Date: Thu, 30 Jan 2025 18:23:03 GMT
Message-Id: <202501301823.50UIN3Ju006309@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Zhenlei Huang
Subject: git: 08aa7128dea4 - main - sysctl: Teach sysctl to attach and run itself in a jail
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: zlei
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 08aa7128dea4d14811ae4a0225d7c678869cfe62

The branch main has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=08aa7128dea4d14811ae4a0225d7c678869cfe62

commit 08aa7128dea4d14811ae4a0225d7c678869cfe62
Author: Zhenlei Huang
AuthorDate: 2025-01-30 18:20:41 +0000
Commit: Zhenlei Huang
CommitDate: 2025-01-30 18:20:41 +0000

    sysctl: Teach sysctl to attach and run itself in a jail

    This allows the parent jail to retrieve or set kernel state when the child does not have sysctl(8) installed (e.g. lightweight OCI containers or slim jails). This is especially useful when manipulating jail prison or vnet sysctls.

    For example, `sysctl -j foo -Ja` or `sysctl -j foo net.fibs=2`.

    Reviewed by: dfr (previous version), markj
    MFC after: 1 week
    Relnotes: yes
    Differential Revision: https://reviews.freebsd.org/D48618
---
 sbin/sysctl/Makefile | 5 +++++
 sbin/sysctl/sysctl.8 | 12 +++++++++++-
 sbin/sysctl/sysctl.c | 48 ++++++++++++++++++++++++++++++++++++++++++++----
 3 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/sbin/sysctl/Makefile b/sbin/sysctl/Makefile index cd47d8b28295..99074e47964d 100644 --- a/sbin/sysctl/Makefile +++ b/sbin/sysctl/Makefile @@ -6,6 +6,11 @@ PROG= sysctl WARNS?= 3 MAN= sysctl.8 +.if ${MK_JAIL} != "no" && !defined(RESCUE) +CFLAGS+= -DJAIL +LIBADD+= jail +.endif + HAS_TESTS= SUBDIR.${MK_TESTS}+= tests
diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8 index b6a06e2c3bab..e0e35f075a78 100644 --- a/sbin/sysctl/sysctl.8 +++ b/sbin/sysctl/sysctl.8 @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 23, 2025 +.Dd January 31, 2025 .Dt SYSCTL 8 .Os .Sh NAME @@ -36,12 +36,14 @@ .Nd get or set kernel state .Sh SYNOPSIS .Nm +.Op Fl j Ar jail .Op Fl bdeFhiJlNnoqTtVWx .Op Fl B Ar bufsize .Op Fl f Ar filename .Ar name Ns Op = Ns Ar value Ns Op , Ns Ar value .Ar ... .Nm +.Op Fl j Ar jail .Op Fl bdeFhJlNnoqTtVWx .Op Fl B Ar bufsize .Fl a @@ -103,6 +105,10 @@ Specify a file which contains a pair of name and value in each line. .Nm reads and processes the specified file first and then processes the name and value pairs in the command line argument. +Note that when the +.Fl j Ar jail +option is specified, the file will be opened before attaching to the jail and +then be processed inside the jail. .It Fl h Format output for human, rather than machine, readability. .It Fl i @@ -113,6 +119,10 @@ for collecting data from a variety of machines (not all of which are necessarily running exactly the same software) easier. .It Fl J Display only jail prision sysctl variables (CTLFLAG_PRISON). +.It Fl j Ar jail +Perform the actions inside the +.Ar jail +(by jail id or jail name). .It Fl l Show the length of variables along with their values. This option cannot be combined with the diff --git a/sbin/sysctl/sysctl.c b/sbin/sysctl/sysctl.c index 200c2da8850f..302dc6865123 100644 --- a/sbin/sysctl/sysctl.c +++ b/sbin/sysctl/sysctl.c @@ -33,6 +33,9 @@ #include #include #include +#ifdef JAIL +#include +#endif #include #include #include @@ -51,6 +54,9 @@ #include #include #include +#ifdef JAIL +#include +#endif #include #include #include 
@@ -59,12 +65,16 @@ #include #include +#ifdef JAIL +static const char *jailname; +#endif static const char *conffile; static int aflag, bflag, Bflag, dflag, eflag, hflag, iflag; static int Nflag, nflag, oflag, qflag, tflag, Tflag, Wflag, xflag; static bool Fflag, Jflag, lflag, Vflag; +static void attach_jail(void); static int oidfmt(int *, int, char *, u_int *); static int parsefile(FILE *); static int parse(const char *, int); @@ -121,8 +131,8 @@ usage(void) { (void)fprintf(stderr, "%s\n%s\n", - "usage: sysctl [-bdeFhiJlNnoqTtVWx] [ -B ] [-f filename] name[=value] ...", - " sysctl [-bdeFhJlNnoqTtVWx] [ -B ] -a"); + "usage: sysctl [-j jail] [-bdeFhiJlNnoqTtVWx] [ -B ] [-f filename] name[=value] ...", + " sysctl [-j jail] [-bdeFhJlNnoqTtVWx] [ -B ] -a"); exit(1); } @@ -137,7 +147,7 @@ main(int argc, char **argv) setbuf(stdout,0); setbuf(stderr,0); - while ((ch = getopt(argc, argv, "AaB:bdeFf:hiJlNnoqTtVWwXx")) != -1) { + while ((ch = getopt(argc, argv, "AaB:bdeFf:hiJj:lNnoqTtVWwXx")) != -1) { switch (ch) { case 'A': /* compatibility */ @@ -173,6 +183,14 @@ main(int argc, char **argv) case 'J': Jflag = true; break; + case 'j': +#ifdef JAIL + if ((jailname = optarg) == NULL) + usage(); +#else + errx(1, "not built with jail support"); +#endif + break; case 'l': lflag = true; break; @@ -222,8 +240,10 @@ main(int argc, char **argv) /* TODO: few other combinations do not make sense but come back later */ if (Nflag && (lflag || nflag)) usage(); - if (aflag && argc == 0) + if (aflag && argc == 0) { + attach_jail(); exit(sysctl_all(NULL, 0)); + } if (argc == 0 && conffile == NULL) usage(); @@ -231,6 +251,9 @@ main(int argc, char **argv) file = fopen(conffile, "r"); if (file == NULL) err(EX_NOINPUT, "%s", conffile); + } + attach_jail(); + if (file != NULL) { warncount += parsefile(file); fclose(file); } 
@@ -241,6 +264,23 @@ main(int argc, char **argv) return (warncount); } +static void +attach_jail(void) +{ +#ifdef JAIL + int jid; + + if (jailname == NULL) + return; + + jid = jail_getid(jailname); + if (jid == -1) + errx(1, "jail not found"); + if (jail_attach(jid) != 0) + errx(1, "cannot attach to jail"); +#endif +} + /* * Parse a single numeric value, append it to 'newbuf', and update * 'newsize'. Returns true if the value was parsed and false if the
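Review bot: in the Makefile hunk, jail support is compiled out for RESCUE builds (`!defined(RESCUE)`), so /rescue/sysctl will reject `-j` with "not built with jail support", but nothing in the sysctl.8 hunk mentions this. A one-line note in the manual page, or an errx message that points the user at /sbin/sysctl, would avoid a surprise in a recovery shell where the rescue binary is the only one available.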
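Review bot: the new `.It Fl j Ar jail` entry in the sysctl.8 hunk does not say that the option needs privilege. jail_attach(2) is a privileged operation, so an unprivileged caller will only see "cannot attach to jail" with no indication of why; suggest stating that `-j` requires superuser privilege and a running jail. The paragraph added under `-f` is worth keeping as written, since it makes explicit that the file is opened in the caller's filesystem namespace and not looked up inside the jail.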
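Review bot: in the `case 'j':` hunk, the guard `if ((jailname = optarg) == NULL) usage();` is dead code: with `j:` in the getopt(3) string, a missing argument makes getopt return `?` (which already falls through to usage), so `optarg` is never NULL when `'j'` is returned. A plain `jailname = optarg;` reads cleaner; if a guard is wanted, the case that can actually occur is an empty string (`*optarg == '\0'`), which would otherwise be passed on to jail_getid(3).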
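Review bot: in the `@@ -231,6 +251,9 @@` hunk, placing `attach_jail()` between `fopen()` and `parsefile()` is the right order and matches the manual page note: the FILE is opened while still in the parent's root, and only read after the attach, so the child jail cannot supply its own copy of the file. A short comment above the `attach_jail();` call saying that this ordering is deliberate would keep a later refactor from moving the open inside the jail.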
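Review bot: `attach_jail()` discards the error detail the user needs to tell a missing jail from a permissions problem. jail_getid(3) records the reason in the global `jail_errmsg` when it returns -1, and jail_attach(2) sets errno (EPERM for an unprivileged caller, EINVAL for a bad jid), but both paths use errx(3), which prints neither. Suggest `errx(1, "%s", jail_errmsg);` after the jail_getid() failure and `err(1, "jail_attach");` after the jail_attach() failure, so the strerror text reaches the user.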