv = alloca(7 * sizeof(char *)); + path = string_param(j->intparams[KP_PATH]); + if (path == NULL) { + jail_warnx(j, "mount.fdescfs: no path"); + return -1; + } + devpath = alloca(strlen(path) + 8); + sprintf(devpath, "%s/dev/fd", path); + if (check_path(j, "mount.fdescfs", devpath, 0, + down ? "fdescfs" : NULL) < 0) + return -1; + if (down) { + *(const char **)&argv[0] = "/sbin/umount"; + argv[1] = devpath; + argv[2] = NULL; + } else { + *(const char **)&argv[0] = _PATH_MOUNT; + *(const char **)&argv[1] = "-t"; + *(const char **)&argv[2] = "fdescfs"; + *(const char **)&argv[3] = "."; + argv[4] = devpath; + argv[5] = NULL; + } + break; + case IP_COMMAND: if (j->name != NULL) goto default_command; Modified: head/usr.sbin/jail/config.c ============================================================================== --- head/usr.sbin/jail/config.c Sat Oct 12 16:11:57 2013 (r256384) +++ head/usr.sbin/jail/config.c Sat Oct 12 17:27:59 2013 (r256385) 
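Review bot: The new `case IP_MOUNT_FDESCFS:` in next_command assigns `j->comstring = &dummystring;` and then runs into `case IP__OP:` with neither a `break` nor a fallthrough marker, while the hunk removes the one `/* FALLTHROUGH */` comment that previously documented this path; the IP_MOUNT_DEVFS arm just above now ends with `break;`, so the two arms read inconsistently. The result is harmless (IP__OP assigns the same value again) but will trip -Wimplicit-fallthrough and a reader cannot tell whether the fall-through is intended. Either finish the arm with `break;` like IP_MOUNT_DEVFS, or drop the duplicate assignment and keep `/* FALLTHROUGH */` so the shared assignment in IP__OP does the work. The switch in next_command continues outside the hunk.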
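Review bot: In the new IP_MOUNT_FDESCFS arm of run_command the buffer size `alloca(strlen(path) + 8)` and the unbounded `sprintf(devpath, "%s/dev/fd", path)` are correct only because 8 happens to equal `sizeof("/dev/fd")`; nothing ties the constant to the format string, so a later edit to either silently reopens an overflow. Computing the length once into a `size_t` local, e.g. `len = strlen(path) + sizeof("/dev/fd");`, then `devpath = alloca(len);` and `snprintf(devpath, len, "%s/dev/fd", path);`, keeps the bound self-documenting. The `alloca(7 * sizeof(char *))` for argv also reserves one slot more than the six the mount branch fills, which looks copied from the devfs case rather than sized for this one. The enclosing function runs past both ends of the hunk.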
@@ -83,6 +83,7 @@ static const struct ipspec intparams[] = #endif [IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV}, [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL}, + [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL}, [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sat Oct 12 16:11:57 2013 (r256384) +++ head/usr.sbin/jail/jail.8 Sat Oct 12 17:27:59 2013 (r256385) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 23, 2013 +.Dd October 12, 2013 .Dt JAIL 8 .Os .Sh NAME @@ -682,7 +682,7 @@ to. An alias for each address will be added to the interface before the prison is created, and will be removed from the interface after the prison is removed. -.It Op Va ip4.addr +.It Va ip4.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a netmask may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask . @@ -691,7 +691,7 @@ will be added to that interface, as it i .Va interface parameter. If a netmask in either dotted-quad or CIDR form is given after IP address, it will be used when adding the IP alias. -.It Op Va ip6.addr +.It Va ip6.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a prefix may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix . 
@@ -722,11 +722,19 @@ An format file containing filesystems to mount before creating a jail. .It Va mount.devfs Mount a -.Xr devfs -filesystem on the chrooted /dev directory, and apply the ruleset in the +.Xr devfs 5 +filesystem on the chrooted +.Pa /dev +directory, and apply the ruleset in the .Va devfs_ruleset parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the prison. +.It Va mount.fdescfs +Mount a +.Xr fdescfs 5 +filesystem on the chrooted +.Pa /dev/fd +directory. .It Va allow.dying Allow making changes to a .Va dying @@ -1165,6 +1173,8 @@ environment of the first jail. .Xr ps 1 , .Xr quota 1 , .Xr jail_set 2 , +.Xr devfs 5 , +.Xr fdescfs 5 , .Xr jail.conf 5 , .Xr procfs 5 , .Xr rc.conf 5 , Modified: head/usr.sbin/jail/jail.c ============================================================================== --- head/usr.sbin/jail/jail.c Sat Oct 12 16:11:57 2013 (r256384) +++ head/usr.sbin/jail/jail.c Sat Oct 12 17:27:59 2013 (r256385) @@ -92,6 +92,7 @@ static const enum intparam startcommands IP_MOUNT, IP__MOUNT_FROM_FSTAB, IP_MOUNT_DEVFS, + IP_MOUNT_FDESCFS, IP_EXEC_PRESTART, IP__OP, IP_VNET_INTERFACE, @@ -108,6 +109,7 @@ static const enum intparam stopcommands[ IP_STOP_TIMEOUT, IP__OP, IP_EXEC_POSTSTOP, + IP_MOUNT_FDESCFS, IP_MOUNT_DEVFS, IP__MOUNT_FROM_FSTAB, IP_MOUNT, Modified: head/usr.sbin/jail/jailp.h ============================================================================== --- head/usr.sbin/jail/jailp.h Sat Oct 12 16:11:57 2013 (r256384) +++ head/usr.sbin/jail/jailp.h Sat Oct 12 17:27:59 2013 (r256385) @@ -95,6 +95,7 @@ enum intparam { #endif IP_MOUNT, /* Mount points in fstab(5) form */ IP_MOUNT_DEVFS, /* Mount /dev under prison root */ + IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */ IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */