From owner-svn-src-stable@FreeBSD.ORG Sat Oct 12 17:46:15 2013
Delivered-To: svn-src-stable@freebsd.org
Message-Id: <201310121746.r9CHkDbU058100@svn.freebsd.org>
From: Hiroki Sato
Date: Sat, 12 Oct 2013 17:46:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r256387 - in stable/10: etc/rc.d share/man/man5 usr.sbin/jail
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
List-Id: SVN commit messages for all the -stable branches of the src tree

Author: hrs
Date: Sat Oct 12 17:46:13 2013
New Revision: 256387
URL: http://svnweb.freebsd.org/changeset/base/256387

Log:
  MFC 256385:

  - Add mount.fdescfs parameter to jail(8).  This is similar to
    mount.devfs but mounts fdescfs.  The mount happens just after
    mount.devfs.
  - rc.d/jail now displays whole error message from jail(8) when a jail
    fails to start.

  Approved by:	re (gjb)

Modified:
  stable/10/etc/rc.d/jail
  stable/10/share/man/man5/rc.conf.5
  stable/10/usr.sbin/jail/command.c
  stable/10/usr.sbin/jail/config.c
  stable/10/usr.sbin/jail/jail.8
  stable/10/usr.sbin/jail/jail.c
  stable/10/usr.sbin/jail/jailp.h
Directory Properties:
  stable/10/etc/rc.d/   (props changed)
  stable/10/share/man/man5/   (props changed)
  stable/10/usr.sbin/jail/   (props changed)

Modified: stable/10/etc/rc.d/jail
==============================================================================
--- stable/10/etc/rc.d/jail	Sat Oct 12 17:31:21 2013	(r256386)
+++ stable/10/etc/rc.d/jail	Sat Oct 12 17:46:13 2013	(r256387)
@@ -226,8 +226,7 @@ parse_options() eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} if checkyesno jail_${_j}_fdescfs_enable; then - echo " mount += " \ - "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";" + echo " mount.fdescfs;" fi eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}} if checkyesno jail_${_j}_procfs_enable; then @@ -438,7 +437,7 @@ jail_start() echo -n " ${_hostname:-${_jail}}" else echo " cannot start jail \"${_hostname:-${jail}}\": " - tail +2 $_tmp + cat $_tmp fi rm -f $_tmp done Modified: stable/10/share/man/man5/rc.conf.5 ============================================================================== --- stable/10/share/man/man5/rc.conf.5 Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/share/man/man5/rc.conf.5 Sat Oct 12 17:46:13 2013 (r256387) @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 10, 2013 +.Dd October 12, 2013 .Dt RC.CONF 5 .Os .Sh NAME @@ -3992,9 +3992,7 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fstab .It Li mount set from -.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable -or -.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable. +.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable . .It Li exec.fib set from .Va jail_ Ns Ao Ar jname Ac Ns Va _fib @@ -4042,6 +4040,9 @@ set from .Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset . This must be an integer, not a string. +.It Li mount.fdescfs +set from +.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable .It Li allow.set_hostname set from .Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow Modified: stable/10/usr.sbin/jail/command.c ============================================================================== --- stable/10/usr.sbin/jail/command.c Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/usr.sbin/jail/command.c Sat Oct 12 17:46:13 2013 (r256387) 
@@ -106,7 +106,12 @@ next_command(struct cfjail *j) case IP_MOUNT_DEVFS: if (!bool_param(j->intparams[IP_MOUNT_DEVFS])) continue; - /* FALLTHROUGH */ + j->comstring = &dummystring; + break; + case IP_MOUNT_FDESCFS: + if (!bool_param(j->intparams[IP_MOUNT_FDESCFS])) + continue; + j->comstring = &dummystring; case IP__OP: case IP_STOP_TIMEOUT: j->comstring = &dummystring; @@ -452,6 +457,32 @@ run_command(struct cfjail *j) } break; + case IP_MOUNT_FDESCFS: + argv = alloca(7 * sizeof(char *)); + path = string_param(j->intparams[KP_PATH]); + if (path == NULL) { + jail_warnx(j, "mount.fdescfs: no path"); + return -1; + } + devpath = alloca(strlen(path) + 8); + sprintf(devpath, "%s/dev/fd", path); + if (check_path(j, "mount.fdescfs", devpath, 0, + down ? "fdescfs" : NULL) < 0) + return -1; + if (down) { + *(const char **)&argv[0] = "/sbin/umount"; + argv[1] = devpath; + argv[2] = NULL; + } else { + *(const char **)&argv[0] = _PATH_MOUNT; + *(const char **)&argv[1] = "-t"; + *(const char **)&argv[2] = "fdescfs"; + *(const char **)&argv[3] = "."; + argv[4] = devpath; + argv[5] = NULL; + } + break; + case IP_COMMAND: if (j->name != NULL) goto default_command; Modified: stable/10/usr.sbin/jail/config.c ============================================================================== --- stable/10/usr.sbin/jail/config.c Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/usr.sbin/jail/config.c Sat Oct 12 17:46:13 2013 (r256387) 
@@ -83,6 +83,7 @@ static const struct ipspec intparams[] = #endif [IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV}, [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL}, + [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL}, [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, Modified: stable/10/usr.sbin/jail/jail.8 ============================================================================== --- stable/10/usr.sbin/jail/jail.8 Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/usr.sbin/jail/jail.8 Sat Oct 12 17:46:13 2013 (r256387) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 23, 2013 +.Dd October 12, 2013 .Dt JAIL 8 .Os .Sh NAME @@ -682,7 +682,7 @@ to. An alias for each address will be added to the interface before the prison is created, and will be removed from the interface after the prison is removed. -.It Op Va ip4.addr +.It Va ip4.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a netmask may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask . @@ -691,7 +691,7 @@ will be added to that interface, as it i .Va interface parameter. If a netmask in either dotted-quad or CIDR form is given after IP address, it will be used when adding the IP alias. -.It Op Va ip6.addr +.It Va ip6.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a prefix may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix . 
@@ -722,11 +722,19 @@ An format file containing filesystems to mount before creating a jail. .It Va mount.devfs Mount a -.Xr devfs -filesystem on the chrooted /dev directory, and apply the ruleset in the +.Xr devfs 5 +filesystem on the chrooted +.Pa /dev +directory, and apply the ruleset in the .Va devfs_ruleset parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the prison. +.It Va mount.fdescfs +Mount a +.Xr fdescfs 5 +filesystem on the chrooted +.Pa /dev/fd +directory. .It Va allow.dying Allow making changes to a .Va dying @@ -1165,6 +1173,8 @@ environment of the first jail. .Xr ps 1 , .Xr quota 1 , .Xr jail_set 2 , +.Xr devfs 5 , +.Xr fdescfs 5 , .Xr jail.conf 5 , .Xr procfs 5 , .Xr rc.conf 5 , Modified: stable/10/usr.sbin/jail/jail.c ============================================================================== --- stable/10/usr.sbin/jail/jail.c Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/usr.sbin/jail/jail.c Sat Oct 12 17:46:13 2013 (r256387) @@ -92,6 +92,7 @@ static const enum intparam startcommands IP_MOUNT, IP__MOUNT_FROM_FSTAB, IP_MOUNT_DEVFS, + IP_MOUNT_FDESCFS, IP_EXEC_PRESTART, IP__OP, IP_VNET_INTERFACE, @@ -108,6 +109,7 @@ static const enum intparam stopcommands[ IP_STOP_TIMEOUT, IP__OP, IP_EXEC_POSTSTOP, + IP_MOUNT_FDESCFS, IP_MOUNT_DEVFS, IP__MOUNT_FROM_FSTAB, IP_MOUNT, Modified: stable/10/usr.sbin/jail/jailp.h ============================================================================== --- stable/10/usr.sbin/jail/jailp.h Sat Oct 12 17:31:21 2013 (r256386) +++ stable/10/usr.sbin/jail/jailp.h Sat Oct 12 17:46:13 2013 (r256387) @@ -95,6 +95,7 @@ enum intparam { #endif IP_MOUNT, /* Mount points in fstab(5) form */ IP_MOUNT_DEVFS, /* Mount /dev under prison root */ + IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */ IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */
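Review bot: in the next_command() hunk of command.c, the new IP_MOUNT_FDESCFS case assigns `j->comstring = &dummystring;` and then falls through, with no `/* FALLTHROUGH */` annotation, into the `case IP__OP: case IP_STOP_TIMEOUT:` arm that performs the very same assignment. Either end the case with `break;` as the rewritten IP_MOUNT_DEVFS case now does, or drop the redundant assignment and keep the `/* FALLTHROUGH */` comment that the old IP_MOUNT_DEVFS case carried, so the intent is explicit and implicit-fallthrough lint stays quiet.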
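Review bot: in the run_command() hunk of command.c, `devpath = alloca(strlen(path) + 8);` is sized exactly for the "/dev/fd" suffix (7 bytes plus NUL) that `sprintf(devpath, "%s/dev/fd", path);` appends; that is correct today but brittle, and an `snprintf` with the same bound, or a named constant for the suffix, would make the size self-documenting. `argv = alloca(7 * sizeof(char *));` reserves seven pointers while at most six (argv[0] through argv[5]) are ever written. The umount branch hardcodes `"/sbin/umount"` while the mount branch uses `_PATH_MOUNT`; a matching constant keeps the two in step. The `check_path(j, "mount.fdescfs", devpath, 0, down ? "fdescfs" : NULL)` call before either command is the important guard here: the constructed path under the jail root is checked before anything is mounted on it, and on teardown the umount is only attempted when the path currently holds an fdescfs mount.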
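Review bot: the jail.8 hunks also change `.It Op Va ip4.addr` and `.It Op Va ip6.addr` to `.It Va ip4.addr` and `.It Va ip6.addr` and add the section number to `.Xr devfs 5`, none of which is mentioned in the log message; list these documentation fixes in the log or move them to a separate commit. The new mount.fdescfs entry should also state that the mount is performed after mount.devfs, as the log says and the startcommands ordering in jail.c implements, since the chrooted /dev/fd directory it mounts onto normally comes from the devfs mount.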
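Review bot: the jail.c hunks insert IP_MOUNT_FDESCFS after IP_MOUNT_DEVFS in startcommands and before IP_MOUNT_DEVFS in stopcommands, so teardown is the exact reverse of setup and fdescfs is unmounted before the devfs it is mounted inside; this is the right ordering, and a one-line comment beside the stopcommands entry would protect it, since reordering the two would leave the devfs umount failing on a busy mount point.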