Date: Sat, 03 Jul 2010 10:05:18 +0200 From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de> To: freebsd-stable <freebsd-stable@freebsd.org> Subject: selective jail restriction controlling in rc.conf Message-ID: <4C2EEF3E.2010008@omnilan.de>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig1DE569796D978C419DB213EC Content-Type: multipart/mixed; boundary="------------020206070603080009060807" This is a multi-part message in MIME format. --------------020206070603080009060807 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: quoted-printable Hello all, I very much liked the possibility to easily manage jails via rc.conf. Unfortunately I was missing some features. First, there are many security.jail.allow_* sysctls which didn't get attention. Second, I needed to allow different things on different jails. For example only one distinct jail should have SysV IPC. Please find attached a patch which extends rc.d to my needs. Some jail_start() modifications were necessary and some cleanups could be done in the "Configuring jails:" section (not needed any more) and in the _ip_multi processing, since that's not needed any more. One has to separately define ip4 and ip6 addresses. They can be with or without mask, a single address or a comma-separated list, it doesn't matter; thanks to the jail_handle_ips_option() coder, it just works :) Thanks, -Harry --------------020206070603080009060807 Content-Type: text/plain; name="jail-allow-selectables.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline; filename="jail-allow-selectables.patch" --- src/etc/defaults/rc.conf 2010-06-28 19:22:08.000000000 +0200 +++ src/etc/defaults/rc.conf 2010-07-03 09:54:55.000000000 +0200 
@@ -642,8 +642,13 @@
 jail_enable=3D"NO" # Set to NO to disable starting of any jails
 jail_list=3D"" # Space separated list of names of jails
 jail_set_hostname_allow=3D"YES" # Allow root user in a jail to change it= s hostname
-jail_socket_unixiproute_only=3D"YES" # Route only TCP/IP within a jail
 jail_sysvipc_allow=3D"NO" # Allow SystemV IPC use from within a jail
+jail_socket_unixiproute_only=3D"YES" # Route only TCP/IP within a jail
+jail_raw_sockets_allow=3D"NO" # Prison root can create raw sockets
+jail_chflags_allow=3D"NO" # Processes in jail can alter system file flag= s
+jail_mount_allow=3D"NO" # Processes in jail can mount/unmount jail-frien= dly file systems
+jail_quotas_allow=3D"NO" # The prison root may administer quotas on the = jail's filesystem(s)
+socket_af_allow=3D"NO" # Sockets within a jail are normally restricted t= o IPv4, IPv6, local (UNIX), and route.
=20
 #
 # To use rc's built-in jail infrastructure create entries for
@@ -672,6 +677,14 @@
 #jail_example_procfs_enable=3D"NO" # mount procfs in jail
 #jail_example_mount_enable=3D"NO" # mount/umount jail's fs
 #jail_example_fstab=3D"" # fstab(5) for mount/umount
+#jail_example_allow_set_hostname=3D"NO" # This jail can set hostname
+#jail_example_allow_sysvipc=3D"NO" # This jail can use SystemV IPC
+#jail_example_allow_raw_sockets=3D"NO" # This jail can create raw socke= ts (ping)
+#jail_example_allow_chflags=3D"NO" # This jail can alter it's filesyste= m flags
+#jail_example_allow_mount=3D"NO" # This jail can mount jail friendly f= ilesystems
+#jail_example_allow_quotas=3D"NO" # This jail can modify quotas on it'= s filesystems
+#jail_example_allow_socket_af=3D"NO" # This jail can use other protocol= stacks than IP4, IP6 and local
+
 #jail_example_flags=3D"-l -U root" # flags for jail(8)
=20
 ##############################################################
--- src/etc/rc.d/jail 2010-06-28 19:22:11.000000000 +0200
+++ src/etc/rc.d/jail 2010-07-03 10:02:34.000000000 +0200
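Review bot: The global defaults added in the @@ -642 hunk are named `jail_<knob>_allow` (and `socket_af_allow` has no `jail_` prefix at all), but the loop that consumes them in the rc.d/jail hunk at @@ -625 falls back to `${jail_allow_${relax}}`, so none of these defaults is ever read and every restriction not set per jail resolves to NO. That is fail-closed, but it silently turns the shipped `jail_set_hostname_allow="YES"` into `allow.set_hostname` unset for every jail, and makes a `jail_sysvipc_allow="YES"` in rc.conf a no-op for the new per-jail parameters. Either rename the defaults to match the fallback (`jail_allow_sysvipc`, …) or change the rc.d/jail fallback to `eval _param_allow=\"\${jail_${_jail}_allow_${relax}:-\${jail_${relax}_allow}}\"` and rename `socket_af_allow` to `jail_socket_af_allow`. The `jail_example_allow_*` comments in the @@ -672 hunk should also state that an unset per-jail value inherits the corresponding global default.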
@@ -21,6 +21,8 @@
 start_cmd=3D"jail_start"
 stop_cmd=3D"jail_stop"
=20
+jail_restrictions=3D"set_hostname sysvipc raw_sockets chflags mount quot= as socket_af"
+
 # init_variables _j
 # Initialize the various jail variables for jail _j.
 #
@@ -38,7 +40,8 @@
 _fdescdir=3D"${_devdir}/fd"
 _procdir=3D"${_rootdir}/proc"
 eval _hostname=3D\"\$jail_${_j}_hostname\"
- eval _ip=3D\"\$jail_${_j}_ip\"
+ eval _ip4=3D\"\$jail_${_j}_ip4\"
+ eval _ip6=3D\"\$jail_${_j}_ip6\"
 eval _interface=3D\"\${jail_${_j}_interface:-${jail_interface}}\"
 eval _exec=3D\"\$jail_${_j}_exec\"
=20
@@ -122,8 +125,9 @@
 debug "$_j procfs enable: $_procfs"
 debug "$_j mount enable: $_mount"
 debug "$_j hostname: $_hostname"
- debug "$_j ip: $_ip"
- jail_show_addresses ${_j}
+ debug "$_j ip4: $_ip4"
+ debug "$_j ip6: $_ip6"
+# jail_show_addresses ${_j}
 debug "$_j interface: $_interface"
 debug "$_j fib: $_fib"
 debug "$_j root: $_rootdir"
@@ -347,27 +351,27 @@
 # Debug print the input for the given _multi aliases
 # for a jail for init_variables().
 #
-jail_show_addresses()
-{
- local _j _type alias
- _j=3D"$1"
- alias=3D0
-
- if [ -z "${_j}" ]; then
- warn "jail_show_addresses: you must specify a jail"
- return
- fi
-
- while : ; do
- eval _addr=3D\"\$jail_${_j}_ip_multi${alias}\"
- if [ -n "${_addr}" ]; then
- debug "${_j} ip_multi${alias}: $_addr"
- alias=3D$((${alias} + 1))
- else
- break
- fi
- done
-}
+#jail_show_addresses()
+#{
+# local _j _type alias
+# _j=3D"$1"
+# alias=3D0
+#
+# if [ -z "${_j}" ]; then
+# warn "jail_show_addresses: you must specify a jail"
+# return
+# fi
+#
+# while : ; do
+# eval _addr=3D\"\$jail_${_j}_ip_multi${alias}\"
+# if [ -n "${_addr}" ]; then
+# debug "${_j} ip_multi${alias}: $_addr"
+# alias=3D$((${alias} + 1))
+# else
+# break
+# fi
+# done
+#}
=20
 # jail_extract_address argument
 # The second argument is the string from one of the _ip
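Review bot: The @@ -38 hunk stops reading `jail_<name>_ip`, and the @@ -531 hunk in the next chunk stops reading `jail_<name>_ip_multiN`, so an existing rc.conf that still uses those variables gets its jail started with empty `ip4.addr=`/`ip6.addr=` and no diagnostic. Keep the old variable for one release and at least warn: `eval _ip=\"\$jail_${_j}_ip\"` followed by `[ -n "${_ip}" ] && warn "jail_${_j}_ip is ignored; use jail_${_j}_ip4 / jail_${_j}_ip6"`. In the @@ -122 and @@ -347 hunks the `jail_show_addresses` call and function are commented out instead of removed; dead code should be deleted outright (the `# Debug print the input for the given _multi aliases` header along with it), since revision history preserves it. The new `jail_restrictions` string at @@ -21 deserves a one-line comment such as `# jail(8) allow.* parameters that may be relaxed per jail via jail_<name>_allow_<param>`. init_variables continues outside these hunks.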
@@ -481,20 +485,26 @@
 *) ;;
 esac
=20
- # Append address to list of addresses for the jail command.
- case "${_addrl}" in
- "") _addrl=3D"${_addr}" ;;
- *) _addrl=3D"${_addrl},${_addr}" ;;
- esac
-
 # Configure interface alias if requested by a given interface
 # and if we could correctly parse everything.
 case "${_iface}" in
 "") continue ;;
 esac
 case "${_type}" in
- inet) ;;
- inet6) ;;
+ inet) {=09
+ # Append address to list of addresses for the jail command.
+ case "${_addrl4}" in
+ "") _addrl4=3D"${_addr}" ;;
+ *) _addrl4=3D"${_addrl4},${_addr}" ;;
+ esac
+ };;
+ inet6) {
+ # Append address to list of addresses for the jail command.
+ case "${_addrl6}" in
+ "") _addrl6=3D"${_addr}" ;;
+ *) _addrl6=3D"${_addrl6},${_addr}" ;;
+ esac
+ };;
 *) warn "Could not determine address family. Not going" \
 "to ${_action} address '${_addr}' for ${_jail}."
 continue
@@ -531,18 +541,18 @@
 esac
=20
 # Handle addresses.
- jail_handle_ips_option ${_action} "${_ip}"
+ jail_handle_ips_option ${_action} "${_ip4},${_ip6}"
 # Handle jail_xxx_ip_multi<N>
- alias=3D0
- while : ; do
- eval _x=3D\"\$jail_${_jail}_ip_multi${alias}\"
- case "${_x}" in
- "") break ;;
- *) jail_handle_ips_option ${_action} "${_x}"
- alias=3D$((${alias} + 1))
- ;;
- esac
- done
+# alias=3D0
+# while : ; do
+# eval _x=3D\"\$jail_${_jail}_ip4_multi${alias}\"
+# case "${_x}" in
+# "") break ;;
+# *) jail_handle_ips_option ${_action} "${_x}"
+# alias=3D$((${alias} + 1))
+# ;;
+# esac
+# done
 }
=20
 jail_start()
@@ -566,7 +576,8 @@
 echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id ex= ists)]"
 continue;
 fi
- _addrl=3D""
+ _addrl4=3D""
+ _addrl6=3D""
 jail_ips "add"
 if [ -n "${_fib}" ]; then
 _setfib=3D"setfib -F '${_fib}'"
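Review bot: In the @@ -481 hunk the address is appended to `_addrl4`/`_addrl6` only inside the `case "${_type}"` that follows `case "${_iface}" in "") continue ;; esac`, whereas the removed code appended to `_addrl` before that interface check. Any jail with no `jail_<name>_interface` or `jail_interface` configured therefore loses every address and jail(8) is started with empty `ip4.addr=`/`ip6.addr=`, a silent change to the jail's network restrictions. Move the per-family append ahead of the interface check, as below, and keep the original `inet) ;;`/`inet6) ;;` arms for the alias handling; the enclosing function starts and ends outside the hunk. The `inet) {=09` line also carries a trailing tab, and the commented-out `_ip4_multi` loop in the @@ -531 hunk should be deleted rather than kept as dead code.
```shell
	# Append address to the per-family list for the jail command.
	# This must happen before the interface check below, otherwise a
	# jail without an alias interface gets no addresses at all.
	case "${_type}" in
	inet)	case "${_addrl4}" in
		"")	_addrl4="${_addr}" ;;
		*)	_addrl4="${_addrl4},${_addr}" ;;
		esac
		;;
	inet6)	case "${_addrl6}" in
		"")	_addrl6="${_addr}" ;;
		*)	_addrl6="${_addrl6},${_addr}" ;;
		esac
		;;
	esac

	# Configure interface alias if requested by a given interface
	# and if we could correctly parse everything.
	case "${_iface}" in
	"")	continue ;;
	esac
	# … unchanged: case "${_type}" with the inet/inet6/warn arms …
```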
@@ -625,6 +636,15 @@
 fi
 fi
 fi
+ _j_allow_parms=3D""
+ for relax in ${jail_restrictions}; do
+ eval _param_allow=3D\"\${jail_${_jail}_allow_${relax}:-\${jail_allow_= $relax}}\"
+ [ -z "${_param_allow}" ] && _param_allow=3D"NO"
+ checkyesno _param_allow && \
+ _j_allow_parms=3D"${_j_allow_parms}allow.${relax}=3D1 "=20
+ debug "$_jail _allow_${relax}: $_param_allow"
+ done
+ debug "$_jail selectiv relaxation: $_j_allow_parms"
 _tmp_jail=3D${_tmp_dir}/jail.$$
=20
 i=3D0
@@ -634,9 +654,10 @@
 ${out}
 i=3D$((i + 1))
 done
-
- eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+ =09
+ eval ${_setfib} jail ${_flags} -i -c name=3D${_jail}\
+ path=3D${_rootdir} host.hostname=3D${_hostname} \
+ ip4.addr=3D${_addrl4} ip6.addr=3D${_addrl6} ${_j_allow_parms} command= =3D${_exec_start} > ${_tmp_jail} 2>&1
=20
 if [ "$?" -eq 0 ] ; then
 _jail_id=3D$(head -1 ${_tmp_jail})
--------------020206070603080009060807--
--------------enig1DE569796D978C419DB213EC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)
iEYEARECAAYFAkwu70UACgkQLDqVQ9VXb8g/hQCfZB01buby15Zku8XaWwphuL6V
dFoAoLAsl8Jv7TQWbvmE8v1LCfqOQ2lz
=hEYV
-----END PGP SIGNATURE-----
--------------enig1DE569796D978C419DB213EC--
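Review bot: The debug line closing the @@ -625 hunk misspells its label; it should read `debug "$_jail selective relaxation: $_j_allow_parms"`. The `_j_allow_parms=` continuation line ends in a quoted-printable `=20`, i.e. trailing whitespace that should be stripped. The loop itself is sound from an injection standpoint: `relax` only takes values from the fixed `jail_restrictions` list and `_jail` is presumably the entry from `jail_list`, so the `eval` only expands administrator-controlled rc.conf variable names. jail_start continues outside the hunk.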
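Review bot: The new jail(8) invocation in the @@ -634 hunk passes `path=${_rootdir}` and `host.hostname=${_hostname}` unquoted through `eval`, whereas the removed line at least quoted the address list; a root directory containing a space now splits into separate jail parameters. Quote the single-value parameters, e.g. `path=\"${_rootdir}\" host.hostname=\"${_hostname}\"`, but leave `command=${_exec_start}` unquoted because jail(8) takes the remaining words as the command and its arguments. `ip4.addr=${_addrl4}` and `ip6.addr=${_addrl6}` are emitted even when the list is empty; if jail(8) does not treat an empty value exactly like an absent parameter, append them only when non-empty. The `+ =09` line adds a tab-only line and should be dropped. jail_start continues outside the hunk.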