From owner-freebsd-current@FreeBSD.ORG Tue Jul 29 16:16:21 2003
Delivered-To: freebsd-current@freebsd.org
Message-Id: <200307292316.h6TNGBJx045796@WBIw009.westbend.net>
From: "Scot W. Hetzel"
To: "Mike Makonnen", "Jens Rehsack"
cc: Clement Laforet, Robert Watson, FreeBSD-Current List
References: <3F26AA16.5030007@liwing.de> <20030729172122.GA5005@kokeb.ambesa.net>
Date: Tue, 29 Jul 2003 16:51:54 -0500
Subject: Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically
List-Id: Discussions about the use of FreeBSD-current

Below is my current patch to devfs and jail to support the mounting of devfs and procfs in jails. This patch also allows a jail to specify what devfs rule to apply to the jail, as well as defining a default jail devfs rule in /etc/rc.d/devfs.

Scot

Index: etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.182 diff -u -r1.182 rc.conf --- etc/defaults/rc.conf 28 Jul 2003 13:09:00 -0000 1.182 +++ etc/defaults/rc.conf 29 Jul 2003 22:06:08 -0000
@@ -426,12 +426,35 @@ harvest_ethernet="YES" # Entropy device harvests ethernet randomness harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot -jail_enable="NO" # Set to NO to disable starting of any jails -jail_list="" # Space separated list of names of jails -jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail -jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail watchdogd_enable="NO" # Start the software watchdog daemon + +############################################################## +### Jail Configuration ####################################### +############################################################## +devfs_jail_ruleset_enable="NO" # Enable Standard Jail devfs ruleset in rc.d/devfs +devfs_jail_ruleset_num="666" # Standard Jail ruleset number + # (change if it conflicts with your rulesets) + +jail_enable="NO" # Set to NO to disable starting of any jails +jail_list="" # Space separated list of names of jails +jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname +jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail +jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail +jail_default_ruleset="666" # Default jail devfs ruleset to apply +jail_stop_jailer="NO" # Only stop jailer. Requires jail_*_exec be set + # to use sysutils/jailer port to start the jail. 
+ +# create an entry for each jail named in jail_list, with these variables +# +#jail_example_rootdir="/usr/jail/default" # Jails root directory +#jail_example_hostname="default.domain.com" # Jails hostname +#jail_example_ip="192.168.0.10" # Jails IP number +#jail_example_exec="/bin/sh /etc/rc" # command to execute in jail +#jail_example_devfs="NO" # mount devfs in jail +#jail_example_devfs_ruleset="666" # devfs ruleset to apply to jail +#jail_example_procfs="NO" # mount procfs in jail +# +# NOTE: replace 'example' with the jail's name from jail_list ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## Index: etc/rc.d/devfs =================================================================== RCS file: /home/ncvs/src/etc/rc.d/devfs,v retrieving revision 1.5 diff -u -r1.5 devfs --- etc/rc.d/devfs 6 May 2003 01:10:33 -0000 1.5 +++ etc/rc.d/devfs 6 May 2003 16:24:39 -0000 
@@ -39,3 +39,21 @@ load_rc_config $name run_rc_command "$1" + +# Standard Jail ruleset +if checkyesno devfs_jail_ruleset_enable ; then + /sbin/devfs rule -s ${devfs_jail_ruleset_num} delset + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide +fi Index: etc/rc.d/jail =================================================================== RCS file: /home/ncvs/src/etc/rc.d/jail,v retrieving revision 1.4 diff -u -r1.4 jail --- etc/rc.d/jail 5 May 2003 15:38:41 -0000 1.4 +++ etc/rc.d/jail 21 Jun 2003 20:22:44 -0000 @@ -6,7 +6,7 @@ # PROVIDE: jail # REQUIRE: LOGIN # BEFORE: securelevel -# KEYWORD: FreeBSD +# KEYWORD: FreeBSD shutdown . /etc/rc.subr @@ -15,6 +15,15 @@ start_cmd="jail_start" stop_cmd="jail_stop" +create_dev_links() +{ + local devdir=$1 + local source=$2 + local target=$3 + + (cd ${devdir} && ln -sf ${source} ${target}) +} + jail_start() { echo -n 'Configuring jails:' 
@@ -50,18 +59,91 @@ for _jail in ${jail_list} do eval jail_rootdir=\"\$jail_${_jail}_rootdir\" + jail_devdir="${jail_rootdir}/dev" + jail_procdir="${jail_rootdir}/proc" + eval jail_hostname=\"\$jail_${_jail}_hostname\" eval jail_ip=\"\$jail_${_jail}_ip\" eval jail_exec=\"\$jail_${_jail}_exec\" [ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc" - + + eval jail_devfs=\"\$jail_${_jail}_devfs\" + [ -z ${jail_devfs} ] && jail_devfs="NO" + + eval jail_ruleset=\"\$jail_${_jail}_devfs_ruleset\" + [ -z ${jail_ruleset} ] && jail_ruleset="${jail_default_ruleset}" + + eval jail_procfs=\"\$jail_${_jail}_procfs\" + [ -z ${jail_procfs} ] && jail_procfs="NO" + + if checkyesno jail_devfs; then + if [ -d ${jail_devdir} ] ; then + mount -t devfs dev ${jail_devdir} + + if [ -n "${jail_ruleset}" ]; then + # Apply devfs ruleset + devfs -m ${jail_devdir} ruleset ${jail_ruleset} + + # for libkvm (ab)users + create_dev_links ${jail_devdir} null mem + create_dev_links ${jail_devdir} null kmem + + # create_dev_links ${jail_devdir} null console + fi + + # Transitional symlink for old binaries + if [ ! 
-L ${jail_devdir}/log ]; then + create_dev_links ${jail_devdir} ../var/run/log log + fi + + # Jail console output + create_dev_links ${jail_devdir} ../var/log/console console + fi + fi + + if checkyesno jail_procfs; then + if [ -d ${jail_procdir} ] ; then + mount -t procfs proc ${jail_procdir} + fi + fi + jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec} done } jail_stop() { - kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print $2};') + if checkyesno jail_stop_jailer; then + rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print $2};') + else + rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print $2};') + fi + if [ -n "${rc_pid}" ]; then + kill -TERM $rc_pid + wait_for_pids $rc_pid + fi + for _jail in ${jail_list} + do + eval jail_rootdir=\"\$jail_${_jail}_rootdir\" + jail_devdir="${jail_rootdir}/dev" + jail_procdir="${jail_rootdir}/proc" + eval jail_devfs=\"\$jail_${_jail}_devfs\" + [ -z ${jail_devfs} ] && jail_devfs="NO" + eval jail_procfs=\"\$jail_${_jail}_procfs\" + [ -z ${jail_procfs} ] && jail_procfs="NO" + + if checkyesno jail_devfs; then + if [ -d ${jail_devdir} ] ; then + umount -f ${jail_devdir} >/dev/null 2>&1 + fi + fi + + if checkyesno jail_procfs; then + if [ -d ${jail_procdir} ] ; then + umount -f ${jail_procdir} >/dev/null 2>&1 + fi + fi + done } Index: share/man/man5/rc.conf.5 =================================================================== RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v retrieving revision 1.197 diff -u -r1.197 rc.conf.5 --- share/man/man5/rc.conf.5 28 Jul 2003 13:56:00 -0000 1.197 +++ share/man/man5/rc.conf.5 29 Jul 2003 22:12:05 -0000 
@@ -2431,12 +2431,25 @@ jail_vjail_ip="192.168.1.100" jail_vjail_rootdir="/var/jails/vjail/root" jail_vjail_exec="/bin/sh /etc/rc" +jail_vjail_devfs="YES" +jail_vjail_devfs_ruleset="666" +jail_vjail_procfs="NO" .Ed .Pp -The last one is optional. -It defaults to +The last four are optional. jail__exec defaults to .Pa /etc/rc if it is not set. +jail__devfs and jail__procfs default to +not mounting the devfs/procfs on the jail. +jail__devfs_ruleset defaults to using devfs ruleset 666. +.It Va jail_default_ruleset +.Pq Vt int +The default ruleset to apply to a jail that has devfs enabled, but +no jail__devfs_ruleset defined. By default it is set to +666. A Standard Jail rule set is provided in rc.d/devfs to enable +it set devfs_jail_ruleset_enable to YES. If this ruleset conflicts +with your rulesets change devfs_jail_ruleset_num from 666 to another +value. .It Va jail_set_hostname_allow .Pq Vt bool If set to
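Review bot: in the etc/defaults/rc.conf hunk (@@ -426,12 +426,35 @@), devfs_jail_ruleset_num="666" and jail_default_ruleset="666" are two independent copies of the same number, and the comment on the first tells the user to change it if it conflicts with their own rulesets. A user who does that ends up with the standard rules defined under the new number while every jail without its own jail_*_devfs_ruleset still gets ruleset 666, which then contains no rules at all, so nothing is hidden in those jails. Either derive one from the other (jail_default_ruleset="${devfs_jail_ruleset_num}") or state in both comments that the two values must be changed together.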
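Review bot: in the etc/rc.d/devfs hunk (@@ -39,3 +39,21 @@), "add 810 path mdctl unhide" exposes the md(4) control device to root inside every jail that uses the standard ruleset, while the rest of the list is limited to the pseudo-devices ordinary programs need (null, zero, random, urandom, fd, the pty pairs and the std* links). Creating and attaching memory disks is a host-level capability and should not be part of a default "standard" jail ruleset; drop that line and let administrators who need it add it to a ruleset of their own. Separately, the whole block sits after run_rc_command "$1", so the delset/add sequence runs for every subcommand of the script, including stop; moving it into a function hooked through rc.subr's start_postcmd keeps it to start only.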
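Review bot: in the etc/rc.d/jail hunk @@ -15,6 +15,15 @@, create_dev_links interpolates ${devdir}, ${source} and ${target} unquoted and always passes -f to ln, so a jail root directory containing whitespace splits into several arguments and an existing entry under the target name is silently replaced. Quote the three variables (cd "${devdir}" && ln -s "${source}" "${target}") and drop -f: every caller runs right after a fresh devfs mount, so a pre-existing node at that name is unexpected and should surface as an error rather than be overwritten.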
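Review bot: in the etc/rc.d/jail hunk @@ -50,18 +59,91 @@, jail_devdir="${jail_rootdir}/dev" is derived before anything checks that jail_<name>_rootdir is set, so an unset or empty variable resolves to /dev: jail_start then runs mount -t devfs dev /dev and applies the hide-all ruleset to the host's own device tree, and jail_stop later runs umount -f /dev. Add a guard at the top of both loops ([ -z "${jail_rootdir}" ] && { warn "jail_${_jail}_rootdir is not set"; continue; }, warn being provided by rc.subr) and quote the new [ -z ${jail_devfs} ], [ -z ${jail_ruleset} ] and [ -z ${jail_procfs} ] tests, which copy the unquoted form of the existing jail_exec test. Second, devfs -m ${jail_devdir} ruleset ${jail_ruleset} only selects the ruleset for nodes created from then on; the nodes that already exist from the mount one line earlier keep their visibility until devfs -m ${jail_devdir} rule applyset is run, so without that call immediately after it the jail starts with the full device tree visible. Third, when jail_ruleset ends up empty the devfs is mounted with no ruleset at all and no message; since the default ruleset exists precisely to avoid that, the else branch of the [ -n "${jail_ruleset}" ] test should at least warn.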
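Review bot: in the share/man/man5/rc.conf.5 hunk, "jail__devfs_ruleset defaults to using devfs ruleset 666" does not match the script, which falls back to ${jail_default_ruleset} (the rc.d/jail hunk reads [ -z ${jail_ruleset} ] && jail_ruleset="${jail_default_ruleset}"); say it defaults to the value of jail_default_ruleset, which is 666 by default, otherwise changing jail_default_ruleset makes the manual wrong. The new jail_*_devfs, jail_*_procfs and jail_*_devfs_ruleset names are written as plain text where the surrounding entries use .Va, and the two new devfs_jail_ruleset_enable and devfs_jail_ruleset_num variables get no .It Va entry of their own even though the jail_default_ruleset text refers to both. The sentence "A Standard Jail rule set is provided in rc.d/devfs to enable it set devfs_jail_ruleset_enable to YES" also needs a full stop or semicolon before "to enable it".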