Date:      Mon, 16 May 2022 10:25:00 +0200
From:      Alexander Leidinger <Alexander@leidinger.net>
To:        FreeBSD User <freebsd@walstatt-de.de>
Cc:        security@freebsd.org, jail@freebsd.org
Subject:   Re: Auto-jailing of services - 2nd implementation
Message-ID:  <20220516102500.Horde.Jmefw9B2HNSietK_UGUuNbn@webmail.leidinger.net>
In-Reply-To: <20220515124900.44aac19b@hermann>
References:  <20220403214842.Horde.vlwSVh0KOZ6sL7aDfgA9KKL@webmail.leidinger.net> <20220515124900.44aac19b@hermann>


Quoting FreeBSD User <freebsd@walstatt-de.de> (from Sun, 15 May 2022
12:49:06 +0200):

> On Sun, 03 Apr 2022 21:48:42 +0200
> Alexander Leidinger <Alexander@leidinger.net> wrote:
>
>> Hi,
>>
>> attached is a new implementation of service jails (auto-jailing of
>> services). This one now supports rc command prefixes (e.g. onestart)
>> and I tested it in nested jails. The benefit of auto-jailing services
>> is, that you can apply some restrictions to services (and what other
>> processes it may see). If your service requires access to network but
>> not sysvipc, and it doesn't run as root, it can be limited to network
>> access with or without raw sockets, filesystem-permitted files, and
>> doesn't see other processes on the system.
>>
>> For a few services I have added the required "svcj-config" in the
>> start scripts (e.g. network access for syslog by setting
>> syslogd_svj_options=net_basic).
>>
>> Possible svcj config options for service jails:
>> +				netv4)
>> +					_svcj_cmd_options=3D"ip4=3Dinherit
>> allow.reserved_ports ${_svcj_cmd_options}"
>> +					;;
>> +				netv6)
>> +					_svcj_cmd_options=3D"ip6=3Dinherit
>> allow.reserved_ports ${_svcj_cmd_options}"
>> +					;;
>> +				net_basic)
>> +					_svcj_cmd_options=3D"ip4=3Dinherit ip6=3Dinherit
>> allow.reserved_ports ${_svcj_cmd_options}"
>> +					;;
>> +				net_raw)
>> +					_svcj_cmd_options=3D"allow.raw_sockets
>> ${_svcj_cmd_options}"
>> +					;;
>> +				net_all)
>> +					_svcj_cmd_options=3D"allow.socket_af
>> allow.raw_sockets allow.reserved_ports ip4=3Dinherit ip6=3Dinherit=20=20
>>=20${_svcj_cmd_options}"
>> +					;;
>> +				sysvipc)
>> +					_svcj_cmd_options=3D"sysvmsg=3Dinherit
>> sysvsem=3Dinherit sysvshm=3Dinherit  ${_svcj_cmd_options}"
>> +					;;
>> +				mlock)
>> +					_svcj_cmd_options=3D"allow.mlock
>> ${_svcj_cmd_options}"
>> +					;;
>> +				vmm)
>> +					_svcj_cmd_options=3D"allow.vmm
>> ${_svcj_cmd_options}"
>>
>> By setting syslogd_svcj="YES" in rc.conf your syslogd will be started
>> in a jail which inherits the full filesystem and the ipv4 and ipv6
>> addresses of the parent.
>>
>> It would be nice if interested people could experiment a little bit
>> with this, e.g. adding name_svcj_options="X Y" from above and
>> name_svcj="YES" into rc.conf and see if it works. Note, doing that for
>> sshd doesn't make sense in the generic case, it wouldn't see your
>> jails. It may make sense for services.
>>
>> Any kind of feedback and tested name_svcj_options submissions welcome...
>>
>> Bye,
>> Alexander.
>>
>
> Hello Alexander Leidinger,
>
> is this really interesting feature already part of recent CURRENT rc
> subsystem or do I

No.

> have to "patch" CURRENT with the rc script provided by some place
> first to obtain the
> functionality you are talking here about?

The patch was supposed to be attached to the mail you quoted. A more
recent patch (now with docu in the rc.conf man page) is attached to
this email (rc.subr + service command + man pages + a few services ->
"grep diff svcjails.diff" for the list of OS services which can be
enabled without research about the svcj_options). At least
/etc/rc.subr and /usr/sbin/service need to be patched (or alternatively
a buildworld+installworld).

> Thanks in advance and kind regards
>
> O. Hartmann
>
> p.s. would it be possible to put a service with a dedicated network
> interfacing (say,
> jailed vnet/vlan, for instance an asterisk service running on a small
> router appliance, as
> we do in our projects?).

This will use the networking of the host. This is really automatic
stuff, no additional network interface (everything the host sees is
also available in the service jail), no dedicated directory/filesystem
area (as if it runs unjailed). All is used from the host. The
additional security this provides is the limit of what the process is
allowed to do in the kernel and the namespace isolation. So you could
prevent sysvipc access. You could restrict it to ipv6 even if ipv4 is
configured. You wouldn't see processes outside of the service jail
even if running as root. If you want more advanced things, you need to
create a jail on your own. Parts of what service jails do could be
done with capabilities (sometimes even with more restrictions), but
this needs support inside the application for capabilities, whereas
service jails do not need changes to the application itself.

If you want to put asterisk into one of my service jails, you would
have to set the following in rc.conf:
   asterisk_enable="YES"
   asterisk_svcj_options="<see the rc.conf man page for the options in
the SERVICE JAILS part>"
   asterisk_svcj="YES"
The asterisk_svcj_options part is supposed to be included in the rc
script of asterisk (if/once this is committed to FreeBSD), but can be
specified in rc.conf to override it if needed (or to test things). For
asterisk I would assume at least asterisk_svcj_options="net_basic".

There's also a svcj_all_enable variable, but as long as not all
services have a correct setting of their svcj_options, this will not
do what you mean.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

Attachment: svcjails.diff (Content-Type: text/diff; size=16780)

diff --git a/libexec/rc/rc.d/auditdistd b/libexec/rc/rc.d/auditdistd
index 13cb5d5b69d..3218bd35755 100755
--- a/libexec/rc/rc.d/auditdistd
+++ b/libexec/rc/rc.d/auditdistd
@@ -19,4 +19,7 @@ required_files=3D"/etc/security/${name}.conf"
 extra_commands=3D"reload"
=20
=20load_rc_config $name
+
+: ${auditdistd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ftpd b/libexec/rc/rc.d/ftpd
index dc623ea5943..a04c7ce5ee2 100755
--- a/libexec/rc/rc.d/ftpd
+++ b/libexec/rc/rc.d/ftpd
@@ -23,4 +23,7 @@ ftpd_prestart()
 }
=20
=20load_rc_config $name
+
+: ${ftpd_svcj_options:=3D"net_all"}
+
 run_rc_command "$1"
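Review bot: ftpd is given net_all here, which (per the rc.subr translation and the rc.conf(5) text in this patch) also grants allow.raw_sockets and allow.socket_af, while the neighbouring daemons get net_basic. If ftpd only needs the inherited addresses and reserved ports, net_basic is the least-privilege choice; otherwise a comment naming the extra socket family or raw-socket use that justifies net_all would help later reviewers.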
diff --git a/libexec/rc/rc.d/inetd b/libexec/rc/rc.d/inetd
index aa8ac20aeae..8cf7be5d91e 100755
--- a/libexec/rc/rc.d/inetd
+++ b/libexec/rc/rc.d/inetd
@@ -18,4 +18,7 @@ required_files=3D"/etc/${name}.conf"
 extra_commands=3D"reload"
=20
=20load_rc_config $name
+
+: ${inetd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/kadmind b/libexec/rc/rc.d/kadmind
index 773b2d0e499..1bdd420e415 100755
--- a/libexec/rc/rc.d/kadmind
+++ b/libexec/rc/rc.d/kadmind
@@ -26,4 +26,7 @@ kadmind_start_precmd()
 }
=20
=20load_rc_config $name
+
+: ${kadmind_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/kdc b/libexec/rc/rc.d/kdc
index c2747ae08ca..11205d6e092 100755
--- a/libexec/rc/rc.d/kdc
+++ b/libexec/rc/rc.d/kdc
@@ -26,4 +26,7 @@ kdc_start_precmd()
 }
=20
=20load_rc_config $name
+
+: ${kdc_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/kpasswdd b/libexec/rc/rc.d/kpasswdd
index a2875bf1515..af7b7a6b9aa 100755
--- a/libexec/rc/rc.d/kpasswdd
+++ b/libexec/rc/rc.d/kpasswdd
@@ -26,4 +26,7 @@ kpasswdd_start_precmd()
 }
=20
=20load_rc_config $name
+
+: ${kapsswd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
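Review bot: variable name typo in the added default: `kapsswd_svcj_options` should be `kpasswdd_svcj_options` (the script's $name is kpasswdd). As written, run_rc_command reads an empty ${name}_svcj_options and the service jail is created without any network permission.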
diff --git a/libexec/rc/rc.d/local_unbound b/libexec/rc/rc.d/local_unbound
index 19cb9a6c5c0..7436034495f 100755
--- a/libexec/rc/rc.d/local_unbound
+++ b/libexec/rc/rc.d/local_unbound
@@ -34,6 +34,7 @@ load_rc_config $name
 : ${local_unbound_anchor:=3D${local_unbound_workdir}/root.key}
 : ${local_unbound_forwarders:=3D}
 : ${local_unbound_tls:=3D}
+: ${local_unbound_svcj_options:=3D"net_basic"}
=20
=20do_as_unbound()
 {
diff --git a/libexec/rc/rc.d/lpd b/libexec/rc/rc.d/lpd
index fc8180cb221..725adda9072 100755
--- a/libexec/rc/rc.d/lpd
+++ b/libexec/rc/rc.d/lpd
@@ -25,4 +25,7 @@ chkprintcap()
 }
=20
=20load_rc_config $name
+
+: ${lpd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/sshd b/libexec/rc/rc.d/sshd
index 282f69f8e4c..9c3b5762579 100755
--- a/libexec/rc/rc.d/sshd
+++ b/libexec/rc/rc.d/sshd
@@ -81,4 +81,11 @@ sshd_precmd()
 }
=20
=20load_rc_config $name
+
+# sshd in a jail would not see other jails. As such exclude it from
+# svcj_all_enable=3D"YES" by setting sshd_svcj to NO. This allows to
+# enable it in rc.conf.
+: ${sshd_svcj:=3D"NO"}
+: ${sshd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/syslogd b/libexec/rc/rc.d/syslogd
index 2351c086212..95d2b156b88 100755
--- a/libexec/rc/rc.d/syslogd
+++ b/libexec/rc/rc.d/syslogd
@@ -71,4 +71,7 @@ set_socketlist()
 	echo $_socketargs
 }
 load_rc_config $name
+
+: ${syslogd_svcj_options:=3D"net_basic"}
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index dc4f49612c2..356fb0fea61 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -51,6 +51,9 @@ PROTECT=3D"/usr/bin/protect"
 ID=3D"/usr/bin/id"
 IDCMD=3D"if [ -x $ID ]; then $ID -un; fi"
 PS=3D"/bin/ps -ww"
+SERVICE=3D/usr/sbin/service
+JAIL_CMD=3D/usr/sbin/jail
+_svcj_generic_params=3D"path=3D/ mount.nodevfs host=3Dinherit"
 JID=3D0
 # rc_service provides the path to the service script that we are executing=
.
 # This is not being set here in an execution context, necessarily, so it's
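Review bot: `_svcj_generic_params="path=/ mount.nodevfs host=inherit"` roots the jail at the host's / with no devfs ruleset, so a jailed service sees the host's /dev subject only to file permissions; that is worth spelling out in the rc.conf(5) SERVICE JAILS text, since readers may expect the usual devfs restriction of a jail. Style: SERVICE and JAIL_CMD are defined as variables here, but _find_processes below calls /usr/sbin/jls inline; a JLS variable next to these keeps the convention consistent.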
@@ -368,6 +371,16 @@ _find_processes()
 		    $_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_proc=
namebn}]")'
 	fi
=20
+=09if checkyesno ${name}_svcj; then
+		JID=3D$(/usr/sbin/jls -j svcj-${name} jid)
+
+		case ${JID} in
+		''|*[!0-9]*)
+			# svj-jail doesn't exist, fallback to host-check
+			JID=3D0
+			;;
+		esac
+	fi
 	_proccheck=3D"\
 		$PS 2>/dev/null -o pid=3D -o jid=3D -o command=3D $_psargs"' |
 		while read _npid _jid '"$_fp_args"'; do
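Review bot: `JID=$(/usr/sbin/jls -j svcj-${name} jid)` lets jls print its "not found" message on stderr every time the status of a stopped svcj service is checked; add `2>/dev/null`, since the non-numeric case below already handles the missing jail. Minor: the comment says "svj-jail", the jail is named svcj-${name}.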
@@ -959,6 +972,18 @@ run_rc_command()
 	_pidcmd=3D
 	_procname=3D${procname:-${command}}
=20
+=09# If a specifc jail has a specific svcj request, honor it (YES/NO).
+	# If not (variable empty), evaluate the global svcj catch-call.
+	# A global YES can be overriden by a specific NO, and a global NO is over=
riden
+	# by a specific YES.
+	eval _svcj=3D\$${name}_svcj
+	if [ -z "$_svcj" ]; then
+		_svcj=3D${svcj_all_enable}
+		if [ -z "$_svcj" ]; then
+			eval ${name}_svcj=3DNO
+		fi
+	fi
+
 					# setup pid check command
 	if [ -n "$_procname" ]; then
 		if [ -n "$pidfile" ]; then
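Review bot: the svcj_all_enable fallback does not do what the comment says. When ${name}_svcj is empty and svcj_all_enable is YES, _svcj becomes YES but ${name}_svcj is never assigned, so every later `checkyesno ${name}_svcj` sees an empty variable, warns that it is not set properly, and treats it as NO. Suggest `eval ${name}_svcj=\${svcj_all_enable:-NO}` in the empty branch. Comment spelling: "specifc", "catch-call" (catch-all), "overriden".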
@@ -994,7 +1019,7 @@ run_rc_command()
 	    _fib=3D\$${name}_fib		_env=3D\$${name}_env \
 	    _prepend=3D\$${name}_prepend	_login_class=3D\${${name}_login_class:-d=
aemon} \
 	    _limits=3D\$${name}_limits    _oomprotect=3D\$${name}_oomprotect \
-	    _env_file=3D\$${name}_env_file
+	    _env_file=3D\$${name}_env_file _svcj_options=3D\$${name}_svcj_options
=20
=20	if [ -n "$_env_file" ] && [ -r "${_env_file}" ]; then	# load env from f=
ile
 		set -a
@@ -1008,6 +1033,42 @@ run_rc_command()
 		fi
 	fi
=20
+=09if [ -n "$_svcj_options" ]; then	# translate service jail options
+		_svcj_cmd_options=3D""
+
+		for _svcj_option in $_svcj_options; do
+			case "$_svcj_option" in
+				netv4)
+					_svcj_cmd_options=3D"ip4=3Dinherit allow.reserved_ports ${_svcj_cmd_o=
ptions}"
+					;;
+				netv6)
+					_svcj_cmd_options=3D"ip6=3Dinherit allow.reserved_ports ${_svcj_cmd_o=
ptions}"
+					;;
+				net_basic)
+					_svcj_cmd_options=3D"ip4=3Dinherit ip6=3Dinherit allow.reserved_ports=
 ${_svcj_cmd_options}"
+					;;
+				net_raw)
+					_svcj_cmd_options=3D"allow.raw_sockets ${_svcj_cmd_options}"
+					;;
+				net_all)
+					_svcj_cmd_options=3D"allow.socket_af allow.raw_sockets allow.reserved=
_ports ip4=3Dinherit ip6=3Dinherit ${_svcj_cmd_options}"
+					;;
+				sysvipc)
+					_svcj_cmd_options=3D"sysvmsg=3Dinherit sysvsem=3Dinherit sysvshm=3Din=
herit  ${_svcj_cmd_options}"
+					;;
+				mlock)
+					_svcj_cmd_options=3D"allow.mlock ${_svcj_cmd_options}"
+					;;
+				vmm)
+					_svcj_cmd_options=3D"allow.vmm ${_svcj_cmd_options}"
+					;;
+				*)
+					echo ${name}: unknown service jail option: $_svcj_option
+					;;
+			esac
+		done
+	fi
+
 	[ -z "$autoboot" ] && eval $_pidcmd	# determine the pid if necessary
=20
=20	for _elem in $_keywords; do
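Review bot: an unknown option only echoes a message to stdout and continues, so a typo in ${name}_svcj_options silently produces a jail without the intended permission and the service then fails for no visible reason; use `warn` and either `return 1` or fall back to the most restrictive set. The loop also never rejects netv4 together with netv6, which the rc.conf(5) text in this patch says cannot be combined, and it runs even when ${name}_svcj is NO.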
@@ -1053,9 +1114,50 @@ run_rc_command()
 			if [ -n "$_env" ]; then
 				eval "export -- $_env"
 			fi
-			_run_rc_precmd || return 1
-			_run_rc_doit "$_cmd $rc_extra_args" || return 1
-			_run_rc_postcmd
+
+			if [ "${_rc_svcj}" !=3D jailing ]; then
+				_run_rc_precmd || return 1
+			fi
+			if ! checkyesno ${name}_svcj; then
+				_run_rc_doit "$_cmd $rc_extra_args" || return 1
+			else
+				case "$rc_arg" in
+				start)
+					if [ "${_rc_svcj}" !=3D jailing ]; then
+						_return=3D1
+						$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \
+						    exec.start=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pre=
fix}start $rc_extra_args" \
+						    exec.stop=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pref=
ix}stop $rc_extra_args" \
+						    exec.consolelog=3D"/var/log/svcj_${name}_console.log" \
+						    name=3Dsvcj-${name} && _return=3D0
+					else
+						_run_rc_doit "$_cmd $rc_extra_args" || _return=3D1
+					fi
+					;;
+				stop)
+					if [ "${_rc_svcj}" !=3D jailing ]; then
+						$SERVICE -E _rc_svcj=3Djailing -j svcj-${name} ${name} ${_rc_prefix}=
stop $rc_extra_args || _return=3D1
+						$JAIL_CMD -r svcj-${name} 2>/dev/null
+					else
+						_run_rc_doit "$_cmd $rc_extra_args" || _return=3D1
+					fi
+					;;
+				restart|status) ;; # no special case needed for svcj or handled somewh=
ere else
+				*)
+if checkyesno ${name}_svcj; then
+echo XXX: check if \"$rc_arg\" needs to be executed in the jail or outside
+fi
+#					if [ "${_rc_svcj}" !=3D jailing ]; then
+#						$SERVICE -j svcj-${name} ${name} ${_rc_prefix}${rc_arg} $rc_extra_a=
rgs || _return=3D1
+#					else
+						_run_rc_doit "$_cmd $rc_extra_args" || _return=3D1
+#					fi
+					;;
+				esac
+			fi
+			if [ "${_rc_svcj}" !=3D jailing ];=20then
+				_run_rc_postcmd
+			fi
 			return $_return
 		fi
=20
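Review bot: the `*)` branch still carries debugging leftovers: an unindented `if checkyesno ${name}_svcj; then echo XXX: check if ...` that prints to stdout for every command other than start/stop/restart/status of an svcj service, plus a commented-out `$SERVICE -j svcj-${name} ...` block. Decide whether extra commands (reload etc.) run inside the jail or on the host before this is committed, and drop the commented code.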
@@=20-1113,9 +1215,21 @@ run_rc_command()
 				return 1
 			fi
=20
-=09		if ! _run_rc_precmd; then
-				warn "failed precmd routine for ${name}"
-				return 1
+			if [ "${_rc_svcj}" !=3D jailing ]; then
+				if ! _run_rc_precmd; then
+					warn "failed precmd routine for ${name}"
+					return 1
+				fi
+			fi
+
+			if checkyesno ${name}_svcj; then
+				if [ "${_rc_svcj}" !=3D jailing ]; then
+					$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\
+					    exec.start=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pref=
ix}start $rc_extra_args" \
+					    exec.stop=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_prefi=
x}stop $rc_extra_args" \
+					    exec.consolelog=3D"/var/log/svcj_${name}_console.log" \
+					    name=3Dsvcj-${name} || return 1
+				fi
 			fi
=20
=20					# setup the full command to run
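Review bot: `$_svcj_cmd_options\` lacks a space before the continuation backslash; it only works because the next line's indentation separates the tokens, so write `$_svcj_cmd_options \` as in the other jail invocation. Also, the `|| return 1` here is silent, whereas the non-jailed start path warns "failed to start ${name}"; a `warn` before returning keeps the two paths consistent.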
@@ -1152,16 +1266,28 @@ $command $rc_flags $command_args"
 					# Prepend default limits
 			_doit=3D"$_cd limits -C $_login_class $_limits $_doit"
=20
+
+=09		local _really_run_it=3Dtrue
+			if checkyesno ${name}_svcj; then
+				if [ "${_rc_svcj}" !=3D jailing ]; then
+					_really_run_it=3Dfalse
+				fi
+			fi
+
+			if [ "$_really_run_it" =3D true ]; then
 					# run the full command
 					#
-			if ! _run_rc_doit "$_doit"; then
-				warn "failed to start ${name}"
-				return 1
+				if ! _run_rc_doit "$_doit"; then
+					warn "failed to start ${name}"
+					return 1
+				fi
 			fi
=20
+=09		if [ "${_rc_svcj}" !=3D jailing ]; then
 					# finally, run postcmd
 					#
-			_run_rc_postcmd
+				_run_rc_postcmd
+			fi
 			;;
=20
=20		stop)
@@ -1183,6 +1309,11 @@ $command $rc_flags $command_args"
 					# and run postcmd.
 			wait_for_pids $rc_pid
=20
+=09		if checkyesno ${name}_svcj; then
+				# remove service jail
+				$JAIL_CMD -r svcj-${name} 2>/dev/null
+			fi
+
 			_run_rc_postcmd
 			;;
=20
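Review bot: `$JAIL_CMD -r svcj-${name}` runs unconditionally, but the exec.stop hook re-enters this script with `service -E _rc_svcj=jailing ${name} stop`, so this generic stop path can also execute inside the jail, where removing the enclosing jail fails and the error is hidden by `2>/dev/null`. Guard it with `[ "${_rc_svcj}" != jailing ]` as the other svcj branches do.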
@@=20-1211,6 +1342,7 @@ $command $rc_flags $command_args"
=20
=20			_run_rc_precmd || return 1
=20
+
=20			# run those in a subshell to keep global variables
 			( run_rc_command ${_rc_prefix}stop $rc_extra_args )
 			( run_rc_command ${_rc_prefix}start $rc_extra_args )
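Review bot: this hunk only inserts a blank line after `_run_rc_precmd || return 1`; a whitespace-only change with no functional content should be dropped from the patch.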
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 01b09b1a59b..320e0c40765 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -239,6 +239,19 @@ such as PostgreSQL will not inherit the OOM killer pro=
tection.
 .It Ao Ar name Ac Ns Va _user
 .Pq Vt str
 Run the service under this user account.
+.It Ao Ar name Ac Ns Va _svcj
+.Pq Vt bool
+If set to
+.Dq Li YES ,
+auto-jail the service with inherited filesystem and other
+jail properties depending on
+.Ao Ar name Ac Ns Va _svcj_options .
+.It Ao Ar name Ac Ns Va _svcj_options
+.Pq Vt str
+A list of jail properties for the service.
+See
+.Sx SERVICE JAILS
+for a list of valid properties.
 .It Va apm_enable
 .Pq Vt bool
 If set to
@@ -372,6 +385,12 @@ is set to
 these are the flags to pass to the
 .Xr powerd 8
 daemon.
+.It Va svcj_all_enable
+Enable auto-jailing of all services which are not explicitely
+excluded.
+See
+.Sx SERVICE JAILS
+for more info.
 .It Va tmpmfs
 Controls the creation of a
 .Pa /tmp
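Review bot: the new `.It Va svcj_all_enable` entry is missing the `.Pq Vt bool` type line that the neighbouring entries carry, and it should state the default (unset, which rc.subr treats as NO). Spelling: "explicitely" -> "explicitly".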
@@ -4666,6 +4685,94 @@ Define the total number of seconds to wait for the z=
fskeys script
 to unlock an encrypted dataset.
 The default is 10.
 .El
+.Sh SERVICE JAILS
+The service jails part of the rc system automatically puts a service
+into a jail.
+This jail inherits the filesystem and various other parts of the
+parent (if you allow child-jails in your jails, service jails
+can be used in jails) depending on the content of the
+.Ao Ar name Ac Ns Va _svcj_options
+variable.
+Typically this variable is set inside rc scripts, but it can be
+overriden in the rc config.
+Valid options for
+.Ao Ar name Ac Ns Va _svcj_options
+are:
+.Bl -tag -width indent-two
+.It netv4
+Inherit the IPv4 address and allows to open reserved ports.
+This can not be combined with
+.Pa netv6 .
+.It netv6
+Inherit the IPv6 address and allows to open reserved ports.
+This can not be combined with
+.Pa netv4 .
+.It net_basic
+Inherits the IPv4 and IPv6 addresses and allows to open
+reserved ports.
+.It net_raw
+Allow to open raw sockets. This option can be combined with
+.Pa netv4 ,
+.Pa netv6 ,
+.Pa net_basic .
+.It net_all
+Inherits the IPv4 and IPv6 addresses, allows to open reserved
+ports, allows to open raw sockets, and allows to open sockets
+of protocol stacks that have not had jail functionality added
+to them.
+.It sysvipc
+Allows access to SysV semaphores, SysV shared memory and
+SysV messages.
+.It mlock
+Allows to lock memory pages into the physical memory.
+.It vmm
+Allows access to
+.Xr vmm 4 .
+This option is only available when
+.Xr vmm 4
+is enabled in the kernel.
+.El
+
+All non-network options can be combined with all other options.
+
+If the
+.Ao Ar name Ac Ns Va _svcj
+variable is set to
+.Dq Li YES ,
+this particular service is started in a
+service jail named
+.Va svcj- Ns Ar name Ac .
+
+The
+.Va svcj_all_enable
+variable allows to enable service jails for all services of the
+system at once.
+Services which have
+.Ao Ar name Ac Ns Va _svcj
+set to
+.Dq Li NO
+are excluded.
+Some services may set
+.Ao Ar name Ac Ns Va _svcj
+to
+.Dq Li NO
+in the script to either prevent service jails for this
+service at all, or may set it to
+.Dq Li NO
+if it is not set in the
+rc config, to exclude it from
+.Va svcj_all_enable
+but allow to explicitely enable it.
+The sshd service for example would not see other jails, if
+it would run as a service jail.
+This may or may not be what is needed, and as such it is
+excluded from
+.Va svcj_all_enable
+but can be enabled via setting
+.Va sshd_svcj
+to
+.Dq Li YES .
+.El
 .Sh FILES
 .Bl -tag -width ".Pa /etc/defaults/rc.conf" -compact
 .It Pa /etc/defaults/rc.conf
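Review bot: the `.El` added just before `.Sh FILES` has no matching `.Bl` (the option list was already closed by the `.El` after the vmm entry), so mandoc will flag an unmatched list end; remove it. Further mdoc points: option names are marked with `.Pa` (`.Pa netv6`), which is for pathnames, `.Cm` or `.Li` fits; `.Va svcj- Ns Ar name Ac` has a stray `Ac` without an `Ao`; paragraph breaks should be `.Pp`, not blank lines. Spelling: "overriden" -> "overridden", "explicitely" -> "explicitly".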
diff --git a/usr.sbin/service/service.8 b/usr.sbin/service/service.8
index 9902ae3c857..c2be0e0af03 100644
--- a/usr.sbin/service/service.8
+++ b/usr.sbin/service/service.8
@@ -48,6 +48,7 @@
 .Nm
 .Op Fl j Ar jail
 .Op Fl v
+.Op Fl E Ar var=3Dvalue
 .Ar script
 .Ar command
 .Sh DESCRIPTION
@@ -67,6 +68,13 @@ the scripts using various criteria.
 .Pp
 The options are as follows:
 .Bl -tag -width F1
+.It Fl E Ar var=3Dvalue
+Set the environment variable
+.Ar var
+to the specified
+.Ar value
+before starting the script.
+This option can be used multiple times.
 .It Fl e
 List services that are enabled.
 The list of scripts to check is compiled using
@@ -117,6 +125,9 @@ to
 which is how they are set in
 .Pa /etc/rc
 at boot time.
+If the
+.Fl E
+option is used, the corresponding variable is set accordingly.
 .Sh EXIT STATUS
 .Ex -std
 .Sh EXAMPLES
@@ -126,6 +137,7 @@ command:
 .Bd -literal -offset -ident
 service named status
 service -j dns named status
+service -E LC_ALL=3DC.UTF-8 named start
 service -rv
 .Ed
 .Pp
diff --git a/usr.sbin/service/service.sh b/usr.sbin/service/service.sh
index 76cce580c5b..2f86d117fd1 100755
--- a/usr.sbin/service/service.sh
+++ b/usr.sbin/service/service.sh
@@ -37,10 +37,11 @@ usage () {
 	echo "${0##*/} [-j <jail name or id>] -e"
 	echo "${0##*/} [-j <jail name or id>] -R"
 	echo "${0##*/} [-j <jail name or id>] [-v] -l | -r"
-	echo "${0##*/} [-j <jail name or id>] [-v] <rc.d script> start|stop|etc."
+	echo "${0##*/} [-j <jail name or id>] [-v] [-E var=3Dvalue] <rc.d script>=
 start|stop|etc."
 	echo "${0##*/} -h"
 	echo ''
 	echo "-j	Perform actions within the named jail"
+	echo "-E n=3Dval	Set variable n to val before executing the rc.d script"
 	echo '-e	Show services that are enabled'
 	echo "-R	Stop and start enabled $local_startup services"
 	echo "-l	List all scripts in /etc/rc.d and $local_startup"
@@ -49,9 +50,10 @@ usage () {
 	echo ''
 }
=20
-while=20getopts 'j:ehlrRv' COMMAND_LINE_ARGUMENT ; do
+while getopts 'j:E:ehlrRv' COMMAND_LINE_ARGUMENT ; do
 	case "${COMMAND_LINE_ARGUMENT}" in
 	j)	JAIL=3D"${OPTARG}" ;;
+	E)	VARS=3D"${VARS} ${OPTARG}" ;;
 	e)	ENABLED=3Deopt ;;
 	h)	usage ; exit 0 ;;
 	l)	LIST=3Dlopt ;;
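Review bot: `-E` values are accumulated by plain concatenation (`VARS="${VARS} ${OPTARG}"`) and later expanded unquoted, so a value containing whitespace is split into several arguments, and nothing checks that OPTARG has the form var=value; an argument without `=` ends up as the utility name for env(1). Validate with `case "${OPTARG}" in *=*) ;; *) usage; exit 1 ;; esac` and document the whitespace limitation in service(8).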
@@ -72,6 +74,9 @@ if [ -n "${JAIL}" ]; then
 	[ -n "${RCORDER}" ] && args=3D"${args} -r"
 	[ -n "${RESTART}" ] && args=3D"${args} -R"
 	[ -n "${VERBOSE}" ] && args=3D"${args} -v"
+	for var in ${VARS}; do
+		args=3D"${args} -E ${var}"
+	done
=20
=20	# Call jexec(8) with the rebuild args and any=20positional args that
 	# were left in $@
@@ -171,7 +176,7 @@ cd /
 for dir in /etc/rc.d $local_startup; do
 	if [ -x "$dir/$script" ]; then
 		[ -n "$VERBOSE" ] && echo "$script is located in $dir"
-		exec env -i -L -/daemon HOME=3D/ PATH=3D/sbin:/bin:/usr/sbin:/usr/bin "$=
dir/$script" "$@"
+		exec env -i -L -/daemon HOME=3D/ PATH=3D/sbin:/bin:/usr/sbin:/usr/bin ${=
VARS} "$dir/$script" "$@"
 	fi
 done
=20
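The option translation and jail(8) invocation from svcjails.diff, as an added stand-alone sh script that is not part of the patch or of FreeBSD: it rebuilds the jail command line for a ${name}_svcj_options list without running it, and goes one step further than the patch by rejecting unknown options and the netv4 plus netv6 combination that the rc.conf(5) text declares invalid. The function names and the dry-run output format are my own.

```shell
#!/bin/sh
# Added example, not code from svcjails.diff: mirror the option
# translation of the patched rc.subr and print the jail(8) command it
# would build.  Function names (svcj_translate, svcj_jail_cmdline) are
# hypothetical.  Unlike rc.subr, an unknown option or the netv4+netv6
# combination is a hard error here.

# svcj_translate OPTIONS
#   Prints the jail(8) parameters for a space-separated option list
#   (newer options are prepended, as in rc.subr).  Returns 1 with a
#   reason on stderr for an unknown option or for netv4 with netv6.
svcj_translate() {
	_svcj_cmd_options=""
	_v4=no
	_v6=no
	for _svcj_option in $1; do
		case "$_svcj_option" in
		netv4)
			_v4=yes
			_svcj_cmd_options="ip4=inherit allow.reserved_ports${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		netv6)
			_v6=yes
			_svcj_cmd_options="ip6=inherit allow.reserved_ports${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		net_basic)
			_svcj_cmd_options="ip4=inherit ip6=inherit allow.reserved_ports${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		net_raw)
			_svcj_cmd_options="allow.raw_sockets${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		net_all)
			_svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		sysvipc)
			_svcj_cmd_options="sysvmsg=inherit sysvsem=inherit sysvshm=inherit${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		mlock)
			_svcj_cmd_options="allow.mlock${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		vmm)
			_svcj_cmd_options="allow.vmm${_svcj_cmd_options:+ $_svcj_cmd_options}"
			;;
		*)
			echo "unknown service jail option: $_svcj_option" >&2
			return 1
			;;
		esac
	done
	# rc.conf(5) in the patch says netv4 and netv6 cannot be combined;
	# rc.subr does not check this, so do it here.
	if [ "$_v4" = yes ] && [ "$_v6" = yes ]; then
		echo "netv4 and netv6 cannot be combined" >&2
		return 1
	fi
	echo "$_svcj_cmd_options"
}

# svcj_jail_cmdline NAME OPTIONS
#   Prints (does not run) the jail(8) command the patched rc.subr builds
#   for service NAME: host root, no separate devfs, inherited hostname,
#   the translated options, and exec.* hooks that re-enter the rc script
#   with _rc_svcj=jailing.
svcj_jail_cmdline() {
	_name=$1
	_params=$(svcj_translate "$2") || return 1
	echo "jail -c path=/ mount.nodevfs host=inherit${_params:+ $_params}" \
	    "exec.start=\"service -E _rc_svcj=jailing $_name start\"" \
	    "exec.stop=\"service -E _rc_svcj=jailing $_name stop\"" \
	    "exec.consolelog=/var/log/svcj_${_name}_console.log" \
	    "name=svcj-$_name"
}
```

Run it as `svcj_jail_cmdline syslogd "net_basic"` to see the command the patch would issue for the syslogd default; an invalid list such as `"netv4 netv6"` produces a message on stderr and a non-zero exit.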
