Date:      Mon, 27 Feb 2012 22:37:35 +0000 (UTC)
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r232242 - projects/jailconf/usr.sbin/jail
Message-ID:  <201202272237.q1RMbZPv039981@svn.freebsd.org>

Author: jamie
Date: Mon Feb 27 22:37:35 2012
New Revision: 232242
URL: http://svn.freebsd.org/changeset/base/232242

Log:
  Use the devfs_ruleset parameter when mounting a jail's /dev,
  instead of a mount.devfs.ruleset pseudo-parameter.

Modified:
  projects/jailconf/usr.sbin/jail/command.c
  projects/jailconf/usr.sbin/jail/config.c
  projects/jailconf/usr.sbin/jail/jail.8
  projects/jailconf/usr.sbin/jail/jailp.h

Modified: projects/jailconf/usr.sbin/jail/command.c
==============================================================================
--- projects/jailconf/usr.sbin/jail/command.c	Mon Feb 27 22:28:38 2012	(r232241)
+++ projects/jailconf/usr.sbin/jail/command.c	Mon Feb 27 22:37:35 2012	(r232242)
@@ -417,6 +417,7 @@ run_command(struct cfjail *j)
 		break;
 
 	case IP_MOUNT_DEVFS:
+		argv = alloca(7 * sizeof(char *));
 		path = string_param(j->intparams[KP_PATH]);
 		if (path == NULL) {
 			jail_warnx(j, "mount.devfs: no path");
@@ -428,22 +429,21 @@ run_command(struct cfjail *j)
 		    down ? "devfs" : NULL) < 0)
 			return -1;
 		if (down) {
-			argv = alloca(3 * sizeof(char *));
 			*(const char **)&argv[0] = "/sbin/umount";
 			argv[1] = devpath;
 			argv[2] = NULL;
 		} else {
-			argv = alloca(4 * sizeof(char *));
-			*(const char **)&argv[0] = _PATH_BSHELL;
-			*(const char **)&argv[1] = "-c";
-			ruleset = string_param(j->intparams
-			    [IP_MOUNT_DEVFS_RULESET]);
-			argv[2] = alloca(strlen(path) +
-			    (ruleset ? strlen(ruleset) + 1 : 0) + 56);
-			sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; "
-			    "devfs_mount_jail %s/dev%s%s", path,
-			    ruleset ? " " : "", ruleset ? ruleset : "");
-			argv[3] = NULL;
+			*(const char **)&argv[0] = _PATH_MOUNT;
+			*(const char **)&argv[1] = "-t";
+			*(const char **)&argv[2] = "devfs";
+			ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
+			if (!ruleset)
+			    ruleset = "4";	/* devfsrules_jail */
+			argv[3] = alloca(11 + strlen(ruleset));
+			sprintf(argv[3], "-oruleset=%s", ruleset);
+			*(const char **)&argv[4] = ".";
+			argv[5] = devpath;
+			argv[6] = NULL;
 		}
 		break;
 
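Review bot: The value read at `ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);` is forwarded verbatim into `-oruleset=%s` without checking that it is a ruleset number, which is what the devfs `ruleset` mount option (and the kernel's `devfs_ruleset` jail parameter) take; a name such as `devfsrules_jail`, which the removed `devfs_mount_jail` shell path resolved and which the jail.8 text in this same commit still cites, would now make mount(8) fail with a diagnostic that never mentions the jail parameter. Unless the kernel parameter is already type-checked before this command runs, which the hunk does not show, I would reject non-numeric values here with `jail_warnx` and `return -1`, mirroring the `mount.devfs: no path` handling above; `end` needs a `char *end;` declaration next to `ruleset` at the top of run_command, which begins outside this hunk. Passing `devpath` and the ruleset as separate argv entries to `_PATH_MOUNT` rather than interpolating them into an `sh -c` string is the right direction; the added check only makes a bad value fail early and legibly.
```c
			ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
			if (!ruleset)
			    ruleset = "4";	/* devfsrules_jail */
			/* devfs's ruleset option is numeric; fail here, not in mount(8). */
			errno = 0;
			(void)strtol(ruleset, &end, 10);
			if (end == ruleset || *end != '\0' || errno == ERANGE) {
				jail_warnx(j, "devfs_ruleset: \"%s\" is not a ruleset number",
				    ruleset);
				return -1;
			}
			/* … unchanged: argv[3..6] setup … */
```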

Modified: projects/jailconf/usr.sbin/jail/config.c
==============================================================================
--- projects/jailconf/usr.sbin/jail/config.c	Mon Feb 27 22:28:38 2012	(r232241)
+++ projects/jailconf/usr.sbin/jail/config.c	Mon Feb 27 22:37:35 2012	(r232242)
@@ -81,7 +81,6 @@ static const struct ipspec intparams[] =
 #endif
     [IP_MOUNT] =		{"mount",		PF_INTERNAL},
     [IP_MOUNT_DEVFS] =		{"mount.devfs",		PF_INTERNAL | PF_BOOL},
-    [IP_MOUNT_DEVFS_RULESET]=	{"mount.devfs.ruleset",	PF_INTERNAL},
     [IP_MOUNT_FSTAB] =		{"mount.fstab",		PF_INTERNAL},
     [IP_STOP_TIMEOUT] =		{"stop.timeout",	PF_INTERNAL | PF_INT},
     [IP_VNET_INTERFACE] =	{"vnet.interface",	PF_INTERNAL},
@@ -99,6 +98,7 @@ static const struct ipspec intparams[] =
     [KP_ALLOW_SET_HOSTNAME]=	{"allow.set_hostname",	0},
     [KP_ALLOW_SOCKET_AF] =	{"allow.socket_af",	0},
     [KP_ALLOW_SYSVIPC] =	{"allow.sysvipc",	0},
+    [KP_DEVFS_RULESET] =	{"devfs_ruleset",	0},
     [KP_ENFORCE_STATFS] =	{"enforce_statfs",	0},
     [KP_HOST_HOSTNAME] =	{"host.hostname",	0},
 #ifdef INET

Modified: projects/jailconf/usr.sbin/jail/jail.8
==============================================================================
--- projects/jailconf/usr.sbin/jail/jail.8	Mon Feb 27 22:28:38 2012	(r232241)
+++ projects/jailconf/usr.sbin/jail/jail.8	Mon Feb 27 22:37:35 2012	(r232242)
@@ -693,15 +693,10 @@ format file containing filesystems to mo
 .It Va mount.devfs
 Mount a
 .Xr devfs
- filesystem on the chrooted /dev directory, and run
-.Xr devfs 8
+filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Va devfs_ruleset
+parameter (or a default of ruleset 4: devfsrules_jail)
 to restrict the devices visible inside the prison.
-.It Va mount.devfs.ruleset
-The ruleset from
-.Xr devfs.rules 5
-to use when mounting a devfs filesystem.
-The default ruleset is
-.Dq devfsrules_jail .
 .It Va allow.dying
 Allow making changes to a
 .Va dying

Modified: projects/jailconf/usr.sbin/jail/jailp.h
==============================================================================
--- projects/jailconf/usr.sbin/jail/jailp.h	Mon Feb 27 22:28:38 2012	(r232241)
+++ projects/jailconf/usr.sbin/jail/jailp.h	Mon Feb 27 22:37:35 2012	(r232242)
@@ -93,7 +93,6 @@ enum intparam {
 #endif
 	IP_MOUNT,		/* Mount points in fstab(5) form */
 	IP_MOUNT_DEVFS,		/* Mount /dev under prison root */
-	IP_MOUNT_DEVFS_RULESET,	/* Ruleset for the devfs mount */
 	IP_MOUNT_FSTAB,		/* A standard fstab(5) file */
 	IP_STOP_TIMEOUT,	/* Time to wait after sending SIGTERM */
 	IP_VNET_INTERFACE,	/* Assign interface(s) to vnet jail */
@@ -111,6 +110,7 @@ enum intparam {
 	KP_ALLOW_SET_HOSTNAME,
 	KP_ALLOW_SOCKET_AF,
 	KP_ALLOW_SYSVIPC,
+	KP_DEVFS_RULESET,
 	KP_ENFORCE_STATFS,
 	KP_HOST_HOSTNAME,
 #ifdef INET


