Date: Fri, 29 Aug 2025 23:06:58 GMT From: Jamie Gritton <jamie@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 72d01e62b082 - main - netgraph: teach ngctl to attach and run itself in a jail Message-ID: <202508292306.57TN6wnO087495@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by jamie: URL: https://cgit.FreeBSD.org/src/commit/?id=72d01e62b082de39ecf1ff3ced67dcf7259e5084 commit 72d01e62b082de39ecf1ff3ced67dcf7259e5084 Author: Jamie Gritton <jamie@FreeBSD.org> AuthorDate: 2025-08-29 23:02:14 +0000 Commit: Jamie Gritton <jamie@FreeBSD.org> CommitDate: 2025-08-29 23:02:14 +0000 netgraph: teach ngctl to attach and run itself in a jail Add -j <jail> flag to ngctl to allow ngctl to attach and run inside a jail. This allow parent to manipulate netgraph nodes in the jail even if ngctl is not available. Submitted by: David Marker <dave_freedave.net> Reviewed by: kevans, zlei, jamie Relnotes: yes Differential Revision: https://reviews.freebsd.org/D50241 --- usr.sbin/ngctl/Makefile | 5 +++++ usr.sbin/ngctl/main.c | 41 +++++++++++++++++++++++++++++++++++------ usr.sbin/ngctl/ngctl.8 | 25 +++++++++++++++++++++++-- 3 files changed, 63 insertions(+), 8 deletions(-) diff --git a/usr.sbin/ngctl/Makefile b/usr.sbin/ngctl/Makefile index 72a5ccaa96d7..997841272376 100644 --- a/usr.sbin/ngctl/Makefile +++ b/usr.sbin/ngctl/Makefile @@ -13,4 +13,9 @@ LIBADD= netgraph CFLAGS+= -DEDITLINE LIBADD+= edit pthread +.if ${MK_JAIL} != "no" +CFLAGS+= -DJAIL +LIBADD+= jail +.endif + .include <bsd.prog.mk> diff --git a/usr.sbin/ngctl/main.c b/usr.sbin/ngctl/main.c index 7c79e67d8275..b32e4f878b6e 100644 --- a/usr.sbin/ngctl/main.c +++ b/usr.sbin/ngctl/main.c @@ -55,6 +55,10 @@ #include <histedit.h> #include <pthread.h> #endif +#ifdef JAIL +#include <sys/jail.h> +#include <jail.h> +#endif #include <netgraph.h> @@ -137,16 +141,17 @@ int csock, dsock; int main(int ac, char *av[]) { - char name[NG_NODESIZ]; - int interactive = isatty(0) && isatty(1); - FILE *fp = NULL; - int ch, rtn = 0; + char name[NG_NODESIZ]; + int interactive = isatty(0) && isatty(1); + FILE *fp = NULL; + const char *jail_name = NULL; + int ch, rtn = 0; /* Set default node name */ snprintf(name, sizeof(name), "ngctl%d", getpid()); /* Parse command line */ - while ((ch = getopt(ac, av, "df:n:")) != -1) { + while ((ch = getopt(ac, av, "df:j:n:")) != -1) { switch (ch) { case 'd': NgSetDebug(NgSetDebug(-1) + 1); @@ -157,6 +162,13 @@ main(int ac, char *av[]) else if ((fp = fopen(optarg, "r")) == NULL) err(EX_NOINPUT, "%s", optarg); break; + case 'j': +#ifdef JAIL + jail_name = optarg; +#else + errx(EX_UNAVAILABLE, "not built with jail support"); +#endif + break; case 'n': snprintf(name, sizeof(name), "%s", optarg); break; @@ -169,6 +181,22 @@ main(int ac, char *av[]) ac -= optind; av += optind; + if (jail_name != NULL) { + int jid; + + if (jail_name[0] == '\0') + Usage("invalid jail name"); + + jid = jail_getid(jail_name); + + if (jid == -1) + errx((errno == EPERM) ? EX_NOPERM : EX_NOHOST, + "%s", jail_errmsg); + if (jail_attach(jid) != 0) + errx((errno == EPERM) ? EX_NOPERM : EX_OSERR, + "cannot attach to jail"); + } + /* Create a new socket node */ if (NgMkSockNode(name, &csock, &dsock) < 0) err(EX_OSERR, "can't create node"); @@ -657,6 +685,7 @@ Usage(const char *msg) if (msg) warnx("%s", msg); fprintf(stderr, - "usage: ngctl [-d] [-f file] [-n name] [command ...]\n"); + "usage: ngctl [-j jail] [-d] [-f filename] [-n nodename] " + "[command [argument ...]]\n"); exit(EX_USAGE); } diff --git a/usr.sbin/ngctl/ngctl.8 b/usr.sbin/ngctl/ngctl.8 index 2225c836674a..63b8f58ed3df 100644 --- a/usr.sbin/ngctl/ngctl.8 +++ b/usr.sbin/ngctl/ngctl.8 @@ -31,7 +31,7 @@ .\" OF SUCH DAMAGE. .\" $Whistle: ngctl.8,v 1.6 1999/01/20 03:19:44 archie Exp $ .\" -.Dd January 19, 1999 +.Dd August 29, 2025 .Dt NGCTL 8 .Os .Sh NAME @@ -39,9 +39,11 @@ .Nd netgraph control utility .Sh SYNOPSIS .Nm +.Op Fl j Ar jail .Op Fl d .Op Fl f Ar filename .Op Fl n Ar nodename +.Op Ar command Op Ns Ar argument ... .Op Ar command ... .Sh DESCRIPTION The @@ -73,12 +75,31 @@ form if the originating node supports conversion. .Pp The options are as follows: .Bl -tag -width indent -.It Fl f Ar nodeinfo +.It Fl f Ar filename Read commands from the named file. A single dash represents the standard input. Blank lines and lines starting with a .Dq # are ignored. +Note that when the +.Fl j Ar jail +option is specified, the file will be opened before attaching to the jail and +then be processed inside the jail. +.It Fl j Ar jail +Perform the actions inside the +.Ar jail . +.Pp +.Nm +will first attach to the +.Ar jail +(by jail id or jail name) before performing the effects. +.Pp +This allows netgraph nodes of +.Ar jail +to be created, modified, and destroyed even if the +.Nm +binary is not available in +.Ar jail . .It Fl n Ar nodename Assign .Em nodename
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202508292306.57TN6wnO087495>