From: Jamie Gritton
Date: Mon, 27 Feb 2012 22:37:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r232242 - projects/jailconf/usr.sbin/jail
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the src " projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Feb 2012 22:37:35 -0000
Author: jamie
Date: Mon Feb 27 22:37:35 2012
New Revision: 232242
URL: http://svn.freebsd.org/changeset/base/232242
Log:
Use the defvs_ruleset paramater when mounting a jail's /dev, instead of a mount.devfs.ruleset pseudo-parameter.
Modified:
projects/jailconf/usr.sbin/jail/command.c
projects/jailconf/usr.sbin/jail/config.c
projects/jailconf/usr.sbin/jail/jail.8
projects/jailconf/usr.sbin/jail/jailp.h
Modified: projects/jailconf/usr.sbin/jail/command.c
==============================================================================
--- projects/jailconf/usr.sbin/jail/command.c Mon Feb 27 22:28:38 2012 (r232241)
+++ projects/jailconf/usr.sbin/jail/command.c Mon Feb 27 22:37:35 2012 (r232242)
@@ -417,6 +417,7 @@ run_command(struct cfjail *j)
 break;
 case IP_MOUNT_DEVFS:
+ argv = alloca(7 * sizeof(char *));
 path = string_param(j->intparams[KP_PATH]);
 if (path == NULL) {
 jail_warnx(j, "mount.devfs: no path");
@@ -428,22 +429,21 @@ run_command(struct cfjail *j)
 down ? "devfs" : NULL) < 0)
 return -1;
 if (down) {
- argv = alloca(3 * sizeof(char *));
 *(const char **)&argv[0] = "/sbin/umount";
 argv[1] = devpath;
 argv[2] = NULL;
 } else {
- argv = alloca(4 * sizeof(char *));
- *(const char **)&argv[0] = _PATH_BSHELL;
- *(const char **)&argv[1] = "-c";
- ruleset = string_param(j->intparams
- [IP_MOUNT_DEVFS_RULESET]);
- argv[2] = alloca(strlen(path) +
- (ruleset ? strlen(ruleset) + 1 : 0) + 56);
- sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; "
- "devfs_mount_jail %s/dev%s%s", path,
- ruleset ? " " : "", ruleset ? ruleset : "");
- argv[3] = NULL;
+ *(const char **)&argv[0] = _PATH_MOUNT;
+ *(const char **)&argv[1] = "-t";
+ *(const char **)&argv[2] = "devfs";
+ ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
+ if (!ruleset)
+ ruleset = "4"; /* devfsrules_jail */
+ argv[3] = alloca(11 + strlen(ruleset));
+ sprintf(argv[3], "-oruleset=%s", ruleset);
+ *(const char **)&argv[4] = ".";
+ argv[5] = devpath;
+ argv[6] = NULL;
 }
 break;
Modified: projects/jailconf/usr.sbin/jail/config.c
==============================================================================
--- projects/jailconf/usr.sbin/jail/config.c Mon Feb 27 22:28:38 2012 (r232241)
+++ projects/jailconf/usr.sbin/jail/config.c Mon Feb 27 22:37:35 2012 (r232242)
@@ -81,7 +81,6 @@ static const struct ipspec intparams[] =
 #endif
 [IP_MOUNT] = {"mount", PF_INTERNAL},
 [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
- [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL},
 [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
 [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
 [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
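Review bot: The `11` in `argv[3] = alloca(11 + strlen(ruleset));` is the length of `"-oruleset="` plus the terminator, so it is exactly enough for the `sprintf` on the following line, but nothing ties the two together; `argv[3] = alloca(sizeof("-oruleset=") + strlen(ruleset));` keeps the size correct if the option prefix ever changes. The `ruleset` string comes straight from the jail's `devfs_ruleset` parameter and is handed to mount(8) unchecked, and because mount(8) splits its `-o` argument on commas a value such as `4,rw` would add extra mount options to the devfs mount; if jail(8) already rejects non-numeric values when it imports the kernel parameter this is moot, but a comment such as `/* devfs_ruleset is validated as an integer when the jail is created */` would record why no check is done here. The fallback `"4"` is `devfsrules_jail` only by the convention of /etc/defaults/devfs.rules, which the trailing comment should say. run_command continues outside this hunk, and one context line between the header and `down ? "devfs" : NULL) < 0)` appears to be missing from this copy of the diff.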
@@ -99,6 +98,7 @@ static const struct ipspec intparams[] =
 [KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0},
 [KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0},
 [KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0},
+ [KP_DEVFS_RULESET] = {"devfs_ruleset", 0},
 [KP_ENFORCE_STATFS] = {"enforce_statfs", 0},
 [KP_HOST_HOSTNAME] = {"host.hostname", 0},
 #ifdef INET
Modified: projects/jailconf/usr.sbin/jail/jail.8
==============================================================================
--- projects/jailconf/usr.sbin/jail/jail.8 Mon Feb 27 22:28:38 2012 (r232241)
+++ projects/jailconf/usr.sbin/jail/jail.8 Mon Feb 27 22:37:35 2012 (r232242)
@@ -693,15 +693,10 @@ format file containing filesystems to mo
 .It Va mount.devfs
 Mount a
 .Xr devfs
- filesystem on the chrooted /dev directory, and run
-.Xr devfs 8
+filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Va devfs_ruleset
+parameter (or a default of ruleset 4: devfsrules_jail)
 to restrict the devices visible inside the prison.
-.It Va mount.devfs.ruleset
-The ruleset from
-.Xr devfs.rules 5
-to use when mounting a devfs filesystem.
-The default ruleset is
-.Dq devfsrules_jail .
 .It Va allow.dying
 Allow making changes to a
 .Va dying
Modified: projects/jailconf/usr.sbin/jail/jailp.h
==============================================================================
--- projects/jailconf/usr.sbin/jail/jailp.h Mon Feb 27 22:28:38 2012 (r232241)
+++ projects/jailconf/usr.sbin/jail/jailp.h Mon Feb 27 22:37:35 2012 (r232242)
@@ -93,7 +93,6 @@ enum intparam {
 #endif
 IP_MOUNT, /* Mount points in fstab(5) form */
 IP_MOUNT_DEVFS, /* Mount /dev under prison root */
- IP_MOUNT_DEVFS_RULESET, /* Ruleset for the devfs mount */
 IP_MOUNT_FSTAB, /* A standard fstab(5) file */
 IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
 IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */
@@ -111,6 +110,7 @@ enum intparam {
 KP_ALLOW_SET_HOSTNAME,
 KP_ALLOW_SOCKET_AF,
 KP_ALLOW_SYSVIPC,
+ KP_DEVFS_RULESET,
 KP_ENFORCE_STATFS,
 KP_HOST_HOSTNAME,
 #ifdef INET